Indicators of Malicious SSL Connections

  • Riccardo Bortolameotti
  • Andreas Peter
  • Maarten H. Everts
  • Damiano Bolzoni
Conference paper

DOI: 10.1007/978-3-319-25645-0_11

Volume 9408 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Bortolameotti R., Peter A., Everts M.H., Bolzoni D. (2015) Indicators of Malicious SSL Connections. In: Qiu M., Xu S., Yung M., Zhang H. (eds) Network and System Security. NSS 2015. Lecture Notes in Computer Science, vol 9408. Springer, Cham

Abstract

Internet applications use SSL to provide data confidentiality to communicating entities. The use of encryption in SSL makes it impossible to distinguish between benign and malicious connections as the content cannot be inspected. Therefore, we propose and evaluate a set of indicators for malicious SSL connections, which is based on the unencrypted part of SSL (i.e., the SSL handshake protocol). We provide strong evidence for the strength of our indicators to identify malicious connections by cross-checking on blacklists from professional services. Besides the confirmation of prior research results through our indicators, we also found indications for a potential (not yet blacklisted) botnet on SSL. We consider the analysis of such SSL threats as highly relevant and hope that our findings stimulate the research community to further study this direction.

Keywords

SSL; Malicious connection indicators; Handshake analysis

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Riccardo Bortolameotti (1)
  • Andreas Peter (1)
  • Maarten H. Everts (1, 2)
  • Damiano Bolzoni (1, 3)
  1. University of Twente, Enschede, The Netherlands
  2. Netherlands Organisation for Applied Scientific Research (TNO), Groningen, The Netherlands
  3. SecurityMatters, Eindhoven, The Netherlands