Indicators of Malicious SSL Connections

  • Riccardo BortolameottiEmail author
  • Andreas Peter
  • Maarten H. Everts
  • Damiano Bolzoni
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9408)


Internet applications use SSL to provide data confidentiality to communicating entities. The use of encryption in SSL makes it impossible to distinguish between benign and malicious connections as the content cannot be inspected. Therefore, we propose and evaluate a set of indicators for malicious SSL connections, which is based on the unencrypted part of SSL (i.e., the SSL handshake protocol). We provide strong evidence for the strength of our indicators to identify malicious connections by cross-checking on blacklists from professional services. Besides the confirmation of prior research results through our indicators, we also found indications for a potential (not yet blacklisted) botnet on SSL. We consider the analysis of such SSL threats as highly relevant and hope that our findings stimulate the research community to further study this direction.


SSL Malicious connection indicators Handshake analysis 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Holz, R., Braun, L., Kammenhuber, N., Carle, G.: The SSL landscape: a thorough analysis of the X.509 PKI using active and passive measurements. In: SIGCOMM IMC 2011, pp. 427–444. ACM (2011)Google Scholar
  2. 2.
    Amann, B., Vallentin, M., Hall, S., Sommer, R.: Revisiting SSL: A Large-Scale Study of the Internets Most Trusted Protocol. Technical Report 2012, ICSI (2012)Google Scholar
  3. 3.
    Amann, B., Sommer, R., Vallentin, M., Hall, S.: No attack necessary: the surprising dynamics of SSL trust relationships. In: ACSAC 2013, pp. 179–188. ACM (2013)Google Scholar
  4. 4.
    Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V.: The most dangerous code in the world: validating SSL certificates in non-browser software. In: CCS 2012, pp. 38–49. ACM (2012)Google Scholar
  5. 5.
    Fahl, S., Harbach, M., Muders, T., Baumgrtner, L., Freisleben, B., Smith, M.: Why eve and mallory love android: an analysis of android SSL (in) security. In: CCS 2012, pp. 50–61. ACM (2012)Google Scholar
  6. 6.
    Conti, M., Dragoni, N., Gottardo, S.: MITHYS: mind the hand you shake - protecting mobile devices from SSL usage vulnerabilities. In: Accorsi, R., Ranise, S. (eds.) STM 2013. LNCS, vol. 8203, pp. 65–81. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  7. 7.
    Pukkawanna, S., Kadobayashi, Y., Blanc, G., Garcia-Alfaro, J., Debar, H.: Classification of SSL servers based on their SSL handshake for automated security assessment. In: BADGERS 2014 (to appear 2014)Google Scholar
  8. 8.
    Bates, A., Pletcher, J., Nichols, T., Hollembaek, B., Tian, D., Butler, K.R., Alkhelaifi, A.: Securing SSL certificate verification through dynamic linking. In: CCS 2014, pp. 394–405. ACM (2014)Google Scholar
  9. 9.
    Holz, R., Riedmaier, T., Kammenhuber, N., Carle, G.: X.509 forensics: detecting and localising the SSL/TLS men-in-the-middle. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 217–234. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  10. 10.
    Clark, J., van Oorschot, P.C.: SoK: SSL and HTTPS: revisiting past challenges and evaluating certificate trust model enhancements. In: Symposium on Security and Privacy (SP) 2013, pp. 511–525. IEEE (2013)Google Scholar
  11. 11.
    Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou II, N., Abu-Nimeh, S., Lee, W., Dagon, D.: From throw-away traffic to bots: detecting the rise of DGA-based malware. In: USENIX Security Symposium, pp. 491–506. USENIXGoogle Scholar
  12. 12.
    Paxson, V.: Bro: a system for detecting network intruders in real-time. In: USENIX Security. USENIX (1998)Google Scholar
  13. 13.
    Wang, K., Parekh, J.J., Stolfo, S.J.: Anagram: a content anomaly detector resistant to mimicry attack. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 226–248. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  14. 14.
    Schiavoni, S., Maggi, F., Cavallaro, L., Zanero, S.: Phoenix: DGA-based botnet tracking and intelligence. In: Dietrich, S. (ed.) DIMVA 2014. LNCS, vol. 8550, pp. 192–211. Springer, Heidelberg (2014) Google Scholar
  15. 15.
    RFC6066. Internet Engineering Task Force (IETF). Transport Layer Security (TLS) Extensions: Extension Definitions.
  16. 16.
    ThreatStop Check IP service.
  17. 17.
    Tcpdump & Libpcap.
  18. 18.
    RFC5246. Internet Engineering Task Force (IETF). The Transport Layer Security (TLS) Protocol Version 1.2 - The TLS Handshaking Protocols.

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Riccardo Bortolameotti
    • 1
    Email author
  • Andreas Peter
    • 1
  • Maarten H. Everts
    • 1
    • 2
  • Damiano Bolzoni
    • 1
    • 3
  1. 1.University of TwenteEnschedeThe Netherlands
  2. 2.Netherlands Organisation for Applied Scientific Research (TNO)GroningenThe Netherlands
  3. 3.SecurityMattersEindhovenThe Netherlands

Personalised recommendations