Abstract
Internet applications use SSL to provide data confidentiality to communicating entities. The use of encryption in SSL makes it impossible to distinguish between benign and malicious connections as the content cannot be inspected. Therefore, we propose and evaluate a set of indicators for malicious SSL connections, which is based on the unencrypted part of SSL (i.e., the SSL handshake protocol). We provide strong evidence for the strength of our indicators to identify malicious connections by cross-checking on blacklists from professional services. Besides the confirmation of prior research results through our indicators, we also found indications for a potential (not yet blacklisted) botnet on SSL. We consider the analysis of such SSL threats as highly relevant and hope that our findings stimulate the research community to further study this direction.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Holz, R., Braun, L., Kammenhuber, N., Carle, G.: The SSL landscape: a thorough analysis of the X.509 PKI using active and passive measurements. In: SIGCOMM IMC 2011, pp. 427–444. ACM (2011)
Amann, B., Vallentin, M., Hall, S., Sommer, R.: Revisiting SSL: A Large-Scale Study of the Internets Most Trusted Protocol. Technical Report 2012, ICSI (2012)
Amann, B., Sommer, R., Vallentin, M., Hall, S.: No attack necessary: the surprising dynamics of SSL trust relationships. In: ACSAC 2013, pp. 179–188. ACM (2013)
Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V.: The most dangerous code in the world: validating SSL certificates in non-browser software. In: CCS 2012, pp. 38–49. ACM (2012)
Fahl, S., Harbach, M., Muders, T., Baumgrtner, L., Freisleben, B., Smith, M.: Why eve and mallory love android: an analysis of android SSL (in) security. In: CCS 2012, pp. 50–61. ACM (2012)
Conti, M., Dragoni, N., Gottardo, S.: MITHYS: mind the hand you shake - protecting mobile devices from SSL usage vulnerabilities. In: Accorsi, R., Ranise, S. (eds.) STM 2013. LNCS, vol. 8203, pp. 65–81. Springer, Heidelberg (2013)
Pukkawanna, S., Kadobayashi, Y., Blanc, G., Garcia-Alfaro, J., Debar, H.: Classification of SSL servers based on their SSL handshake for automated security assessment. In: BADGERS 2014 (to appear 2014)
Bates, A., Pletcher, J., Nichols, T., Hollembaek, B., Tian, D., Butler, K.R., Alkhelaifi, A.: Securing SSL certificate verification through dynamic linking. In: CCS 2014, pp. 394–405. ACM (2014)
Holz, R., Riedmaier, T., Kammenhuber, N., Carle, G.: X.509 forensics: detecting and localising the SSL/TLS men-in-the-middle. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 217–234. Springer, Heidelberg (2012)
Clark, J., van Oorschot, P.C.: SoK: SSL and HTTPS: revisiting past challenges and evaluating certificate trust model enhancements. In: Symposium on Security and Privacy (SP) 2013, pp. 511–525. IEEE (2013)
Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou II, N., Abu-Nimeh, S., Lee, W., Dagon, D.: From throw-away traffic to bots: detecting the rise of DGA-based malware. In: USENIX Security Symposium, pp. 491–506. USENIX
Paxson, V.: Bro: a system for detecting network intruders in real-time. In: USENIX Security. USENIX (1998)
Wang, K., Parekh, J.J., Stolfo, S.J.: Anagram: a content anomaly detector resistant to mimicry attack. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 226–248. Springer, Heidelberg (2006)
Schiavoni, S., Maggi, F., Cavallaro, L., Zanero, S.: Phoenix: DGA-based botnet tracking and intelligence. In: Dietrich, S. (ed.) DIMVA 2014. LNCS, vol. 8550, pp. 192–211. Springer, Heidelberg (2014)
RFC6066. Internet Engineering Task Force (IETF). Transport Layer Security (TLS) Extensions: Extension Definitions. https://tools.ietf.org/html/rfc6066
ThreatStop Check IP service. http://www.threatstop.com/checkip
Tcpdump & Libpcap. http://www.tcpdump.org/
RFC5246. Internet Engineering Task Force (IETF). The Transport Layer Security (TLS) Protocol Version 1.2 - The TLS Handshaking Protocols. https://tools.ietf.org/html/rfc5246#section-7
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Bortolameotti, R., Peter, A., Everts, M.H., Bolzoni, D. (2015). Indicators of Malicious SSL Connections. In: Qiu, M., Xu, S., Yung, M., Zhang, H. (eds) Network and System Security. NSS 2015. Lecture Notes in Computer Science(), vol 9408. Springer, Cham. https://doi.org/10.1007/978-3-319-25645-0_11
Download citation
DOI: https://doi.org/10.1007/978-3-319-25645-0_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25644-3
Online ISBN: 978-3-319-25645-0
eBook Packages: Computer ScienceComputer Science (R0)