Malicious SSL Certificate Detection: A Step Towards Advanced Persistent Threat Defence

Published: 19 July 2017

Abstract

Advanced Persistent Threat (APT) attacks are among the most serious cyber attacks: a newer and more complex form of multi-step attack. Within the APT life cycle, the infected hosts keep up continuous communication with Command and Control (C&C) servers, which instruct and guide the compromised machines. These communications are usually protected by Secure Sockets Layer (SSL) encryption (in practice its successor TLS, still commonly called SSL), which makes it difficult to tell whether the traffic directed to a site is malicious. This paper presents a Malicious SSL certificate Detection (MSSLD) module, which aims to detect APT C&C communications using a blacklist of malicious SSL certificates. The blacklist holds two forms of certificate identifier associated with malware and malicious activity: SHA-1 fingerprints, and serial number together with subject. The detection module processes the network traffic, filters out all secure connections, and matches the SSL certificate of each secure connection against the blacklist. The module was evaluated experimentally and the results show successful detection of malicious SSL certificates.
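The matching step the abstract describes, as an added example that is not code from the paper or from any tool it uses: a two-form blacklist (SHA-1 fingerprint, and serial number plus subject) loaded from text feeds and applied to the certificate seen on each secure connection. The SHA-1 feed follows the column layout of the abuse.ch SSLBL CSV but its entries are constructed; the serial/subject feed layout, every name in the code and the certificate records are hypothetical and constructed for this example. The normalisation is the part that matters in practice: fingerprints arrive with or without colons and in either case, serials with or without leading zeros, and subject DNs with varying whitespace and attribute-type case, so a naive string comparison silently misses hits.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Form 1: SHA-1 fingerprints in the abuse.ch SSLBL CSV layout (date, SHA1, reason). Constructed.
SSLBL_CSV = """\
# Listingdate,SHA1,Listingreason
2017-02-10 10:00:00,0123456789abcdef0123456789abcdef01234567,Gozi C&C
2017-02-11 12:30:00,89ABCDEF0123456789ABCDEF0123456789ABCDEF,Dridex C&C
"""
# Form 2: serial number + subject DN. Tab-separated layout is hypothetical; entries constructed.
SERIAL_SUBJECT_TSV = """\
# serial\tsubject\treason
00:bf:1c:2a\tCN=mail.example.org, O=Example Org, C=US\tconstructed APT C&C
1ad3\tCN=update-server, OU=IT\tconstructed APT C&C
"""

def norm_fingerprint(fp: str) -> str:
    """Lower-case hex with separators removed: '01:23:AB' equals '0123ab'."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def norm_serial(serial: str) -> str:
    """Hex serial without 0x prefix, separators or leading zeros."""
    s = serial.strip().lower()
    s = s[2:] if s.startswith("0x") else s
    return re.sub(r"[^0-9a-f]", "", s).lstrip("0") or "0"

def norm_subject(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Split an RFC 4514 style DN on unescaped commas into (TYPE, value) pairs.
    Types compare case-insensitively, values keep case minus surrounding
    whitespace, and RDN order is preserved ('CN=a,O=b' != 'O=b,CN=a')."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return tuple(pairs)

@dataclass
class Blacklist:
    fingerprints: Dict[str, str]      # normalised SHA-1 -> listing reason
    serial_subject: Dict[tuple, str]  # (normalised serial, subject pairs) -> reason

    @classmethod
    def load(cls, sslbl_csv: str, serial_subject_tsv: str) -> "Blacklist":
        fps, ss = {}, {}
        for row in csv.reader(io.StringIO(sslbl_csv)):
            if not row or row[0].startswith("#"): continue   # comment / blank line
            _date, sha1, reason = row[:3]
            fp = norm_fingerprint(sha1)
            if len(fp) != 40:                  # refuse malformed feed entries
                raise ValueError(f"not a SHA-1 fingerprint: {sha1!r}")
            fps[fp] = reason
        for line in serial_subject_tsv.splitlines():
            if not line or line.startswith("#"): continue
            serial, subject, reason = line.split("\t", 2)
            ss[(norm_serial(serial), norm_subject(subject))] = reason
        return cls(fps, ss)

@dataclass
class CertRecord:           # what a passive TLS monitor extracts per secure connection
    conn: str               # src:port->dst:port
    sha1: str               # hex SHA-1 of the DER-encoded certificate
    serial: str
    subject: str

def match(bl: Blacklist, rec: CertRecord) -> Optional[Tuple[str, str]]:
    """Return (form, reason) on a hit, else None. Exact fingerprint first; serial+subject also
    catches a certificate regenerated with the same serial and subject but a new key (new hash)."""
    fp = norm_fingerprint(rec.sha1)
    if fp in bl.fingerprints:
        return ("sha1", bl.fingerprints[fp])
    key = (norm_serial(rec.serial), norm_subject(rec.subject))
    if key in bl.serial_subject:
        return ("serial+subject", bl.serial_subject[key])
    return None

def scan(bl: Blacklist, records: List[CertRecord]) -> List[str]:
    alerts = []                                # one alert line per blacklisted certificate
    for rec in records:
        hit = match(bl, rec)
        if hit is not None:
            alerts.append(f"ALERT {rec.conn} blacklisted cert form={hit[0]} reason={hit[1]!r}")
    return alerts

# Constructed observations, one per secure connection.
SAMPLE_RECORDS = [
    CertRecord("10.0.0.5:49152->203.0.113.7:443",
               "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67",
               "04", "CN=www.example.net"),                          # SHA-1 hit despite colons/case
    CertRecord("10.0.0.8:49201->198.51.100.9:443", "deadbeef" * 5,
               "BF1C2A", "cn=mail.example.org,o=Example Org,c=US"),  # serial+subject hit
    CertRecord("10.0.0.9:49300->192.0.2.10:443", "c0ffee00" * 5,
               "1ad3", "OU=IT,CN=update-server"),                    # RDN order differs: no hit
    CertRecord("10.0.0.9:49301->192.0.2.11:8443", "c0ffee00" * 5,
               "1ad3", "CN=update-server, OU=IT"),                   # serial+subject hit
]

if __name__ == "__main__":
    print("\n".join(scan(Blacklist.load(SSLBL_CSV, SERIAL_SUBJECT_TSV), SAMPLE_RECORDS)))
```

The check a practitioner should keep in mind: a blacklist of this kind flags only certificates already listed, so its value tracks feed freshness, and it says nothing about a certificate it has never seen. It belongs beside behavioural C&C detection, not in place of it.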

Published In

cover image ACM Other conferences
ICFNDS '17: Proceedings of the International Conference on Future Networks and Distributed Systems
July 2017
325 pages
ISBN:9781450348447
DOI:10.1145/3102304

In-Cooperation

  • Lab-STICC

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. cyber attacks
  2. advanced persistent threat
  3. intrusion detection system
  4. malicious SSL certificate
  5. malware

Qualifiers

  • Research-article

Conference

ICFNDS '17

Cited By

  • (2024) Experiences, Lessons, and Challenges With Adapting REDCap for COVID-19 Laboratory Data Management in a Resource-Limited Country: Descriptive Study. JMIR Formative Research 8, e50897. DOI: 10.2196/50897. Published 16 Apr 2024.
  • (2023) A Multi-Key with Partially Homomorphic Encryption Scheme for Low-End Devices Ensuring Data Integrity. Information 14(5), 263. DOI: 10.3390/info14050263. Published 28 Apr 2023.
  • (2023) Classification and Analysis of Malicious Code Detection Techniques Based on the APT Attack. Applied Sciences 13(5), 2894. DOI: 10.3390/app13052894. Published 23 Feb 2023.
  • (2023) Evaluating IP Blacklists Effectiveness. 2023 10th International Conference on Future Internet of Things and Cloud (FiCloud), 336-343. DOI: 10.1109/FiCloud58648.2023.00056. Published 14 Aug 2023.
  • (2023) Latent Dirichlet Allocation for the Detection of Multi-Stage Attacks. 2023 24th International Arab Conference on Information Technology (ACIT), 1-7. DOI: 10.1109/ACIT58888.2023.10453849. Published 6 Dec 2023.
  • (2022) Malcertificate: Research and Implementation of a Malicious Certificate Detection Algorithm Based on GCN. Applied Sciences 12(9), 4440. DOI: 10.3390/app12094440. Published 27 Apr 2022.
  • (2022) Understanding the Security of Free Content Websites by Analyzing their SSL Certificates. Proceedings of the 1st Workshop on Cybersecurity and Social Sciences, 19-25. DOI: 10.1145/3494108.3522769. Published 30 May 2022.
  • (2022) Multi-stage Attack Detection: Emerging Challenges for Wireless Networks. 2022 International Conference on Smart Applications, Communications and Networking (SmartNets), 1-5. DOI: 10.1109/SmartNets55823.2022.9994027. Published 29 Nov 2022.
  • (2022) APT beaconing detection: A systematic review. Computers & Security 122, 102875. DOI: 10.1016/j.cose.2022.102875. Published Nov 2022.
  • (2021) Machine Learning-Based Malicious X.509 Certificates' Detection. Applied Sciences 11(5), 2164. DOI: 10.3390/app11052164. Published 1 Mar 2021.