Extending C2 Traffic Detection Methodologies: From TLS 1.2 to TLS 1.3-enabled Malware

dc.contributor.author Bernardo Luís Portela
dc.contributor.other 6060
dc.date.accessioned 2025-02-25T10:48:35Z
dc.date.available 2025-02-25T10:48:35Z
dc.date.issued 2024
dc.description.abstract As the Internet moves from TLS 1.2 to TLS 1.3, online communications gain stronger protection against network eavesdropping. The same advance, however, lets malicious command and control (C2) traffic evade malware detectors and intrusion detection systems more effectively. Among other changes, TLS 1.3 encrypts most handshake messages and conceals the actual TLS record content type, which complicates the task of state-of-the-art C2 traffic classifiers that were originally developed for TLS 1.2 traffic. Given the pressing need to detect malicious C2 communications accurately, this paper examines to what extent existing C2 classifiers for TLS 1.2 lose effectiveness when applied to TLS 1.3 traffic, posing a central research question: can TLS 1.2 detection methodologies for C2 traffic be adapted to work on TLS 1.3 flows? We answer this question affirmatively by introducing new methods for inferring certificate size and for filtering handshake- and protocol-related records in TLS 1.3 flows. These techniques enable the extraction of key features for traffic detection and can be used to pre-process flows before applying C2 classifiers. We show that this approach allows existing TLS 1.2 C2 classifiers to be reused with high efficacy, enabling passive classification of encrypted network traffic. In our tests, we inferred certificate sizes with an average error of 1.0%, and achieved detection rates of 100% when classifying traffic by certificate size, and over 93% when classifying TLS 1.3 traffic behaviour after training solely on TLS 1.2 traffic. To our knowledge, these are the first results to demonstrate specialised TLS 1.3 C2 traffic classification.
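The two situations the abstract contrasts, as an added illustration that is not part of this record and does not reproduce the paper's method: in a TLS 1.2 server flight the Certificate handshake message is sent in clear, so a classifier reads its length straight from the handshake header (after reassembling it from fragmented records); in a TLS 1.3 flight everything after ServerHello travels in application_data records whose real content type and message boundaries are encrypted, so a passive observer only sees record lengths. The code parses constructed record streams (opaque stand-ins for DER certificates and for ciphertext; no real certificates, no real encryption) and estimates the plaintext size of the TLS 1.3 server flight by summing record lengths minus an assumed 16-byte AEAD tag and 1-byte inner content type, stopping at the first client-to-server record after ServerHello. The stopping rule, the overhead constants, the `other_messages_len` calibration and the sample flows are assumptions of this example, not the paper's technique.

```python
CT_CHANGE_CIPHER_SPEC, CT_HANDSHAKE, CT_APPLICATION_DATA = 0x14, 0x16, 0x17
HS_SERVER_HELLO, HS_CERTIFICATE = 2, 11
# Assumed TLS 1.3 per-record overhead: 16-byte AEAD tag plus the 1-byte
# TLSInnerPlaintext content type that is encrypted together with the handshake data.
AEAD_TAG_LEN, INNER_TYPE_LEN = 16, 1

def parse_records(data: bytes) -> list[tuple[int, bytes]]:
    """Split a raw stream into (content_type, payload); header = type(1) version(2) length(2)."""
    records, off = [], 0
    while off < len(data):
        length = int.from_bytes(data[off + 3:off + 5], "big")
        payload = data[off + 5:off + 5 + length]
        if off + 5 > len(data) or len(payload) != length:
            raise ValueError("truncated TLS record")
        records.append((data[off], payload))
        off += 5 + length
    return records

def parse_handshake(stream: bytes) -> list[tuple[int, bytes]]:
    """Split plaintext handshake bytes into (msg_type, body); header = type(1) length(3)."""
    msgs, off = [], 0
    while off < len(stream):
        length = int.from_bytes(stream[off + 1:off + 4], "big")
        body = stream[off + 4:off + 4 + length]
        if off + 4 > len(stream) or len(body) != length:
            raise ValueError("truncated handshake message")
        msgs.append((stream[off], body))
        off += 4 + length
    return msgs

def tls12_certificate_size(flow: list[tuple[str, bytes]]) -> int:
    """TLS 1.2: the Certificate message is in clear. Reassemble the server's handshake records
    up to its ChangeCipherSpec (later ones are encrypted); return 4-byte header + body size."""
    stream, done = bytearray(), False
    for direction, segment in flow:
        if direction != "S>C" or done:
            continue
        for ctype, payload in parse_records(segment):
            if ctype == CT_CHANGE_CIPHER_SPEC:
                done = True
                break
            if ctype == CT_HANDSHAKE:
                stream += payload
    for msg_type, body in parse_handshake(bytes(stream)):
        if msg_type == HS_CERTIFICATE:
            return 4 + len(body)
    raise ValueError("no plaintext Certificate message in flow")

def tls13_encrypted_flight_size(flow: list[tuple[str, bytes]]) -> int:
    """TLS 1.3: after ServerHello every server record is application_data with the real content
    type encrypted, so only lengths are visible. Sum (length - overhead) over server records from
    ServerHello up to the first client-to-server record; that boundary is this example's assumption."""
    after_hello, total = False, 0
    for direction, segment in flow:
        if direction == "C>S":
            if after_hello:
                break
            continue
        for ctype, payload in parse_records(segment):
            if ctype == CT_HANDSHAKE and any(t == HS_SERVER_HELLO for t, _ in parse_handshake(payload)):
                after_hello = True
            elif ctype == CT_APPLICATION_DATA and after_hello:  # ChangeCipherSpec records are skipped
                total += len(payload) - AEAD_TAG_LEN - INNER_TYPE_LEN
    return total

def tls13_certificate_estimate(flow: list[tuple[str, bytes]], other_messages_len: int) -> int:
    # other_messages_len: EncryptedExtensions + CertificateVerify + Finished, assumed calibrated per cipher suite
    return tls13_encrypted_flight_size(flow) - other_messages_len

# ---- constructed sample flows: opaque stand-ins for DER certificates and ciphertext ----
def record(ctype: int, payload: bytes, version: int = 0x0303) -> bytes:
    return bytes([ctype]) + version.to_bytes(2, "big") + len(payload).to_bytes(2, "big") + payload

def handshake(msg_type: int, body: bytes) -> bytes:
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def sealed(plaintext_len: int) -> bytes:  # fake AEAD record with the length a real one would have
    return record(CT_APPLICATION_DATA, b"\xaa" * (plaintext_len + INNER_TYPE_LEN + AEAD_TAG_LEN))

LEAF_CERT, CA_CERT = b"\x30\x82" + bytes(range(256)) * 3, b"\x30\x82" + bytes(range(256)) * 4  # 770, 1026 bytes
_ents12 = b"".join(len(c).to_bytes(3, "big") + c for c in (LEAF_CERT, CA_CERT))  # TLS 1.2 entry: length(3) + DER
CERT_MSG_12 = handshake(HS_CERTIFICATE, len(_ents12).to_bytes(3, "big") + _ents12)
TLS12_FLOW = [
    ("S>C", record(CT_HANDSHAKE, handshake(HS_SERVER_HELLO, b"\x03\x03" + b"\x00" * 36))
     + record(CT_HANDSHAKE, CERT_MSG_12[:1000]) + record(CT_HANDSHAKE, CERT_MSG_12[1000:])  # fragmented
     + record(CT_HANDSHAKE, handshake(12, b"\x00" * 100) + handshake(14, b""))),
    ("S>C", record(CT_CHANGE_CIPHER_SPEC, b"\x01") + record(CT_HANDSHAKE, b"\xaa" * 40)),  # encrypted Finished
]
_ents13 = b"".join(len(c).to_bytes(3, "big") + c + b"\x00\x00" for c in (LEAF_CERT, CA_CERT))  # + extensions(2)
CERT_MSG_13 = handshake(HS_CERTIFICATE, b"\x00" + len(_ents13).to_bytes(3, "big") + _ents13)  # context(1) + list
SERVER_FLIGHT_13 = (handshake(8, b"\x00" * 10) + CERT_MSG_13 + handshake(15, b"\x00" * 68)
                    + handshake(20, b"\x00" * 32))  # EncryptedExtensions, Certificate, CertificateVerify, Finished
OTHER_MSGS_13 = len(SERVER_FLIGHT_13) - len(CERT_MSG_13)  # 122 bytes in this construction
TLS13_FLOW = [
    ("C>S", record(CT_HANDSHAKE, handshake(1, b"\x03\x03" + b"\x00" * 200), version=0x0301)),
    ("S>C", record(CT_HANDSHAKE, handshake(HS_SERVER_HELLO, b"\x03\x03" + b"\x00" * 90))
     + record(CT_CHANGE_CIPHER_SPEC, b"\x01") + sealed(1400) + sealed(len(SERVER_FLIGHT_13) - 1400)),
    ("C>S", record(CT_CHANGE_CIPHER_SPEC, b"\x01") + sealed(36)),  # client Finished ends the flight
    ("S>C", sealed(200) + sealed(1500)),  # NewSessionTicket + application data: must not be counted
]
```

On the constructed TLS 1.2 flow `tls12_certificate_size` returns the exact 1809 bytes of the Certificate message even though it is split across two records; on the TLS 1.3 flow the observer cannot see the message at all, and `tls13_encrypted_flight_size` recovers the flight's 1936 plaintext bytes only because the overhead constants match the construction and the client's Finished marks the end of the flight. A real classifier has to cope with record padding, with servers that coalesce or split messages differently, and with post-handshake records that are indistinguishable by content type, which is why the abstract reports an average rather than an exact inference.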
dc.identifier P-017-730
dc.identifier.uri https://repositorio.inesctec.pt/handle/123456789/15355
dc.language eng
dc.rights info:eu-repo/semantics/openAccess
dc.title Extending C2 Traffic Detection Methodologies: From TLS 1.2 to TLS 1.3-enabled Malware
dc.type Publication
Files
Original bundle
Name: P-017-730.pdf
Size: 824.81 KB
Format: Adobe Portable Document Format