Malicious SSL Certificate Detection: A Step Towards Advanced Persistent Threat Defence

Kód výsledku v IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216224%3A14330%2F17%3A00096897" target="_blank" >RIV/00216224:14330/17:00096897 - isvavai.cz</a>

Výsledek na webu

<a href="https://dl.acm.org/citation.cfm?id=3102331&CFID=996318447&CFTOKEN=91066867" target="_blank" >https://dl.acm.org/citation.cfm?id=3102331&CFID=996318447&CFTOKEN=91066867</a>

DOI - Digital Object Identifier

<a href="http://dx.doi.org/10.1145/3102304.3102331" target="_blank" >10.1145/3102304.3102331</a>

Jazyk výsledku

angličtina

Název v původním jazyce

Malicious SSL Certificate Detection: A Step Towards Advanced Persistent Threat Defence

Popis výsledku v původním jazyce

Advanced Persistent Threat (APT) is one of the most serious types of cyber attacks, which is a new and more complex version of multistep attack. Within the APT life cycle, continuous communication between infected hosts and Command and Control (C&amp;C) servers is maintained to instruct and guide the compromised machines. These communications are usually protected by Secure Sockets Layer (SSL) encryption, making it difficult to identify if the traffic directed to sites is malicious. This paper presents a Malicious SSL certificate Detection (MSSLD) module, which aims at detecting the APT C&amp;C communications based on a blacklist of malicious SSL certificates. This blacklist consists of two forms of SSL certificates, the SHA1 fingerprints and the serial &amp; subject, that are associated with malware and malicious activities. In this detection module, the network traffic is processed and all secure connections are filtered. The SSL certificate of each secure connection is then matched with the SSL certificate blacklist. This module was experimentally evaluated and the results show successful detection of malicious SSL certificates.

Název v anglickém jazyce

Malicious SSL Certificate Detection: A Step Towards Advanced Persistent Threat Defence

Popis výsledku anglicky

Advanced Persistent Threat (APT) is one of the most serious types of cyber attacks, which is a new and more complex version of multistep attack. Within the APT life cycle, continuous communication between infected hosts and Command and Control (C&amp;C) servers is maintained to instruct and guide the compromised machines. These communications are usually protected by Secure Sockets Layer (SSL) encryption, making it difficult to identify if the traffic directed to sites is malicious. This paper presents a Malicious SSL certificate Detection (MSSLD) module, which aims at detecting the APT C&amp;C communications based on a blacklist of malicious SSL certificates. This blacklist consists of two forms of SSL certificates, the SHA1 fingerprints and the serial &amp; subject, that are associated with malware and malicious activities. In this detection module, the network traffic is processed and all secure connections are filtered. The SSL certificate of each secure connection is then matched with the SSL certificate blacklist. This module was experimentally evaluated and the results show successful detection of malicious SSL certificates.

Druh

D - Stať ve sborníku

CEP obor

—

OECD FORD obor

10201 - Computer sciences, information science, bioinformathics (hardware development to be 2.2, social aspect to be 5.8)

Projekt

—

Návaznosti

S - Specificky vyzkum na vysokych skolach

Rok uplatnění

2017

Kód důvěrnosti údajů

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Název statě ve sborníku

Proceedings of International Conference on Future Networks and Distributed Systems

ISBN

9781450348447

ISSN

—

e-ISSN

—

Počet stran výsledku

6

Strana od-do

1-6

Název nakladatele

ACM Digital Library

Místo vydání

Cambridge, United Kingdom

Místo konání akce

Cambridge, United Kingdom

Datum konání akce

19. 7. 2017

Typ akce podle státní příslušnosti

WRD - Celosvětová akce

Kód UT WoS článku

000434833900034