Unmasking malware in TLS connections? It can be done, say Cisco researchers

A group of researchers who work for Cisco* reckons malicious traffic in TLS tunnels can be spotted and blocked – without decrypting user traffic.

That's good news in the corporate setting, because today's protection relies on the controversial approach of terminating the encryption to inspect the traffic.

In this paper at Arxiv, switchzilla's Blake Anderson, Subharthi Paul and David McGrew explain that malware leaves recognisable footprints in the TLS flows.

Their research covered thousands of samples across 18 malware families, and “tens of thousands” of malicious flows out of the millions of encrypted flows captured from an enterprise network (they note that this work might only be relevant to enterprise networks and not, for example, service provider networks).

The main use of deep packet inspection in the researchers' data collection was to sniff out the clientHello and serverHello messages, and ID the TLS versions – but not user data.

Network data alone, they reckon, is enough to attribute TLS flows to most malware families. Even when different families use the same TLS parameters, they can usually be distinguished by their “flow-based features”.

The features they used included flow metadata (bytes in and out, packets in and out, network port numbers, and flow duration); the sequence of packet lengths and times; byte distribution; and TLS header information.

The research included malware from the Bergat, Deshacop, Dridex, Dynamer, Kazy, Parite, Razy, Zedbot and Zusy families, among many others.

The researchers reckon the right application of machine learning to the flow analysis got them “an accuracy of 90.3% for the family attribution problem when restricted to a single, encrypted flow, and an accuracy of 93.2% when we make use of all encrypted flows within a 5-minute window”. ®

*Bootnote: Such research might be Cisco-sponsored, or the researchers might be publishing as individuals; the paper doesn't stipulate which. ®