Malicious SSL Certificate Detection: A Step Towards Advanced
Persistent Threat Defence

D 2017

Malicious SSL Certificate Detection: A Step Towards Advanced Persistent Threat Defence

GHAFIR, Ibrahim; Václav PŘENOSIL; Mohammad HAMMOUDEH; Liangxiu HAN; Raza UMAR et. al.

Základní údaje

Originální název

Malicious SSL Certificate Detection: A Step Towards Advanced Persistent Threat Defence

Autoři

GHAFIR, Ibrahim (760 Sýrie, garant, domácí); Václav PŘENOSIL (203 Česká republika, domácí); Mohammad HAMMOUDEH (826 Velká Británie a Severní Irsko); Liangxiu HAN (826 Velká Británie a Severní Irsko) a Raza UMAR (826 Velká Británie a Severní Irsko)

Vydání

Cambridge, United Kingdom, Proceedings of International Conference on Future Networks and Distributed Systems, od s. 1-6, 6 s. 2017

Nakladatel

ACM Digital Library

Další údaje

Jazyk

angličtina

Typ výsledku

Stať ve sborníku

Obor

10201 Computer sciences, information science, bioinformatics

Stát vydavatele

Spojené státy

Utajení

není předmětem státního či obchodního tajemství

Forma vydání

tištěná verze "print"

Odkazy

URL

Kód RIV

RIV/00216224:14330/17:00096897

Organizační jednotka

Fakulta informatiky

ISBN

978-1-4503-4844-7

DOI

http://dx.doi.org/10.1145/3102304.3102331

UT WoS

000434833900034

EID Scopus

2-s2.0-85030458863

Klíčová slova anglicky

Cyber attacks; malware; advanced persistent threat; malicious SSL certificate; intrusion detection system.

Příznaky

Mezinárodní význam, Recenzováno

Změněno: 13. 5. 2020 19:16, RNDr. Pavel Šmerk, Ph.D.

Anotace

V originále

Advanced Persistent Threat (APT) is one of the most serious types of cyber attacks, which is a new and more complex version of multistep attack. Within the APT life cycle, continuous communication between infected hosts and Command and Control (C&C) servers is maintained to instruct and guide the compromised machines. These communications are usually protected by Secure Sockets Layer (SSL) encryption, making it difficult to identify if the traffic directed to sites is malicious. This paper presents a Malicious SSL certificate Detection (MSSLD) module, which aims at detecting the APT C&C communications based on a blacklist of malicious SSL certificates. This blacklist consists of two forms of SSL certificates, the SHA1 fingerprints and the serial & subject, that are associated with malware and malicious activities. In this detection module, the network traffic is processed and all secure connections are filtered. The SSL certificate of each secure connection is then matched with the SSL certificate blacklist. This module was experimentally evaluated and the results show successful detection of malicious SSL certificates.

Citovat

GHAFIR, Ibrahim; Václav PŘENOSIL; Mohammad HAMMOUDEH; Liangxiu HAN a Raza UMAR. Malicious SSL Certificate Detection: A Step Towards Advanced Persistent Threat Defence. In Proceedings of International Conference on Future Networks and Distributed Systems. Cambridge, United Kingdom: ACM Digital Library, 2017, s. 1-6. ISBN 978-1-4503-4844-7. Dostupné z: https://dx.doi.org/10.1145/3102304.3102331.

@inproceedings{1382494,
   author = {Ghafir, Ibrahim and Přenosil, Václav and Hammoudeh, Mohammad and Han, Liangxiu and Umar, Raza},
   address = {Cambridge, United Kingdom},
   booktitle = {Proceedings of International Conference on Future Networks and Distributed Systems},
   doi = {http://dx.doi.org/10.1145/3102304.3102331},
   keywords = {Cyber attacks; malware; advanced persistent threat; malicious SSL certificate; intrusion detection system.},
   howpublished = {tištěná verze "print"},
   language = {eng},
   location = {Cambridge, United Kingdom},
   isbn = {978-1-4503-4844-7},
   pages = {1-6},
   publisher = {ACM Digital Library},
   title = {Malicious SSL Certificate Detection: A Step Towards Advanced Persistent Threat Defence},
   url = {https://dl.acm.org/citation.cfm?id=3102331&CFID=996318447&CFTOKEN=91066867},
   year = {2017}
}

TY  - CONF
ID  - 1382494
AU  - Ghafir, Ibrahim - Přenosil, Václav - Hammoudeh, Mohammad - Han, Liangxiu - Umar, Raza
PY  - 2017
TI  - Malicious SSL Certificate Detection: A Step Towards Advanced Persistent Threat Defence
PB  - ACM Digital Library
CY  - Cambridge, United Kingdom
SN  - 9781450348447
KW  - Cyber attacks
KW  - malware
KW  - advanced persistent threat
KW  - malicious SSL certificate
KW  - intrusion detection system.
UR  - https://dl.acm.org/citation.cfm?id=3102331&CFID=996318447&CFTOKEN=91066867
L2  - https://dl.acm.org/citation.cfm?id=3102331&CFID=996318447&CFTOKEN=91066867
N2  - Advanced Persistent Threat (APT) is one of the most serious types of cyber attacks, which is a new and more complex version of multistep attack. Within the APT life cycle, continuous communication between infected hosts and Command and Control (C&C) servers is maintained to instruct and guide the compromised machines. These communications are usually protected by Secure Sockets Layer (SSL) encryption, making it difficult to identify if the traffic directed to sites is malicious. This paper presents a Malicious SSL certificate Detection (MSSLD) module, which aims at detecting the APT C&C communications based on a blacklist of malicious SSL certificates. This blacklist consists of two forms of SSL certificates, the SHA1 fingerprints and the serial & subject, that are associated with malware and malicious activities. In this detection module, the network traffic is processed and all secure connections are filtered. The SSL certificate of each secure connection is then matched with the SSL certificate blacklist. This module was experimentally evaluated and the results show successful detection of malicious SSL certificates.
ER  -

GHAFIR, Ibrahim; Václav PŘENOSIL; Mohammad HAMMOUDEH; Liangxiu HAN a Raza UMAR. Malicious SSL Certificate Detection: A Step Towards Advanced Persistent Threat Defence. In \textit{Proceedings of International Conference on Future Networks and Distributed Systems}. Cambridge, United Kingdom: ACM Digital Library, 2017, s.~1-6. ISBN~978-1-4503-4844-7. Dostupné z: https://dx.doi.org/10.1145/3102304.3102331.

Přehled o publikaci