GHAFIR, Ibrahim, Václav PŘENOSIL, Mohammad HAMMOUDEH, Liangxiu HAN and Raza UMAR. Malicious SSL Certificate Detection: A Step Towards Advanced Persistent Threat Defence. In Proceedings of International Conference on Future Networks and Distributed Systems. Cambridge, United Kingdom: ACM Digital Library, 2017, p. 1-6. ISBN 978-1-4503-4844-7. Available from: https://dx.doi.org/10.1145/3102304.3102331.
Basic information
Original name Malicious SSL Certificate Detection: A Step Towards Advanced Persistent Threat Defence
Authors GHAFIR, Ibrahim (760 Syrian Arab Republic, guarantor, belonging to the institution), Václav PŘENOSIL (203 Czech Republic, belonging to the institution), Mohammad HAMMOUDEH (826 United Kingdom of Great Britain and Northern Ireland), Liangxiu HAN (826 United Kingdom of Great Britain and Northern Ireland) and Raza UMAR (826 United Kingdom of Great Britain and Northern Ireland).
Edition Cambridge, United Kingdom, Proceedings of International Conference on Future Networks and Distributed Systems, p. 1-6, 6 pp. 2017.
Publisher ACM Digital Library
Other information
Original language English
Type of outcome Proceedings paper
Field of Study 10201 Computer sciences, information science, bioinformatics
Country of publisher United States of America
Confidentiality degree is not subject to a state or trade secret
Publication form printed version "print"
RIV identification code RIV/00216224:14330/17:00096897
Organization unit Faculty of Informatics
ISBN 978-1-4503-4844-7
Doi http://dx.doi.org/10.1145/3102304.3102331
UT WoS 000434833900034
Keywords in English Cyber attacks; malware; advanced persistent threat; malicious SSL certificate; intrusion detection system.
Tags International impact, Reviewed
Changed by: RNDr. Pavel Šmerk, Ph.D., učo 3880. Changed: 13/5/2020 19:16.
Abstract
Advanced Persistent Threat (APT) is one of the most serious types of cyber attack: a newer and more complex form of multistep attack. Within the APT life cycle, continuous communication between infected hosts and Command and Control (C&C) servers is maintained to instruct and guide the compromised machines. These communications are usually protected by Secure Sockets Layer (SSL) encryption, making it difficult to identify whether traffic directed to a given site is malicious. This paper presents a Malicious SSL certificate Detection (MSSLD) module, which aims to detect APT C&C communications based on a blacklist of malicious SSL certificates. This blacklist consists of two forms of SSL certificate identifiers associated with malware and malicious activities: SHA1 fingerprints, and serial number and subject pairs. In this detection module, the network traffic is processed and all secure connections are filtered out. The SSL certificate of each secure connection is then matched against the SSL certificate blacklist. The module was experimentally evaluated, and the results show successful detection of malicious SSL certificates.