Malicious SSL Certificate Detection: A Step Towards Advanced Persistent Threat Defence

GHAFIR, Ibrahim, Václav PŘENOSIL, Mohammad HAMMOUDEH, Liangxiu HAN and Raza UMAR. Malicious SSL Certificate Detection: A Step Towards Advanced Persistent Threat Defence. In Proceedings of International Conference on Future Networks and Distributed Systems. Cambridge, United Kingdom: ACM Digital Library, 2017, p. 1-6. ISBN 978-1-4503-4844-7. Available from: https://dx.doi.org/10.1145/3102304.3102331.

Basic information

Original name

Malicious SSL Certificate Detection: A Step Towards Advanced Persistent Threat Defence

Authors

GHAFIR, Ibrahim (760 Syrian Arab Republic, guarantor, belonging to the institution), Václav PŘENOSIL (203 Czech Republic, belonging to the institution), Mohammad HAMMOUDEH (826 United Kingdom of Great Britain and Northern Ireland), Liangxiu HAN (826 United Kingdom of Great Britain and Northern Ireland) and Raza UMAR (826 United Kingdom of Great Britain and Northern Ireland)

Edition

Cambridge, United Kingdom, Proceedings of International Conference on Future Networks and Distributed Systems, p. 1-6, 6 pp. 2017

Publisher

ACM Digital Library

---

Other information

Language

English

Type of outcome

Stať ve sborníku

Field of Study

10201 Computer sciences, information science, bioinformatics

Country of publisher

United States of America

Confidentiality degree

není předmětem státního či obchodního tajemství

Publication form

printed version "print"

References:

URL

RIV identification code

RIV/00216224:14330/17:00096897

Organization unit

Faculty of Informatics

ISBN

978-1-4503-4844-7

DOI

http://dx.doi.org/10.1145/3102304.3102331

UT WoS

000434833900034

Keywords in English

Cyber attacks; malware; advanced persistent threat; malicious SSL certificate; intrusion detection system.

Tags

International impact, Reviewed

---

Abstract

V originále

Advanced Persistent Threat (APT) is one of the most serious types of cyber attacks, which is a new and more complex version of multistep attack. Within the APT life cycle, continuous communication between infected hosts and Command and Control (C&C) servers is maintained to instruct and guide the compromised machines. These communications are usually protected by Secure Sockets Layer (SSL) encryption, making it difficult to identify if the traffic directed to sites is malicious. This paper presents a Malicious SSL certificate Detection (MSSLD) module, which aims at detecting the APT C&C communications based on a blacklist of malicious SSL certificates. This blacklist consists of two forms of SSL certificates, the SHA1 fingerprints and the serial & subject, that are associated with malware and malicious activities. In this detection module, the network traffic is processed and all secure connections are filtered. The SSL certificate of each secure connection is then matched with the SSL certificate blacklist. This module was experimentally evaluated and the results show successful detection of malicious SSL certificates.