Litcius/Paper detail

Extending C2 Traffic Detection Methodologies: From TLS 1.2 to TLS 1.3-enabled Malware

Diogo Barradas, Carlos Novo, Bernardo Portela, Sofia Romeiro, Nuno Santos

202414 citationsDOIOpen Access PDF

Abstract

As the Internet evolves from TLS 1.2 to TLS 1.3, it offers enhanced security against network eavesdropping for online communications. However, this advancement also enables malicious command and control (C2) traffic to more effectively evade malware detectors and intrusion detection systems. Among other capabilities, TLS 1.3 introduces encryption for most handshake messages and conceals the actual TLS record content type, complicating the task for state-of-the-art C2 traffic classifiers that were initially developed for TLS 1.2 traffic. Given the pressing need to accurately detect malicious C2 communications, this paper examines to what extent existing C2 classifiers for TLS 1.2 are less effective when applied to TLS 1.3 traffic, posing a central research question: is it possible to adapt TLS 1.2 detection methodologies for C2 traffic to work with TLS 1.3 flows?

Topics & Concepts

MalwareComputer scienceComputer securityOperating systemEmbedded systemNetwork Security and Intrusion DetectionAdvanced Malware Detection TechniquesInternet Traffic Analysis and Secure E-voting