Abstract
During the last couple of years there has been an important surge on the use of HTTPs by malware. The reason for this increase is not completely understood yet, but it is hypothesized that it was forced by organizations only allowing web traffic to the Internet. Using HTTPs makes malware behavior similar to normal connections. Therefore, there has been a growing interest in understanding the usage of HTTPs by malware. This paper describes our research to obtain large quantities of real malware traffic using HTTPs, our use of man-in-the-middle HTTPs interceptor proxies to open and study the content, and our analysis of how the behavior of the malware changes after being intercepted. The research goal is to understand how malware uses HTTPs and the impact of intercepting its traffic. We conclude that the use of an interceptor proxy forces the malware to change its behavior and therefore should be carefully considered before being implemented.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
References
O’Neill, M., Ruoti, S., Seamons, K., Zappala, D.: TLS inspection: how often and who cares? IEEE Internet Comput. 21(3), 22–29 (2017). https://doi.org/10.1109/MIC.2017.58
de Carné de Carnavalet, X., Mannan, M.: Killed by Proxy: Analyzing Client-end TLS Interception Software, 21–24 February 2016, San Diego, CA, USA. Copyright 2016 Internet Society, ISBN 1-891562-41-X. https://doi.org/10.14722/ndss.2016.2337
Lokoč, J., Kohout, J., Čech, P., Skopal, T., Pevný, T.: k-NN classification of Malware in HTTPS traffic using the metric space approach. In: Chau, M., Wang, G.Alan, Chen, H. (eds.) PAISI 2016. LNCS, vol. 9650, pp. 131–145. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31863-9_10
Střasák, F.: Detection of HTTPS Malware Traffic. Open Informatics, Computer and Information Science, May 2017. https://dspace.cvut.cz/bitstream/handle/10467/68528/F3-BP-2017-Strasak-Frantisek-strasak_thesis_2017.pdf?sequence=-1
Anderson, B., Paul, S., McGrew, D.: Deciphering Malware’s use of TLS (without Decryption) (2016). http://arxiv.org/abs/1607.01639
Anderson, B.: Hiding in Plain Sight: Malware’s Use of TLS and Encryption, 25 January 2016. http://blogs.cisco.com/security/malwares-use-of-tls-and-encryption
Anderson, B., McGrew, D., Kendler, A.: Cisco Systems, Inc. Classifying Encrypted Traffic with TLS-Aware Telemetry, January 2016. http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=449962
Stratosphere Dataset. https://stratosphereips.org/category/dataset.html
Nomad Project. https://stratosphereips.org/category/Nomad.html
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Erquiaga, M.J., García, S., Garino, C.G. (2018). Observer Effect: How Intercepting HTTPS Traffic Forces Malware to Change Their Behavior. In: De Giusti, A. (eds) Computer Science – CACIC 2017. CACIC 2017. Communications in Computer and Information Science, vol 790. Springer, Cham. https://doi.org/10.1007/978-3-319-75214-3_26
Download citation
DOI: https://doi.org/10.1007/978-3-319-75214-3_26
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-75213-6
Online ISBN: 978-3-319-75214-3
eBook Packages: Computer ScienceComputer Science (R0)