Detection of Malware in TLS Traffic

My MSc project for the MSc in Computing (Security and Reliability) at Imperial College London was on the detection of malware in TLS traffic. It was supported by Lastline, a security company based in the US. My supervisors were Sergio Maffeis (Imperial College) and Marco Cova (Lastline).

This repository contains the report and the presentation of the project. Unfortunately the source files of the classifier are not available, but the malware dataset is: link to the malware dataset

Abstract

The use of encryption on the Internet has spread rapidly in recent years, a trend encouraged by growing concerns about online privacy. TLS (Transport Layer Security), the standard protocol for encrypting traffic between a client and a server, is now deployed by every major website to protect users' messages, transactions and credentials. However, cybercriminals have started to incorporate TLS into their activities. A growing number of malware families use TLS encryption to hide their communications and to exfiltrate data to their command-and-control servers, effectively bypassing traditional detection platforms, which rely on inspecting cleartext payloads.

The goal of this project is to design and implement an effective alternative to the impractical approach of decrypting TLS payloads before looking for signs of malware activity. This work presents a highly accurate supervised classifier that detects malicious TLS flows in a company's network traffic without decryption, using only a set of features derived from the TLS handshake, the server certificates and flow metadata, all of which remain observable on the wire. The classifier was trained on curated datasets of benign and malware observations, which were extracted from capture files using a set of tools developed specifically for this purpose.
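To make the kind of handshake and flow features described above concrete, the following Python is an added illustration and not the project's own (unpublished) classifier code. It builds two constructed ClientHello records, one browser-like (SNI, modern ECDHE/GCM suites, several extensions) and one bot-like (no SNI, only legacy suites, no extensions), parses them back, and derives a small feature vector plus a JA3-style fingerprint string; a second helper derives flow-metadata features from constructed (timestamp, direction, size) tuples. The feature names, the weak-suite list, the fingerprint format and the sample inputs are assumptions of this example, not the project's actual feature set, and certificate features are omitted.

```python
"""Added example: ClientHello and flow-metadata feature extraction for a TLS flow classifier."""
import hashlib
import struct

# Legacy cipher suites (RC4, 3DES, static-RSA CBC) that modern browsers no longer offer.
# Assumption of this example, not the project's feature definition.
WEAK_SUITES = {0x0004, 0x0005, 0x000A, 0x002F, 0x0035}


def build_client_hello(sni, cipher_suites, extension_types=()):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input, not captured traffic)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(sni_list)) + sni_list    # extension type 0 = server_name
    for etype in extension_types:
        exts += struct.pack("!HH", etype, 0)                        # empty bodies: enough for the parser
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (struct.pack("!H", 0x0303)                               # client_version TLS 1.2
            + b"\x11" * 32                                          # client random (fixed, constructed)
            + b"\x00"                                               # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                           # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a TLS record carrying a ClientHello; return version, cipher suites, extension types and SNI."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                                   # skip client random
    pos += 1 + body[pos]                                            # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                            # skip compression methods
    extensions, sni = [], None
    if pos + 2 <= len(body):                                        # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            extensions.append(etype)
            if etype == 0 and elen >= 5:                            # server_name: list_len(2) type(1) len(2) name
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii", "replace")
    return {"version": version, "cipher_suites": suites, "extensions": extensions, "sni": sni}


def client_hello_features(record):
    """Turn a ClientHello into classifier features plus a JA3-style (version,ciphers,extensions) fingerprint."""
    ch = parse_client_hello(record)
    fp = "{},{},{}".format(ch["version"],
                           "-".join(map(str, ch["cipher_suites"])),
                           "-".join(map(str, ch["extensions"])))
    return {
        "tls_version": ch["version"],
        "n_cipher_suites": len(ch["cipher_suites"]),
        "n_weak_suites": sum(cs in WEAK_SUITES for cs in ch["cipher_suites"]),
        "has_sni": ch["sni"] is not None,
        "n_extensions": len(ch["extensions"]),
        "fingerprint": fp,
        "fingerprint_md5": hashlib.md5(fp.encode()).hexdigest(),
    }


def flow_features(packets):
    """Flow-metadata features from (timestamp, direction, size) tuples; 'out' = client to server."""
    bytes_out = sum(size for _, direction, size in packets if direction == "out")
    bytes_in = sum(size for _, direction, size in packets if direction == "in")
    return {
        "duration": packets[-1][0] - packets[0][0],
        "n_packets": len(packets),
        "bytes_out": bytes_out,
        "bytes_in": bytes_in,
        "upload_ratio": bytes_out / max(bytes_out + bytes_in, 1),  # high for exfiltration-like flows
    }


if __name__ == "__main__":
    browser = build_client_hello("example.com", [0xC02B, 0xC02F, 0xC030], (10, 11, 13, 23))
    bot = build_client_hello(None, [0x0004, 0x0005, 0x000A, 0x002F])
    for label, rec in (("browser-like", browser), ("bot-like", bot)):
        print(label, client_hello_features(rec))
    # Constructed flow: a short request, a response, then a large upload seconds later.
    print(flow_features([(0.0, "out", 200), (0.05, "in", 1400), (0.1, "out", 60), (5.0, "out", 9000)]))
```

In a real pipeline these dictionaries, computed per flow from a capture file, become the rows of the training set; the supervised classifier then learns which combinations of handshake and flow features separate the malware observations from the benign ones, rather than relying on any single hand-picked rule such as a missing SNI.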