Classifying Encrypted Traffic with TLS-Aware Telemetry
January 2016 • Presentation
Blake Anderson (Cisco Systems, Inc.), David McGrew (Cisco Systems, Inc.), Alison Kendler (Cisco Systems, Inc.)
In this presentation, the authors propose augmenting the typical 5-tuple with TLS-aware telemetry elements.
Encryption in network traffic is rapidly increasing. This poses major challenges with respect to visibility and threat detection because traditional technologies, such as deep packet inspection, cannot be applied to encrypted traffic. In this presentation, given at FloCon 2016, the authors propose augmenting the typical 5-tuple with TLS-aware telemetry elements. The additional data elements we investigate include the list of offered ciphersuites, the selected ciphersuite, the sequence of the lengths and type codes of TLS records, and the times in milliseconds between TLS records. Leveraging these additional telemetry data elements is vital to gain visibility into encrypted traffic.
To illustrate the importance of these new data elements,the authors examine the problem of classifying malicious, encrypted network traffic. They show that they can accurately discriminate between malicious and benign traffic using machine learning methods that take advantage of the proposed TLS-aware telemetry data elements.
Our analysis is based on data collected over a three-month period. The malicious traffic was collected from a sandboxed environment that analyzed ~10,000 known malicious files per day. The benign traffic was collected from users participating in a pilot program for enhanced telemetry. In addition to the ability to accurately classify encrypted network flows, the collection of TLS-aware telemetry gives insight about how malware made use of TLS. For instance, 38% of the malicious offered ciphersuites were considered insecure, and 7% of the selected ciphersuites were considered insecure.
These numbers were considerably lower for benign traffic, < 1% of offered and chosen ciphersuites. Malware was also much more likely to make use of older TLS versions. In addition to the malware use case, the new data elements give visibility into the type and strength of the cryptography in use, which the authors demonstrate by showing an assessment of TLS usage at an enterprise DMZ network.