
Identification of Malicious SSL Networks by Subgraph Anomaly Detection

January 2018 Presentation
Dhia Mahjoub (OpenDNS), Thomas Mathew (OpenDNS)

In this presentation, the authors will discuss current ways malicious operators use SSL to secure their command-and-control and IP infrastructure.

Sophisticated attackers use SSL to secure communications to command-and-control domains or provide their clients with secure hosting infrastructure. The goal of this talk is to describe methods to automatically detect threats from SSL scan data without relying on prior seeds. We present a series of statistical graph techniques that allow us to discover botnet and bulletproof hosting IP space by examining SSL distribution patterns from open source data.