
Two-layer detection framework with a high accuracy and efficiency for a malware family over the TLS protocol

The transport layer security (TLS) protocol is widely adopted by apps as well as malware. With the geometric growth of TLS traffic, accurate and efficient detection of malicious TLS flows is becoming an imperative. However, current studies focus on either detection accuracy or detection efficiency, and few studies take into account both indicators. In this paper, we propose a two-layer detection framework composed of a filtering model (FM) and a malware family classification model (MFCM). In the first layer, a new set of TLS handshake features is presented to train the FM, which is devised to filter out a majority of benign TLS flows. For identifying malware families, both TLS handshake features and statistical features are applied to construct the MFCM in the second layer. Comprehensive experiments are conducted to substantiate the high accuracy and efficiency of the proposed two-layer framework. A total of 96.32% of benign TLS flows can be filtered out by the FM with few malicious TLS flows being discarded provided the threshold of the FM is set to 0.01. Moreover, a multiclassifier is selected to construct the MFCM to provide better performance than a set of binary classifiers under the same feature set. In addition, when the ratio of benign and malicious TLS flows is set to 10:1, the detection efficiency of the two-layer framework is 188% faster than that of the single-layer framework, while the average detection accuracy reaches 99.45%.

Bibliographic Details
Main Authors: Zheng, Rongfeng; Liu, Jiayong; Liu, Liang; Liao, Shan; Li, Kai; Wei, Jihong; Li, Li; Tian, Zhiyi
Format: Online Article Text
Language: English
Published: Public Library of Science, 2020-05-06
Journal: PLoS One (Research Article)
Online Access: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7202608/
https://www.ncbi.nlm.nih.gov/pubmed/32374775
http://dx.doi.org/10.1371/journal.pone.0232696
Record ID: pubmed-7202608
Collection: PubMed (National Center for Biotechnology Information)
Record format: MEDLINE/PubMed
License: © 2020 Zheng et al. This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.