A Survey on TLS-Encrypted Malware Network Traffic Analysis Applicable to Security Operations Centers
Recently, a majority of security operations centers (SOCs) have been facing a critical issue of increased adoption of transport layer security (TLS) encryption on the Internet, in network traffic analysis (NTA). To this end, in this survey article, we present existing research on NTA and related areas, primarily focusing on TLS-encrypted traffic to detect and classify malicious traffic with deployment scenarios for SOCs. Security experts in SOCs and researchers in academia can obtain useful information from our survey, as the main focus of our survey is NTA methods applicable to malware detection and family classification. Especially, we have discussed pros and cons of three main deployment models for encrypted NTA: TLS interception, inspection using cryptographic functions, and passive inspection without decryption. In addition, we have discussed the state-of-the-art methods in TLS-encrypted NTA for each component of a machine learning pipeline, typically used in the state-of-the-art methods.

| Main Authors: | Chaeyeon Oh, Joonseo Ha, Heejun Roh |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | MDPI AG, 2021-12-01 |
| Series: | Applied Sciences |
| Subjects: | network traffic analysis; traffic classification; security operations center; transport layer security; malware |
| Online Access: | https://www.mdpi.com/2076-3417/12/1/155 |

| Record details | |
|---|---|
| Authors and affiliations | Chaeyeon Oh (Department of Cyber Security, Graduate School, Korea University, Sejong 30019, Korea); Joonseo Ha (Cyber Security Major, Division of Applied Mathematical Sciences, Korea University Sejong Campus, Sejong 30019, Korea); Heejun Roh (Department of Cyber Security, Graduate School, Korea University, Sejong 30019, Korea) |
| DOI | 10.3390/app12010155 |
| ISSN | 2076-3417 |
| Volume / issue / article | 12 (1), 155 |
| Collection | Directory of Open Access Journals (DOAJ) |
| DOAJ record id | doaj.art-a24c30eff77e48f89024c62f2c0bbb4b |
| First indexed | 2024-03-10T03:50:29Z |