Vol.37, No.1, 2021, pp.105-119, doi:10.32604/csse.2021.015074
TLSmell: Direct Identification on Malicious HTTPs Encryption Traffic with Simple Connection-Specific Indicators
  • Zhengqiu Weng1,2, Timing Chen1,*, Tiantian Zhu1, Hang Dong1, Dan Zhou1, Osama Alfarraj3
1 School of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, 310023, China
2 Department of Information Technology, Wenzhou Polytechnic, Wenzhou, 325035, China
3 Computer Science Department, Community College, King Saud University, Riyadh, 11437, Saudi Arabia
* Corresponding Author: Timing Chen. Email:
Received 05 November 2020; Accepted 13 December 2020; Issue published 05 February 2021
Internet traffic encryption is a very common traffic protection method. Most internet traffic is protected by the encryption protocol called transport layer security (TLS). Although traffic encryption can ensure the security of communication, it also enables malware to hide its information and avoid being detected. At present, most of the malicious traffic detection methods are aimed at the unencrypted ones. There are some problems in the detection of encrypted traffic, such as high false positive rate, difficulty in feature extraction, and insufficient practicability. The accuracy and effectiveness of existing methods need to be improved. In this paper, we present TLSmell, a framework that conducts malicious encrypted HTTPs traffic detection with simple connection-specific indicators by using different classifiers based online training. We perform deep packet analysis of encrypted traffic through data pre-processing to extract effective features, and then the online training algorithm is used for training and prediction. Without decrypting the original traffic, high-precision malicious traffic detection and analysis are realized, which can guarantee user privacy and communication security. At the same time, since there is no need to decrypt the traffic in advance, the efficiency of detecting malicious HTTPs traffic will be greatly improved. Combined with the traditional detection and analysis methods, malicious HTTPs traffic is screened, and suspicious traffic is further analyzed by the expert through the context of suspicious behaviors, thereby improving the overall performance of malicious encrypted traffic detection.
Cyber security; malware detection; TLS; feature engineering
Cite This Article
Z. Weng, T. Chen, T. Zhu, H. Dong, D. Zhou et al., "Tlsmell: direct identification on malicious https encryption traffic with simple connection-specific indicators," Computer Systems Science and Engineering, vol. 37, no.1, pp. 105–119, 2021.
This work is licensed under a Creative Commons Attribution 4.0 International License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.