Detecting Cyber Malicious Activity Via Analyzing SSL Certificates
Abstract
SSL certificate encryption is a cryptographic technique and an essential element for protecting users' data and privacy exchanged over the internet. Although SSL certificates are used for legitimate applications, cybercriminals take advantage of the protocol's security features while performing their criminal activities against victims. As a result, SSL encryption is an obstacle for security researchers and analysts trying to spot malicious activity by domains in the network. This paper presents a study of the SSL/TLS protocols and the X.509 SSL certificate. It presents a custom bash script dubbed "SSL CHECKER" that was developed to help analyze the SSL certificate metadata of domains visited by a user. The script assists in finding possible anomalies within certificate metadata and alerts security analysts to possible suspicious activity so that the required actions can be taken. It was created to ease the analysis of domains for cyber analysts, and it is effective for environments that do not collect Bro logs (Bro is a Network Intrusion Detection System (NIDS) that monitors network traffic and analyzes the different data flows [1]). The research would also help in identifying hackers' interests and preferences regarding the Certificate Authorities and encryption algorithms they use. Future work will include machine learning algorithms to enhance the detection mechanisms.
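As an added illustration of the kind of certificate-metadata analysis the abstract describes (this is example code written for this page, not the authors' SSL CHECKER script, which is a bash script and is not reproduced here), the Python below applies a handful of anomaly checks to certificate metadata in the dictionary format that the standard library's ssl.SSLSocket.getpeercert() returns, and tallies the issuing Certificate Authorities across the results. The check names, thresholds (for example flagging a validity period under 30 days) and the three sample certificate records are constructed assumptions for the example; the host names are placeholders.

```python
import socket
import ssl
from collections import Counter

# Reference time for the offline run (constructed; a real run would use time.time()).
NOW = ssl.cert_time_to_seconds("Jul  1 00:00:00 2023 GMT")

# Constructed sample records in the shape returned by ssl.SSLSocket.getpeercert():
# (hostname that was visited, certificate dictionary).
SAMPLE_CERTS = [
    ("www.example.com", {
        "subject": ((("commonName", "www.example.com"),),),
        "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
                   (("commonName", "R3"),)),
        "notBefore": "Jun  1 00:00:00 2023 GMT",
        "notAfter": "Aug 30 00:00:00 2023 GMT",
        "subjectAltName": (("DNS", "www.example.com"),),
    }),
    # Self-signed, seven-day certificate with no SAN: subject and issuer are identical.
    ("update-check.invalid", {
        "subject": ((("commonName", "update-check.invalid"),),),
        "issuer": ((("commonName", "update-check.invalid"),),),
        "notBefore": "Jul  1 00:00:00 2023 GMT",
        "notAfter": "Jul  8 00:00:00 2023 GMT",
    }),
    # Valid-looking certificate whose names do not cover the host that was visited.
    ("cdn.example.net", {
        "subject": ((("commonName", "*.example.org"),),),
        "issuer": ((("organizationName", "Example CA Ltd"),), (("commonName", "Example Issuing CA"),)),
        "notBefore": "Jan  1 00:00:00 2023 GMT",
        "notAfter": "Dec 31 00:00:00 2023 GMT",
        "subjectAltName": (("DNS", "*.example.org"),),
    }),
]


def _rdn_to_dict(rdn_sequence):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {key: value for rdn in rdn_sequence for (key, value) in rdn}


def _name_matches(hostname, pattern):
    """Exact match, or a single-label wildcard such as *.example.org."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return hostname == pattern


def analyze_cert(hostname, cert, now=NOW):
    """Return the issuer, validity length in days and a list of anomaly tags."""
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    dns_names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    validity_days = round((not_after - not_before) / 86400, 1)

    findings = []
    if subject == issuer:
        findings.append("self-signed")
    if now < not_before:
        findings.append("not-yet-valid")
    if now > not_after:
        findings.append("expired")
    if validity_days < 30:          # threshold is an assumption for this example
        findings.append("short-validity")
    if not dns_names:
        findings.append("no-san")
    elif not any(_name_matches(hostname, name) for name in dns_names):
        findings.append("hostname-mismatch")
    if not issuer.get("organizationName"):
        findings.append("issuer-missing-org")

    issuer_name = issuer.get("organizationName") or issuer.get("commonName") or "<unknown>"
    return {"issuer": issuer_name, "validity_days": validity_days, "findings": findings}


def run_all(records=SAMPLE_CERTS, now=NOW):
    """Analyze every (hostname, cert) record; keyed by hostname."""
    return {host: analyze_cert(host, cert, now) for host, cert in records}


def issuer_stats(reports):
    """Count how often each issuing CA appears, as the paper does for CA preferences."""
    return Counter(report["issuer"] for report in reports.values())


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Live collection helper (not used in the offline run). With the default
    verifying context, getpeercert() returns the parsed dictionary; with
    CERT_NONE it returns {} and only getpeercert(binary_form=True) has data."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    reports = run_all()
    for host, report in reports.items():
        print(f"{host:22} issuer={report['issuer']!r:20} "
              f"days={report['validity_days']:<6} findings={report['findings']}")
    print("issuers:", dict(issuer_stats(reports)))
```

The checks are deliberately metadata-only, mirroring what an analyst can see without decrypting traffic: whether the certificate is self-signed, its validity window, whether it carries a Subject Alternative Name that covers the visited host, and which CA issued it. Signature and key algorithms are not present in the getpeercert() dictionary; inspecting them requires the DER form (getpeercert(binary_form=True)) and an X.509 parser.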
Authors: Huda Al Dhanhani, Chan Yeob Yeun, Ernesto Damiani
Published in: ICITST-WorldCIS-WCST-WCICSS-2019 Proceedings
- Date of Conference: 9-11 December 2019
- DOI: 10.20533/ICITST.WorldCIS.WCST.WCICSS.2019.0005
- ISBN: 978-1-913572-06-8
- Conference Location: London, UK