Indicators of Malicious SSL Connections

Riccardo Bortolameotti, Andreas Peter, Maarten Hinderik Everts, D. Bolzoni

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

3 Citations (Scopus)


Internet applications use SSL to provide data confidential- ity to communicating entities. The use of encryption in SSL makes it impossible to distinguish between benign and malicious connections as the content cannot be inspected. Therefore, we propose and evaluate a set of indicators for malicious SSL connections, which is based on the unencrypted part of SSL (i.e., the SSL handshake protocol). We provide strong evidence for the strength of our indicators to identify malicious connections by cross-checking on blacklists from professional services. Besides the confirmation of prior research results through our indicators, we also found indications for a potential (not yet blacklisted) botnet on SSL. We consider the analysis of such SSL threats as highly relevant and hope that our findings stimulate the research community to further study this direction.
Original languageUndefined
Title of host publication9th International Conference on Network and System Security, NSS 2015
Place of PublicationNew York
Number of pages14
ISBN (Print)978-3-319-25645-0
Publication statusPublished - Nov 2015
Event9th International Conference on Network and System Security, NSS 2015 - New York, United States
Duration: 3 Nov 20155 Nov 2015
Conference number: 9

Publication series

NameLecture Notes in Computer Science
PublisherSpringer Verlag


Conference9th International Conference on Network and System Security, NSS 2015
Abbreviated titleNSS
Country/TerritoryUnited States
CityNew York


  • SCS-Cybersecurity
  • IR-98163
  • METIS-315016
  • EWI-26432

Cite this