

February 6, 2023

Unsupervised Detection and Clustering of Malicious TLS Flows

Published in: Security and Communication Networks, vol. 2023, article ID 3676692, published online 2023-01-12. DOI: 10.1155/2023/3676692

Authors:

Gomez, G; Kotzias, P; Dell'Amico, M; Bilge, L; Caballero, J

Affiliations

IMDEA Software Institute, Madrid, Spain
Universidad Politécnica de Madrid, Madrid, Spain
Norton Research Group, Paris, France
Università degli Studi di Genova, Genoa, Italy

Abstract

Malware abuses TLS to encrypt its malicious traffic, preventing examination by content signatures and deep packet inspection. Network detection of malicious TLS flows is important, but it is a challenging problem. Prior works have proposed supervised machine learning detectors using TLS features. However, by trying to represent all malicious traffic, supervised binary detectors produce models that are too loose, thus introducing errors. Furthermore, they do not distinguish flows generated by different malware. On the other hand, supervised multiclass detectors produce tighter models and can classify flows by the malware family but require family labels, which are not available for many samples. To address these limitations, this work proposes a novel unsupervised approach to detect and cluster malicious TLS flows. Our approach takes input network traces from sandboxes. It clusters similar TLS flows using 90 features that capture properties of the TLS client, TLS server, certificate, and encrypted payload and uses the clusters to build an unsupervised detector that can assign a malicious flow to the cluster it belongs to, or determine if it is benign. We evaluate our approach using 972K traces from a commercial sandbox and 35M TLS flows from a research network. Our clustering shows very high precision and recall with an F1 score of 0.993. We compare our unsupervised detector with two state-of-the-art approaches, showing that it outperforms both. The false detection rate of our detector is 0.032% measured over four months of traffic.
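The abstract describes the pipeline only at a high level: cluster sandbox TLS flows on client, server, certificate and payload features, then turn the clusters into a detector that either assigns a new flow to the closest cluster or declares it benign. The following Python sketch is an added illustration of that idea and is not the authors' code; the paper's 90 features, its distance function and its clustering algorithm are not given on this page, so the feature set, the hand-built distance, single-linkage clustering, the threshold of 0.15 and every flow below are assumptions constructed for the example.

```python
"""Toy unsupervised TLS-flow clustering plus nearest-cluster detector.

Added illustration (not the paper's code). Feature choices, distance,
threshold and all flows are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class TlsFlow:
    ciphers: Set[int]          # cipher suites offered in the Client Hello
    extensions: Set[int]       # extension IDs offered in the Client Hello
    has_sni: bool              # whether the client sent server_name
    chosen_cipher: int         # cipher suite selected by the server
    cert_self_signed: bool     # leaf certificate is self-signed
    cert_validity_days: int    # notAfter - notBefore of the leaf cert
    record_sizes: List[int]    # sizes of the first encrypted records


def jaccard_dist(a: Set[int], b: Set[int]) -> float:
    """1 - |a & b| / |a | b|; two empty sets are identical."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


def flow_distance(x: TlsFlow, y: TlsFlow) -> float:
    """Mean of seven per-feature distances, each scaled into [0, 1]."""
    sizes = []
    for i in range(3):  # compare the first three record sizes, 0 if absent
        a = x.record_sizes[i] if i < len(x.record_sizes) else 0
        b = y.record_sizes[i] if i < len(y.record_sizes) else 0
        sizes.append(abs(a - b) / max(a, b, 1))
    parts = [
        jaccard_dist(x.ciphers, y.ciphers),
        jaccard_dist(x.extensions, y.extensions),
        float(x.has_sni != y.has_sni),
        float(x.chosen_cipher != y.chosen_cipher),
        float(x.cert_self_signed != y.cert_self_signed),
        min(1.0, abs(x.cert_validity_days - y.cert_validity_days) / 3650),
        sum(sizes) / len(sizes),
    ]
    return sum(parts) / len(parts)


def cluster_flows(flows: List[TlsFlow], threshold: float) -> List[List[int]]:
    """Single-linkage clustering via union-find: join any pair within threshold."""
    parent = list(range(len(flows)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(flows)):
        for j in range(i + 1, len(flows)):
            if flow_distance(flows[i], flows[j]) <= threshold:
                parent[find(i)] = find(j)
    groups = {}
    for i in range(len(flows)):
        groups.setdefault(find(i), []).append(i)
    return list(groups.values())


class ClusterDetector:
    """Assign a flow to the nearest cluster, or None (benign) if none is close."""

    def __init__(self, flows: List[TlsFlow], threshold: float):
        self.flows = flows
        self.threshold = threshold
        self.clusters = cluster_flows(flows, threshold)

    def classify(self, flow: TlsFlow) -> Optional[int]:
        best = None
        for cid, members in enumerate(self.clusters):
            d = min(flow_distance(flow, self.flows[m]) for m in members)
            if d <= self.threshold and (best is None or d < best[1]):
                best = (cid, d)
        return None if best is None else best[0]


# Constructed sandbox flows: two hypothetical families, three flows each.
OLD = {0x002F, 0x0035, 0x000A}
MODERN = {0x1301, 0x1302, 0xC02B, 0xC02F}
MODERN_EXT = {0, 10, 11, 13, 16, 23, 43, 51}
SANDBOX_FLOWS = [
    TlsFlow(OLD, set(), False, 0x002F, True, 3650, [120, 900, 64]),
    TlsFlow(OLD | {0x0005}, set(), False, 0x002F, True, 3650, [124, 900, 64]),
    TlsFlow({0x002F, 0x0035}, set(), False, 0x002F, True, 3600, [118, 880, 64]),
    TlsFlow(MODERN, MODERN_EXT, True, 0x1301, False, 90, [2000, 2000, 2000]),
    TlsFlow(MODERN, MODERN_EXT, True, 0x1301, False, 90, [2000, 2000, 1990]),
    TlsFlow(MODERN - {0xC02F}, MODERN_EXT, True, 0x1301, False, 90, [2048, 2000, 2000]),
]
THRESHOLD = 0.15  # assumed distance cut-off for "same cluster"

# Constructed test flows: an unseen variant of family A, and a benign browser-like flow.
VARIANT_A = TlsFlow(OLD | {0x0004}, set(), False, 0x002F, True, 3650, [122, 910, 64])
BENIGN = TlsFlow(MODERN | {0x1303, 0xC02C, 0xC030},
                 MODERN_EXT | {5, 18, 21, 27, 35, 45}, True, 0x1302, False, 365,
                 [517, 4096, 300])


def build_detector() -> ClusterDetector:
    return ClusterDetector(SANDBOX_FLOWS, THRESHOLD)


if __name__ == "__main__":
    det = build_detector()
    print("clusters:", det.clusters)
    print("variant A ->", det.classify(VARIANT_A))  # expected cluster 0
    print("benign    ->", det.classify(BENIGN))     # expected None
```

Two design points carry over to a real deployment: the threshold must be calibrated on held-out benign traffic, because that single number is what sets the false detection rate the abstract reports, and the "benign" outcome is really "not close to any known malicious cluster", so new families are missed until sandbox traces for them are clustered.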

Quality index

Bibliometric impact. Analysis of the contribution and dissemination channel

The work has been published in the journal Security and Communication Networks, ranked Q4 by Scopus (SJR). Its focus and specialization in Computer Networks and Communications give it recognition within a specific niche of scientific knowledge at the international level.

Independently of the expected impact implied by the dissemination channel, it is important to highlight the actual impact observed for the contribution itself.

According to the different indexing agencies, the number of citations accumulated by this publication as of 2025-12-21 is:

  • WoS: 4
  • Scopus: 7

Impact and social visibility

From the perspective of influence or social adoption, based on the mention and interaction metrics provided by agencies that compute so-called "alternative" or "social" metrics, the following can be highlighted as of 2025-12-21:

  • Use of this contribution in bookmarks, code forks, additions to reading lists and general views indicates that someone is using the publication as a basis for their current work, which may be an early indicator of future formal academic citations. This is reflected in the "Capture" indicator, which totals 29 (PlumX).

It is essential to present evidence of full alignment with institutional principles and guidelines on Open Science and on the Conservation and Dissemination of Intellectual Heritage. A clear example of this is:

  • The work has been submitted to a journal whose editorial policy allows Open Access publication.

Leadership analysis of institutional authors

This work has been carried out with international collaboration, specifically with researchers from: France; Italy.

There is a significant leadership presence, as some of the institution's authors appear as first or last signer, detailed as follows: First Author (GOMEZ MONTES, GIBRAN ALBERTO).