Publication | Closed Access
SSL Malicious Traffic Detection Based On Multi-view Features
Citations: 26
References: 13
Year: 2019
Venue: Unknown
Internet Traffic Analysis, Engineering, Machine Learning, Encrypted Traffic, Information Security, Information Forensics, Data Science, Decision Tree, Pattern Recognition, Adversarial Machine Learning, SSL Traffic, Threat Detection, Computer Science, Deep Learning, Data Security, Cryptography, Attack Model, Multi-view Features, Random Forest
In recent years, as more and more software uses the SSL encryption protocol to improve the security and integrity of communications, the volume of encrypted traffic has grown, which brings new challenges to cyber attack detection. Since most SSL traffic is unreadable ciphertext, traditional pattern recognition and deep packet inspection are not applicable. In addition, current machine learning methods are not fully applicable to encrypted traffic detection. The detection of encrypted malicious traffic is still an open problem. In this paper, we propose an SSL malicious traffic detection method based on multi-view features. Our method comprehensively extracts features from multiple views, including flow statistics, SSL handshake fields, and certificates, to retain key original information. We test four machine learning models, i.e., SVM, Decision Tree, Random Forest, and XGBoost, on the CTU Malware dataset. The results show that XGBoost performs best, reaching an accuracy of 97.71%, which is better than other studies on the CTU dataset.