2024, Vol. 32, pp. 1114-1124
As encryption has become ubiquitous, attackers have started to make their activity stealthier by exploiting the fact that defenders cannot inspect the contents of encrypted traffic. For example, several threat actors, including Lazarus, have been reported to use a technique known as "FakeTLS": the malware's traffic is dressed up to look like Transport Layer Security (TLS) so that Deep Packet Inspection (DPI) neither flags nor blocks it, although the payload is not actually protected by TLS. In this study, taking the FakeTLS method used by Lazarus as our reference, we attempted to determine whether a TLS session is genuine or spoofed without decrypting its contents. We built a dataset of genuine TLS and FakeTLS traffic whose payloads are command output, the kind of data attackers typically collect in the early stages of an intrusion. The FakeTLS payloads were encrypted with algorithms commonly used by threat actors; for some of them we reproduced Lazarus's algorithms exactly. From the encrypted part of each TLS session we extracted features based on Shannon entropy and randomness tests, and we built a classifier, named TLS Lie Detector, using novelty detection methods. In our experiments the classifier detected lies with an F0.5 score of 0.88, an F1 score of 0.78, an F2 score of 0.70, and a Matthews correlation coefficient of 0.74. In particular, the proposed method detected every FakeTLS sample that used a weak encryption algorithm.
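The following is an added illustration of the approach described in the abstract, not the paper's own code or dataset: it parses TLS record framing, computes Shannon entropy plus two randomness statistics (the NIST SP 800-22 monobit test and a byte-histogram chi-square) over the application-data payloads only, and fits a one-class Gaussian-envelope novelty detector on genuine traffic. Everything below is constructed: the command output text, the "weak" FakeTLS scheme (repeating-key XOR, an assumption standing in for the actor-specific algorithms the paper reproduces), and the SHA-256 counter keystream used purely as a reproducible stand-in for a real TLS cipher suite. The feature set, model and threshold are assumptions, not those of the paper.

```python
"""TLS-Lie-Detector-style check: does the 'encrypted' part of a TLS stream look
like ciphertext?  Added illustration; not the paper's code or features."""
import hashlib
import math
import struct
from collections import Counter
from typing import Iterator, List, Sequence, Tuple

APPLICATION_DATA = 0x17


def build_record(payload: bytes, content_type: int = APPLICATION_DATA) -> bytes:
    """Wrap payload in a TLS 1.2-style record header: type, version 0x0303, length."""
    return struct.pack("!BHH", content_type, 0x0303, len(payload)) + payload


def iter_records(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (content_type, payload) for each complete record; stop at a truncated one."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        if off + 5 + length > len(stream):
            break  # truncated tail: ignore it rather than guess at its bytes
        yield ctype, stream[off + 5: off + 5 + length]
        off += 5 + length


def encrypted_part(stream: bytes) -> bytes:
    """Only application-data payloads are inspected; handshake records are skipped."""
    return b"".join(p for t, p in iter_records(stream) if t == APPLICATION_DATA)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniformly random bytes approach the 8.0 ceiling."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def monobit_pvalue(data: bytes) -> float:
    """NIST SP 800-22 frequency (monobit) test; a tiny p-value means biased bits."""
    bits = 8 * len(data)
    ones = sum(bin(b).count("1") for b in data)
    s_obs = abs(2 * ones - bits) / math.sqrt(bits)
    return math.erfc(s_obs / math.sqrt(2))


def byte_chi_square(data: bytes) -> float:
    """Chi-square of the byte histogram against uniform (255 d.o.f., so ~255 is normal)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))


def features(stream: bytes) -> List[float]:
    data = encrypted_part(stream)
    return [shannon_entropy(data), monobit_pvalue(data), byte_chi_square(data)]


class LieDetector:
    """One-class detector (assumed model): fit mean/std of each feature on genuine
    TLS only and flag a stream whose largest |z-score| exceeds the threshold."""

    def __init__(self, threshold: float = 6.0):
        self.threshold, self.mean, self.std = threshold, [], []

    def fit(self, normal_streams: Sequence[bytes]) -> "LieDetector":
        rows = [features(s) for s in normal_streams]
        n = len(rows)
        self.mean = [sum(col) / n for col in zip(*rows)]
        self.std = [max(math.sqrt(sum((x - m) ** 2 for x in col) / (n - 1)), 1e-9)
                    for col, m in zip(zip(*rows), self.mean)]
        return self

    def score(self, stream: bytes) -> float:
        return max(abs(x - m) / s for x, m, s in zip(features(stream), self.mean, self.std))

    def is_fake(self, stream: bytes) -> bool:
        return self.score(stream) > self.threshold


# --- constructed sample data (no captured traffic) -------------------------
def command_output(nbytes: int) -> bytes:
    """Constructed stand-in for recon output (tasklist / ipconfig style lines)."""
    out, i = bytearray(), 0
    while len(out) < nbytes:
        if i % 2 == 0:
            line = f"svchost.exe {1000 + 4 * i:>22} Services {0:>12} {12000 + 37 * i:>10,} K\r\n"
        else:
            line = f"   IPv4 Address. . . . . . . . . . . : 10.{i % 7}.{i % 13}.{(11 * i) % 254 + 1}\r\n"
        out += line.encode("ascii")
        i += 1
    return bytes(out[:nbytes])


def keystream(key: bytes, n: int) -> bytes:
    """SHA-256 counter keystream: a reproducible stand-in for real TLS ciphertext (assumption)."""
    out = bytearray()
    for ctr in range(n // 32 + 1):
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
    return bytes(out[:n])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


FAKE_HELLO = build_record(b"\x01\x00\x00\x02\x03\x03", 0x16)  # constructed handshake-type record


def fake_tls_weak(plaintext: bytes, key: bytes) -> bytes:
    """FakeTLS stand-in: genuine record framing around repeating-key XOR (assumed weak scheme)."""
    ks = (key * (len(plaintext) // len(key) + 1))[:len(plaintext)]
    return FAKE_HELLO + build_record(xor_bytes(plaintext, ks))


def genuine_tls(plaintext: bytes, key: bytes) -> bytes:
    """Genuine-TLS stand-in: keystream ciphertext split into 1024-byte records."""
    ct = xor_bytes(plaintext, keystream(key, len(plaintext)))
    return FAKE_HELLO + b"".join(build_record(ct[i:i + 1024]) for i in range(0, len(ct), 1024))


TRAINING = [genuine_tls(command_output(512 + 85 * i), f"key{i}".encode()) for i in range(24)]
PLAINTEXT = command_output(1500)
WEAK = fake_tls_weak(PLAINTEXT, b"\x3a\xc7\x19\x84")  # 4-byte key, constructed
GOOD = genuine_tls(PLAINTEXT, b"session-key")


def demo() -> Tuple[bool, bool]:
    """(is WEAK flagged, is GOOD flagged) -> expected (True, False)."""
    det = LieDetector().fit(TRAINING)
    return det.is_fake(WEAK), det.is_fake(GOOD)


if __name__ == "__main__":
    det = LieDetector().fit(TRAINING)
    for name, s in (("FakeTLS/XOR", WEAK), ("genuine TLS", GOOD)):
        h, p, chi = features(s)
        print(f"{name:12s} entropy={h:.3f} monobit_p={p:.3f} chi2={chi:8.1f} "
              f"score={det.score(s):6.1f} fake={det.is_fake(s)}")
```

The detector never touches the handshake: a FakeTLS implementation can copy a real ClientHello byte for byte, so the record framing looks legitimate and only the statistics of the "ciphertext" give it away. That is also the limit of the approach, consistent with the abstract's result that detection was complete only for weak algorithms: a FakeTLS payload produced by a sound cipher has the same entropy and randomness-test profile as genuine TLS ciphertext, and this kind of feature cannot separate the two.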