How to detect Malware in Encrypted Traffic WITHOUT Decryption
This presentation will be about the encryption trend that is currently taking place: stronger encryption is being used, and encryption is being broadly adopted. Furthermore, browsers will report plain-text websites as potentially harmful. On top of that, mechanisms like public key and certificate pinning make it mathematically impossible to decrypt the traffic without breaking the connection. According to the classical approach, security has to be performed by looking inside the data packets. With encrypted traffic this means that the traffic has to be decrypted before the packets can be inspected, which is often done by man-in-the-middle decryption on a next-gen firewall. With the broader adoption of strong encryption and pinning mechanisms, this makes decrypting the traffic difficult, not scalable and in some cases impossible. Furthermore, with stricter privacy legislation being put in place, this kind of inspection is sometimes illegal.
This presentation will touch on a new approach, where contextual flow data and machine learning algorithms are used to detect malware with a significantly high certainty rate and a significantly low (near-zero) False Discovery Rate.
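As an added illustration of the flow-metadata approach described above (this is not code from the presentation), the Python below derives a few contextual features from constructed flow records (signed packet lengths and inter-arrival times, no payload bytes) and labels a flow with a simple nearest-centroid model. The feature set, the sample flows and the classifier are assumptions for demonstration only, not the presenter's method.

```python
import math
from statistics import mean, pstdev

# Constructed sample flows (not real captures). Packet lengths are signed:
# positive = client -> server, negative = server -> client. "gaps" holds the
# inter-arrival time in seconds before each packet. Payload is never inspected.
BENIGN = [  # browsing-like: download-heavy bursts, sub-second gaps
    {"lengths": [517, -1400, -1400, -800, 120, -1400, -1400, -1400, -600, 80],
     "gaps":    [0, 0.02, 0.01, 0.01, 0.30, 0.02, 0.01, 0.01, 0.01, 0.10]},
    {"lengths": [480, -1400, -1400, -1400, -1200, 90, -1400, -1400, -300, 70, -900, -500],
     "gaps":    [0, 0.03, 0.01, 0.01, 0.01, 0.25, 0.02, 0.01, 0.01, 0.40, 0.02, 0.01]},
    {"lengths": [530, -1400, -1000, 110, -1400, -1400, -1400, -1400, -700, 60, -400],
     "gaps":    [0, 0.02, 0.01, 0.20, 0.02, 0.01, 0.01, 0.01, 0.01, 0.35, 0.02]},
]
MALICIOUS = [  # beacon-like: small, client-heavy, long fixed-interval check-ins
    {"lengths": [210, -150, 210, -150, 210, -150, 210, -150],
     "gaps":    [0, 0.05, 60.0, 0.05, 60.0, 0.05, 60.0, 0.05]},
    {"lengths": [190, -140, 190, -140, 190, -140, 190, -140],
     "gaps":    [0, 0.04, 30.0, 0.04, 30.0, 0.04, 30.0, 0.04]},
    {"lengths": [240, -160, 240, -160, 240, -160, 240, -160],
     "gaps":    [0, 0.06, 45.0, 0.06, 45.0, 0.06, 45.0, 0.06]},
]

def flow_features(flow):
    """Metadata-only features: packet count, mean size, upload share, mean gap."""
    lens, gaps = flow["lengths"], flow["gaps"]
    up = sum(l for l in lens if l > 0)
    down = -sum(l for l in lens if l < 0)
    return [len(lens), mean(abs(l) for l in lens), up / (up + down), mean(gaps)]

def train(labelled):
    """Nearest-centroid model: one centroid per label plus a per-feature scale."""
    vecs = [(flow_features(f), lab) for f, lab in labelled]
    scale = [pstdev(v[i] for v, _ in vecs) or 1.0 for i in range(len(vecs[0][0]))]
    centroids = {}
    for lab in {lab for _, lab in vecs}:
        members = [v for v, l in vecs if l == lab]
        centroids[lab] = [mean(m[i] for m in members) for i in range(len(scale))]
    return centroids, scale

def classify(model, flow):
    """Return the label whose centroid is nearest in scaled feature space."""
    centroids, scale = model
    x = [xi / s for xi, s in zip(flow_features(flow), scale)]
    return min(centroids, key=lambda lab: math.dist(x, [c / s for c, s in zip(centroids[lab], scale)]))

MODEL = train([(f, "benign") for f in BENIGN] + [(f, "malicious") for f in MALICIOUS])
```

A real deployment would use far richer flow context (TLS handshake metadata, sequence of packet lengths and times, DNS and HTTP context) and a properly trained model; the point here is only that the features come from flow metadata, not decrypted content.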