TY - GEN
T1 - Propagating Threat Scores with a TLS Ecosystem Graph Model Derived by Active Measurements
AU - Sosnowski, Markus
AU - Sattler, Patrick
AU - Zirngibl, Johannes
AU - Betzer, Tim
AU - Carle, Georg
N1 - Publisher Copyright:
© 2024 IFIP.
PY - 2024
Y1 - 2024
N2 - The Internet is shaped by independent actors and heterogeneous deployments. With the wide adoption of Transport Layer Security (TLS), a whole ecosystem of intertwined entities has emerged. Acquiring a comprehensive view of it allows searching for previously unknown malicious entities and provides valuable cyber-threat intelligence. Actively collected Internet-wide Domain Name System (DNS) and TLS metadata can provide the basis for such large-scale analyses. However, navigating these vast volumes of data efficiently requires an effective methodology. This work proposes a graph model of the TLS ecosystem that uses the relationships between servers, domains, and certificates. A Probabilistic Threat Propagation (PTP) algorithm is then used to propagate a threat score from existing blocklists to related nodes. We conducted a one-year-long measurement study of 13 monthly active Internet-wide DNS and TLS measurements to evaluate the methodology. The latest measurement found four highly suspicious clusters among the nodes with high threat scores. External threat intelligence services were used to confirm a high rate of maliciousness among the remaining newly found servers. With the help of optimized thresholds, we identified 557 domains and 11 IP addresses throughout the last year before they were known to be malicious. Up to 40% of the identified nodes appeared on the input blocklist on average three months later. This work proposes a versatile graph model to analyze the TLS ecosystem and a PTP analysis to help security researchers focus on suspicious subsets of the Internet when searching for unknown threats.
AB - The Internet is shaped by independent actors and heterogeneous deployments. With the wide adoption of Transport Layer Security (TLS), a whole ecosystem of intertwined entities has emerged. Acquiring a comprehensive view of it allows searching for previously unknown malicious entities and provides valuable cyber-threat intelligence. Actively collected Internet-wide Domain Name System (DNS) and TLS metadata can provide the basis for such large-scale analyses. However, navigating these vast volumes of data efficiently requires an effective methodology. This work proposes a graph model of the TLS ecosystem that uses the relationships between servers, domains, and certificates. A Probabilistic Threat Propagation (PTP) algorithm is then used to propagate a threat score from existing blocklists to related nodes. We conducted a one-year-long measurement study of 13 monthly active Internet-wide DNS and TLS measurements to evaluate the methodology. The latest measurement found four highly suspicious clusters among the nodes with high threat scores. External threat intelligence services were used to confirm a high rate of maliciousness among the remaining newly found servers. With the help of optimized thresholds, we identified 557 domains and 11 IP addresses throughout the last year before they were known to be malicious. Up to 40% of the identified nodes appeared on the input blocklist on average three months later. This work proposes a versatile graph model to analyze the TLS ecosystem and a PTP analysis to help security researchers focus on suspicious subsets of the Internet when searching for unknown threats.
KW - Blocklists
KW - DNS
KW - Internet-wide Measurements
KW - Labeled Property Graph
KW - Probabilistic Threat Propagation
KW - TLS
UR - http://www.scopus.com/inward/record.url?scp=85197876059&partnerID=8YFLogxK
U2 - 10.23919/TMA62044.2024.10559063
DO - 10.23919/TMA62044.2024.10559063
M3 - Conference contribution
AN - SCOPUS:85197876059
T3 - TMA 2024 - Proceedings of the 8th Network Traffic Measurement and Analysis Conference
BT - TMA 2024 - Proceedings of the 8th Network Traffic Measurement and Analysis Conference
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 8th Network Traffic Measurement and Analysis Conference, TMA 2024
Y2 - 21 May 2024 through 24 May 2024
ER -
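Added illustration of the graph model and the threat-score propagation described in the abstract. This is editor-written example code, not the authors' implementation: the DNS answers, served certificates, SAN lists and blocklist are constructed toy data, and the update rule (a damped mean-of-neighbours propagation with blocklisted nodes pinned at 1.0) is a simplified stand-in for the paper's PTP algorithm, chosen so that the fixed point can be checked by hand. Node names, the `damping` parameter and the threshold value are assumptions for the example.

```python
"""Toy threat propagation over a TLS ecosystem graph (added example).

Node identifiers: "ip:<addr>", "domain:<name>", "cert:<label>".
Undirected edges: domain -> ip (DNS A record), ip -> cert (certificate
presented in the TLS handshake), cert -> domain (subjectAltName entry).
"""
from collections import defaultdict

# --- Constructed sample measurement data (not real DNS/TLS scans) ---------
DNS_A = {                      # domain -> IPv4 addresses it resolved to
    "login-bank-verify.example": {"203.0.113.10"},
    "secure-update.example":     {"203.0.113.10", "203.0.113.20"},
    "news.example":              {"203.0.113.20"},
    "shop.example":              {"203.0.113.20"},
    "isolated.example":          {"198.51.100.5"},
}
TLS_CERTS = {                  # ip -> certificates presented on port 443
    "203.0.113.10": {"A"},
    "203.0.113.20": {"B"},
    "198.51.100.5": {"D"},
}
CERT_SANS = {                  # certificate -> subjectAltName DNS names
    "A": {"login-bank-verify.example", "secure-update.example"},
    "B": {"news.example", "shop.example"},
    "D": {"isolated.example"},
}
BLOCKLIST = {"domain:login-bank-verify.example"}   # constructed seed list


def build_graph(dns_a, tls_certs, cert_sans):
    """Return adjacency sets of the undirected labeled property graph."""
    adj = defaultdict(set)

    def link(a, b):
        adj[a].add(b)
        adj[b].add(a)

    for domain, ips in dns_a.items():
        for ip in ips:
            link(f"domain:{domain}", f"ip:{ip}")
    for ip, certs in tls_certs.items():
        for cert in certs:
            link(f"ip:{ip}", f"cert:{cert}")
    for cert, sans in cert_sans.items():
        for domain in sans:
            link(f"cert:{cert}", f"domain:{domain}")
    return dict(adj)


def propagate(adj, seeds, damping=0.9, tol=1e-12, max_iter=10_000):
    """Damped mean-of-neighbours propagation (simplified stand-in for PTP).

    Blocklisted seeds keep score 1.0. Every other node is repeatedly set to
    damping * mean(scores of its neighbours), so evidence decays with graph
    distance and a hub with many benign neighbours (shared hosting IP,
    CDN certificate) dilutes it instead of saturating. With damping < 1 the
    update is a sup-norm contraction, so the Jacobi iteration converges.
    """
    scores = {n: (1.0 if n in seeds else 0.0) for n in adj}
    for _ in range(max_iter):
        nxt, delta = {}, 0.0
        for node, nbrs in adj.items():
            if node in seeds:
                nxt[node] = 1.0
                continue
            nxt[node] = damping * sum(scores[n] for n in nbrs) / len(nbrs)
            delta = max(delta, abs(nxt[node] - scores[node]))
        scores = nxt
        if delta < tol:
            break
    return scores


def suspicious(scores, seeds, threshold):
    """Non-blocklisted nodes whose propagated score reaches the threshold."""
    return {n for n, s in scores.items() if n not in seeds and s >= threshold}


if __name__ == "__main__":
    g = build_graph(DNS_A, TLS_CERTS, CERT_SANS)
    s = propagate(g, BLOCKLIST)
    for node, score in sorted(s.items(), key=lambda kv: -kv[1]):
        print(f"{score:.3f}  {node}")
    print("candidates (threshold 0.4):", sorted(suspicious(s, BLOCKLIST, 0.4)))
```

Run as a script it ranks every node. The domain sharing both the IP address and the certificate with the blocklisted name, the IP itself and that certificate score highest; the shared hosting IP they also touch scores lower because its other tenants carry no evidence; the cluster with no path to any blocklisted node stays at zero. Lowering the threshold trades precision for recall, which is the tuning the abstract refers to as optimized thresholds.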