Detail publikačního výsledku

Experience Report: Using JA4+ Fingerprints for Malware Detection in Encrypted Traffic

MATOUŠEK, P.; RYŠAVÝ, O.; BURGETOVÁ, I.

Original Title

Experience Report: Using JA4+ Fingerprints for Malware Detection in Encrypted Traffic

English Title

Experience Report: Using JA4+ Fingerprints for Malware Detection in Encrypted Traffic

Type

Paper in proceedings (conference paper)

Original Abstract

Detection of malware communications is limited due to encryption. Malware control, updates, and distribution are encapsulated in TLS tunnels, making it difficult to distinguish between malicious and benign transmissions. One way, how to detect malware communication, is to analyze the TLS handshake and obtain so-called JA4+ fingerprints. This report analyses the effectiveness of JA4+ fingerprints for malware detection, focusing specifically on the JA4, JA4S and JA4X fingerprints and their accuracy. It examines the process of creating malware fingerprints, explores the uniqueness of these fingerprints across  different malware families and their ability to distinguish between malicious and benign applications. By examining the overlap and uniqueness, the study evaluates the effectiveness of using JA4+ fingerprints to detect malware in encrypted communications.

English abstract

Detection of malware communications is limited due to encryption. Malware control, updates, and distribution are encapsulated in TLS tunnels, making it difficult to distinguish between malicious and benign transmissions. One way, how to detect malware communication, is to analyze the TLS handshake and obtain so-called JA4+ fingerprints. This report analyses the effectiveness of JA4+ fingerprints for malware detection, focusing specifically on the JA4, JA4S and JA4X fingerprints and their accuracy. It examines the process of creating malware fingerprints, explores the uniqueness of these fingerprints across  different malware families and their ability to distinguish between malicious and benign applications. By examining the overlap and uniqueness, the study evaluates the effectiveness of using JA4+ fingerprints to detect malware in encrypted communications.

Authors

MATOUŠEK, P.; RYŠAVÝ, O.; BURGETOVÁ, I.

Released

07.10.2024

Location

Prague

Book

Proceedings of 20th International Conference on Network and Service Management

Pages from

1

Pages to

5

Pages count

5

URL

https://www.fit.vut.cz/research/publication/13252/

Full text in the Digital Library

http://hdl.handle.net/

BibTex

@inproceedings{BUT189464,
  author="Petr {Matoušek} and Ondřej {Ryšavý} and Ivana {Burgetová}",
  title="Experience Report: Using JA4+ Fingerprints for Malware Detection in Encrypted Traffic",
  booktitle="Proceedings of 20th International Conference on Network and Service Management",
  year="2024",
  pages="1--5",
  address="Prague",
  url="https://www.fit.vut.cz/research/publication/13252/"
}

Documents

1571045669
Experience_Report_Using_JA4_Fingerprints_for_Malware_Detection_in_Encrypted_Traffic

Responsibility: Ing. Marek Strakoš