{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,14]],"date-time":"2026-02-14T11:05:00Z","timestamp":1771067100368,"version":"3.50.1"},"reference-count":56,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2016,9,17]],"date-time":"2016-09-17T00:00:00Z","timestamp":1474070400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100006785","name":"Google","doi-asserted-by":"crossref","id":[{"id":"10.13039\/100006785","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/100006754","name":"Army Research Laboratory","doi-asserted-by":"crossref","award":["W911NF-13-2-0045"],"award-info":[{"award-number":["W911NF-13-2-0045"]}],"id":[{"id":"10.13039\/100006754","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CNS 1250367; DHS BAA 11-02-TTA 03-0107"],"award-info":[{"award-number":["CNS 1250367; DHS BAA 11-02-TTA 03-0107"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2016,9,17]]},"abstract":"<jats:p>Rogue certificates are valid certificates issued by a legitimate certificate authority (CA) that are nonetheless untrustworthy; yet trusted by web browsers and users. With the current public key infrastructure, there exists a window of vulnerability between the time a rogue certificate is issued and when it is detected. Rogue certificates from recent compromises have been trusted for as long as weeks before detection and revocation. Previous proposals to close this window of vulnerability require changes in the infrastructure, Internet protocols, or end user experience. We present a method for detecting rogue certificates from trusted CAs developed from a large and timely collection of certificates. This method automates classification by building machine-learning models with Deep Neural Networks (DNN). Despite the scarcity of rogue instances in the dataset, DNN produced a classification method that is proven both in simulation and in the July 2014 compromise of the India CCA. We report the details of the classification method and illustrate that it is repeatable, such as with datasets obtained from crawling. We describe the classification performance under our current research deployment.<\/jats:p>","DOI":"10.1145\/2975591","type":"journal-article","created":{"date-parts":[[2016,9,19]],"date-time":"2016-09-19T20:11:45Z","timestamp":1474315905000},"page":"1-31","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":33,"title":["Detection of Rogue Certificates from Trusted Certificate Authorities Using Deep Neural Networks"],"prefix":"10.1145","volume":"19","author":[{"given":"Zheng","family":"Dong","sequence":"first","affiliation":[{"name":"Microsoft Corporation, Redmond, WA"}]},{"given":"Kevin","family":"Kane","sequence":"additional","affiliation":[{"name":"Microsoft Research, Redmond, WA"}]},{"given":"L. Jean","family":"Camp","sequence":"additional","affiliation":[{"name":"Indiana University Bloomington, Bloomington, IN"}]}],"member":"320","published-online":{"date-parts":[[2016,9,17]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/2523649.2523665"},{"key":"e_1_2_1_3_1","unstructured":"ANSSI. 2013. Revocation of an IGC\/A branch. http:\/\/www.ssi.gouv.fr\/en\/the-anssi\/events\/revocation-of-an- igc-a-branch-808.html. (Dec 2013).  ANSSI. 2013. Revocation of an IGC\/A branch. http:\/\/www.ssi.gouv.fr\/en\/the-anssi\/events\/revocation-of-an- igc-a-branch-808.html. (Dec 2013)."},{"key":"e_1_2_1_4_1","volume-title":"Recent Advances in Intrusion Detection","author":"Bailey Michael","unstructured":"Michael Bailey , Jon Oberheide , Jon Andersen , Z. Morley Mao , Farnam Jahanian , and Jose Nazario . 2007. Automated classification and analysis of internet malware . In Recent Advances in Intrusion Detection . Springer , 178--197. Michael Bailey, Jon Oberheide, Jon Andersen, Z. Morley Mao, Farnam Jahanian, and Jose Nazario. 2007. Automated classification and analysis of internet malware. In Recent Advances in Intrusion Detection. Springer, 178--197."},{"key":"e_1_2_1_5_1","volume-title":"Sung","author":"Basnet Ram","year":"2008","unstructured":"Ram Basnet , Srinivas Mukkamala , and Andrew H . Sung . 2008 . Detection of phishing attacks: A machine learning approach. In Soft Computing Applications in Industry, Bhanu Prasad (Ed.). Studies in Fuzziness and Soft Computing, Vol. 226 . Springer , Berlin, 373--383. Ram Basnet, Srinivas Mukkamala, and Andrew H. Sung. 2008. Detection of phishing attacks: A machine learning approach. In Soft Computing Applications in Industry, Bhanu Prasad (Ed.). Studies in Fuzziness and Soft Computing, Vol. 226. Springer, Berlin, 373--383."},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/1952982.1952984"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1561\/2200000006"},{"key":"e_1_2_1_8_1","volume-title":"Proc. Neuro-Nimes 91","author":"Bottou L\u00e9on","year":"1991","unstructured":"L\u00e9on Bottou . 1991 . Stochastic gradient learning in neural networks . Proc. Neuro-Nimes 91 , 8 (1991). L\u00e9on Bottou. 1991. Stochastic gradient learning in neural networks. Proc. Neuro-Nimes 91, 8 (1991)."},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1023\/A:1010933404324"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.15"},{"key":"e_1_2_1_11_1","volume-title":"Data Mining and Knowledge Discovery Handbook","author":"Chawla Nitesh V.","unstructured":"Nitesh V. Chawla . 2005. Data mining for imbalanced datasets: An overview . In Data Mining and Knowledge Discovery Handbook . Springer , 853--867. Nitesh V. Chawla. 2005. Data mining for imbalanced datasets: An overview. In Data Mining and Knowledge Discovery Handbook. Springer, 853--867."},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.5555\/1622407.1622416"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1023\/A:1022627411411"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/2664243.2664279"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/2504730.2504755"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.28"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.5555\/1756006.1756025"},{"key":"e_1_2_1_18_1","volume-title":"stuxnet dossier. White Paper","author":"Falliere Nicolas","year":"2011","unstructured":"Nicolas Falliere , Liam O. Murchu , and Eric Chien . 2011. W32. stuxnet dossier. White Paper , Symantec Corp., Security Response ( 2011 ). Nicolas Falliere, Liam O. Murchu, and Eric Chien. 2011. W32. stuxnet dossier. White Paper, Symantec Corp., Security Response (2011)."},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10115-003-0132-7"},{"key":"e_1_2_1_20_1","unstructured":"Dennis Fisher. 2011. DigiNotar Says Its CA Infrastructure Was Compromised. Retrieved from https:\/\/threatpost.com\/diginotar-says-its-ca-infrastructure-was-compromised-083011\/75594\/.  Dennis Fisher. 2011. DigiNotar Says Its CA Infrastructure Was Compromised. Retrieved from https:\/\/threatpost.com\/diginotar-says-its-ca-infrastructure-was-compromised-083011\/75594\/."},{"key":"e_1_2_1_21_1","unstructured":"CA\/Browser Forum. 2015. Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates. Retrieved from https:\/\/cabforum.org\/wp-content\/uploads\/CAB-Forum-BR-1.3.0.pdf.  CA\/Browser Forum. 2015. Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates. Retrieved from https:\/\/cabforum.org\/wp-content\/uploads\/CAB-Forum-BR-1.3.0.pdf."},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1371\/journal.pcbi.1002673"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/1314389.1314391"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/CEC.2002.1007012"},{"key":"e_1_2_1_25_1","volume-title":"Proc. of USENIX Security\u201908","author":"Gu Guofei","year":"2008","unstructured":"Guofei Gu , Roberto Perdisci , Junjie Zhang , Wenke Lee , and others. 2008 . BotMiner: Clustering analysis of network traffic for protocol-and structure-independent botnet detection . In Proc. of USENIX Security\u201908 . USENIX, 139--154. Guofei Gu, Roberto Perdisci, Junjie Zhang, Wenke Lee, and others. 2008. BotMiner: Clustering analysis of network traffic for protocol-and structure-independent botnet detection. In Proc. of USENIX Security\u201908. USENIX, 139--154."},{"key":"e_1_2_1_26_1","unstructured":"Phillip Hallam-Baker. 2011. Comodo SSL Affiliate The Recent RA Compromise. Retrieved from https:\/\/blogs. comodo.com\/uncategorized\/the-recent-ra-compromise\/.  Phillip Hallam-Baker. 2011. Comodo SSL Affiliate The Recent RA Compromise. Retrieved from https:\/\/blogs. comodo.com\/uncategorized\/the-recent-ra-compromise\/."},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046684.2046692"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.13"},{"key":"e_1_2_1_29_1","volume-title":"http:\/\/tools.ietf.org\/html\/rfc5280. (May","author":"Public Key Infrastructure Certificate IETF.","year":"2008","unstructured":"IETF. 2008. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile . http:\/\/tools.ietf.org\/html\/rfc5280. (May 2008 ). IETF. 2008. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. http:\/\/tools.ietf.org\/html\/rfc5280. (May 2008)."},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICNP.2006.320179"},{"key":"e_1_2_1_31_1","volume-title":"Proc. of WEIS\u201912","author":"Kelley Timothy","unstructured":"Timothy Kelley and L. Jean Camp . 2012. Online promiscuity: Prophylactic patching and the spread of computer transmitted infections . In Proc. of WEIS\u201912 . Springer . Timothy Kelley and L. Jean Camp. 2012. Online promiscuity: Prophylactic patching and the spread of computer transmitted infections. In Proc. of WEIS\u201912. Springer."},{"key":"e_1_2_1_32_1","volume-title":"DANE: Taking TLS authentication to the next level using DNSSEC. IETF J. (Oct.","author":"Barnes Richard L.","year":"2011","unstructured":"Richard L. Barnes . 2011 . DANE: Taking TLS authentication to the next level using DNSSEC. IETF J. (Oct. 2011). Richard L. Barnes. 2011. DANE: Taking TLS authentication to the next level using DNSSEC. IETF J. (Oct. 2011)."},{"key":"e_1_2_1_33_1","unstructured":"Jon Larimer and Kenny Root. 2012. Security and Privacy in Android Apps. Retrieved from https:\/\/developers.google.com\/events\/io\/2012\/sessions\/gooio2012\/107\/.  Jon Larimer and Kenny Root. 2012. Security and Privacy in Android Apps. Retrieved from https:\/\/developers.google.com\/events\/io\/2012\/sessions\/gooio2012\/107\/."},{"key":"e_1_2_1_34_1","doi-asserted-by":"crossref","unstructured":"Ben Laurie Adam Langley and Emilia Kasper. 2013. RFC 6962: Certificate transparency. http:\/\/www.rfceditor.org\/info\/rfc6962.  Ben Laurie Adam Langley and Emilia Kasper. 2013. RFC 6962: Certificate transparency. http:\/\/www.rfceditor.org\/info\/rfc6962.","DOI":"10.17487\/rfc6962"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.2307\/2347628"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/1089815.1089821"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/1553374.1553462"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516726"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.5555\/646752.704751"},{"key":"e_1_2_1_40_1","unstructured":"Microsoft. 2013. Microsoft Security Advisory 2798897: Fraudulent Digital Certificates Could Allow Spoofing. Retrieved from https:\/\/technet.microsoft.com\/library\/security\/2798897.  Microsoft. 2013. Microsoft Security Advisory 2798897: Fraudulent Digital Certificates Could Allow Spoofing. Retrieved from https:\/\/technet.microsoft.com\/library\/security\/2798897."},{"key":"e_1_2_1_41_1","unstructured":"Microsoft. 2014a. Manage Trusted Root Certificates. Retrieved from https:\/\/technet.microsoft.com\/en-us\/library\/cc754841.aspx.  Microsoft. 2014a. Manage Trusted Root Certificates. Retrieved from https:\/\/technet.microsoft.com\/en-us\/library\/cc754841.aspx."},{"key":"e_1_2_1_42_1","volume-title":"Microsoft Security Advisory 2982792: Improperly Issued Digital Certificates Could Allow Spoofing. https:\/\/technet.microsoft.com\/en-us\/library\/security\/2982792.aspx. (Jul","year":"2014","unstructured":"Microsoft. 2014b. Microsoft Security Advisory 2982792: Improperly Issued Digital Certificates Could Allow Spoofing. https:\/\/technet.microsoft.com\/en-us\/library\/security\/2982792.aspx. (Jul 2014 ). Microsoft. 2014b. Microsoft Security Advisory 2982792: Improperly Issued Digital Certificates Could Allow Spoofing. https:\/\/technet.microsoft.com\/en-us\/library\/security\/2982792.aspx. (Jul 2014)."},{"key":"e_1_2_1_43_1","volume-title":"Karim El Defrawy, and Gene Tsudik.","author":"Mishari Mishari Al","year":"2009","unstructured":"Mishari Al Mishari , Emiliano De Cristofaro , Karim El Defrawy, and Gene Tsudik. 2009 . Harvesting SSL certificate data to identify web-fraud. arXiv preprint arXiv:0909.3688 (Sep 2009). Mishari Al Mishari, Emiliano De Cristofaro, Karim El Defrawy, and Gene Tsudik. 2009. Harvesting SSL certificate data to identify web-fraud. arXiv preprint arXiv:0909.3688 (Sep 2009)."},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/1299015.1299016"},{"key":"e_1_2_1_45_1","unstructured":"Mozilla. 2015. CA:AddRootToFirefox: Installing Certificates into Firefox. Retrieved from https:\/\/wiki. mozilla.org\/CA:AddRootToFirefox.  Mozilla. 2015. CA:AddRootToFirefox: Installing Certificates into Firefox. Retrieved from https:\/\/wiki. mozilla.org\/CA:AddRootToFirefox."},{"key":"e_1_2_1_46_1","volume-title":"Proc. of SecureComm\u201907","author":"Rosiello Angelo P. E.","unstructured":"Angelo P. E. Rosiello , E. Kirda , C. Kruegel , and F. Ferrandi . 2007. A layout-similarity-based approach for detecting phishing pages . In Proc. of SecureComm\u201907 . Springer, 454--463. Angelo P. E. Rosiello, E. Kirda, C. Kruegel, and F. Ferrandi. 2007. A layout-similarity-based approach for detecting phishing pages. In Proc. of SecureComm\u201907. Springer, 454--463."},{"key":"e_1_2_1_47_1","volume-title":"Proc. of IGARSS\u201996","volume":"3","author":"Schistad Solberg A. H.","unstructured":"A. H. Schistad Solberg and R. Solberg . 1996. A large-scale evaluation of features for automatic detection of oil spills in ERS SAR images . In Proc. of IGARSS\u201996 , Vol. 3 . 1484--1486. A. H. Schistad Solberg and R. Solberg. 1996. A large-scale evaluation of features for automatic detection of oil spills in ERS SAR images. In Proc. of IGARSS\u201996, Vol. 3. 1484--1486."},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.25"},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/1553374.1553498"},{"key":"e_1_2_1_50_1","volume-title":"Proc. of SPIE Aerosense\u201903","author":"Theiler James","unstructured":"James Theiler and D. Michael Cai . 2003. Resampling approach for anomaly detection in multispectral images . In Proc. of SPIE Aerosense\u201903 . International Society for Optics and Photonics, 230--240. James Theiler and D. Michael Cai. 2003. Resampling approach for anomaly detection in multispectral images. In Proc. of SPIE Aerosense\u201903. International Society for Optics and Photonics, 230--240."},{"key":"e_1_2_1_51_1","volume-title":"Models as Make-Believe: Imagination, Fiction and Scientific Representation","author":"Toon Adam","unstructured":"Adam Toon . 2012. Models as Make-Believe: Imagination, Fiction and Scientific Representation . Palgrave Macmillan . Adam Toon. 2012. Models as Make-Believe: Imagination, Fiction and Scientific Representation. Palgrave Macmillan."},{"key":"e_1_2_1_52_1","unstructured":"Tor. 2011. The DigiNotar Debacle and What You Should Do About It. Retrieved from https:\/\/blog.torproject.org\/blog\/diginotar-debacle-and-what-you-should-do-about-it.  Tor. 2011. The DigiNotar Debacle and What You Should Do About It. Retrieved from https:\/\/blog.torproject.org\/blog\/diginotar-debacle-and-what-you-should-do-about-it."},{"key":"e_1_2_1_53_1","volume-title":"Proc. of USENIX Security\u201914","author":"Wang Gang","unstructured":"Gang Wang , Tianyi Wang , Haitao Zheng , and Ben Y. Zhao . 2014. Man vs. machine: Practical adversarial detection of malicious crowdsourcing workers . In Proc. of USENIX Security\u201914 . USENIX, 239--254. Gang Wang, Tianyi Wang, Haitao Zheng, and Ben Y. Zhao. 2014. Man vs. machine: Practical adversarial detection of malicious crowdsourcing workers. In Proc. of USENIX Security\u201914. USENIX, 239--254."},{"key":"e_1_2_1_54_1","volume-title":"Simulation and Similarity: Using Models to Understand the World","author":"Weisberg Michael","unstructured":"Michael Weisberg . 2013. Simulation and Similarity: Using Models to Understand the World . Oxford University Press . Michael Weisberg. 2013. Simulation and Similarity: Using Models to Understand the World. Oxford University Press."},{"key":"e_1_2_1_55_1","volume-title":"Proc. of USENIX\u201908","volume":"200","author":"Wendlandt Dan","year":"2008","unstructured":"Dan Wendlandt , David G. Andersen , and Adrian Perrig . 2008 . Perspectives: Improving SSH-style host authentication with multi-path probing . In Proc. of USENIX\u201908 , Vol. 200 . USENIX, 321--334. Dan Wendlandt, David G. Andersen, and Adrian Perrig. 2008. Perspectives: Improving SSH-style host authentication with multi-path probing. In Proc. of USENIX\u201908, Vol. 200. USENIX, 321--334."},{"key":"e_1_2_1_56_1","volume-title":"Proc. of NDSS\u201910","author":"Whittaker Colin","year":"2010","unstructured":"Colin Whittaker , Brian Ryner , and Marria Nazif . 2010 . Large-scale automatic classification of phishing pages . In Proc. of NDSS\u201910 . ISOC. Colin Whittaker, Brian Ryner, and Marria Nazif. 2010. Large-scale automatic classification of phishing pages. In Proc. of NDSS\u201910. ISOC."},{"key":"e_1_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/2019599.2019606"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2975591","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2975591","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T03:50:18Z","timestamp":1750218618000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2975591"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,9,17]]},"references-count":56,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2016,9,17]]}},"alternative-id":["10.1145\/2975591"],"URL":"https:\/\/doi.org\/10.1145\/2975591","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2016,9,17]]},"assertion":[{"value":"2015-02-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2016-07-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2016-09-17","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}