{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,20]],"date-time":"2026-03-20T16:18:57Z","timestamp":1774023537420,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":62,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,9,30]],"date-time":"2024-09-30T00:00:00Z","timestamp":1727654400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Funda\u00e7\u00e3o para a Ci\u00eancia e Tecnologia (FCT)","award":["UIDB\/50021\/2020"],"award-info":[{"award-number":["UIDB\/50021\/2020"]}]},{"name":"Funda\u00e7\u00e3o para a Ci\u00eancia e Tecnologia (FCT)","award":["2021.08532.BD"],"award-info":[{"award-number":["2021.08532.BD"]}]},{"name":"NSERC","award":["RGPIN-2023-03304"],"award-info":[{"award-number":["RGPIN-2023-03304"]}]},{"name":"IAPMEI","award":["C6632206063-00466847(SmartRetail)"],"award-info":[{"award-number":["C6632206063-00466847(SmartRetail)"]}]},{"name":"Recovery and Resilience Mechanism (MRR) of the European Union (EU)","award":["Component 5 of core funding for Technology and Innovation Centres (CTI)"],"award-info":[{"award-number":["Component 5 of core funding for Technology and Innovation Centres (CTI)"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,9,30]]},"DOI":"10.1145\/3678890.3678921","type":"proceedings-article","created":{"date-parts":[[2024,9,29]],"date-time":"2024-09-29T22:23:36Z","timestamp":1727648616000},"page":"181-196","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":11,"title":["Extending C2 Traffic Detection Methodologies: From TLS 1.2 to TLS 1.3-enabled Malware"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0338-2692","authenticated-orcid":false,"given":"Diogo","family":"Barradas","sequence":"first","affiliation":[{"name":"University of Waterloo, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-0094-5565","authenticated-orcid":false,"given":"Carlos","family":"Novo","sequence":"additional","affiliation":[{"name":"INESC TEC, HASLab & DCC FCUP, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7203-2621","authenticated-orcid":false,"given":"Bernardo","family":"Portela","sequence":"additional","affiliation":[{"name":"INESC TEC, HASLab & DCC FCUP, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5251-0577","authenticated-orcid":false,"given":"Sofia","family":"Romeiro","sequence":"additional","affiliation":[{"name":"INESC-ID \/ IST, Universidade de Lisboa, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9938-0653","authenticated-orcid":false,"given":"Nuno","family":"Santos","sequence":"additional","affiliation":[{"name":"INESC-ID \/ IST, Universidade de Lisboa, Portugal"}]}],"member":"320","published-online":{"date-parts":[[2024,9,30]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"abuse.ch. 2023. SSL Blacklist (SSLBL). https:\/\/sslbl.abuse.ch\/"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/3447382"},{"key":"e_1_3_2_1_3_1","unstructured":"John Althouse. 2019. TLS Fingerprinting with JA3 and JA3S. https:\/\/engineering.salesforce.com\/tls-fingerprinting-with-ja3-and-ja3s-247362855967\/"},{"key":"e_1_3_2_1_4_1","unstructured":"Blake Anderson. 2019. TLS Fingerprinting in the Real World. https:\/\/blogs.cisco.com\/security\/tls-fingerprinting-in-the-real-world"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/3292006.3300025"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/2996758.2996768"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/2996758.2996768"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/3097983.3098163"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-017-0306-6"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/357830.357849"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/CCNC49033.2022.9700625"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1023\/A:1010933404324"},{"key":"e_1_3_2_1_13_1","unstructured":"L. Breiman J. Friedman C.J. Stone and R.A. Olshen. 1984. Classification and Regression Trees. Taylor & Francis."},{"key":"e_1_3_2_1_14_1","volume-title":"DNS. In 10th USENIX Workshop on Free and Open Communications on the Internet (FOCI 20)","author":"Bushart Jonas","year":"2020","unstructured":"Jonas Bushart and Christian Rossow. 2020. Padding ain\u2019t enough: Assessing the privacy guarantees of encrypted DNS. In 10th USENIX Workshop on Free and Open Communications on the Internet (FOCI 20)."},{"key":"e_1_3_2_1_15_1","unstructured":"Brian Caswell Jay Beale and Andrew Baker. 2007. Snort intrusion detection and prevention toolkit. Syngress."},{"key":"e_1_3_2_1_16_1","volume-title":"ChatGPT: The Curious Case of Attack Vectors\u2019 Supply Chain Management Improvement. In 2023 IEEE International Conference on Electro Information Technology (eIT). IEEE, 499\u2013504","author":"Chowdhury Minhaz","year":"2023","unstructured":"Minhaz Chowdhury, Nafiz Rifat, Shadman Latif, Mostofa Ahsan, Md\u00a0Saifur Rahman, and Rahul Gomes. 2023. ChatGPT: The Curious Case of Attack Vectors\u2019 Supply Chain Management Improvement. In 2023 IEEE International Conference on Electro Information Technology (eIT). IEEE, 499\u2013504."},{"key":"e_1_3_2_1_17_1","unstructured":"Cisco Systems. 2019. cisco\/joy: A package for capturing and analyzing network flow data and intraflow data for network research forensics and security monitoring.https:\/\/github.com\/cisco\/joy"},{"key":"e_1_3_2_1_18_1","unstructured":"Cloudflare. 2024. 1.1.1.1 \u2014 The free app that makes your Internet faster.https:\/\/one.one.one.one\/family\/"},{"key":"e_1_3_2_1_19_1","unstructured":"curl. 2023. command line tool and library for transferring data with URLs. https:\/\/curl.se\/"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-8348-9283-6_17"},{"key":"e_1_3_2_1_21_1","unstructured":"Brad Duncan. 2024. Malware-Traffic-Analysis.net. https:\/\/malware-traffic-analysis.net"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/3545948.3545973"},{"key":"e_1_3_2_1_23_1","unstructured":"Fraunhofer FKIE. 2023. Meterpreter (malware family) \u2013 malpedia. https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.meterpreter"},{"key":"e_1_3_2_1_24_1","volume-title":"23rd International Conference on Distributed Computing Systems, 2003. Proceedings. IEEE, 340\u2013347","author":"Fu Xinwen","year":"2003","unstructured":"Xinwen Fu, Bryan Graham, Riccardo Bettati, and Wei Zhao. 2003. On effectiveness of link padding for statistical traffic analysis attacks. In 23rd International Conference on Distributed Computing Systems, 2003. Proceedings. IEEE, 340\u2013347."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/3545948.3545983"},{"key":"e_1_3_2_1_26_1","unstructured":"Sean Gallagher. 2021. Nearly half of malware now use TLS to conceal communications. https:\/\/news.sophos.com\/en-us\/2021\/04\/21\/nearly-half-of-malware-now-use-tls-to-conceal-communications\/"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3102304.3102331"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","unstructured":"Alessandro Ghedini and Victor Vasiliev. 2020. TLS Certificate Compression. RFC 8879. https:\/\/doi.org\/10.17487\/RFC8879","DOI":"10.17487\/RFC8879"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1155\/2023"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.3390\/electronics10243180"},{"key":"e_1_3_2_1_31_1","unstructured":"Habdul Hazeez. 2022. What is TLS fingerprinting?https:\/\/fingerprint.com\/blog\/what-is-tls-fingerprinting-transport-layer-security\/"},{"key":"e_1_3_2_1_32_1","unstructured":"Ralph Holz Johanna Amann Abbas Razaghpanah and Narseo Vallina-Rodriguez. 2019. The Era of TLS 1.3: Measuring Deployment and Use with Active and Passive Methods. arXiv:1907.12762http:\/\/arxiv.org\/abs\/1907.12762"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3411740.3411742"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-16-8059-5_13"},{"key":"e_1_3_2_1_35_1","volume-title":"Internet Security Report: Q1","author":"Lab Guard\u2019s\u00a0Threat","year":"2023","unstructured":"WatchGuard\u2019s\u00a0Threat Lab. 2023. Internet Security Report: Q1 2023. https:\/\/www.watchguard.com\/wgrd-resource-center\/security-report-q1-2023"},{"key":"e_1_3_2_1_36_1","volume-title":"Internet Security Report: Q4","author":"Lab Guard\u2019s\u00a0Threat","year":"2023","unstructured":"WatchGuard\u2019s\u00a0Threat Lab. 2024. Internet Security Report: Q4 2023. https:\/\/www.watchguard.com\/wgrd-resource-center\/security-report-q4-2023"},{"key":"e_1_3_2_1_37_1","volume-title":"Samaneh Tajalizadehkhoob, Maciej Korczy\u0144ski, and Wouter Joosen.","author":"Pochat Victor Le","year":"2024","unstructured":"Victor Le Pochat, Tom Van Goethem, Samaneh Tajalizadehkhoob, Maciej Korczy\u0144ski, and Wouter Joosen. 2024. Tranco list with ID 662LX. https:\/\/tranco-list.eu\/list\/662LX"},{"key":"e_1_3_2_1_38_1","unstructured":"Ivan Letteri Giuseppe Della\u00a0Penna Luca Di\u00a0Vita and Maria\u00a0Teresa Grifa. 2020. MTA-KDD\u201919: A Dataset for Malware Traffic Detection.. In Itasec. CEUR Ancona 153\u2013165."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.103000"},{"key":"e_1_3_2_1_40_1","unstructured":"Chronicle Security\u00a0Ireland Limited. 2023. VirusTotal. https:\/\/www.virustotal.com\/"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/3485447.3512217"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2019.8737507"},{"key":"e_1_3_2_1_43_1","unstructured":"Mandiant. 2023. M-Trends reports. https:\/\/www.mandiant.com\/m-trends"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"crossref","unstructured":"Vasilios Mavroudis and Jamie Hayes. 2023. Adaptive Webpage Fingerprinting from TLS Traces. arxiv:2010.10294\u00a0[cs.CR]","DOI":"10.1109\/DSN58367.2023.00049"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICNP.2016.7785325"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/DASC-PICom-CBDCom-CyberSciTech49142.2020.00026"},{"key":"e_1_3_2_1_47_1","unstructured":"Carlos Novo. 2024. CarlosANovo\/extending12to13: Code for \"Extending C2 Traffic Detection Methodologies: From TLS 1.2 to TLS 1.3-enabled Malware\".https:\/\/github.com\/CarlosANovo\/extending12to13"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/3457904"},{"key":"e_1_3_2_1_49_1","unstructured":"Christopher Patton. 2020. Good-bye ESNI hello ECH!http:\/\/blog.cloudflare.com\/encrypted-client-hello\/"},{"key":"e_1_3_2_1_50_1","unstructured":"Paul Prasse Gerrit Gruben Lukas Machlika Tomas Pevny Michal Sofka and Tobias Scheffer. 2017. Malware Detection by HTTPS Traffic Analysis. (2017) 10\u00a0pages."},{"key":"e_1_3_2_1_51_1","volume-title":"cert_provider.rb \u2013 Metasploit framework (source code). https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/6.3.17\/lib\/msf\/core\/cert_provider.rb#L41","unstructured":"Rapid7. 2023. cert_provider.rb \u2013 Metasploit framework (source code). https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/6.3.17\/lib\/msf\/core\/cert_provider.rb#L41"},{"key":"e_1_3_2_1_52_1","unstructured":"Rapid7. 2023. metasploit-payloads. https:\/\/github.com\/rapid7\/metasploit-payloads\/tree\/master\/python\/meterpreter"},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","unstructured":"Eric Rescorla. 2018. The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446. https:\/\/doi.org\/10.17487\/RFC8446","DOI":"10.17487\/RFC8446"},{"key":"e_1_3_2_1_54_1","unstructured":"Eric Rescorla Kazuho Oku Nick Sullivan and Christopher\u00a0A. Wood. 2023. TLS Encrypted Client Hello. Internet-Draft draft-ietf-tls-esni-16. Internet Engineering Task Force. https:\/\/datatracker.ietf.org\/doc\/draft-ietf-tls-esni\/16\/ Work in Progress."},{"key":"e_1_3_2_1_55_1","volume-title":"sklearn.model_selection","unstructured":"scikit-learn developers. 2024. sklearn.model_selection.StratifiedGroupKFold. https:\/\/scikit-learn.org\/stable\/modules\/generated\/sklearn.model_selection.StratifiedGroupKFold.html"},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2017.2692682"},{"key":"e_1_3_2_1_57_1","unstructured":"sitespeed.io. 2023. Browsertime. https:\/\/github.com\/sitespeedio\/browsertime"},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","unstructured":"Brian Trammell and Elisa Boschi. 2008. Bidirectional Flow Export Using IP Flow Information Export (IPFIX). RFC 5103. https:\/\/doi.org\/10.17487\/RFC5103","DOI":"10.17487\/RFC5103"},{"key":"e_1_3_2_1_59_1","unstructured":"Johannes\u00a0B. Ullrich. 2022. Encrypted Client Hello: Anybody Using it Yet?https:\/\/isc.sans.edu\/diary\/Encrypted+Client+Hello%3A+Anybody+Using+it+Yet%3F\/28792"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455812"},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/3545948.3545968"},{"key":"e_1_3_2_1_62_1","unstructured":"Diwen Xue Michalis Kallitsis Amir Houmansadr and Roya Ensafi. [n. d.]. Fingerprinting Obfuscated Proxy Traffic with Encapsulated TLS Handshakes. ([n. d.])."}],"event":{"name":"RAID '24: The 27th International Symposium on Research in Attacks, Intrusions and Defenses","location":"Padua Italy","acronym":"RAID '24"},"container-title":["The 27th International Symposium on Research in Attacks, Intrusions and Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3678890.3678921","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3678890.3678921","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:18:00Z","timestamp":1750295880000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3678890.3678921"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,9,30]]},"references-count":62,"alternative-id":["10.1145\/3678890.3678921","10.1145\/3678890"],"URL":"https:\/\/doi.org\/10.1145\/3678890.3678921","relation":{},"subject":[],"published":{"date-parts":[[2024,9,30]]},"assertion":[{"value":"2024-09-30","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}