Systems and methods for detecting malicious use of digital certificates
First Claim
1. A computer-implemented method for detecting malicious use of digital certificates, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- deducing, by a deduction module, an effectiveness of a plurality of fields within digital certificates in distinguishing malicious use of invalid certificates from benign use of invalid certificates by using a machine learning algorithm to examine fields of invalid certificates that have been used maliciously and fields of invalid certificates that have been used legitimately;
- weighting, by the deduction module, each of the plurality of fields according to the effectiveness of the fields;
- identifying, by the deduction module and based on the weighting of each of the plurality of fields, at least one field within invalid digital certificates that is more useful than at least one other field in distinguishing malicious use of invalid certificates from benign use of invalid certificates;
- before performing an analysis to determine whether a digital certificate is potentially being used to facilitate malicious communications, determining, by a determination module, that the digital certificate is invalid by determining that the digital certificate is not trusted by a certificate authority;
- in response to determining that the digital certificate is invalid, locating, by a location module, within the invalid digital certificate, the field that was identified as being more useful in distinguishing malicious use of invalid certificates from benign use of invalid certificates;
- determining, by an analysis module, based on an analysis of information from the field of the invalid digital certificate, that the invalid digital certificate is potentially being used to facilitate malicious communications;
- performing, by a security module, a security action in response to determining that the invalid digital certificate is potentially being used to facilitate malicious communications.
Abstract
A computer-implemented method for detecting malicious use of digital certificates may include determining that a digital certificate is invalid. The method may further include locating, within the invalid digital certificate, at least one field that was previously identified as being useful in distinguishing malicious use of invalid certificates from benign use of invalid certificates. The method may also include determining, based on analysis of information from the field of the invalid digital certificate, that the invalid digital certificate is potentially being used to facilitate malicious communications. The method may additionally include performing a security action in response to determining that the invalid digital certificate is potentially being used to facilitate malicious communications. Various other methods, systems, and computer-readable media are disclosed.
17 Claims
1. See First Claim above. Dependent claims: 2, 3, 4, 5, 6.
7. A system for detecting malicious use of digital certificates, the system comprising:
- a memory;
- a deduction module, stored in the memory, that:
  - deduces an effectiveness of a plurality of fields within digital certificates in distinguishing malicious use of invalid certificates from benign use of invalid certificates by using a machine learning algorithm to examine fields of invalid certificates that have been used maliciously and fields of invalid certificates that have been used legitimately;
  - weights each of the plurality of fields according to the effectiveness of the fields;
  - identifies, based on the weighting of each of the plurality of fields, at least one field within invalid digital certificates that is more useful than at least one other field in distinguishing malicious use of invalid certificates from benign use of invalid certificates;
- a determination module, stored in the memory, that determines, before an analysis is performed to determine whether a digital certificate is being used to facilitate malicious communications, that the digital certificate is invalid by determining that the digital certificate is not trusted by a certificate authority;
- a location module, stored in the memory, that locates, within the invalid digital certificate in response to the determination that the digital certificate is invalid, the field that was identified as being more useful in distinguishing malicious use of invalid certificates from benign use of invalid certificates;
- an analysis module, stored in the memory, that determines, based on an analysis of information from the field of the invalid digital certificate, that the invalid digital certificate is potentially being used to facilitate malicious communications;
- a security module, stored in the memory, that performs a security action in response to determining that the invalid digital certificate is potentially being used to facilitate malicious communications;
- at least one hardware processor that is configured to execute the deduction module, the determination module, the location module, the analysis module, and the security module.

Dependent claims: 8, 9, 10, 11, 12.
13. A non-transitory computer-readable storage medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- deduce, by a deduction module, an effectiveness of a plurality of fields within digital certificates in distinguishing malicious use of invalid certificates from benign use of invalid certificates by using a machine learning algorithm to examine fields of invalid certificates that have been used maliciously and fields of invalid certificates that have been used legitimately;
- weight, by the deduction module, each of the plurality of fields according to the effectiveness of the fields;
- identify, by the deduction module and based on the weighting of each of the plurality of fields, at least one field within invalid digital certificates that is more useful than at least one other field in distinguishing malicious use of invalid certificates from benign use of invalid certificates;
- before performing an analysis to determine whether a digital certificate is potentially being used to facilitate malicious communications, determine, by a determination module, that the digital certificate is invalid by determining that the digital certificate is not trusted by a certificate authority;
- in response to determining that the digital certificate is invalid, locate, by a location module, within the digital certificate, the field that was identified as being more useful in distinguishing malicious use of invalid certificates from benign use of invalid certificates;
- determine, by an analysis module, based on an analysis of information from the field of the invalid digital certificate, that the invalid digital certificate is potentially being used to facilitate malicious communications;
- perform, by a security module, a security action in response to determining that the invalid digital certificate is potentially being used to facilitate malicious communications.

Dependent claims: 14, 15, 16, 17.
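The pipeline the independent claims describe (deduce field effectiveness from labelled invalid certificates, weight and pick the most useful field, confirm a certificate is untrusted before analysing it, then act) as an added illustration that is not the patent's code. The claims name no particular machine learning algorithm, field names, trust check or security action; here information gain is the assumed effectiveness weight, the fields issuer, validity_days and key_bits are assumed, "not trusted by a certificate authority" is approximated by an issuer allow-list, and the training rows are constructed.

```python
from collections import Counter, defaultdict
from math import log2

# Assumed stand-in for "trusted by a certificate authority": an issuer allow-list.
TRUSTED_ISSUERS = {"Example Root CA", "Example Intermediate CA"}
SECURITY_ACTION = "block_and_alert"  # assumed form of the claimed "security action"

# Constructed, labelled fields of invalid certificates (field names are assumptions).
TRAINING = [
    ({"issuer": "self", "validity_days": 3650, "key_bits": 1024}, "malicious"),
    ({"issuer": "self", "validity_days": 3650, "key_bits": 1024}, "malicious"),
    ({"issuer": "self", "validity_days": 3650, "key_bits": 2048}, "malicious"),
    ({"issuer": "self", "validity_days": 30, "key_bits": 2048}, "benign"),
    ({"issuer": "self", "validity_days": 365, "key_bits": 2048}, "benign"),
    ({"issuer": "Expired Corp CA", "validity_days": 365, "key_bits": 2048}, "benign"),
]

def entropy(labels):
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())

def deduce_field_weights(rows):
    """Deduction step: information gain of each field is its effectiveness weight."""
    base = entropy([y for _, y in rows])
    weights = {}
    for field in rows[0][0]:
        groups = defaultdict(list)
        for x, y in rows:
            groups[x[field]].append(y)
        cond = sum(len(g) / len(rows) * entropy(g) for g in groups.values())
        weights[field] = round(base - cond, 4)
    return weights

def is_invalid(cert):
    """Determination step: invalid here means the issuer is not a trusted CA."""
    return cert["issuer"] not in TRUSTED_ISSUERS

def malicious_rate(rows, field, value):
    """Analysis step: share of training certs with this field value that were malicious."""
    hits = [y for x, y in rows if x[field] == value]
    return sum(y == "malicious" for y in hits) / len(hits) if hits else 0.0  # unseen value: 0.0

def inspect_certificate(cert, rows=TRAINING, threshold=0.5):
    if not is_invalid(cert):
        return "trusted"  # the field analysis only runs once the cert is known to be invalid
    weights = deduce_field_weights(rows)
    field = max(weights, key=weights.get)  # identification: highest-weighted field wins
    rate = malicious_rate(rows, field, cert[field])  # location + analysis of that field
    return SECURITY_ACTION if rate > threshold else "allow_untrusted"
```

On the constructed rows, validity_days gets the full weight (1.0) because it splits the labels perfectly, so a self-signed certificate with a ten-year validity triggers the action while a short-lived one is left alone.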
Specification