@unpublished{PrasseGrubenMachlikaetal.2016,
  author    = {Prasse, Paul and Gruben, Gerrit and Machlika, Lukas and Pevny, Tomas and Sofka, Michal and Scheffer, Tobias},
  title     = {Malware Detection by HTTPS Traffic Analysis},
  url       = {http://nbn-resolving.de/urn:nbn:de:kobv:517-opus4-100942},
  pages     = {10},
  year      = {2016},
  abstract  = {In order to evade detection by network-traffic analysis, a growing proportion of malware uses the encrypted HTTPS protocol. We explore the problem of detecting malware on client computers based on HTTPS traffic analysis. In this setting, malware has to be detected based on the host IP address, ports, timestamp, and data volume information of TCP/IP packets that are sent and received by all the applications on the client. We develop a scalable protocol that allows us to collect network flows of known malicious and benign applications as training data and derive a malware-detection method based on a neural networks and sequence classification. We study the method's ability to detect known and new, unknown malware in a large-scale empirical study.},
  language  = {en}
}
@article{PrasseKnaebelMachlicaetal.2019,
  author    = {Prasse, Paul and Knaebel, Rene and Machlica, Lukas and Pevny, Tomas and Scheffer, Tobias},
  title     = {Joint detection of malicious domains and infected clients},
  series = {Machine learning},
  volume    = {108},
  journal   = {Machine learning},
  number    = {8-9},
  publisher = {Springer},
  address   = {Dordrecht},
  issn      = {0885-6125},
  doi       = {10.1007/s10994-019-05789-z},
  pages     = {1353 -- 1368},
  year      = {2019},
  abstract  = {Detection of malware-infected computers and detection of malicious web domains based on their encrypted HTTPS traffic are challenging problems, because only addresses, timestamps, and data volumes are observable. The detection problems are coupled, because infected clients tend to interact with malicious domains. Traffic data can be collected at a large scale, and antivirus tools can be used to identify infected clients in retrospect. Domains, by contrast, have to be labeled individually after forensic analysis. We explore transfer learning based on sluice networks; this allows the detection models to bootstrap each other. In a large-scale experimental study, we find that the model outperforms known reference models and detects previously unknown malware, previously unknown malware families, and previously unknown malicious domains.},
  language  = {en}
}