{"id":"https://openalex.org/W4417307732","doi":"https://doi.org/10.2197/ipsjjip.33.1119","title":"An Analysis of TLS Parameter Variation in Malware C2 Communication","display_name":"An Analysis of TLS Parameter Variation in Malware C2 Communication","publication_year":2025,"publication_date":"2025-01-01","ids":{"openalex":"https://openalex.org/W4417307732","doi":"https://doi.org/10.2197/ipsjjip.33.1119"},"language":"en","primary_location":{"id":"doi:10.2197/ipsjjip.33.1119","is_oa":true,"landing_page_url":"https://doi.org/10.2197/ipsjjip.33.1119","pdf_url":"https://www.jstage.jst.go.jp/article/ipsjjip/33/0/33_1119/_pdf","source":{"id":"https://openalex.org/S4210239267","display_name":"Journal of Information Processing","issn_l":"1882-6652","issn":["1882-6652"],"is_oa":true,"is_in_doaj":false,"is_core":true,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Information Processing","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"diamond","oa_url":"https://www.jstage.jst.go.jp/article/ipsjjip/33/0/33_1119/_pdf","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5070129251","display_name":"A. Kanda","orcid":"https://orcid.org/0000-0002-7376-6467"},"institutions":[{"id":"https://openalex.org/I4210138172","display_name":"Institute of Information Security","ror":"https://ror.org/03rmfrm44","country_code":"JP","type":"education","lineage":["https://openalex.org/I4210138172"]},{"id":"https://openalex.org/I4210163160","display_name":"DoCoMo Communications Laboratories Europe GmbH","ror":"https://ror.org/04qae1p49","country_code":"DE","type":"company","lineage":["https://openalex.org/I2251713219","https://openalex.org/I4210143714","https://openalex.org/I4210163160"]}],"countries":["DE","JP"],"is_corresponding":true,"raw_author_name":"Atsushi Kanda","raw_affiliation_strings":["Institute of Information Security","NTT DOCOMO BUSINESS, Inc"],"affiliations":[{"raw_affiliation_string":"Institute of Information Security","institution_ids":["https://openalex.org/I4210138172"]},{"raw_affiliation_string":"NTT DOCOMO BUSINESS, Inc","institution_ids":["https://openalex.org/I4210163160"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5014822597","display_name":"Masaki Hashimoto","orcid":"https://orcid.org/0000-0001-5596-282X"},"institutions":[{"id":"https://openalex.org/I201933988","display_name":"Kagawa University","ror":"https://ror.org/04j7mzp05","country_code":"JP","type":"education","lineage":["https://openalex.org/I201933988"]}],"countries":["JP"],"is_corresponding":false,"raw_author_name":"Masaki Hashimoto","raw_affiliation_strings":["Kagawa University"],"affiliations":[{"raw_affiliation_string":"Kagawa University","institution_ids":["https://openalex.org/I201933988"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5043970801","display_name":"Takao Okubo","orcid":"https://orcid.org/0000-0002-4490-1420"},"institutions":[{"id":"https://openalex.org/I4210138172","display_name":"Institute of Information Security","ror":"https://ror.org/03rmfrm44","country_code":"JP","type":"education","lineage":["https://openalex.org/I4210138172"]}],"countries":["JP"],"is_corresponding":false,"raw_author_name":"Takao Okubo","raw_affiliation_strings":["Institute of Information Security"],"affiliations":[{"raw_affiliation_string":"Institute of Information Security","institution_ids":["https://openalex.org/I4210138172"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5070129251"],"corresponding_institution_ids":["https://openalex.org/I4210138172","https://openalex.org/I4210163160"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.20557983,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"33","issue":"0","first_page":"1119","last_page":"1127"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11598","display_name":"Internet Traffic Analysis and Secure E-voting","score":0.34610000252723694,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11598","display_name":"Internet Traffic Analysis and Secure E-voting","score":0.34610000252723694,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11498","display_name":"Security in Wireless Sensor Networks","score":0.14990000426769257,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11504","display_name":"Advanced Authentication Protocols Security","score":0.1469999998807907,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.8623999953269958},{"id":"https://openalex.org/keywords/transport-layer-security","display_name":"Transport Layer Security","score":0.7077000141143799},{"id":"https://openalex.org/keywords/encryption","display_name":"Encryption","score":0.6398000121116638},{"id":"https://openalex.org/keywords/variation","display_name":"Variation (astronomy)","score":0.5270000100135803},{"id":"https://openalex.org/keywords/security-parameter","display_name":"Security parameter","score":0.44429999589920044},{"id":"https://openalex.org/keywords/protocol","display_name":"Protocol (science)","score":0.4293000102043152},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.37869998812675476},{"id":"https://openalex.org/keywords/mobile-malware","display_name":"Mobile malware","score":0.3716999888420105}],"concepts":[{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.8623999953269958},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8537999987602234},{"id":"https://openalex.org/C148176105","wikidata":"https://www.wikidata.org/wiki/Q206494","display_name":"Transport Layer Security","level":3,"score":0.7077000141143799},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.6398000121116638},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5698999762535095},{"id":"https://openalex.org/C2778334786","wikidata":"https://www.wikidata.org/wiki/Q1586270","display_name":"Variation (astronomy)","level":2,"score":0.5270000100135803},{"id":"https://openalex.org/C2776711565","wikidata":"https://www.wikidata.org/wiki/Q7445058","display_name":"Security parameter","level":3,"score":0.44429999589920044},{"id":"https://openalex.org/C2780385302","wikidata":"https://www.wikidata.org/wiki/Q367158","display_name":"Protocol (science)","level":3,"score":0.4293000102043152},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.4092000126838684},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.37869998812675476},{"id":"https://openalex.org/C2780967490","wikidata":"https://www.wikidata.org/wiki/Q1291200","display_name":"Mobile malware","level":3,"score":0.3716999888420105},{"id":"https://openalex.org/C510870077","wikidata":"https://www.wikidata.org/wiki/Q7444868","display_name":"Secure communication","level":3,"score":0.36899998784065247},{"id":"https://openalex.org/C2779227376","wikidata":"https://www.wikidata.org/wiki/Q6505497","display_name":"Layer (electronics)","level":2,"score":0.3479999899864197},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.33709999918937683},{"id":"https://openalex.org/C190793597","wikidata":"https://www.wikidata.org/wiki/Q189768","display_name":"Application layer","level":3,"score":0.334199994802475},{"id":"https://openalex.org/C12269588","wikidata":"https://www.wikidata.org/wiki/Q132364","display_name":"Communications protocol","level":2,"score":0.3165000081062317},{"id":"https://openalex.org/C33884865","wikidata":"https://www.wikidata.org/wiki/Q1254335","display_name":"Cryptographic protocol","level":3,"score":0.29580000042915344},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.2827000021934509},{"id":"https://openalex.org/C49289754","wikidata":"https://www.wikidata.org/wiki/Q2267081","display_name":"Side channel attack","level":3,"score":0.2800000011920929},{"id":"https://openalex.org/C38369872","wikidata":"https://www.wikidata.org/wiki/Q7445009","display_name":"Security analysis","level":2,"score":0.2727000117301941},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.25279998779296875},{"id":"https://openalex.org/C84525096","wikidata":"https://www.wikidata.org/wiki/Q3506050","display_name":"Cryptovirology","level":3,"score":0.251800000667572}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.2197/ipsjjip.33.1119","is_oa":true,"landing_page_url":"https://doi.org/10.2197/ipsjjip.33.1119","pdf_url":"https://www.jstage.jst.go.jp/article/ipsjjip/33/0/33_1119/_pdf","source":{"id":"https://openalex.org/S4210239267","display_name":"Journal of Information Processing","issn_l":"1882-6652","issn":["1882-6652"],"is_oa":true,"is_in_doaj":false,"is_core":true,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Information Processing","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.2197/ipsjjip.33.1119","is_oa":true,"landing_page_url":"https://doi.org/10.2197/ipsjjip.33.1119","pdf_url":"https://www.jstage.jst.go.jp/article/ipsjjip/33/0/33_1119/_pdf","source":{"id":"https://openalex.org/S4210239267","display_name":"Journal of Information Processing","issn_l":"1882-6652","issn":["1882-6652"],"is_oa":true,"is_in_doaj":false,"is_core":true,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Information Processing","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G8833605281","display_name":"Development of Fine-grained Protection Domain Structure Mechanisms to Support Practical Implementation of Defense in Depth Strategies","funder_award_id":"24K14956","funder_id":"https://openalex.org/F4320334764","funder_display_name":"Japan Society for the Promotion of Science"}],"funders":[{"id":"https://openalex.org/F4320320912","display_name":"Ministry of Education, Culture, Sports, Science and Technology","ror":"https://ror.org/048rj2z13"},{"id":"https://openalex.org/F4320334764","display_name":"Japan Society for the Promotion of Science","ror":"https://ror.org/00hhkn466"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4417307732.pdf","grobid_xml":"https://content.openalex.org/works/W4417307732.grobid-xml"},"referenced_works_count":10,"referenced_works":["https://openalex.org/W2915352631","https://openalex.org/W2947585023","https://openalex.org/W2963065250","https://openalex.org/W3004004161","https://openalex.org/W3017051667","https://openalex.org/W3167814386","https://openalex.org/W3206052242","https://openalex.org/W4391775046","https://openalex.org/W4399582618","https://openalex.org/W4402957849"],"related_works":[],"abstract_inverted_index":{"Transport":[0],"Layer":[1,9],"Security":[2],"(TLS),":[3],"previously":[4],"known":[5],"as":[6],"Secure":[7],"Sockets":[8],"(SSL),":[10],"is":[11,51],"a":[12],"common":[13],"protocol":[14],"for":[15,159,177],"encrypted":[16],"communication.":[17],"Since":[18],"TLS":[19,40,49,52,64,68,102,113,164],"has":[20],"now":[21],"become":[22],"popular":[23],"and":[24,108,126,140,174],"many":[25],"applications":[26],"communicate":[27],"over":[28],"TLS,":[29],"attackers":[30],"have":[31,72,75,97],"started":[32],"to":[33,35,46,156],"choose":[34],"hide":[36],"their":[37],"activities":[38],"inside":[39],"communications.":[41,154],"One":[42],"of":[43,88,92,101,112,121,134,162,171],"the":[44,60,63,82,86,99,105,110,160,169],"countermeasures":[45],"detect":[47],"malicious":[48],"communication":[50,94],"fingerprinting.":[53],"In":[54],"this":[55],"paper,":[56],"we":[57,96,166],"focused":[58],"on":[59,181],"probability":[61],"that":[62,74,143],"parameters":[65],"used":[66],"in":[67,81,150],"client":[69],"fingerprinting":[70],"may":[71],"variations":[73,146],"not":[76],"been":[77],"taken":[78],"into":[79],"account":[80],"previous":[83],"work.":[84],"Through":[85],"analysis":[87],"approximately":[89],"11.5":[90],"years":[91],"malware":[93,136,152],"datasets,":[95],"clarified":[98],"transition":[100],"parameters,":[103],"especially":[104],"changes":[106],"before":[107],"after":[109],"spread":[111],"1.3.":[114],"We":[115,129],"also":[116],"introduce":[117],"two":[118],"new":[119],"concepts":[120],"parameter":[122,145,172],"variation:":[123],"Parameter":[124,127],"Fluctuation":[125],"Drift.":[128],"revealed":[130],"through":[131],"detailed":[132],"investigations":[133],"three":[135],"families,":[137],"Trickbot,":[138],"IcedID,":[139],"Cobalt":[141],"Strike,":[142],"these":[144],"do":[147],"indeed":[148],"occur":[149],"real-world":[151],"C2":[153],"Finally,":[155],"provide":[157],"suggestions":[158],"design":[161],"fluctuation-tolerant":[163],"fingerprints,":[165],"deeply":[167],"discussed":[168],"nature":[170],"fluctuations":[173],"provided":[175],"directions":[176],"future":[178],"work":[179],"based":[180],"preliminary":[182],"experiments.":[183]},"counts_by_year":[],"updated_date":"2026-04-21T08:09:41.155169","created_date":"2025-12-14T00:00:00"}