Publication Details

Experience Report: Using JA4+ Fingerprints for Malware Detection in Encrypted Traffic

MATOUŠEK, P.; RYŠAVÝ, O.; BURGETOVÁ, I. Experience Report: Using JA4+ Fingerprints for Malware Detection in Encrypted Traffic. In Proceedings of 20th International Conference on Network and Service Management. Prague: 2024. p. 1-5.
Czech title
Používání otisků JA4+ pro detekce škodlivého kódu v šifrovaném provozu
Type
conference paper
Language
English
Authors
Abstract

Detection of malware communications is limited due to encryption. Malware
control, updates, and distribution are encapsulated in TLS tunnels, making it
difficult to distinguish between malicious and benign transmissions. One way
to detect malware communication is to analyze the TLS handshake and obtain
so-called JA4+ fingerprints. This report analyses the effectiveness of JA4+
fingerprints for malware detection, focusing specifically on the JA4, JA4S and
JA4X fingerprints and their accuracy. It examines the process of creating malware
fingerprints, explores the uniqueness of these fingerprints across different
malware families and their ability to distinguish between malicious and benign
applications. By examining the overlap and uniqueness, the study evaluates the
effectiveness of using JA4+ fingerprints to detect malware in encrypted
communications.

Published
2024
Pages
1–5
Proceedings
Proceedings of 20th International Conference on Network and Service Management
Conference
20th International Conference on Network and Service Management, Praha, CZ
Place
Prague
BibTeX
@inproceedings{BUT189464,
  author="Petr {Matoušek} and Ondřej {Ryšavý} and Ivana {Burgetová}",
  title="Experience Report: Using JA4+ Fingerprints for Malware Detection in Encrypted Traffic",
  booktitle="Proceedings of 20th International Conference on Network and Service Management",
  year="2024",
  pages="1--5",
  address="Prague",
  url="https://www.fit.vut.cz/research/publication/13252/"
}