Published May 13, 2024 | Version v1
Conference proceeding Open

Fingerprinting the Shadows: Unmasking Malicious Servers with Machine Learning-Powered TLS Analysis

  • 1. ROR icon Foundation for Research and Technology Hellas
  • 2. ROR icon Technical University of Crete
  • 3. ROR icon University of Crete


Over the last few years, the adoption of encryption in network traffic has been constantly increasing. The percentage of encrypted communications worldwide is estimated to exceed 90%. Although network encryption protocols mainly aim to secure and protect users' online activities and communications, they have been exploited by malicious entities that hide their presence in the network. It was estimated that in 2022, more than 85% of the malware used encrypted communication channels.

In this work, we examine state-of-the-art fingerprinting techniques and extend a machine learning pipeline for effective and practical server classification. Specifically, we actively contact servers to initiate communication over the TLS protocol and through exhaustive requests, we extract communication metadata. We investigate which features favor an effective classification, following state-of-the-art approaches. Our extended pipeline can indicate whether a server is malicious or not with 91% precision and 95% recall, while it can specify the botnet family with 99% precision and 99% recall.

This work was supported by the projects GREEN.DAT.AI, SENTINEL and SecOPERA, funded by the European Commission under Grant Agreements No. 101070416, No. 101021659, and No. 101070599,



Fingerprinting the Shadows-Unmasking Malicious Servers with Machine Learning-Powered TLS Analysis.pdf

Additional details


Green.Dat.AI – Energy-efficient AI-ready Data Spaces 101070416
European Commission
SENTINEL – Bridging the security, privacy and data protection gap for smaller enterprises in Europe 101021659
European Commission
SecOPERA – Secure OPen source softwarE and hardwaRe Adaptable framework 101070599
European Commission