Toward Fingerprinting Encrypted C2 Traffic in the Data Plane

Author(s)

• Ali Mazloum
• Elie Kfoury, University of South CarolinaFollow
• Jorge Crichigno, University of South CarolinaFollow
• Ali AlSabeh

Description

• Transport Layer Security (TLS) is the dominant protocol that enables users to securely interact with the Internet.

• Threat actors are using TLS to bypass traditional cybersecurity defenses like firewalls and intrusion detection systems.

• Modern malware attacks are hiding behind TLS secure channels. • Many malware families that infect users receive malicious instructions from the command and control (C2) server.

• As the communication between malware and the C2 server is encrypted, it can easily bypass modern security appliances that rely on deep packet inspection (DPI).

• In response to this threat, this project aims at utilizing ML to identify encrypted C2 communication.

• The project implements a distributed ML model over two hardware accelerators.

• The system achieves 99.3% detection accuracy with a microsecond-level processing latency.

Publication Info

2026.

© 2026 Ali Mazloum, Elie Kfoury, Jorge Crichigno, &  Ali Alsabeh