International Journal of Computing and Digital Systems, ISSN 2210-142X, Int. J. Com. Dig. Sys. 10, No. 1 (Jan-2021). http://journals.uob.edu.bh

A Comparative Review of Malware Analysis and Detection in HTTPs Traffic

Abhay Pratap Singh (1) and Mahendra Singh (2)
(1, 2) Department of Computer Science, Gurukula Kangri Vishwavidyalaya, Haridwar, India
E-mail: rs.abhaypratapsingh@gkv.ac.in, msa@gkv.ac.in

Received 3 Apr. 2020, Revised 30 Jul. 2020, Accepted 13 Nov. 2020, Published 1 Jul. 2021

Abstract: HTTPS is the Hypertext Transfer Protocol carried over TLS (or, historically, SSL). The role of SSL/TLS in HTTPS is to encrypt the HTTP payload and to authenticate the server; without it, the exchange can be read by anyone who can observe the packets between sender and receiver. As a growing share of web traffic moves to encryption, concealing an attack inside encrypted communication will grow in both prevalence and sophistication. Malware is one of the major digital security risks today, and a common goal of malware is to exfiltrate information from a network and misuse it. The share of malware that uses HTTPS for its communication is rising year by year. This situation is hard for cyber security researchers to handle because the malware traffic is encrypted and, on the wire, looks much like regular traffic. Detecting and analyzing malware in HTTPS traffic is challenging because the application data is encrypted between client and server. This paper analytically reviews the concepts and techniques for malware analysis and detection in HTTPS traffic and compares the state of the art. The review finds that most techniques use statistical features of the network traffic together with machine-learning methods to detect and classify malware in encrypted traffic.

Keywords: Malware, Botnet, Encryption, Network Security, SSL/TLS

1. INTRODUCTION

HTTPS (Hypertext Transfer Protocol Secure) is one of the most widely used protocols in computer networking and provides secure communication between a client and a server. HTTPS is the combination of HTTP with SSL/TLS. According to a Google report [1] from April 2017, the use of HTTPS is on the rise: the report shows that PC users load more than 50% of web pages over HTTPS and spend 66% of their time on HTTPS pages. With this growing use of encrypted traffic across the Internet, malware has also begun to use HTTPS to protect its own communication. The variety of malware that relies on encryption or encoding is increasing, and attackers use a range of techniques to deliver it, such as code obfuscation, drive-by downloads and encryption. Encryption is a double-edged sword: legitimate users rely on it for legitimate reasons, while attackers use it to evade detection and protect their malicious activity.

Protecting a computer system against malware is one of the most important network security tasks for individual users and businesses alike, because even a single cyber-attack can result in data leakage and substantial losses. The scale of the losses and the frequency of attacks point to the need for accurate and timely detection methods. The growing volume of encrypted web traffic, both legitimate and malicious, makes it considerably harder for defenders to recognize and monitor potential threats. Encryption improves security in many ways, but it also gives malicious actors a powerful means of hiding command and control (C2, also written C&C) activity, buying them enough time to operate and inflict damage. Identifying malicious HTTPS traffic is complex precisely because the communication between client and server is encrypted, which gives the attacker an advantage when establishing malware.
Network security tools generally fail to recognize this kind of threat. The common solution for managing and inspecting HTTPS traffic in large organizations is to deploy an HTTPS interception proxy placed between the client and the server. The proxy terminates the client's TLS session, decrypts the traffic, inspects it for malicious content, re-encrypts it and forwards it to the destination IP address, as shown in Figure 1. This requires every client to trust the certificate authority the proxy uses to impersonate the server, and the proxy in turn must validate the real server's certificate; otherwise the interception itself weakens the security it is meant to protect.

DOI: http://dx.doi.org/10.12785/ijcds/100111
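The interception proxy described above is one way to see inside HTTPS; the techniques this review finds most common instead work on what is visible without decryption, namely the plaintext handshake and the statistics of the flow. The following Python is an added example, not code from the paper or its authors: it parses a TLS ClientHello record, extracts the handshake fields that travel unencrypted (SNI, offered cipher suites, supported versions, extension list) and turns them into the kind of simple features a statistical or machine-learning detector consumes. The ClientHello is built inline from constructed values rather than taken from a capture; the builder, the feature names and the small set of suites treated as "legacy" are assumptions made for this example, while the cipher suite and extension identifiers are the registered IANA values.

```python
"""Parse a TLS ClientHello and extract the handshake metadata that is visible
without decryption. The builder and sample values are constructed for this
example; they are not captured traffic."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# IANA cipher suite IDs a detector might flag as legacy (assumed set for the example).
LEGACY_SUITES = {0x0000, 0x0005, 0x000A}  # NULL-NULL, RSA-RC4-128-SHA, RSA-3DES-EDE-CBC-SHA


@dataclass
class ClientHelloInfo:
    legacy_version: int
    cipher_suites: List[int]
    sni: Optional[str]
    supported_versions: List[int]
    extension_types: List[int]


def build_client_hello(sni: Optional[str], suites: List[int], versions: List[int]) -> bytes:
    """Assemble a minimal ClientHello TLS record (constructed test input)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        sni_list = struct.pack("!BH", 0, len(name)) + name            # host_name entry
        sni_data = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", 0x0000, len(sni_data)) + sni_data  # server_name extension
    vers = b"".join(struct.pack("!H", v) for v in versions)
    sv_data = struct.pack("!B", len(vers)) + vers
    exts += struct.pack("!HH", 0x002B, len(sv_data)) + sv_data        # supported_versions extension
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", 0x0303)            # legacy_version = TLS 1.2
            + bytes(range(32))                   # client random (fixed for the example)
            + b"\x00"                            # empty legacy_session_id
            + struct.pack("!H", len(cs)) + cs    # cipher_suites
            + b"\x01\x00"                        # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def parse_client_hello(data: bytes) -> ClientHelloInfo:
    """Parse the first TLS record of a client-to-server stream as a ClientHello."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < 4 or rec[0] != 0x01:
        raise ValueError("first handshake message is not a ClientHello")
    hs_len = int.from_bytes(rec[1:4], "big")
    body = rec[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                     # skip client random
    pos += 1 + body[pos]                              # skip legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                              # skip compression_methods
    sni, versions, ext_types = None, [], []
    if pos + 2 <= len(body):                          # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            ext_types.append(etype)
            if etype == 0x0000 and len(edata) >= 5:   # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
            elif etype == 0x002B and edata:            # supported_versions: len(1) then 2-byte versions
                versions = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(1, 1 + edata[0], 2)]
    return ClientHelloInfo(legacy_version, suites, sni, versions, ext_types)


def handshake_features(info: ClientHelloInfo) -> dict:
    """Plaintext handshake features of the kind fed to statistical/ML detectors (assumed names)."""
    return {
        "has_sni": info.sni is not None,
        "suite_count": len(info.cipher_suites),
        "legacy_suite_count": sum(s in LEGACY_SUITES for s in info.cipher_suites),
        "offers_tls13": 0x0304 in info.supported_versions,
        "extension_count": len(info.extension_types),
    }


if __name__ == "__main__":
    sample = build_client_hello("example.com", [0x1301, 0x1302, 0xC02F, 0x0005], [0x0304, 0x0303])
    print(handshake_features(parse_client_hello(sample)))
```

The parser deliberately stops at the handshake: everything after the ServerHello in TLS 1.3 is encrypted, so the ClientHello, the certificate exchange (in TLS 1.2) and the packet length and timing sequence are what a passive detector can work from. A missing SNI, a short or unusual cipher list, or legacy suites are weak signals on their own and are typically combined with the flow statistics the review discusses rather than used as rules by themselves.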