Detection of Rogue Certificates from Trusted Certificate Authorities Using Deep Neural Networks

ACM Transactions on Privacy and Security (TOPS), Vol 19


Rogue certificates are valid certificates issued by a legitimate certificate authority (CA) that are nonetheless untrustworthy, yet are trusted by web browsers and users. With the current public key infrastructure (PKI), there exists a window of vulnerability between the time a rogue certificate is issued and the time it is detected. Rogue certificates from recent compromises have been trusted for as long as weeks before detection and revocation. Previous proposals to close this window of vulnerability require changes in the infrastructure, Internet protocols, or end-user experience. We present a method for detecting rogue certificates from trusted CAs, developed from a large and timely collection of certificates. This method automates classification by building machine learning models with Deep Neural Networks (DNN). Despite the scarcity of rogue instances in the dataset, DNNs produced a classification method that is proven both in simulation and in the July 2014 compromise of the India CCA. We report the details of the classification method and illustrate that it is repeatable, such as with datasets obtained from crawling. We describe the classification performance under our current research deployment.