Mates: Drift-Adaptive Cobalt Strike Encrypted Traffic Detection Based on Multi-Space Feature Modeling and Fusion

Cobalt Strike (CS) attacks using encrypted HTTPS channels have become the primary type of ransomware and advanced persistent threat attacks. The detection of malicious CS traffic is not only hindered by certificate impersonation and a lack of cryptographic semantics but also severely exacerbated by frequent attack strategy changes, which induce concept drift in traffic features, ultimately leading to a precipitous decline in detection model performance. Existing concept drift adaptation methods in malicious traffic detection typically rely on manually labeled data, which have high annotation costs and response latency. In this paper, multi-space feature modeling and fusion (Mates), an encrypted CS traffic detection framework, is proposed. Mates models features in multiple data spaces and performs feature fusion, thereby enhancing the feature representation of encrypted traffic and representing a new mechanism for adapting to concept drift. In terms of feature representation, we integrate three complementary feature spaces, including TLS handshake semantics, ciphertext payloads, and packet temporal statistics, and utilize handshake plaintext semantics to guide ciphertext feature learning. To address the issue of concept drift, a test-time adaptation mechanism for Mates is proposed based on multi-space prototypes, which dynamically updates the prototypes using high-confidence samples, enabling the model to automatically adapt to distribution shifts without manual labeling. We conduct extensive experiments on real-world datasets encompassing various drift scenarios. The results show that Mates achieves effective adaptation utilizing minimal unlabeled target samples, with an F1 score 3.43% higher than that of the current state-of-the-art adaptive methods.