// Research Paper

Statistical Detection of Encrypted C2 Traffic: The ThreatFade Methodology

Published: March 2025 | Updated: April 2026 | By Tinlance Limited
Abstract

Command-and-control (C2) malware increasingly uses encrypted protocols — QUIC, TLS, HTTPS — to evade signature-based detection. ThreatFade introduces a statistical approach: instead of signature matching, it measures the behavioural fingerprint of encrypted traffic using z-score analysis of inter-packet timing, beacon periodicity, and jitter deviation. Validated against 490,000+ real packets from three production malware families, ThreatFade achieves a z-score of 14.76 for Merlin QUIC C2 with a 0% false-positive rate across all five normal traffic patterns. This paper describes the methodology, validation results, and MITRE ATT&CK mappings.

Key Findings

  - 14.76 z-score: Merlin QUIC C2 detection confidence
  - 490K+ packets: validated across real malware captures
  - 0% false positives: across all 5 normal traffic patterns
  - 3 malware families: Merlin, Cobalt Strike, IcedID validated
  - 1,440 time-series signals: analyzed per detection cycle
  - 7.01 z-score: Cobalt Strike beacon detection

Methodology

Traditional network intrusion detection relies on signature matching — if a packet matches a known bad pattern, flag it. This fails against encrypted C2 traffic because the payload is opaque.

ThreatFade instead analyses the timing behaviour of encrypted connections. Malware beaconing — the periodic check-in of infected hosts to their C2 server — produces statistically distinct inter-packet intervals compared to human-initiated encrypted traffic (HTTPS browsing, video calls, DNS-over-HTTPS).

Statistical Framework

For each connection flow, ThreatFade computes:

  1. Inter-Packet Interval Distribution — mean (μ), standard deviation (σ), and coefficient of variation across a rolling 60-second window
  2. Beacon Jitter Analysis — C2 agents introduce jitter (±N% random delay) to evade detection; ThreatFade's model accounts for known jitter profiles
  3. Z-Score Calculation — distance from the normal traffic population mean in standard deviation units: z = (x − μ) / σ
  4. MITRE ATT&CK Mapping — positive detections are tagged to the relevant technique (T1027 Obfuscated Files/Information, T1571 Non-Standard Port, T1095 Non-Application Layer Protocol)

Connections with z-scores above 3.0 (99.7% confidence) are flagged as anomalous. Scores above 7.0 trigger a high-confidence C2 alert.
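Steps 1 to 4 above as runnable code, added here as an illustration and not ThreatFade's own implementation: it keeps the trailing 60 s of a flow's packet timestamps, scores the coefficient of variation of the inter-packet intervals against a baseline of normal flows, and applies the 3.0 / 7.0 thresholds. The choice of coefficient of variation as the scored feature, the baseline values and the two sample flows are assumptions constructed for this example.

```python
import statistics
from itertools import accumulate

WINDOW_SECONDS = 60.0     # rolling window from the page
ANOMALY_Z = 3.0           # flagged as anomalous (~99.7% confidence)
HIGH_CONFIDENCE_Z = 7.0   # high-confidence C2 alert

# Constructed baseline (assumption): coefficient of variation of inter-packet
# intervals measured on five normal traffic patterns, one value per pattern.
NORMAL_CV_BASELINE = [1.8, 1.6, 1.7, 1.9, 1.5]


def inter_packet_intervals(timestamps, window=WINDOW_SECONDS):
    """Gaps between consecutive packets inside the trailing window."""
    ts = sorted(timestamps)
    if not ts:
        return []
    recent = [t for t in ts if t >= ts[-1] - window]
    return [b - a for a, b in zip(recent, recent[1:])]

def coefficient_of_variation(values):
    """sigma/mu: near 0 for a regular beacon, above 1 for bursty human traffic."""
    return statistics.pstdev(values) / statistics.fmean(values)

def z_score(x, population):
    """Distance of x from the normal-population mean, in standard deviations."""
    mu, sigma = statistics.fmean(population), statistics.pstdev(population)
    return abs(x - mu) / sigma

def score_flow(timestamps, baseline=NORMAL_CV_BASELINE):
    """Score one flow against the baseline and apply the page's thresholds."""
    intervals = inter_packet_intervals(timestamps)
    if len(intervals) < 3:                       # too few packets to judge
        return {"z": 0.0, "verdict": "insufficient-data"}
    z = z_score(coefficient_of_variation(intervals), baseline)
    verdict = ("c2-alert" if z >= HIGH_CONFIDENCE_Z
               else "anomalous" if z >= ANOMALY_Z else "normal")
    return {"z": round(z, 2), "verdict": verdict}


# Constructed flows as absolute timestamps: a 5 s beacon with +/-10 % jitter
# running ~100 s (the 60 s window drops its first half), and two short
# browsing bursts separated by idle time.
BEACON = list(accumulate([5.0, 5.4, 4.7, 5.25, 4.85, 5.1, 4.65, 5.05] * 2
                         + [5.0, 5.3, 4.8, 5.2], initial=0.0))
BROWSING = list(accumulate([0.05, 0.1, 0.05, 12.0, 0.1, 0.05, 0.1, 9.0], initial=0.0))

if __name__ == "__main__":
    print("beacon  ", score_flow(BEACON))     # c2-alert: z well above 7.0
    print("browsing", score_flow(BROWSING))   # normal: z below 3.0
```

Because bounded jitter of ±N% caps the beacon's coefficient of variation at roughly N/100, the z-score stays far above the alert threshold no matter which 60 s slice of the beacon lands in the window.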

Validation Results

| Malware Family      | Protocol  | Packets  | Z-Score | MITRE            | False Positives |
|---------------------|-----------|----------|---------|------------------|-----------------|
| Merlin QUIC         | QUIC/UDP  | 490,000+ | 14.76   | T1027, T1095     | 0%              |
| Cobalt Strike       | HTTPS/TLS | 210,000+ | 7.01    | T1071.001, T1027 | 0%              |
| IcedID              | HTTPS/TLS | 180,000+ | 3.89    | T1071.001        | 0%              |
| Normal HTTP Traffic | HTTPS     | 50,000   | 0.31    | N/A              |                 |
| Normal Video Call   | QUIC/UDP  | 75,000   | 0.44    | N/A              |                 |

* False positive test population: HTTPS browsing, DNS-over-HTTPS, video conferencing, file sync traffic, API polling. All scored below z=1.0.

MITRE ATT&CK Coverage

  - T1027 (Obfuscated Files/Information): Encrypted C2 payload evasion — detected via statistical deviation
  - T1071.001 (Application Layer Protocol: Web): HTTPS-based C2 — detected via beacon interval analysis
  - T1095 (Non-Application Layer Protocol): QUIC-based C2 — primary Merlin detection vector
  - T1571 (Non-Standard Port): Port anomalies correlated with beacon patterns

Access ThreatFade

Deploy this detection capability in your SOC.

ThreatFade is production-validated and integrates with your SIEM via CEF, Splunk HEC, or JSON export. Join the beta programme.
