Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm
ID: 3670841f-7910-51e3-b48c-14b95826a62f
STIX ID: report--3670841f-7910-51e3-b48c-14b95826a62f
Feed Name: Fox-IT blog
This report presents an approach for detecting suspicious TLS certificates in encrypted traffic by applying incremental, unsupervised anomaly detection (Half-Space-Trees). It explains how attackers obtain and misuse TLS certificates (self-signed, free CAs, stolen/fraudulently issued), contrasts malicious and legitimate certificate attributes with examples (including a Ryuk ransomware certificate), and describes model development, validation, and deployment in SOC environments where anomaly scores are combined with other signals (JA3, beaconing, domain analysis) to enable real-time detection.
