Analyzing encrypted traffic behavior using contextual traffic data
US-10805338-B2 · Oct 13, 2020 · US
US11936683B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11936683-B2 |
| Application number | US-202217873544-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 26, 2022 |
| Priority date | Oct 6, 2016 |
| Publication date | Mar 19, 2024 |
| Grant date | Mar 19, 2024 |
Abstract:
In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.
Claims (preview):
What is claimed is:
1. A method, comprising: detecting, at a device in a network, an encrypted traffic flow comprising one or more encrypted packets sent by a client in the network; selecting, at the device, one or more additional packets sent by the client from which to capture contextual traffic data for the encrypted traffic flow; capturing, by the device, the contextual traffic data for the encrypted traffic flow from the one or more additional packets sent by the client; performing, by the device, a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier; and generating, by the device, an alert based on the classification of the encrypted traffic flow, wherein selection of the one or more additional packets sent by the client from which to capture the contextual traffic data is based on the one or more additional packets being: 1) included in a predefined fixed-size set of packets sent sequentially before or after a request packet of the encrypted traffic flow, 2) sent by the client within a predefined timespan of the request packet of the encrypted traffic flow, or 3) associated with a predefined micro-activity performed by the client.
2. The method as in claim 1, wherein the machine learning-based classifier is trained using sample contextual traffic data for encrypted traffic flows that are known to be either benign or malicious.
3. The method as in claim 1, wherein the encrypted traffic flow comprises one or more HTTP Secure (HTTPS) packets.
4. The method as in claim 1, wherein the predefined fixed-size set of packets defines a fixed number of requests issued by the client sequentially before or after a request packet of the encrypted traffic flow.
5. The method as in claim 1, wherein the predefined timespan defines a window within which the request packet of the encrypted traffic flow and at least one other request packet are issued by the client.
6. The method as in claim 1, wherein the predefined micro-activity represents an activity performed by a user of the client.
7. The method as in claim 1, wherein capturing the contextual traffic data for the encrypted traffic flow comprises: extracting, by the device, header information from the one or more additional packets sent by the client; and constructing, by the device, a feature vector for input to the machine learning-based classifier based on the header information that is extracted.
8. The method as in claim 7, wherein the header information is extracted from one or more of: a content-type header field, a user-agent header field, an accept-language header field, a server header field, or a status-code header field.
9. The method as in claim 1, wherein capturing the contextual traffic data for the encrypted traffic flow comprises: analyzing, by the device, the encrypted traffic flow to infer header field values of the encrypted traffic flow using a machine learning-based model.
10. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the one or more network interfaces and configured to execute one or more processes; and a memory configured to store a process that is executable by the processor, the process when executed operable to: detect an encrypted traffic flow comprising one or more encrypted packets sent by a client in the network; select one or more additional packets sent by the client from which to capture contextual traffic data for the encrypted traffic flow; capture the contextual traffic data for the encrypted traffic flow from the one or more additional packets sent by the client; perform a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier; and generate an alert based on the classification of the encrypted traffic flow, wherein selection of the one or more additional packets sent by the client from which to capture the contextual traffic data is based on the one or more additional packets being: 1) included in a predefined fixed-size set of packets sent sequentially before or after a request packet of the encrypted traffic flow, 2) sent by the client within a predefined timespan of the request packet of the encrypted traffic flow, or 3) associated with a predefined micro-activity performed by the client.
11. The apparatus as in claim 10, wherein the machine learning-based classifier is trained using sample contextual traffic data for encrypted traffic flows that are known to be either benign or malicious.
12. The apparatus as in claim 10, wherein the encrypted traffic flow comprises one or more HTTP Secure (HTTPS) packets.
13. The apparatus as in claim 10, wherein the predefined fixed-size set of packets defines a fixed number of requests issued by the client sequentially before or after a request packet of the encrypted traffic flow.
14. The apparatus as in claim 10, wherein the predefined timespan defines a window within which the request packet of the encrypted traffic flow and at least one other request packet are issued by the client.
15. The apparatus as in claim 10, wherein the predefined micro-activity represents an activity performed by a user of the client.
16. The apparatus as in claim 10, wherein the apparatus captures the contextual traffic data for the encrypted traffic flow by: extracting header information from the one or more additional packets sent by the client; and constructing a feature vector for input to the machine learning-based classifier based on the header information that is extracted.
17. The apparatus as in claim 16, wherein the header information is extracted from one or more of: a content-type header field, a user-agent header field, an accept-language header field, a server header field, or a status-code header field.
18. The apparatus as in claim 10, wherein the apparatus captures the contextual traffic data for the encrypted traffic flow by: analyzing the encrypted traffic flow to infer header field values of the encrypted traffic flow using a machine learning-based model.
19. A tangible, non-transitory, computer-readable medium that stores program instructions that cause a device in a network to execute a process comprising: detecting, at the device, an encrypted traffic flow comprising one or more encrypted packets sent by a client in the network; selecting, at the device, one or more additional packets sent by the client from which to capture contextual traffic data for the encrypted traffic flow; capturing, by the device, the contextual traffic data for the encrypted traffic flow from the one or more additional packets sent by the client; performing, by the device, a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier; and generating, by the device, an alert based on the classification of the encrypted traffic flow, wherein selection of the one or more additional packets sent by the client from which to capture the contextual traffic data is based on the one or more additional packets being: 1) included in a predefined fixed-size set of packets sent sequentially before or after a request packet of the encrypted traffic flow, 2) sent by the client within a predefined timespan of the request packet of the encrypted traffic flow, or 3) associated with a predefined micro-activity performed by the client.
20. The tangible, non-transitory, computer-readable medium as in cla
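As an added illustration (not code from the patent or its assignee), the following Python sketches the claim-1 selection of contextual cleartext packets under the three criteria (sequence window, timespan, shared micro-activity) and the claim-7/8 feature vector built from the named header fields. The Packet record, the window and timespan values, the micro-activity tags, the vocabulary and the sample packets are all assumptions constructed here; the trained classifier of claim 2 is not shown.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    ts: float                 # seconds since capture start
    encrypted: bool           # True for the HTTPS flow, False for cleartext HTTP
    headers: dict = field(default_factory=dict)   # only visible on cleartext packets
    activity: str = ""        # micro-activity tag, assumed supplied by an upstream labeller

HEADER_FIELDS = ("content-type", "user-agent", "accept-language", "server", "status-code")

def select_context(packets, idx, window=1, timespan=0.8):
    """Indices of cleartext packets that qualify as context for packets[idx] under any
    claim-1 criterion: within `window` packets before/after in sequence, within
    `timespan` seconds of it, or tagged with the same micro-activity."""
    req = packets[idx]
    chosen = []
    for j, p in enumerate(packets):
        if j == idx or p.encrypted:
            continue
        by_count = abs(j - idx) <= window
        by_time = abs(p.ts - req.ts) <= timespan
        by_activity = bool(req.activity) and p.activity == req.activity
        if by_count or by_time or by_activity:
            chosen.append(j)
    return chosen

def feature_vector(packets, idx, vocab, **kw):
    """Count (field, value) pairs from the context packets' headers (claims 7 and 8)."""
    vec = [0] * len(vocab)
    for j in select_context(packets, idx, **kw):
        for f in HEADER_FIELDS:
            key = (f, packets[j].headers.get(f))
            if key in vocab:           # unknown values are simply not counted
                vec[vocab[key]] += 1
    return vec

# Constructed sample: index 2 is the HTTPS flow under test. Index 0 qualifies only by
# micro-activity, 1 and 3 by sequence window, 4 by timespan, and 5 by none of them.
SAMPLE = [
    Packet(0.0, False, {"user-agent": "Mozilla/5.0", "accept-language": "en-US"}, "page-load"),
    Packet(0.5, False, {"content-type": "text/html", "status-code": "200"}),
    Packet(1.0, True, activity="page-load"),
    Packet(1.5, False, {"user-agent": "Mozilla/5.0", "server": "nginx"}),
    Packet(1.7, False, {"content-type": "application/octet-stream", "status-code": "200"}),
    Packet(9.0, False, {"user-agent": "curl/7.0"}),
]
VOCAB = {("user-agent", "Mozilla/5.0"): 0, ("user-agent", "curl/7.0"): 1,
         ("content-type", "text/html"): 2, ("content-type", "application/octet-stream"): 3,
         ("server", "nginx"): 4, ("status-code", "200"): 5, ("accept-language", "en-US"): 6}
```

For the sample, `select_context(SAMPLE, 2)` yields indices 0, 1, 3 and 4, and the resulting vector counts two Mozilla user-agents and two 200 status codes alongside one of each remaining pair.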
CPC classifications:
- Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002)
- Machine learning
- Additional information in the notification, e.g. enhancement of specific meta-data
- relying on flow classification, e.g. using integrated services [IntServ]
- wherein the data content is protected, e.g. by encrypting or encapsulating the payload