Malware classification and attribution through server fingerprinting using server certificate data

What is claimed is: 1. A method comprising: receiving first network traffic including an encrypted flow; extracting connection data from the encrypted flow without decrypting the encrypted flow, the connection data including one or more certificates, ciphersuites used, and metrics regarding the encrypted flow; characterizing the encrypted flow as malicious or non-malicious by using the connection data as input to a machine learning classifier; and responsive to characterizing of the encrypted flow as malicious, updating a policy on a first network node to block the encrypted flow. 2. The method of claim 1 , wherein receiving first network traffic including an encrypted flow is performed at the first network node and; characterizing the encrypted flow as malicious by using the connection data as input to a machine learning classifier is performed at a classifying device. 3. The method of claim 1 , wherein the method further comprises: responsive to characterizing of the encrypted flow as malicious, updating a policy on a second network node to block the encrypted flow. 4. The method of claim 1 , wherein the connection data further includes information regarding a sequence of packet lengths and timing data of the encrypted flow. 5. The method of claim 1 , wherein the method further comprises: identifying an application within the encrypted flow by using the connection data as input to a machine learning classifier. 6. The method of claim 5 , wherein the connection data further includes information regarding a sequence of application packet lengths and timing data of the encrypted flow. 7. The method of claim 1 , further including, responsive to classifying the encrypted flow as malicious, sending an alert. 8. A system, comprising: one or more nodes connected in a network, each node with a processor, a memory, and one or more network interfaces, wherein the system is configured to receive a series of instructions, which when executed on one or more processors across the one or more nodes, cause the system to perform actions including: receiving first network traffic including an encrypted flow; extracting connection data from the encrypted flow without decrypting the encrypted flow, the connection data including one or more certificates, ciphersuites used, and metrics regarding the encrypted flow; characterizing the encrypted flow as malicious or non-malicious by using the connection data as input to a machine learning classifier; and responsive to characterizing of the encrypted flow as malicious, updating a policy on a first network node to block the encrypted flow. 9. The system of claim 8 , wherein receiving first network traffic including an encrypted flow is performed at the first network node and characterizing the encrypted flow as malicious by using the connection data as input to a machine learning classifier is performed at a classifying device. 10. The system of claim 8 , the actions further including: responsive to characterizing of the encrypted flow as malicious, updating a policy on a second network node to block the encrypted flow. 11. The system of claim 8 , wherein the connection data further includes information regarding a sequence of packet lengths and timing data of the encrypted flow. 12. The system of claim 8 , the actions further including: identifying an application within the encrypted flow by using the connection data as input to a machine learning classifier. 13. The system of claim 12 , wherein the connection data further includes information regarding a sequence of application packet lengths and timing data of the encrypted flow. 14. The system of claim 8 , the actions further including, responsive to classifying the encrypted flow as malicious, sending an alert. 15. A non-transitory computer-readable medium, the medium including instructions which, when executed on one or more processors across one or more nodes connected through a network, cause the one or more nodes to perform actions including: receiving first network traffic including an encrypted flow; extracting connection data from the encrypted flow without decrypting the encrypted flow, the connection data including one or more certificates, ciphersuites used, and metrics regarding the encrypted flow; characterizing the encrypted flow as malicious or non-malicious by using the connection data as input to a machine learning classifier; and responsive to characterizing of the encrypted flow as malicious, updating a policy on a first network node to block the encrypted flow. 16. The computer-readable medium of claim 15 , wherein receiving first network traffic including an encrypted flow is performed at the first network node and characterizing the encrypted flow as malicious by using the connection data as input to a machine learning classifier is performed at a classifying device. 17. The computer-readable medium of claim 15 , the actions further including: responsive to characterizing of the encrypted flow as malicious, updating a policy on a second network node to block the encrypted flow. 18. The computer-readable medium of claim 15 , wherein the connection data further includes information regarding a sequence of packet lengths and timing data of the encrypted flow. 19. The computer-readable medium of claim 15 , the actions further including: identifying an application within the encrypted flow by using the connection data as input to a machine learning classifier. 20. The computer-readable medium of claim 19 , wherein the connection data further includes information regarding a sequence of application packet lengths and timing data of the encrypted flow. 21. The computer-readable medium of claim 15 , the actions further including, responsive to classifying the encrypted flow as malicious, sending an alert.