Identifying self-signed certificates using http access logs for malware detection

US2018176240A1 · US · A1

Patent metadata
Publication number: US-2018176240-A1
Application number: US-201615386006-A
Country: US
Kind code: A1
Filing date: Dec 21, 2016
Priority date: Dec 21, 2016
Publication date: Jun 21, 2018
Grant date: none (kind code A1 is a pre-grant application publication)

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

In one embodiment, a device in a network receives traffic information regarding one or more secure sessions in the network. The device associates the one or more secure sessions with corresponding certificate validation check traffic indicated by the received traffic information. The device makes a self-signed certificate determination for an endpoint domain of a particular secure session based on whether the particular secure session is associated with certificate validation check traffic. The device causes the self-signed certificate determination for the endpoint domain to be used as input to a malware detector.

Claims

Claim text as published (all 20 claims).

What is claimed is:

1. A method comprising: receiving, at a device in a network, traffic information regarding one or more secure sessions in the network; associating, by the device, the one or more secure sessions with corresponding certificate validation check traffic indicated by the received traffic information; making, by the device, a self-signed certificate determination for an endpoint domain of a particular secure session based on whether the particular secure session is associated with certificate validation check traffic; and causing, by the device, the self-signed certificate determination for the endpoint domain to be used as input to a malware detector.

2. The method as in claim 1, wherein the malware detector causes the performance of a mitigation action in the network when the malware detector detects malware.

3. The method as in claim 1, wherein the malware detector is configured to treat a self-signed certificate for a domain as an indication of the presence of malware in the network.

4. The method as in claim 1, wherein the traffic information regarding the one or more secure sessions comprises Hypertext Transfer Protocol (HTTP) access logs regarding HTTP traffic associated with the one or more secure sessions.

5. The method as in claim 1, wherein making the self-signed certificate determination for the endpoint domain of the particular secure session comprises: determining, by the device, that the endpoint domain used a self-signed certificate in the particular secure session based on the particular secure session not being associated with certificate validation check traffic.

6. The method as in claim 1, wherein associating the one or more secure sessions with corresponding certificate validation check traffic comprises: matching, by the device, client addresses of the one or more secure sessions with client addresses of the certificate validation check traffic.

7. The method as in claim 1, wherein the certificate validation check traffic comprises a certificate revocation list (CRL) download or an Online Certificate Status Protocol (OCSP) check.

8. The method as in claim 1, wherein the self-signed certificate determination for the endpoint domain is based on whether any of the one or more secure sessions involving the endpoint domain are associated with certificate validation check traffic.

9. The method as in claim 1, wherein receiving the traffic information regarding the one or more secure sessions in the network comprises: capturing, by the device, the traffic information regarding the one or more secure sessions in the network.

10. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed operable to: receive traffic information regarding one or more secure sessions in the network; associate the one or more secure sessions with corresponding certificate validation check traffic indicated by the received traffic information; make a self-signed certificate determination for an endpoint domain of a particular secure session based on whether the particular secure session is associated with certificate validation check traffic; and cause the self-signed certificate determination for the endpoint domain to be used as input to a malware detector.

11. The apparatus as in claim 10, wherein the malware detector causes the performance of a mitigation action in the network when the malware detector detects malware.

12. The apparatus as in claim 10, wherein the malware detector is configured to treat a self-signed certificate for a domain as an indication of the presence of malware in the network.

13. The apparatus as in claim 10, wherein the traffic information regarding the one or more secure sessions comprises Hypertext Transfer Protocol (HTTP) access logs regarding HTTP traffic associated with the one or more secure sessions.

14. The apparatus as in claim 10, wherein the apparatus makes the self-signed certificate determination for the endpoint domain of the particular secure session by: determining that the endpoint domain used a self-signed certificate in the particular secure session based on the particular secure session not being associated with certificate validation check traffic.

15. The apparatus as in claim 10, wherein the apparatus associates the one or more secure sessions with corresponding certificate validation check traffic by: matching client addresses of the one or more secure sessions with client addresses of the certificate validation check traffic.

16. The apparatus as in claim 10, wherein the certificate validation check traffic comprises a certificate revocation list (CRL) download or an Online Certificate Status Protocol (OCSP) check.

17. The apparatus as in claim 10, wherein the self-signed certificate determination for the endpoint domain is based on whether any of the one or more secure sessions involving the endpoint domain are associated with certificate validation check traffic.

18. The apparatus as in claim 10, wherein the apparatus receives the traffic information regarding the one or more secure sessions in the network by: capturing the traffic information regarding the one or more secure sessions in the network.

19. A tangible, non-transitory, computer-readable medium storing program instructions that cause a device in a network to execute a process comprising: receiving, at the device, traffic information regarding one or more secure sessions in the network; associating, by the device, the one or more secure sessions with corresponding certificate validation check traffic indicated by the received traffic information; making, by the device, a self-signed certificate determination for an endpoint domain of a particular secure session based on whether the particular secure session is associated with certificate validation check traffic; and causing, by the device, the self-signed certificate determination for the endpoint domain to be used as input to a malware detector.

20. The computer-readable medium as in claim 19, wherein the device makes the self-signed certificate determination for the endpoint domain of the particular secure session by: determining, by the device, that the endpoint domain used a self-signed certificate in the particular secure session based on the particular secure session not being associated with certificate validation check traffic.
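The abstract and claims 4 to 8 describe the mechanism at the level of a heuristic: a client that validates a CA-issued certificate normally fetches a CRL or queries an OCSP responder right after the handshake, so a TLS session from a client address with no such fetch in the access log is treated as evidence of a self-signed (or otherwise unvalidated) certificate, and a domain is only flagged if none of its sessions ever showed a check. The following is an added example in Python, not code from the patent or from Cisco. The log format, the sample lines, the URL patterns used to recognise CRL/OCSP traffic and the 30-second association window are all assumptions made for the example; the patent matches on client addresses and does not specify a time window or URL pattern.

```python
"""Added example, not code from the patent or from Cisco: infer likely
self-signed TLS endpoints from HTTP access logs by correlating each secure
session with CRL/OCSP fetches from the same client, then aggregating the
result per domain as a feature for a malware detector."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real traffic). Assumed, simplified format:
#   <epoch_seconds> <client_ip> <method> <url> <status>
# A CONNECT to host:443 stands for a TLS session to that endpoint domain.
SAMPLE_LOG = """\
1500000000 10.0.0.5 CONNECT www.example.test:443 200
1500000001 10.0.0.5 POST http://ocsp.example-ca.test/ 200
1500000010 10.0.0.7 CONNECT update.vendor.test:443 200
1500000011 10.0.0.7 GET http://crl.vendor-ca.test/intermediate.crl 200
1500000020 10.0.0.9 CONNECT beacon.unknown.test:443 200
1500000100 10.0.0.5 CONNECT beacon.unknown.test:443 200
1500000200 10.0.0.7 CONNECT www.example.test:443 200
"""

# Assumption: validation-check traffic is recognised by URL shape. The real
# OCSP responder and CRL distribution point are named in the certificate's
# AIA/CDP extensions; an "ocsp." host or a ".crl" path is a stand-in here.
VALIDATION_URL = re.compile(r"^https?://ocsp\.|/ocsp(?:/|$)|\.crl(?:\?|$)", re.I)


@dataclass(frozen=True)
class Record:
    ts: int
    client: str
    method: str
    url: str


def parse_log(text: str) -> list[Record]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, _status = line.split()
        records.append(Record(int(ts), client, method.upper(), url))
    return records


def is_secure_session(r: Record) -> bool:
    return r.method == "CONNECT" and r.url.endswith(":443")


def endpoint_domain(r: Record) -> str:
    return r.url.rsplit(":", 1)[0].lower()


def is_validation_check(r: Record) -> bool:
    return r.method in ("GET", "POST") and VALIDATION_URL.search(r.url) is not None


def associate_sessions(records: list[Record], window: int = 30) -> list[tuple[Record, bool]]:
    """Claim 6: match each secure session to validation checks by client
    address. The time window is an added assumption, so that a CRL fetch
    minutes later is not credited to an unrelated session."""
    checks_by_client: dict[str, list[int]] = defaultdict(list)
    for r in records:
        if is_validation_check(r):
            checks_by_client[r.client].append(r.ts)
    result = []
    for r in records:
        if is_secure_session(r):
            has_check = any(r.ts <= t <= r.ts + window for t in checks_by_client[r.client])
            result.append((r, has_check))
    return result


def self_signed_domains(records: list[Record], window: int = 30) -> dict[str, bool]:
    """Claims 5 and 8: a domain is determined self-signed only when none of
    its sessions, across all clients, was associated with a validation check.
    One observed check clears the domain, which absorbs cached-CRL/OCSP cases."""
    cleared: dict[str, bool] = defaultdict(bool)
    for session, has_check in associate_sessions(records, window):
        d = endpoint_domain(session)
        cleared[d] = cleared[d] or has_check
    return {d: not ok for d, ok in cleared.items()}


def detector_features(log_text: str, window: int = 30) -> dict[str, bool]:
    """Feature handed to the malware detector: endpoint domain -> self_signed."""
    return self_signed_domains(parse_log(log_text), window)


if __name__ == "__main__":
    for domain, flagged in sorted(detector_features(SAMPLE_LOG).items()):
        print(f"{domain:22} self_signed={flagged}")
```

On the constructed sample, www.example.test and update.vendor.test are cleared because at least one client fetched an OCSP response or CRL right after connecting, while beacon.unknown.test is flagged because neither of its two sessions was followed by a check. The second www.example.test session (client 10.0.0.7, no fetch) shows why the per-domain aggregation of claim 8 matters: a client with a cached CRL or OCSP response produces no new check traffic, and without aggregation that session alone would look self-signed. The signal is weak by design and belongs, as claim 1 says, as an input to a detector rather than as a verdict: OCSP stapling moves the check into the handshake, browsers such as Chrome replace live revocation checks with pushed CRL sets, short-lived certificates may carry no CDP/AIA at all, and malware can use a CA-issued certificate. The window parameter trades false positives against false negatives; setting it to zero flags every domain in the sample.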

Assignees

Cisco Tech Inc

Inventors

Classifications

  • H04L9/3263 (primary) · CPC title: involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network H04L63/0823)

  • CPC title: at the transport layer

  • CPC title: the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

  • CPC title: using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263)

  • CPC title: Event detection, e.g. attack signature detection

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2018176240A1 cover?
In one embodiment, a device in a network receives traffic information regarding one or more secure sessions in the network. The device associates the one or more secure sessions with corresponding certificate validation check traffic indicated by the received traffic information. The device makes a self-signed certificate determination for an endpoint domain of a particular secure session based…
Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L9/3263. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Jun 21, 2018 (kind code A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).