Passive decryption of encrypted traffic to generate more accurate machine learning training data

What is claimed is: 1 . A method comprising: capturing a memory dump of a device in a sandbox environment executing a malware sample; identifying a cryptographic key based on a particular data structure in the captured memory dump; using the identified cryptographic key to decrypt encrypted traffic sent by the device; labeling at least a portion of the decrypted traffic sent by the device as benign; and training a machine learning-based traffic classifier based on the at least a portion of the decrypted traffic sent by the device and labeled as benign. 2 . The method as in claim 1 , further comprising: deploying the machine learning-based traffic classifier to a node in a network, to detect the presence of malware in the network. 3 . The method as in claim 1 , wherein the particular data structure comprises a wrapper for the cryptographic key, the method further comprising: identifying a particular encryption suite used by the device to encrypt the traffic; and identifying the data structure based on the identified encryption suite used by the device to encrypt the traffic. 4 . The method as in claim 1 , wherein capturing the memory dump of the device executing the malware sample comprises: detecting a triggering condition to initiate the memory dump. 5 . The method as in claim 4 , wherein the triggering condition to initiate the memory dump comprises one of: a Change Cipher Spec message appearing in the traffic of the device, multiple socket.send( ) calls to a particular 5-tuple being observed, detecting multiple calls to a particular application programming interface (API) of the device. 6 . The method as in claim 1 , wherein identifying the encryption key based on the particular data structure in the captured memory dump comprises: identifying a set of bytes in the memory dump having high entropy in comparison to bytes preceding or following the set of bytes in the memory dump. 7 . The method as in claim 1 , wherein the traffic sent by the device is encrypted using Transport Layer Security (TLS). 8 . An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed configured to: capture a memory dump of a device in a sandbox environment executing a malware sample; identify a cryptographic key based on a particular data structure in the captured memory dump; use the identified cryptographic key to decrypt encrypted traffic sent by the device; label at least a portion of the decrypted traffic sent by the device as benign; and train a machine learning-based traffic classifier based on the at least a portion of the decrypted traffic sent by the device and labeled as benign. 9 . The apparatus as in claim 8 , wherein the process when executed is further configured to: deploy the machine learning-based traffic classifier to a node in a network, to detect the presence of malware in the network. 10 . The apparatus as in claim 8 , wherein the particular data structure comprises a wrapper for the cryptographic key, wherein the process when executed is further configured to: identify a particular encryption suite used by the device to encrypt the traffic; and s identify the data structure based on the identified encryption suite used by the device to encrypt the traffic. 11 . The apparatus as in claim 8 , wherein the apparatus captures the memory dump of the device executing the malware sample by: detecting a triggering condition to initiate the memory dump. 12 . The apparatus as in claim 11 , wherein the triggering condition to initiate the memory dump comprises one of: a Change Cipher Spec message appearing in the traffic of the device, multiple socket.send( ) calls to a particular 5-tuple being observed, detecting multiple calls to a particular application programming interface (API) of the device. 13 . The apparatus as in claim 8 , wherein the apparatus identifies the encryption key based on the particular data structure in the captured memory dump by: identifying a set of bytes in the memory dump having high entropy in comparison to bytes preceding or following the set of bytes in the memory dump. 14 . The apparatus as in claim 8 , wherein the traffic sent by the device is encrypted using Transport Layer Security (TLS). 15 . A tangible, non-transitory, computer-readable medium storing program instructions that cause a computing device to execute a process comprising: capturing a memory dump of a device in a sandbox environment executing a malware sample; identifying a cryptographic key based on a particular data structure in the captured memory dump; using the identified cryptographic key to decrypt encrypted traffic sent by the device; labeling at least a portion of the decrypted traffic sent by the device in the sandbox environment as benign; and training a machine learning-based traffic classifier based on the at least a portion of the decrypted traffic sent by the device in the sandbox environment and labeled as benign. 16 . The computer-readable medium as in claim 15 , wherein capturing the memory dump of the device executing the malware sample comprises: detecting a triggering condition to initiate the memory dump. 17 . The computer-readable medium as in claim 16 , wherein the triggering condition to initiate the memory dump comprises one of: a Change Cipher Spec message appearing in the traffic of the device, multiple socket.send( ) calls to a particular 5-tuple being observed, detecting multiple calls to a particular application programming interface (API) of the device. 18 . The computer-readable medium as in claim 8 , wherein the program instructions identify the encryption key based on the particular data structure in the captured memory dump by: identifying a set of bytes in the memory dump having high entropy in comparison to bytes preceding or following the set of bytes in the memory dump. 19 . The computer-readable medium as in claim 16 , wherein the traffic sent by the device is encrypted using Transport Layer Security (TLS). 20 . The computer-readable medium as in claim 16 , wherein the program instructions when executed is further configured to: deploy the machine learning-based traffic classifier to a node in a network, to detect the presence of malware in the network.