Anomaly Detection in Certificate Transparency Logs
Richard Ostertág, Martin Stanek
TL;DR
This work tackles anomaly detection in Certificate Transparency logs by applying an unsupervised Isolation Forest to a large, representative sample of CT-log certificates. By engineering features across subject details, public key characteristics, issuer rarity, validity, and SAN-related extensions, the method identifies certificates that diverge from typical CT-log patterns rather than solely enforcing X.509 lint compliance. The study reveals notable outliers associated with cloud infrastructures (notably Microsoft Azure) and ZeroSSL, illustrating both operational anomalies and potential automation issues in certificate issuance. The findings demonstrate the feasibility of CT-log anomaly detection as a complementary monitoring tool, with future work suggested on domain-specific training, excluding widespread cloud certificates, and integrating linter results for richer analysis.
Abstract
We propose an anomaly detection technique for X.509 certificates utilizing Isolation Forest. This method can be beneficial when compliance testing with X.509 linters proves unsatisfactory, and we seek to identify anomalies beyond standards compliance. The technique is validated on a sample of certificates from Certificate Transparency logs.
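The pipeline sketched in the TL;DR and the abstract (engineer numeric features from certificate fields, then score them with an unsupervised Isolation Forest) as an added, self-contained example. This is illustrative code written for this page, not the authors' implementation: it scores a constructed sample of certificate metadata rather than parsed CT-log entries, uses a small pure-Python Isolation Forest instead of a library, and the issuer labels (CA-A, CA-B, CA-Z) and hostnames under the reserved .test TLD are invented.

```python
"""Isolation Forest over engineered X.509 certificate features (added example,
not the paper's code). Feature groups mirror the text: subject details, public
key size, issuer rarity, validity length and SAN-related counts."""
import math
import random
from collections import Counter


def _cert(cn, issuer, key_bits, days, subject_attrs, sans):
    """Constructed certificate metadata record (no real certificate is parsed)."""
    return {"cn": cn, "issuer": issuer, "key_bits": key_bits, "days": days,
            "subject_attrs": subject_attrs, "sans": sans}


# Constructed sample: eleven routine certificates from two frequent issuers and
# one deliberately atypical record (weak key, 10-year validity, 250 SANs,
# one-off issuer). Issuer names and hostnames are invented.
CERTS = [
    _cert("www.example.test", "CA-A", 2048, 90, 1, ["www.example.test", "example.test"]),
    _cert("api.example.test", "CA-A", 2048, 90, 1, ["api.example.test"]),
    _cert("shop.example.test", "CA-B", 4096, 365, 4, ["shop.example.test", "*.shop.example.test"]),
    _cert("mail.example.test", "CA-A", 2048, 90, 1, ["mail.example.test"]),
    _cert("cdn.example.test", "CA-B", 2048, 365, 4, ["cdn.example.test", "static.example.test", "img.example.test"]),
    _cert("blog.example.test", "CA-A", 2048, 90, 1, ["blog.example.test", "www.blog.example.test"]),
    _cert("vpn.example.test", "CA-B", 4096, 365, 4, ["vpn.example.test"]),
    _cert("dev.example.test", "CA-A", 2048, 90, 1, ["dev.example.test"]),
    _cert("portal.example.test", "CA-B", 2048, 365, 4, ["portal.example.test", "*.portal.example.test"]),
    _cert("git.example.test", "CA-A", 2048, 90, 1, ["git.example.test"]),
    _cert("status.example.test", "CA-B", 4096, 365, 4, ["status.example.test"]),
    _cert("legacy-gw.example.test", "CA-Z", 1024, 3650, 1,
          [f"host{i}.legacy.example.test" for i in range(250)]),
]


def extract_features(certs):
    """Turn certificate metadata into numeric vectors.
    Issuer rarity is relative to the sample: log(N / count(issuer))."""
    issuer_counts = Counter(c["issuer"] for c in certs)
    n = len(certs)
    rows = []
    for c in certs:
        rows.append([
            float(c["key_bits"]),                                   # public key size
            float(c["days"]),                                       # validity length
            float(c["subject_attrs"]),                              # subject detail richness
            float(len(c["sans"])),                                  # SAN count
            float(sum(1 for s in c["sans"] if s.startswith("*."))),  # wildcard SANs
            math.log(n / issuer_counts[c["issuer"]]),               # issuer rarity
        ])
    return rows


def c_factor(n):
    """Average path length of an unsuccessful BST search; normalises scores."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    harmonic = math.log(n - 1) + 0.5772156649
    return 2.0 * harmonic - 2.0 * (n - 1) / n


def build_tree(rows, rng, depth, max_depth):
    """Isolation tree: random feature, random split between its min and max."""
    if depth >= max_depth or len(rows) <= 1:
        return {"size": len(rows)}
    dim = len(rows[0])
    candidates = [j for j in range(dim)
                  if min(r[j] for r in rows) < max(r[j] for r in rows)]
    if not candidates:                      # all rows identical: cannot split
        return {"size": len(rows)}
    j = rng.choice(candidates)
    lo, hi = min(r[j] for r in rows), max(r[j] for r in rows)
    split = rng.uniform(lo, hi)
    left = [r for r in rows if r[j] < split]
    right = [r for r in rows if r[j] >= split]
    return {"feat": j, "split": split,
            "left": build_tree(left, rng, depth + 1, max_depth),
            "right": build_tree(right, rng, depth + 1, max_depth)}


def path_length(row, node, depth=0):
    """Depth at which row is isolated, plus c(size) for unresolved leaves."""
    if "size" in node:
        return depth + c_factor(node["size"])
    child = node["left"] if row[node["feat"]] < node["split"] else node["right"]
    return path_length(row, child, depth + 1)


def anomaly_scores(rows, n_trees=100, seed=0):
    """Standard iForest score 2^(-E[h(x)]/c(n)): closer to 1 means more anomalous."""
    rng = random.Random(seed)
    sample = min(256, len(rows))
    max_depth = math.ceil(math.log2(sample)) if sample > 1 else 0
    trees = [build_tree(rng.sample(rows, sample), rng, 0, max_depth)
             for _ in range(n_trees)]
    norm = c_factor(sample)
    return [2 ** (-(sum(path_length(r, t) for t in trees) / len(trees)) / norm)
            for r in rows]


def rank_anomalies(certs, n_trees=100, seed=0):
    """Return (score, common name) pairs, most anomalous first."""
    scores = anomaly_scores(extract_features(certs), n_trees, seed)
    return sorted(zip(scores, (c["cn"] for c in certs)), reverse=True)


if __name__ == "__main__":
    for score, cn in rank_anomalies(CERTS):
        print(f"{score:.3f}  {cn}")
```

Issuer rarity is computed relative to the sample being scored, which is why `extract_features` takes the whole batch rather than one certificate; on a real CT-log sample the same holds, and the counts should come from the same (or a larger reference) sample rather than from the handful of certificates under inspection. A production run would parse DER from the log entries with an X.509 library and use a library Isolation Forest with the usual 256-row subsampling; the scoring logic is otherwise the same as above.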
