HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting

Husák, Martin; Čermák, Milan; Jirsík, Tomáš; Čeleda, Pavel

doi:10.1186/s13635-016-0030-7

Cited by 74 publications

(41 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Specific versions of Firefox browsers used in Kali Linux 4 , a well known penetration testing tool collection, was also detected. This is in line with previous research; for example, Husák et al obtained similar results when fingerprinting applications [10]. Although preliminary look into this feature gave extremely positive results, it is also something that the adversary may choose to change, as e.g.…”

Section: Tls Fingerprintssupporting

confidence: 90%

Anomaly-Based Network Intrusion Detection Using Wavelets and Adversarial Autoencoders

Puuska

Kokkonen

Alatalo

et al. 2019

Innovative Security Solutions for Information Technology and Communications

View full text Add to dashboard Cite

Rinnakkaistallennettu versio voi erota alkuperäisestä julkaistusta sivunumeroiltaan ja ilmeeltään.Abstract. The number of intrusions and attacks against data networks and networked systems increases constantly, while encryption has made it more difficult to inspect network traffic and classify it as malicious. In this paper, an anomaly-based intrusion detection system using Haar wavelet transforms in combination with an adversarial autoencoder was developed for detecting malicious TLS-encrypted Internet traffic. Data containing legitimate, as well as advanced malicious traffic was collected from a large-scale cyber exercise and used in the analysis. Based on the findings and domain expertise, a set of features for distinguishing modern malware from packet timing analysis were chosen and evaluated. Performance of the adversarial autoencoder was compared with a traditional autoencoder. The results indicate that the adversarial model performs better than the traditional autoencoder. In addition, a machine learning pipeline capable of analyzing traffic in near real time was developed for data analysis.

show abstract

Section: Tls Fingerprintssupporting

confidence: 90%

Anomaly-Based Network Intrusion Detection Using Wavelets and Adversarial Autoencoders

Puuska

Kokkonen

Alatalo

et al. 2019

Innovative Security Solutions for Information Technology and Communications

View full text Add to dashboard Cite

show abstract

“…Empirical research by Husák et al [7] investigated the feasibility of monitoring TLS handshakes to fingerprint and identify clients. They found, that especially the supported cipher suite lists vary among various client applications and their versions.…”

Section: Related Workmentioning

confidence: 99%

Tracking Users across the Web via TLS Session Resumption

Burkert

Federrath

et al. 2018

Proceedings of the 34th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

User tracking on the Internet can come in various forms, e.g., via cookies or by fingerprinting web browsers. A technique that got less attention so far is user tracking based on TLS and specifically based on the TLS session resumption mechanism. To the best of our knowledge, we are the first that investigate the applicability of TLS session resumption for user tracking. For that, we evaluated the configuration of 48 popular browsers and one million of the most popular websites. Moreover, we present a so-called prolongation attack, which allows extending the tracking period beyond the lifetime of the session resumption mechanism. To show that under the observed browser configurations tracking via TLS session resumptions is feasible, we also looked into DNS data to understand the longest consecutive tracking period for a user by a particular website. Our results indicate that with the standard setting of the session resumption lifetime in many current browsers, the average user can be tracked for up to eight days. With a session resumption lifetime of seven days, as recommended upper limit in the draft for TLS version 1.3, 65% of all users in our dataset can be tracked permanently.

show abstract

“…Roni and Langberg classified encrypted network flows by their application type [4] .Velan and Milan found that the initiation of an encrypted connection and the protocol structure give away much information about traffic clissificaion [5] .The SSL/TLS protocol and its applications were analyzed by Qualys SSL Lab [6] , they proposed the idea of HTTP client fingerprinting using the information of SSL/TLS handshake. Martin Husák and colleagues gave a way to estimate User-Agent of a client in HTTPS communication through the fingerprint of initial SSL/TLS handshake in 2015 [7] .However, due to the fuzziness of the fingerprint, the identification of browsers was not accurate.Salusky and Thomas disclosed for fingerprinting and identifying client applications based on the analysis of client requests in an HTTP-based communication [8] .For the algorithm of traffic identification, Alshammari and his colleagues assessed the robustness of machine learning for classifying encrypted traffic [9] . They foound that the C4.5 based approach performs much better than adaboost, support vector machine, Naive Bayesian and RIPPER.…”

Section: Related Workmentioning

confidence: 99%

Browser Identification Based on Encrypted Traffic

Liu¹,

Han²,

Wei³

2016

Proceedings of the 2016 International Conference on Communications, Information Management and Network Security

View full text Add to dashboard Cite

Abstract-Network traffic encryption brings security to network communication, however it also brings challenges to network monitoring. As more and more major websites use encryption protocol to protect imformation of visitors, it is a burning issue to identify client when session is encrypted. In this paper, we present browser identification of HTTPS client based on packet length. The sequence of request packet length is different among browsers and our experiment shows that it is possible to recognize what kind of browser the traffic comes from according to length sequence. We theoretically analyze the possibility of using the request packet length to identify browsers and show the method of using length sequence to establish dictionary. The dictionaries are used to distinguish unknown traffic flow. Our experiment results show that we can get accurate results of browser identification in HTTPS communication through packet length analysis.

show abstract

HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting

Cited by 74 publications

References 23 publications

Anomaly-Based Network Intrusion Detection Using Wavelets and Adversarial Autoencoders

Anomaly-Based Network Intrusion Detection Using Wavelets and Adversarial Autoencoders

Tracking Users across the Web via TLS Session Resumption

Browser Identification Based on Encrypted Traffic

Contact Info

Product

Resources

About