Positional-Unigram Byte Models for Generalized TLS Fingerprinting
Abstract: We use positional-unigram byte models along with maximum likelihood for generalized TLS fingerprinting and empirically show that it is robust to cipher stunting. Our approach creates a set of positional-unigram byte models from client hello messages. Each positional-unigram byte model is a statistical model of TLS client hello traffic created by a client application or process. To fingerprint a TLS connection, we use its client hello, and compute the likelihood as a function of a statistical model. The statistical model that maximizes the likelihood function is the predicted client application for the given client hello. Our data driven approach does not use side-channel information and can be updated on-the-fly. We experimentally validate our method on an internal dataset and show that it is robust to cipher stunting by tracking an unbiased $f_{1}$ score as we synthetically increase randomization.
- Google. Https encryption on the web. 2022. URL https://transparencyreport.google.com/https/overview?hl=en.
- Sophos. Nearly half of malware now use tls to conceal communications. 2021. URL https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/.
- J. Althouse. Tls fingerprinting with ja3 and ja3s. 2019. URL https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967.
- Bots tampering with tls to avoid detection. Akamai Blog, 2019. URL https://blogs.akamai.com/sitr/2019/05/bots-tampering-with-tls-to-avoid-detection.html.
- Accurate tls fingerprinting using destination context and knowledge bases, 2020. URL https://arxiv.org/abs/2009.01939.
- Tomá JirsÃk Martin Husák, Milan Cermák and Pavel Celeda. Network-based https client identification using ssl/tls fingerprinting, 2015. URL https://ieeexplore.ieee.org/document/7299941.
- T. Dierks and Rescorla. The transport layer security (tls) protocol version 1.2. 2008. URL https://tools.ietf.org/html/rfc5246#appendix-A.5.
- S. Hollenbeck. Transport layer security protocol compression methods. 2004. URL https://tools.ietf.org/html/rfc3749#section-2.
- D. Eastlake. Transport layer security (tls) extensions: Extension definitions. 2011. URL https://tools.ietf.org/html/rfc6066.
- Marcus Bakker. Hunting with ja3, 2018. URL https://www.mbsecure.nl/blog/2018/06/hunting-with-ja3.
- Abuse CN. Ssl blacklist by abuse cn. 14 May 2020. URL https://sslbl.abuse.ch/ja3-fingerprints/.
- JA3er.com. Ja3er.com – hashes and user agents. 14 May 2020. URL https://ja3er.com/downloads.html.
- TrisulNetworkAnalytics. Trisul network analytics. 14 May 2020. URL https://github.com/trisulnsm/ja3prints.
- Salesforce. Salesforce list. 14 May 2020. URL https://github.com/salesforce/ja3/tree/master/lists.
- Brotherston. Lee brotherston. 14 May 2020. URL https://github.com/LeeBrotherston/tls-fingerprinting/.
- D. Benjamin. Applying grease to tls extensibility. 2018. URL https://tools.ietf.org/id/draft-ietf-tls-grease-01.html.
Paper Prompts
Sign up for free to create and run prompts on this paper using GPT-5.
Top Community Prompts
Collections
Sign up for free to add this paper to one or more collections.