Papers
Topics
Authors
Recent
Search
2000 character limit reached

Positional-Unigram Byte Models for Generalized TLS Fingerprinting

Published 13 May 2024 in cs.CR | (2405.07848v1)

Abstract: We use positional-unigram byte models along with maximum likelihood for generalized TLS fingerprinting and empirically show that it is robust to cipher stunting. Our approach creates a set of positional-unigram byte models from client hello messages. Each positional-unigram byte model is a statistical model of TLS client hello traffic created by a client application or process. To fingerprint a TLS connection, we use its client hello, and compute the likelihood as a function of a statistical model. The statistical model that maximizes the likelihood function is the predicted client application for the given client hello. Our data driven approach does not use side-channel information and can be updated on-the-fly. We experimentally validate our method on an internal dataset and show that it is robust to cipher stunting by tracking an unbiased $f_{1}$ score as we synthetically increase randomization.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (16)
  1. Google. Https encryption on the web. 2022. URL https://transparencyreport.google.com/https/overview?hl=en.
  2. Sophos. Nearly half of malware now use tls to conceal communications. 2021. URL https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/.
  3. J. Althouse. Tls fingerprinting with ja3 and ja3s. 2019. URL https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967.
  4. Bots tampering with tls to avoid detection. Akamai Blog, 2019. URL https://blogs.akamai.com/sitr/2019/05/bots-tampering-with-tls-to-avoid-detection.html.
  5. Accurate tls fingerprinting using destination context and knowledge bases, 2020. URL https://arxiv.org/abs/2009.01939.
  6. Tomá Jirsík Martin Husák, Milan Cermák and Pavel Celeda. Network-based https client identification using ssl/tls fingerprinting, 2015. URL https://ieeexplore.ieee.org/document/7299941.
  7. T. Dierks and Rescorla. The transport layer security (tls) protocol version 1.2. 2008. URL https://tools.ietf.org/html/rfc5246#appendix-A.5.
  8. S. Hollenbeck. Transport layer security protocol compression methods. 2004. URL https://tools.ietf.org/html/rfc3749#section-2.
  9. D. Eastlake. Transport layer security (tls) extensions: Extension definitions. 2011. URL https://tools.ietf.org/html/rfc6066.
  10. Marcus Bakker. Hunting with ja3, 2018. URL https://www.mbsecure.nl/blog/2018/06/hunting-with-ja3.
  11. Abuse CN. Ssl blacklist by abuse cn. 14 May 2020. URL https://sslbl.abuse.ch/ja3-fingerprints/.
  12. JA3er.com. Ja3er.com – hashes and user agents. 14 May 2020. URL https://ja3er.com/downloads.html.
  13. TrisulNetworkAnalytics. Trisul network analytics. 14 May 2020. URL https://github.com/trisulnsm/ja3prints.
  14. Salesforce. Salesforce list. 14 May 2020. URL https://github.com/salesforce/ja3/tree/master/lists.
  15. Brotherston. Lee brotherston. 14 May 2020. URL https://github.com/LeeBrotherston/tls-fingerprinting/.
  16. D. Benjamin. Applying grease to tls extensibility. 2018. URL https://tools.ietf.org/id/draft-ietf-tls-grease-01.html.

Summary

No one has generated a summary of this paper yet.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Continue Learning

We haven't generated follow-up questions for this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 2 tweets with 0 likes about this paper.