Network-based HTTPS Client Identification Using SSL/TLS Fingerprinting

Authors

HUSÁK Martin ČERMÁK Milan JIRSÍK Tomáš ČELEDA Pavel

Year of publication 2015
Type Article in Proceedings
Conference 2015 10th International Conference on Availability, Reliability and Security
MU Faculty or unit

Institute of Computer Science

Citation
Web http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7299941
DOI http://dx.doi.org/10.1109/ARES.2015.35
Field Informatics
Keywords HTTP;HTTPS;SSL/TLS;fingerprint;User-Agent;identification;network monitoring
Description The growing share of encrypted network traffic complicates network traffic analysis and network forensics. In this paper, we present real-time lightweight identification of HTTPS clients based on network monitoring and SSL/TLS fingerprinting. Our experiment shows that it is possible to estimate the User-Agent of a client in HTTPS communication via the analysis of the SSL/TLS handshake. The fingerprints of SSL/TLS handshakes, including a list of supported cipher suites, differ among clients and correlate to User-Agent values from an HTTP header. We built up a dictionary of SSL/TLS cipher suite lists and HTTP User-Agents and assigned the User-Agents to the observed SSL/TLS connections to identify communicating clients. We discuss host-based and network-based methods of dictionary retrieval and estimate the quality of the data. The usability of the proposed method is demonstrated on two case studies of network forensics.
