Network-based HTTPS Client Identification Using SSL/TLS Fingerprinting
| Autoři | |
|---|---|
| Rok publikování | 2015 |
| Druh | Článek ve sborníku |
| Konference | 2015 10th International Conference on Availability, Reliability and Security |
| Fakulta / Pracoviště MU | |
| Citace | |
| www | http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7299941 |
| Doi | https://doi.org/10.1109/ARES.2015.35 |
| Obor | Informatika |
| Klíčová slova | HTTP;HTTPS;SSL/TLS;fingerprint;User-Agent;identification;network monitoring |
| Přiložené soubory | |
| Popis | The growing share of encrypted network traffic complicates network traffic analysis and network forensics. In this paper, we present real-time lightweight identification of HTTPS clients based on network monitoring and SSL/TLS fingerprinting. Our experiment shows that it is possible to estimate the User-Agent of a client in HTTPS communication via the analysis of the SSL/TLS handshake. The fingerprints of SSL/TLS handshakes, including a list of supported cipher suites, differ among clients and correlate to User-Agent values from a HTTP header. We built up a dictionary of SSL/TLS cipher suite lists and HTTP User-Agents and assigned the User-Agents to the observed SSL/TLS connections to identify communicating clients. We discuss host-based and network-based methods of dictionary retrieval and estimate the quality of the data. The usability of the proposed method is demonstrated on two case studies of network forensics. |