HTTPS Traffic Analysis and Client Identification Using Passive SSL/TLS Fingerprinting
Result identifiers
Result code in IS VaVaI
<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216224%3A14610%2F16%3A00089221" target="_blank" >RIV/00216224:14610/16:00089221 - isvavai.cz</a>
Result on the web
<a href="http://www.jis.eurasipjournals.com/content/2016/1/6" target="_blank" >http://www.jis.eurasipjournals.com/content/2016/1/6</a>
DOI - Digital Object Identifier
<a href="http://dx.doi.org/10.1186/s13635-016-0030-7" target="_blank" >10.1186/s13635-016-0030-7</a>
Alternative languages
Result language
English
Title in the original language
HTTPS Traffic Analysis and Client Identification Using Passive SSL/TLS Fingerprinting
Result description in the original language
The encryption of network traffic complicates legitimate network monitoring, traffic analysis, and network forensics. In this paper, we present real-time lightweight identification of HTTPS clients based on network monitoring and SSL/TLS fingerprinting. Our experiment shows that it is possible to estimate the User-Agent of a client in HTTPS communication via the analysis of the SSL/TLS handshake. The fingerprints of SSL/TLS handshakes, including a list of supported cipher suites, differ among clients and correlate to User-Agent values from an HTTP header. We built up a dictionary of SSL/TLS cipher suite lists and HTTP User-Agents and assigned the User-Agents to the observed SSL/TLS connections to identify communicating clients. The dictionary was used to classify live HTTPS network traffic. We were able to retrieve client types from 95.4 % of HTTPS network traffic. Further, we discussed host-based and network-based methods of dictionary retrieval and estimated the quality of the data.
Classification
Type
J<sub>imp</sub> - Article in a periodical indexed in the Web of Science database
CEP field
—
OECD FORD field
10201 - Computer sciences, information science, bioinformatics (hardware development to be 2.2, social aspect to be 5.8)
Result linkages
Project
—
Linkages
S - Specific research at universities
Other
Year of implementation
2016
Data confidentiality code
S - Complete and true data on the project are not subject to protection under special legal regulations
Data specific to the result type
Periodical name
EURASIP Journal on Information Security
ISSN
1687-4161
e-ISSN
—
Periodical volume
2016
Issue of the periodical within the volume
1
Country of the periodical's publisher
DE - Federal Republic of Germany
Number of pages of the result
14
Pages from-to
1-14
UT WoS code of the article
000387412900001
EID of the result in the Scopus database
2-s2.0-84959325515