Using TLS Fingerprints for OS Identification in Encrypted Traffic

• Authors: LAŠTOVIČKA Martin; ŠPAČEK Stanislav; VELAN Petr; ČELEDA Pavel
• Year of publication: 2020
• Type: Article in Proceedings
• Conference: 2020 IEEE/IFIP Network Operations and Management Symposium (NOMS 2020)
• MU Faculty or unit: Institute of Computer Science
• Web: https://ieeexplore.ieee.org/document/9110319
• Doi: http://dx.doi.org/10.1109/NOMS47738.2020.9110319
• Keywords: OS fingerprinting;passive monitoring;IPFIX;TLS

Attached files

• 2020-NOMS-Using-TLS-Fingerprints-for-OS-Identification-in-Encrypted-Traffic-paper.pdf
• 2020-NOMS-Using-TLS-Fingerprints-for-OS-Identification-in-Encrypted-Traffic-presentation.pdf

• Description: Asset identification plays a vital role in situational awareness building. However, the current trends in communication encryption and the emerging new protocols turn the well-known methods into a decline as they lose the necessary data to work correctly. In this paper, we examine the traffic patterns of the TLS protocol and its changes introduced in version 1.3. We train a machine learning model on TLS handshake parameters to identify the operating system of the client device and compare its results to well-known identification methods. We test the proposed method in a large wireless network. Our results show that precise operating system identification can be achieved in encrypted traffic of mobile devices and notebooks connected to the wireless network.

Related projects

• CyberSecurity, CyberCrime and Critical Information Infrastructures Center of Excellence
• Cyber security cOmpeteNce fOr Research anD Innovation
• Aplikovaný výzkum: softwarové architektury kritických infrastruktur, bezpečnost počítačových systémů, zpracování přirozeného jazyka a jazykové inženýrství, vizualizaci velkých dat a rozšířená realita.