Publication details

HTTPS Traffic Analysis and Client Identification Using Passive SSL/TLS Fingerprinting

Authors

HUSÁK Martin, ČERMÁK Milan, JIRSÍK Tomáš, ČELEDA Pavel

Type: Article in a scholarly periodical
Journal / Source: EURASIP Journal on Information Security
MU Faculty / Unit:

Faculty of Informatics; Institute of Computer Science

Citation
WWW: http://www.jis.eurasipjournals.com/content/2016/1/6
DOI: http://dx.doi.org/10.1186/s13635-016-0030-7
Field: Informatics
Keywords: Network monitoring; HTTPS; User-Agent; SSL; TLS; Fingerprinting
Description: The encryption of network traffic complicates legitimate network monitoring, traffic analysis, and network forensics. In this paper, we present real-time lightweight identification of HTTPS clients based on network monitoring and SSL/TLS fingerprinting. Our experiment shows that it is possible to estimate the User-Agent of a client in HTTPS communication via the analysis of the SSL/TLS handshake. The fingerprints of SSL/TLS handshakes, including a list of supported cipher suites, differ among clients and correlate to User-Agent values from an HTTP header. We built up a dictionary of SSL/TLS cipher suite lists and HTTP User-Agents and assigned the User-Agents to the observed SSL/TLS connections to identify communicating clients. The dictionary was used to classify live HTTPS network traffic. We were able to retrieve client types from 95.4 % of HTTPS network traffic. Further, we discussed host-based and network-based methods of dictionary retrieval and estimated the quality of the data.
