network based https client identification using ssl tls
play

NETWORK-BASED HTTPS CLIENT IDENTIFICATION USING SSL/TLS - PowerPoint PPT Presentation

Jun 27, 2023 •478 likes •662 views

NETWORK-BASED HTTPS CLIENT IDENTIFICATION USING SSL/TLS FINGERPRINTING Monday 24 th August, 2015 Martin Husk Milan ermk Tom Jirsk Pavel eleda Introduction Rising popularity of encrypted traffic secures the transmission, but

  1. NETWORK-BASED HTTPS CLIENT IDENTIFICATION USING SSL/TLS FINGERPRINTING Monday 24 th August, 2015 Martin Husák Milan Čermák Tomáš Jirsík Pavel Čeleda

  2. Introduction Rising popularity of encrypted traffic secures the transmission, but also prevents legitimate monitoring and classification. Lot of work has been done on HTTP traffic identification and classification, but it is useless when dealing with HTTPS. The adversaries may evade disclosure by hiding malicious behavior in encrypted connections. Is there anything we can do to analyse encrypted traffic while preserving privacy of communication? For example, User-Agent is used often for analyses. Do we have anything similar in HTTPS? HTTPS Client Identification Page 2 / 18

  3. Motivation I What can we tell about clients accessing an HTTPS server without access to system logs on the machine? HTTPS Client Identification Page 3 / 18

  4. Motivation II What about clients behind NAT? Can we enumerate them and estimate their types? HTTPS Client Identification Page 4 / 18

  5. Hypothesis It is possible to estimate a User-Agent of a client in HTTPS communication knowing only the parameters of SSL/TLS handshake . HTTPS Client Identification Page 5 / 18

  6. SSL/TLS Traffic Measurement HTTPS Client Identification Page 6 / 18

  7. SSL/TLS Traffic Measurement ClientHello Protocol version, cipher suite list , extensions. Cipher suite list is the most variable SSL/TLS handshake parameter. HTTPS Client Identification Page 7 / 18

  8. Research Questions Question I. Which parameters of a SSL/TLS handshake can be used for client identification? Question II. How can we build a dictionary of SSL/TLS handshakes and HTTP User-Agents? Question III. How large does the dictionary need to be to cover a significant portion of network traffic? HTTPS Client Identification Page 8 / 18

  9. Experiment design HTTPS Client Identification Page 9 / 18

  10. Pairing Ciper Suite Lists and User-Agents Host-based method Proposed earlier by Ristić et al. The results are exact, but it is difficult to obtain large dictionary. Limited to a single host (web server). Limited set of client types that can be observed. HTTPS Client Identification Page 10 / 18

  11. Pairing Ciper Suite Lists and User-Agents Network-based method Clients commonly communicate via both HTTP and HTTPS. HTTP and HTTPS connections with the same source IP address are selected. Cipher suite list from the HTTPS connection is paired to the User-Agent from the HTTP connection that is the closest in time. Not limited to a single host. Can detect any client type. Better re fl ects the structure of live network tra ffi c. HTTPS Client Identi fi cation Page 11 / 18

  12. Experiment Results I Over 85 million HTTPS connection were processed during a week in our campus network. 307 pairs (72 unique cipher suite lists) were collected using host-based method on a single host. 12,832 pairs (305 unique cipher suite lists) were collected using network-based method in our campus network. The final dictionary is a union of the two (316 unique cipher suite lists). We were able to assign a User-Agent to 99.6 % of HTTPS connections. 57 % of connections used TLS 1.2, 40 % used TLS 1.0. HTTPS Client Identification Page 12 / 18

  13. Experiment Results II 100% 90% 80% Portion of traffic 60% 40% 20% 0% 0 10 20 40 60 80 100 120 140 Top X cipher suite lists HTTPS Client Identification Page 13 / 18

  14. Experiment Results III 800 100% Cumulative portion of traffic identified 700 80% Number of unique pairs 600 500 60% 400 40% 300 200 20% Portion of traffic identified 100 Number of unique pairs 0 0% 0 1 2 3 4 5 6 7 8 9 10 ALL Number of User-Agents per cipher suite list HTTPS Client Identification Page 14 / 18

  15. Client Types in Dictionary other unknown: unknown desktop: application unknown: update 8.3% unknown: command line 11.6% unknown: browser unknown: crawler unknown: application 8.7% desktop: browser 35.3% 10.5% mobile: unknown 9% mobile: browser 6.5% desktop: update mobile: application desktop: unknown HTTPS Client Identification Page 15 / 18

  16. Client Types in Network Traffic unknown: unknown other desktop: application unknown: command line unknown: browser 20% unknown: application desktop: browser 13% mobile: browser 59.9% mobile: crawler mobile: application desktop: command line HTTPS Client Identification Page 16 / 18

  17. Conclusion Parameters of SSL/TLS handshake can be used for identification of clients in HTTPS communication. Cipher suite lists in SSL/TLS corresponds to HTTP User-Agents. Novel network-based of pairing cipher suite lists and User-Agents was proposed. The approach was tested in live network environment. Type of client can be estimated, while the privacy of communication is preserved. HTTPS Client Identification Page 17 / 18

  18. THANK YOU FOR YOUR ATTENTION! Martin Husák muni.cz/csirt @csirtmu husakm@ics.muni.cz

Recommend

1 HTTP Client-server paradigm Typical network app has two application pieces: client and server

1 HTTP Client-server paradigm Typical network app has two application pieces: client and server

Network Applications Drive Network Design Important to remember that network applications are the reason we care about 3: Application Protocols: building a network infrastructure HTTP and DNS Applications range from text based command

504 views • 14 slides
Clock Skew Based Client Device Identification in Cloud Environments Wei-Chung Teng Dept. of

Clock Skew Based Client Device Identification in Cloud Environments Wei-Chung Teng Dept. of

Clock Skew Based Client Device Identification in Cloud Environments Wei-Chung Teng Dept. of Computer Science & Info. Eng. National Taiwan University of Sci. & Tech. 1 Wei-Chung Teng on behalf of Assoc. Prof. Yuh-Jye Lee CLOUD SERVICE

364 views • 32 slides
Example of analysis of signaling network based on 3 small GTP binding proteins: identification of

Example of analysis of signaling network based on 3 small GTP binding proteins: identification of

Example of analysis of signaling network based on 3 small GTP binding proteins: identification of oscillators for rapid leukocytes adhesion triggering by chemokines = activation = inhibition Level 1 RhoA zPKC PDK1 PKB 2-molecules zPKC

374 views • 14 slides
Network-based and Client-based DMM solutions using Mobile IP mechanisms

Network-based and Client-based DMM solutions using Mobile IP mechanisms

Network-based and Client-based DMM solutions using Mobile IP mechanisms draft-bernardos-dmm-cmip-07 draft-bernardos-dmm-pmip-08 draft-bernardos-dmm-distributed-anchoring-09 Carlos J. Bernardos Universidad Carlos III de Madrid Antonio de la

635 views • 19 slides
hybrid client-server and p2p network for web-based collaborative 3d design Caroline DESPRAT a ,

hybrid client-server and p2p network for web-based collaborative 3d design Caroline DESPRAT a ,

hybrid client-server and p2p network for web-based collaborative 3d design Caroline DESPRAT a , Herv LUGA b , Jean-Pierre JESSEL c June 9, 2015 WSCG15 Plzen, Czech Republic VORTEX team, IRIT UMR 5505, University of Toulouse, France a

668 views • 27 slides
CS519: Computer Networks Lecture 8: Apr 21, 2004 VPNs VPN Taxonomy CS519 VPN Network Client

CS519: Computer Networks Lecture 8: Apr 21, 2004 VPNs VPN Taxonomy CS519 VPN Network Client

CS519: Computer Networks Lecture 8: Apr 21, 2004 VPNs VPN Taxonomy CS519 VPN Network Client Provider-based Customer-based Provider-based Customer-based L3 L2 Compulsory Voluntary Virtual Router BGP/MPLS ATM Frame Relay Secure

1.15k views • 70 slides
Game Bot Identification Game Bot Identification based on Manifold Learning based on Manifold

Game Bot Identification Game Bot Identification based on Manifold Learning based on Manifold

Game Bot Identification Game Bot Identification based on Manifold Learning based on Manifold Learning Kuan Ta Chen Academia Sinica Hsing Kuo Pao NTUST Hong Chung Chang NTUST ACM NetGames 2008 Game Bots Game bots: automated AI programs

371 views • 36 slides
Hot set identification for Social network applications Michele Colajanni Claudia Canali

Hot set identification for Social network applications Michele Colajanni Claudia Canali

Hot set identification for Social network applications Michele Colajanni Claudia Canali Riccardo Lancellotti University of Modena and Reggio Emilia IEEE Compsac 2009 1 Future Web Scenarios Community-based services Social networking:

207 views • 18 slides
Network Applications Network Applications There are many network applications Network

Network Applications Network Applications There are many network applications Network

Network Applications Network Applications There are many network applications Network applications involve the cooperation Client Server Programming Client Server Programming of processes running on different hosts connected by a

323 views • 7 slides
Client Curriculum Presentation to STL-ODN Members & Guests, September 28, 2012 based on the

Client Curriculum Presentation to STL-ODN Members & Guests, September 28, 2012 based on the

St. Louis Organization Development Network Almost Home Developing a Client Curriculum Presentation to STL-ODN Members & Guests, September 28, 2012 based on the Shawn T. Trares Graduate Student Award for research or community practice in

386 views • 17 slides
Client Server Programming Client Server Programming Srinidhi Varadarajan Network Applications

Client Server Programming Client Server Programming Srinidhi Varadarajan Network Applications

Client Server Programming Client Server Programming Srinidhi Varadarajan Network Applications Network Applications There are many network applications Network applications involve the cooperation of processes running on different hosts

613 views • 40 slides
Community Identification of Complex Network Xiang-Sun Zhang http://zhangroup.aporc.org Chinese

Community Identification of Complex Network Xiang-Sun Zhang http://zhangroup.aporc.org Chinese

Community Identification of Complex Network Xiang-Sun Zhang http://zhangroup.aporc.org Chinese Academy of Sciences 2008.10.31, OSB2008 1 Outline Background Community identification definition Community identification methods

658 views • 40 slides
Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication

Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication

Chair of Network Architectures and Services TUM Department of Informatics Technical University of Munich (TUM) Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication Matthias Wachs, Quirin Scheitle, and

462 views • 14 slides
Extent- -based Incremental Identification based Incremental Identification Extent of Reaction

Extent- -based Incremental Identification based Incremental Identification Extent of Reaction

LABORATOIRE DAUTOMATIQUE AUTOMATIC CONTROL LABORATORY Extent- -based Incremental Identification based Incremental Identification Extent of Reaction Kinetics from Spectroscopic Data of Reaction Kinetics from Spectroscopic Data XIII

428 views • 23 slides
Identification of Human Gait Why Fourier-Based . . . Why Fourier-Based . . . in

Identification of Human Gait Why Fourier-Based . . . Why Fourier-Based . . . in

Introduction Formulation of the . . . Straightforward . . . Identification of Human Gait Why Fourier-Based . . . Why Fourier-Based . . . in Neuro-Rehabilitation: Shift Detection: . . . Towards Efficient Algorithms General Case Conclusions

502 views • 10 slides
Pub/sub server for the modern web. Flexible, scalable, easy to use. https://nchan.slact.net What

Pub/sub server for the modern web. Flexible, scalable, easy to use. https://nchan.slact.net What

Pub/sub server for the modern web. Flexible, scalable, easy to use. https://nchan.slact.net What is it? HTTP POST Application Websocket Websocket client EventSource client Long-Poll client Buffering Pub/Sub server for web clients

708 views • 49 slides
Tanmay Bhagwat (Slides borrowed from Kevin Cleary and modified as required) UB Cyber and Network

Tanmay Bhagwat (Slides borrowed from Kevin Cleary and modified as required) UB Cyber and Network

Tanmay Bhagwat (Slides borrowed from Kevin Cleary and modified as required) UB Cyber and Network Defense Most communications on the internet are Client / Server based. A client is typically a desktop computer or smart device. Servers are

486 views • 29 slides
EAP Client-side Transport draft-boursetty-eap-cst-00.txt IETF 57 EAP WG July 2003 A typical EAP

EAP Client-side Transport draft-boursetty-eap-cst-00.txt IETF 57 EAP WG July 2003 A typical EAP

EAP Client-side Transport draft-boursetty-eap-cst-00.txt IETF 57 EAP WG July 2003 A typical EAP setup Access Target Client NAS Network Network AAA server S 2 A new EAP setup Authentication AuthToken AuthServer Integrity Client

628 views • 7 slides
Multi-Threaded Servers December 6, 2007 1 Client-Server Communication Client Client Client

Multi-Threaded Servers December 6, 2007 1 Client-Server Communication Client Client Client

Multi-Threaded Servers December 6, 2007 1 Client-Server Communication Client Client Client Client Client Client Client Client Client Google Client Client Client Client Client Client Many clients; 1 server Server starts and then

333 views • 6 slides
1 Hybrid of client-server and P2P Processes communicating Client process: process that Process:

1 Hybrid of client-server and P2P Processes communicating Client process: process that Process:

Some network apps E-mail Internet telephone Application Layer Overview and Web Real-time video conference Instant messaging Web/HTTP Massive parallel Remote login computing P2P file sharing Multi-user network

425 views • 7 slides
Person Re-Identification Yiheng Liu Outli line Background Image-Based Person

Person Re-Identification Yiheng Liu Outli line Background Image-Based Person

Person Re-Identification Yiheng Liu Outli line Background Image-Based Person Re-Identification Partial Person Re-identification Video-Based Person Re-Identification Our Methods Outli line Background Image-Based

373 views • 26 slides
From 5-pass MQ -based identification to MQ -based signatures Ming-Shing Chen 1 , 2 , Andreas

From 5-pass MQ -based identification to MQ -based signatures Ming-Shing Chen 1 , 2 , Andreas

From 5-pass MQ -based identification to MQ -based signatures Ming-Shing Chen 1 , 2 , Andreas Hlsing 3 , Joost Rijneveld 4 , Simona Samardjiska 5 , Peter Schwabe 4 National Taiwan University 1 / Academia Sinica 2 , Taipei, Taiwan Eindhoven

710 views • 44 slides
AUTO-ADAPTIVE WEB LAYOUT OF ACEMAP BASED ON MOBILE CLIENT With the growth of smart phone use,

AUTO-ADAPTIVE WEB LAYOUT OF ACEMAP BASED ON MOBILE CLIENT With the growth of smart phone use,

AUTO-ADAPTIVE WEB LAYOUT OF ACEMAP BASED ON MOBILE CLIENT With the growth of smart phone use, more and more web-based applications start to offer access from a mobile client, whether it is a browser or a native application. Front-end

470 views • 18 slides
Content Server Caching Network Client Web Server Browser Avoid Network Latency Avoid Queuing

Content Server Caching Network Client Web Server Browser Avoid Network Latency Avoid Queuing

Content Server Caching Network Client Web Server Browser Avoid Network Latency Avoid Queuing Delays at Server Cache Content Locally at client Updates? Cache Content at proxies Proxy Server Client Proxy Server Content Server Proxy

781 views • 14 slides

More recommend