network based https client identification using ssl tls
play

NETWORK-BASED HTTPS CLIENT IDENTIFICATION USING SSL/TLS - PowerPoint PPT Presentation

NETWORK-BASED HTTPS CLIENT IDENTIFICATION USING SSL/TLS FINGERPRINTING Monday 24 th August, 2015 Martin Husk Milan ermk Tom Jirsk Pavel eleda Introduction Rising popularity of encrypted traffic secures the transmission, but


  1. NETWORK-BASED HTTPS CLIENT IDENTIFICATION USING SSL/TLS FINGERPRINTING Monday 24 th August, 2015 Martin Husák Milan Čermák Tomáš Jirsík Pavel Čeleda

  2. Introduction Rising popularity of encrypted traffic secures the transmission, but also prevents legitimate monitoring and classification. Lot of work has been done on HTTP traffic identification and classification, but it is useless when dealing with HTTPS. The adversaries may evade disclosure by hiding malicious behavior in encrypted connections. Is there anything we can do to analyse encrypted traffic while preserving privacy of communication? For example, User-Agent is used often for analyses. Do we have anything similar in HTTPS? HTTPS Client Identification Page 2 / 18

  3. Motivation I What can we tell about clients accessing an HTTPS server without access to system logs on the machine? HTTPS Client Identification Page 3 / 18

  4. Motivation II What about clients behind NAT? Can we enumerate them and estimate their types? HTTPS Client Identification Page 4 / 18

  5. Hypothesis It is possible to estimate a User-Agent of a client in HTTPS communication knowing only the parameters of SSL/TLS handshake . HTTPS Client Identification Page 5 / 18

  6. SSL/TLS Traffic Measurement HTTPS Client Identification Page 6 / 18

  7. SSL/TLS Traffic Measurement ClientHello Protocol version, cipher suite list , extensions. Cipher suite list is the most variable SSL/TLS handshake parameter. HTTPS Client Identification Page 7 / 18

  8. Research Questions Question I. Which parameters of a SSL/TLS handshake can be used for client identification? Question II. How can we build a dictionary of SSL/TLS handshakes and HTTP User-Agents? Question III. How large does the dictionary need to be to cover a significant portion of network traffic? HTTPS Client Identification Page 8 / 18

  9. Experiment design HTTPS Client Identification Page 9 / 18

  10. Pairing Ciper Suite Lists and User-Agents Host-based method Proposed earlier by Ristić et al. The results are exact, but it is difficult to obtain large dictionary. Limited to a single host (web server). Limited set of client types that can be observed. HTTPS Client Identification Page 10 / 18

  11. Pairing Ciper Suite Lists and User-Agents Network-based method Clients commonly communicate via both HTTP and HTTPS. HTTP and HTTPS connections with the same source IP address are selected. Cipher suite list from the HTTPS connection is paired to the User-Agent from the HTTP connection that is the closest in time. Not limited to a single host. Can detect any client type. Better re fl ects the structure of live network tra ffi c. HTTPS Client Identi fi cation Page 11 / 18

  12. Experiment Results I Over 85 million HTTPS connection were processed during a week in our campus network. 307 pairs (72 unique cipher suite lists) were collected using host-based method on a single host. 12,832 pairs (305 unique cipher suite lists) were collected using network-based method in our campus network. The final dictionary is a union of the two (316 unique cipher suite lists). We were able to assign a User-Agent to 99.6 % of HTTPS connections. 57 % of connections used TLS 1.2, 40 % used TLS 1.0. HTTPS Client Identification Page 12 / 18

  13. Experiment Results II 100% 90% 80% Portion of traffic 60% 40% 20% 0% 0 10 20 40 60 80 100 120 140 Top X cipher suite lists HTTPS Client Identification Page 13 / 18

  14. Experiment Results III 800 100% Cumulative portion of traffic identified 700 80% Number of unique pairs 600 500 60% 400 40% 300 200 20% Portion of traffic identified 100 Number of unique pairs 0 0% 0 1 2 3 4 5 6 7 8 9 10 ALL Number of User-Agents per cipher suite list HTTPS Client Identification Page 14 / 18

  15. Client Types in Dictionary other unknown: unknown desktop: application unknown: update 8.3% unknown: command line 11.6% unknown: browser unknown: crawler unknown: application 8.7% desktop: browser 35.3% 10.5% mobile: unknown 9% mobile: browser 6.5% desktop: update mobile: application desktop: unknown HTTPS Client Identification Page 15 / 18

  16. Client Types in Network Traffic unknown: unknown other desktop: application unknown: command line unknown: browser 20% unknown: application desktop: browser 13% mobile: browser 59.9% mobile: crawler mobile: application desktop: command line HTTPS Client Identification Page 16 / 18

  17. Conclusion Parameters of SSL/TLS handshake can be used for identification of clients in HTTPS communication. Cipher suite lists in SSL/TLS corresponds to HTTP User-Agents. Novel network-based of pairing cipher suite lists and User-Agents was proposed. The approach was tested in live network environment. Type of client can be estimated, while the privacy of communication is preserved. HTTPS Client Identification Page 17 / 18

  18. THANK YOU FOR YOUR ATTENTION! Martin Husák muni.cz/csirt @csirtmu husakm@ics.muni.cz

Recommend


More recommend