SLIDE 1

NETWORK-BASED HTTPS CLIENT IDENTIFICATION USING SSL/TLS FINGERPRINTING

Monday 24th August, 2015

Martin Husák

Milan Čermák, Tomáš Jirsík, Pavel Čeleda

SLIDE 2

Introduction

  • The rising popularity of encrypted traffic secures the transmission, but also prevents legitimate monitoring and classification.
  • A lot of work has been done on HTTP traffic identification and classification, but it is useless when dealing with HTTPS.
  • Adversaries may evade disclosure by hiding malicious behavior in encrypted connections.
  • Is there anything we can do to analyse encrypted traffic while preserving the privacy of communication?
  • For example, the User-Agent is often used for analyses. Do we have anything similar in HTTPS?

HTTPS Client Identification Page 2 / 18

SLIDE 3

Motivation I

What can we tell about clients accessing an HTTPS server without access to system logs on the machine?

SLIDE 4

Motivation II

What about clients behind NAT? Can we enumerate them and estimate their types?

SLIDE 5

Hypothesis

It is possible to estimate the User-Agent of a client in HTTPS communication knowing only the parameters of the SSL/TLS handshake.

SLIDE 6

SSL/TLS Traffic Measurement

SLIDE 7

SSL/TLS Traffic Measurement

ClientHello

  • Protocol version, cipher suite list, extensions.
  • Cipher suite list is the most variable SSL/TLS handshake parameter.
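An added example, not code from the presentation: a minimal Python parser that extracts the three ClientHello parameters named above (protocol version, cipher suite list, extension types) from one TLS record. It assumes the ClientHello fits in a single unfragmented record; `Reader`, `parse_client_hello` and `sample_record` are hypothetical names, and the sample record is constructed.

```python
import struct

class Reader:  # cursor over bytes that refuses to read past the end
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def vec(self, len_bytes):  # length-prefixed vector, as used throughout TLS
        return self.take(int.from_bytes(self.take(len_bytes), "big"))

def parse_client_hello(record):
    """Return (client_version, cipher suite ids, extension type ids)."""
    rec = Reader(record)
    if rec.take(1) != b"\x16":            # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec.take(2)                           # record-layer version, not the offered one
    msg = Reader(rec.vec(2))
    if msg.take(1) != b"\x01":            # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hello = Reader(msg.vec(3))
    version = struct.unpack("!H", hello.take(2))[0]
    hello.take(32)                        # random
    hello.vec(1)                          # session id
    raw = hello.vec(2)
    if len(raw) % 2:
        raise ValueError("odd-length cipher suite vector")
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]
    hello.vec(1)                          # compression methods
    extensions = []
    if hello.pos < len(hello.data):       # the extensions block is optional
        ext = Reader(hello.vec(2))
        while ext.pos < len(ext.data):
            extensions.append(int.from_bytes(ext.take(2), "big"))
            ext.vec(2)                    # skip the extension body
    return version, suites, extensions

def sample_record(suites, ext_types):
    """Constructed ClientHello (zero random, empty extension bodies) for the demo."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    ext = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    msg = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(msg)) + msg
```

The order of the returned cipher suite ids is preserved, since two clients offering the same suites in a different order produce different lists.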

SLIDE 8

Research Questions

Question I.

Which parameters of an SSL/TLS handshake can be used for client identification?

Question II.

How can we build a dictionary of SSL/TLS handshakes and HTTP User-Agents?

Question III.

How large does the dictionary need to be to cover a significant portion of network traffic?

SLIDE 9

Experiment design

SLIDE 10

Pairing Cipher Suite Lists and User-Agents

Host-based method

  • Proposed earlier by Ristić et al.
  • The results are exact, but it is difficult to obtain a large dictionary.
  • Limited to a single host (web server).
  • Limited set of client types that can be observed.

SLIDE 11

Pairing Cipher Suite Lists and User-Agents

Network-based method

  • Clients commonly communicate via both HTTP and HTTPS.
  • HTTP and HTTPS connections with the same source IP address are selected.
  • The cipher suite list from the HTTPS connection is paired to the User-Agent from the HTTP connection that is the closest in time.
  • Not limited to a single host.
  • Can detect any client type.
  • Better reflects the structure of live network traffic.
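An added example, not code from the presentation: the network-based pairing written out in Python over constructed flow records, followed by a dictionary lookup. The record layout, the function names and the `max_gap` cut-off are assumptions made for the example; the slides only say that the HTTP connection closest in time is used.

```python
from bisect import bisect_left
from collections import Counter, defaultdict

def build_dictionary(http_flows, https_flows, max_gap=60.0):
    """Map each cipher suite list to a Counter of the User-Agents paired with it.

    http_flows:  (src_ip, timestamp, user_agent)
    https_flows: (src_ip, timestamp, cipher_suite_list)
    max_gap is an added assumption: pairs further apart in time are discarded.
    """
    by_ip = defaultdict(list)
    for ip, ts, ua in http_flows:
        by_ip[ip].append((ts, ua))
    for flows in by_ip.values():
        flows.sort()
    dictionary = defaultdict(Counter)
    for ip, ts, suites in https_flows:
        flows = by_ip.get(ip)
        if not flows:
            continue                       # no HTTP from this address, nothing to pair
        i = bisect_left(flows, (ts,))      # first HTTP flow at or after ts
        nearest = min(flows[max(i - 1, 0):i + 1], key=lambda f: abs(f[0] - ts))
        if abs(nearest[0] - ts) <= max_gap:
            dictionary[tuple(suites)][nearest[1]] += 1   # order of suites is kept
    return dictionary

def estimate_user_agent(dictionary, suites):
    """Most frequently paired User-Agent for this cipher suite list, or None."""
    counts = dictionary.get(tuple(suites))
    return counts.most_common(1)[0][0] if counts else None

# Constructed sample flows (addresses, times and User-Agent strings are made up).
LIST_A = (0xC02B, 0xC02F, 0x009C, 0x002F)
LIST_B = (0xC02F, 0x009C, 0x002F)
LIST_C = (0x002F, 0x0035)
HTTP_FLOWS = [
    ("10.0.0.5", 100.0, "ExampleBrowser/40.0"),
    ("10.0.0.5", 400.0, "example-cli/7.43"),
    ("10.0.0.9", 120.0, "ExampleBrowser/44.0"),
]
HTTPS_FLOWS = [
    ("10.0.0.5", 103.0, LIST_A),   # 3 s from ExampleBrowser/40.0
    ("10.0.0.5", 395.0, LIST_B),   # 5 s from example-cli/7.43
    ("10.0.0.9", 900.0, LIST_C),   # 780 s from any HTTP flow: dropped
    ("10.0.0.7", 50.0, LIST_C),    # no HTTP flow from this address
]
DICTIONARY = build_dictionary(HTTP_FLOWS, HTTPS_FLOWS)
```

When several clients share one source address (the NAT case from the motivation slides), the nearest HTTP flow may belong to a different client, which is why the dictionary keeps counts per User-Agent instead of a single value.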

SLIDE 12

Experiment Results I

  • Over 85 million HTTPS connections were processed during a week in our campus network.
  • 307 pairs (72 unique cipher suite lists) were collected using the host-based method on a single host.
  • 12,832 pairs (305 unique cipher suite lists) were collected using the network-based method in our campus network.
  • The final dictionary is a union of the two (316 unique cipher suite lists).
  • We were able to assign a User-Agent to 99.6 % of HTTPS connections.
  • 57 % of connections used TLS 1.2, 40 % used TLS 1.0.

SLIDE 13

Experiment Results II

[Figure: portion of traffic (y-axis, 0% to 100%) against the top X cipher suite lists (x-axis, 10 to 140).]

SLIDE 14

Experiment Results III

[Figure: number of unique pairs (100 to 800), portion of traffic identified and cumulative portion of traffic identified (0% to 100%), by number of User-Agents per cipher suite list (1 to 10, ALL).]

SLIDE 15

Client Types in Dictionary

[Figure: pie chart of client types in the dictionary. Legend: desktop: application; desktop: browser; desktop: update; desktop: unknown; mobile: application; mobile: browser; mobile: unknown; unknown: application; unknown: crawler; unknown: browser; unknown: command line; unknown: update; unknown: unknown; other. Slice labels: 8.3%, 35.3%, 11.6%, 8.7%, 10.5%, 9%, 6.5%.]

SLIDE 16

Client Types in Network Traffic

[Figure: pie chart of client types in network traffic. Legend: desktop: application; desktop: browser; desktop: command line; mobile: application; mobile: browser; mobile: crawler; unknown: application; unknown: browser; unknown: command line; unknown: unknown; other. Slice labels: 20%, 13%, 59.9%.]

SLIDE 17

Conclusion

  • Parameters of the SSL/TLS handshake can be used for identification of clients in HTTPS communication.
  • Cipher suite lists in SSL/TLS correspond to HTTP User-Agents.
  • A novel network-based method of pairing cipher suite lists and User-Agents was proposed.
  • The approach was tested in a live network environment.
  • The type of client can be estimated, while the privacy of communication is preserved.

SLIDE 18

THANK YOU FOR YOUR ATTENTION!

muni.cz/csirt

Martin Husák

@csirtmu husakm@ics.muni.cz