NETWORK-BASEDHTTPSCLIENT IDENTIFICATIONUSINGSSL/TLS FINGERPRINTING · 2015-09-09 ·...
Transcript of NETWORK-BASEDHTTPSCLIENT IDENTIFICATIONUSINGSSL/TLS FINGERPRINTING · 2015-09-09 ·...
NETWORK-BASED HTTPS CLIENTIDENTIFICATION USING SSL/TLSFINGERPRINTINGMonday 24th August, 2015
Martin HusákMilan ČermákTomáš JirsíkPavel Čeleda
IntroductionRising popularity of encrypted traffic secures the transmission,but also prevents legitimate monitoring and classification.Lot of work has been done on HTTP traffic identification andclassification, but it is useless when dealing with HTTPS.The adversaries may evade disclosure by hiding maliciousbehavior in encrypted connections.Is there anything we can do to analyse encrypted traffic whilepreserving privacy of communication?For example, User-Agent is used often for analyses. Do we haveanything similar in HTTPS?
HTTPS Client IdentificationPage 2 / 18
Motivation IWhat can we tell about clients accessing an HTTPS server withoutaccess to system logs on the machine?
HTTPS Client IdentificationPage 3 / 18
Motivation IIWhat about clients behind NAT?Can we enumerate them and estimate their types?
HTTPS Client IdentificationPage 4 / 18
HypothesisIt is possible to estimate a User-Agent of a client in HTTPScommunication knowing only the parameters of SSL/TLShandshake.
HTTPS Client IdentificationPage 5 / 18
SSL/TLS Traffic Measurement
HTTPS Client IdentificationPage 6 / 18
SSL/TLS Traffic MeasurementClientHello
Protocol version,cipher suite list,extensions.
Cipher suite list is the most variable SSL/TLS handshake parameter.
HTTPS Client IdentificationPage 7 / 18
Research QuestionsQuestion I.Which parameters of a SSL/TLS handshake can be used for clientidentification?Question II.How can we build a dictionary of SSL/TLS handshakes and HTTPUser-Agents?Question III.How large does the dictionary need to be to cover a significantportion of network traffic?
HTTPS Client IdentificationPage 8 / 18
Experiment design
HTTPS Client IdentificationPage 9 / 18
Pairing Ciper Suite Lists and User-AgentsHost-based method
Proposed earlier by Ristić et al.The results are exact, but it is difficult to obtain large dictionary.Limited to a single host (web server).Limited set of client types that can be observed.
HTTPS Client IdentificationPage 10 / 18
Pairing Ciper Suite Lists and User-AgentsNetwork-based method
Clients commonly communicate via both HTTP and HTTPS.HTTP and HTTPS connections with the same source IP addressare selected.Cipher suite list from the HTTPS connection is paired to theUser-Agent from the HTTP connection that is the closest in time.Not limited to a single host.Can detect any client type.Better reflects the structure of live network traffic.
HTTPS Client IdentificationPage 11 / 18
Experiment Results IOver 85million HTTPS connection were processed during aweek in our campus network.307 pairs (72 unique cipher suite lists) were collected usinghost-based method on a single host.12,832 pairs (305 unique cipher suite lists) were collected usingnetwork-based method in our campus network.The final dictionary is a union of the two(316 unique cipher suite lists).We were able to assign a User-Agent to 99.6 % of HTTPSconnections.57 % of connections used TLS 1.2, 40 % used TLS 1.0.
HTTPS Client IdentificationPage 12 / 18
Experiment Results II
0%
20%
40%
60%
80%90%
100%
0 10 20 40 60 80 100 120 140
Port
ion o
f tr
affi
c
Top X cipher suite lists
HTTPS Client IdentificationPage 13 / 18
Experiment Results III
0
100
200
300
400
500
600
700
800
0 1 2 3 4 5 6 7 8 9 10 ALL0%
20%
40%
60%
80%
100%
Num
ber
of u
niqu
e pa
irs
Cum
ulat
ive
port
ion
of tr
affi
c id
entif
ied
Number of User-Agents per cipher suite list
Portion of traffic identified
Number of unique pairs
HTTPS Client IdentificationPage 14 / 18
Client Types in Dictionarydesktop: application
desktop: browser
desktop: update
desktop: unknownmobile: application
mobile: browser
mobile: unknown
unknown: application
unknown: crawlerunknown: browserunknown: command line
unknown: update
unknown: unknown
8.3%
35.3%
11.6%
8.7%
10.5%
9%
6.5%
other
HTTPS Client IdentificationPage 15 / 18
Client Types in Network Traffic
20%
13%59.9%
desktop: application
desktop: browser
desktop: command linemobile: application
mobile: browser
mobile: crawler
unknown: application
unknown: browser
unknown: command lineunknown: unknown other
HTTPS Client IdentificationPage 16 / 18
ConclusionParameters of SSL/TLS handshake can be used for identificationof clients in HTTPS communication.Cipher suite lists in SSL/TLS corresponds to HTTP User-Agents.Novel network-based of pairing cipher suite lists andUser-Agents was proposed.The approach was tested in live network environment.Type of client can be estimated, while the privacy ofcommunication is preserved.
HTTPS Client IdentificationPage 17 / 18
THANK YOU FOR YOUR ATTENTION!muni.cz/csirt Martin Husák@csirtmu [email protected]