Thesis Details
Fingerprinting and Identification of TLS Connections
TLS is the most popular encryption protocol used on the internet today. It aims to provide high levels of security and privacy for inter-device communication. However, it presents a challenge from a network monitoring and administration standpoint, as it is not possible to analyse the communication encrypted with TLS at a large scale with existing methods based on deep packet inspection. Analysing encrypted communication can help administrators to detect malicious activity on their networks, and can help them identify potential security threats. In this work, I present a method that allows us to leverage the advantages of two TLS fingerprinting methods, JA3 and Cisco Mercury, to determine the operating system and processes of clients on a computer network. The proposed method is able to achieve comparable or better results than the existing Mercury approach for selected datasets whilst providing more analysis opportunities than JA3. A software implementation of the proposed fingerprinting approach is created as an analysis module for the NEMEA framework.
TLS, Fingerprint, JA3, Cisco, Mercury, NEMEA, Process, Operating, System, Classification, Module
Hliněná Dana, doc. RNDr., Ph.D. (DMAT FEEC BUT), člen
Kořenek Jan, doc. Ing., Ph.D. (DCSY FIT BUT), člen
Křena Bohuslav, Ing., Ph.D. (DITS FIT BUT), člen
Szőke Igor, Ing., Ph.D. (DCGM FIT BUT), člen
@bachelorsthesis{FITBT23922,
author = "Luk\'{a}\v{s} Hejcman",
type = "Bachelor's thesis",
title = "Fingerprinting and Identification of TLS Connections",
school = "Brno University of Technology, Faculty of Information Technology",
year = 2021,
location = "Brno, CZ",
language = "english",
url = "https://www.fit.vut.cz/study/thesis/23922/"
}