References & Citations
Computer Science > Networking and Internet Architecture
Title: Active TLS Stack Fingerprinting: Characterizing TLS Server Deployments at Scale
(Submitted on 27 Jun 2022 (v1), last revised 30 Aug 2023 (this version, v3))
Abstract: Active measurements can be used to collect server characteristics on a large scale. This kind of metadata can help discovering hidden relations and commonalities among server deployments offering new possibilities to cluster and classify them. As an example, identifying a previously-unknown cybercriminal infrastructures can be a valuable source for cyber-threat intelligence. We propose herein an active measurement-based methodology for acquiring Transport Layer Security (TLS) metadata from servers and leverage it for their fingerprinting. Our fingerprints capture the characteristic behavior of the TLS stack primarily caused by the implementation, configuration, and hardware support of the underlying server. Using an empirical optimization strategy that maximizes information gain from every handshake to minimize measurement costs, we generated 10 general-purpose Client Hellos used as scanning probes to create a large database of TLS configurations used for classifying servers. We fingerprinted 28 million servers from the Alexa and Majestic toplists and two Command and Control (C2) blocklists over a period of 30 weeks with weekly snapshots as foundation for two long-term case studies: classification of Content Delivery Network and C2 servers. The proposed methodology shows a precision of more than 99 % and enables a stable identification of new servers over time. This study describes a new opportunity for active measurements to provide valuable insights into the Internet that can be used in security-relevant use cases.
Submission history
From: Markus Sosnowski [view email][v1] Mon, 27 Jun 2022 12:23:49 GMT (137kb,D)
[v2] Wed, 5 Apr 2023 08:44:06 GMT (195kb,D)
[v3] Wed, 30 Aug 2023 10:25:42 GMT (211kb,D)
Link back to: arXiv, form interface, contact.