DissecTLS: A Scalable Active Scanner for TLS Server Configurations, Capabilities, and TLS Fingerprinting

Authors:

Markus Sosnowski, Johannes Zirngibl, Patrick Sattler, Georg Carle

Abstract

Collecting metadata from Transport Layer Security (TLS) servers on a large scale allows one to draw conclusions about their capabilities and configuration. This not only provides insights into the Internet but also enables use cases like detecting malicious Command and Control (C&C) servers. However, active scanners can only observe and interpret the behavior of TLS servers; the underlying configuration and implementation causing that behavior remain hidden. Existing approaches are caught between resource-intensive scans that can reconstruct this data and light-weight fingerprinting approaches that aim to differentiate servers without making any assumptions about their inner workings. With this work we propose DissecTLS, an active TLS scanner that is both light-weight enough to be used for Internet measurements and able to reconstruct the configuration and capabilities of the TLS stack. This was achieved by modeling the parameters of the TLS stack and deriving an active scan that dynamically creates scanning probes based on the model and the previous responses from the server. We provide a comparison of five active TLS scanning and fingerprinting approaches in a local testbed and on toplist targets. We conducted a measurement study over nine weeks to fingerprint C&C servers and analyzed popular and deprecated TLS parameter usage. Similar to related work, the fingerprinting achieved a maximum precision of 99 % for a conservative detection threshold of 100 %; at the same time, we improved the recall by a factor of 2.8.

Publisher

Springer Nature Switzerland


Cited by 5 articles

1. EFACTLS: Effective Active TLS Fingerprinting for Large-Scale Server Deployment Characterization. IEEE Transactions on Network and Service Management, 2024-06

2. Propagating Threat Scores with a TLS Ecosystem Graph Model Derived by Active Measurements. 2024 8th Network Traffic Measurement and Analysis Conference (TMA), 2024-05-21

3. Fingerprinting the Shadows: Unmasking Malicious Servers with Machine Learning-Powered TLS Analysis. Proceedings of the ACM Web Conference 2024, 2024-05-13

4. QUIC Hunter: Finding QUIC Deployments and Identifying Server Libraries Across the Internet. Lecture Notes in Computer Science, 2024

5. Pump Up the JARM: Studying the Evolution of Botnets Using Active TLS Fingerprinting. 2023 IEEE Symposium on Computers and Communications (ISCC), 2023-07-09
