Saved in:
Bibliographic Details
Main Authors: Valdez, Hector A., McPherson, Sean
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2405.07848
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866916244183056384
author Valdez, Hector A.
McPherson, Sean
author_facet Valdez, Hector A.
McPherson, Sean
contents We use positional-unigram byte models along with maximum likelihood for generalized TLS fingerprinting and empirically show that it is robust to cipher stunting. Our approach creates a set of positional-unigram byte models from client hello messages. Each positional-unigram byte model is a statistical model of TLS client hello traffic created by a client application or process. To fingerprint a TLS connection, we use its client hello, and compute the likelihood as a function of a statistical model. The statistical model that maximizes the likelihood function is the predicted client application for the given client hello. Our data driven approach does not use side-channel information and can be updated on-the-fly. We experimentally validate our method on an internal dataset and show that it is robust to cipher stunting by tracking an unbiased $f_{1}$ score as we synthetically increase randomization.
format Preprint
id arxiv_https___arxiv_org_abs_2405_07848
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Positional-Unigram Byte Models for Generalized TLS Fingerprinting
Valdez, Hector A.
McPherson, Sean
Cryptography and Security
We use positional-unigram byte models along with maximum likelihood for generalized TLS fingerprinting and empirically show that it is robust to cipher stunting. Our approach creates a set of positional-unigram byte models from client hello messages. Each positional-unigram byte model is a statistical model of TLS client hello traffic created by a client application or process. To fingerprint a TLS connection, we use its client hello, and compute the likelihood as a function of a statistical model. The statistical model that maximizes the likelihood function is the predicted client application for the given client hello. Our data driven approach does not use side-channel information and can be updated on-the-fly. We experimentally validate our method on an internal dataset and show that it is robust to cipher stunting by tracking an unbiased $f_{1}$ score as we synthetically increase randomization.
title Positional-Unigram Byte Models for Generalized TLS Fingerprinting
topic Cryptography and Security
url https://arxiv.org/abs/2405.07848