Categorizing TLS traffic based on JA3 pre-hash values - UTU Tutkimustietojärjestelmä

A4 Vertaisarvioitu artikkeli konferenssijulkaisussa

Categorizing TLS traffic based on JA3 pre-hash values

Tekijät: Heino Jenny, Hakkala Antti, Virtanen Seppo

Toimittaja: Shakshuki Elhadi

Konferenssin vakiintunut nimi: International Conference on Ambient Systems, Networks and Technologies Networks

Julkaisuvuosi: 2023

Journal: Procedia Computer Science

Kokoomateoksen nimi: The 14th International Conference on Ambient Systems, Networks and Technologies Networks (ANT 2022) and The 6th International Conference on Emerging Data and Industry 4.0 (EDI40)

Sarjan nimi: Procedia Computer Science

Vuosikerta: 220

Aloitussivu: 94

Lopetussivu: 101

eISSN: 1877-0509

DOI: https://doi.org/10.1016/j.procs.2023.03.015

Verkko-osoite: https://doi.org/10.1016/j.procs.2023.03.015

Rinnakkaistallenteen osoite: https://research.utu.fi/converis/portal/detail/Publication/179257961

Tiivistelmä

The JA3 algorithm for fingerprinting TLS client traffic has become a popular additional tool in the tool set of network security professionals. The pre-hash value of the JA3 fingerprint lists parameter values from the TLS handshake supported by the TLS client. In this paper we present two different machine learning methods for identifying the endpoint application from TLS traffic based on the JA3 pre-hash string. Both methods were able to identify applications from Mozilla in our sample set, but had more variation with other applications. The methods can be used for improving network security accuracy.

Ladattava julkaisu

This is an electronic reprint of the original article.
This reprint may differ from the original in pagination and typographic detail. Please cite the original version.

1-s2.0-S1877050923005501-main.pdf