JAPPI: An unsupervised endpoint application identification methodology for improved Zero Trust models, risk score calculations and threat detection - UTU Research Portal

A1 Refereed original research article in a scientific journal

JAPPI: An unsupervised endpoint application identification methodology for improved Zero Trust models, risk score calculations and threat detection

Authors: Heino, Jenny; Jalio, Christian; Hakkala, Antti; Virtanen, Seppo

Publisher: Elsevier

Publication year: 2024

Journal: Computer Networks

Journal name in source: Computer Networks

Article number: 110606

Volume: 250

ISSN: 1389-1286

DOI: https://doi.org/10.1016/j.comnet.2024.110606

Web address : https://doi.org/10.1016/j.comnet.2024.110606

Self-archived copy’s web address: https://research.utu.fi/converis/portal/detail/Publication/456974115

Abstract

The surge in global digitalization triggered by COVID-19 has led to a significant increase in internet traffic and has precipitated a rapid transformation of the network security landscape. Despite being increasingly difficult, accurate traffic inspection is vital for ensuring productivity while reliably protecting internal assets. Endpoint application identification enables high accuracy inspection and detection by providing network security solutions with specific context on individual connections. However, achieving it in real-time with standard fingerprinting methods based only on client-side traffic has proven to be a challenging problem with no comprehensive solution thus far. In this article, we present a new methodology for identifying endpoint applications from network traffic, utilising machine learning. Our methodology leverages similarities in the pre-hash string of the JA3 algorithm for fingerprinting application specific TLS Client Hello messages. By utilising well-known clustering algorithms it is possible to identify the underlying TLS libraries and the application from the traffic remarkably better than with simple string-based matching. Our model can categorize 99,5% of the traffic in a controlled network, and 93,8% in an uncontrolled network, compared to 0,1% and 0,2% using simple string matching. Our methodology is especially effective for enhancing Zero Trust models, calculating a risk score for network events, and improving threat detection accuracy in network security solutions.

Downloadable publication

This is an electronic reprint of the original article.
This reprint may differ from the original in pagination and typographic detail. Please cite the original version.

1-s2.0-S1389128624004389-main.pdf