JAPPI: An unsupervised endpoint application identification methodology for improved Zero Trust models, risk score calculations and threat detection - UTU Tutkimustietojärjestelmä

A1 Vertaisarvioitu alkuperäisartikkeli tieteellisessä lehdessä

JAPPI: An unsupervised endpoint application identification methodology for improved Zero Trust models, risk score calculations and threat detection

Tekijät: Heino, Jenny; Jalio, Christian; Hakkala, Antti; Virtanen, Seppo

Kustantaja: Elsevier

Julkaisuvuosi: 2024

Journal: Computer Networks

Tietokannassa oleva lehden nimi: Computer Networks

Artikkelin numero: 110606

Vuosikerta: 250

ISSN: 1389-1286

DOI: https://doi.org/10.1016/j.comnet.2024.110606

Verkko-osoite: https://doi.org/10.1016/j.comnet.2024.110606

Rinnakkaistallenteen osoite: https://research.utu.fi/converis/portal/detail/Publication/456974115

Tiivistelmä

The surge in global digitalization triggered by COVID-19 has led to a significant increase in internet traffic and has precipitated a rapid transformation of the network security landscape. Despite being increasingly difficult, accurate traffic inspection is vital for ensuring productivity while reliably protecting internal assets. Endpoint application identification enables high accuracy inspection and detection by providing network security solutions with specific context on individual connections. However, achieving it in real-time with standard fingerprinting methods based only on client-side traffic has proven to be a challenging problem with no comprehensive solution thus far. In this article, we present a new methodology for identifying endpoint applications from network traffic, utilising machine learning. Our methodology leverages similarities in the pre-hash string of the JA3 algorithm for fingerprinting application specific TLS Client Hello messages. By utilising well-known clustering algorithms it is possible to identify the underlying TLS libraries and the application from the traffic remarkably better than with simple string-based matching. Our model can categorize 99,5% of the traffic in a controlled network, and 93,8% in an uncontrolled network, compared to 0,1% and 0,2% using simple string matching. Our methodology is especially effective for enhancing Zero Trust models, calculating a risk score for network events, and improving threat detection accuracy in network security solutions.

Ladattava julkaisu

This is an electronic reprint of the original article.
This reprint may differ from the original in pagination and typographic detail. Please cite the original version.

1-s2.0-S1389128624004389-main.pdf