The encryption of network traffic complicates legitimate network monitoring, traffic analysis, and network forensics. In this paper, we present real-time lightweight identification of HTTPS clients based on network monitoring and SSL/TLS fingerprinting. Our experiment shows that it is possible to estimate the User-Agent of a client in HTTPS communication via the analysis of the SSL/TLS handshake. The fingerprints of SSL/TLS handshakes, including a list of supported cipher suites, differ among clients and correlate to User-Agent values from an HTTP header. We built up a dictionary of SSL/TLS cipher suite lists and HTTP User-Agents and assigned the User-Agents to the observed SSL/TLS connections to identify communicating clients. The dictionary was used to classify live HTTPS network traffic. We were able to retrieve client types from 95.4 % of HTTPS network traffic. Further, we discussed host-based and network-based methods of dictionary retrieval and estimated the quality of the data.
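
The dictionary lookup described above, as an added example that is not code from the paper: it extracts the cipher suite list from a ClientHello record and maps it to a User-Agent label. The dictionary entries, labels and sample handshakes are constructed, and the example assumes the ordered cipher suite list alone is the key and that the ClientHello fits in a single TLS record.

```python
# Added example, not code from the paper. Dictionary entries, labels and
# sample handshakes are constructed for illustration.

def cipher_suite_list(record: bytes) -> tuple:
    """Extract the ordered cipher suite list from a TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:           # 0x16: handshake record
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(body) < 4 or body[0] != 0x01:               # 0x01: ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 35 + hello[34]            # skip version (2), random (32), session_id
    n = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + n]
    if n == 0 or n % 2 or len(raw) != n:
        raise ValueError("bad cipher suite list")
    return tuple(int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2))

def classify(record: bytes, dictionary: dict) -> str:
    """Map a handshake to a User-Agent label via its cipher suite list."""
    try:
        return dictionary.get(cipher_suite_list(record), "unknown")
    except ValueError:
        return "unparsed"

def build_client_hello(suites) -> bytes:
    """Constructed sample input: minimal ClientHello record, no extensions."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, sid
             + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")  # null compression
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed dictionary: ordered cipher suite list -> User-Agent label.
DICTIONARY = {
    (0xC02B, 0xC02F, 0x009C, 0x002F): "browser-A (constructed)",
    (0xC02F, 0x0035, 0x000A): "script-client-B (constructed)",
}

if __name__ == "__main__":
    for suites in [(0xC02B, 0xC02F, 0x009C, 0x002F), (0x002F, 0x009C, 0xC02F, 0xC02B)]:
        print(suites, "->", classify(build_client_hello(suites), DICTIONARY))
```

The second sample offers the same suites in a different order and falls through to "unknown", which shows why the order of the list is part of the fingerprint in this sketch.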