EFACTLS: Effective Active TLS Fingerprinting for Large-Scale Server Deployment Characterization

Markus Sosnowski, Johannes Zirngibl, Patrick Sattler, Georg Carle, Claas Grohnfeldt, Michele Russo, Daniele Sgandurra

Research output: Contribution to journal › Article › peer-review

2 Scopus citations

Abstract

Active measurements allow the collection of server characteristics on a large scale that can aid in discovering hidden relations and commonalities among server deployments. Finding these relations opens up new possibilities for clustering and classifying server deployments; for example, identifying a previously unknown cybercriminal infrastructure can be valuable cyber-threat intelligence. In this work, we propose a methodology based on active measurements to acquire Transport Layer Security (TLS) metadata from servers and leverage it for fingerprinting. Our fingerprints capture characteristic behavior of the TLS stack, primarily influenced by the server's implementation, configuration, and hardware support. Using an empirical optimization strategy that maximizes information gained from every handshake to minimize measurement costs, we generated 10 general-purpose Client Hellos. They served as scanning probes to create an extensive database of TLS configurations to classify servers. We propose the Shannon Entropy to measure collected information and compare different approaches. This study fingerprinted 8 million servers from the Tranco top list and two Command and Control (C2) blocklists over 60 weeks with weekly snapshots. The resulting data formed the foundation for two long-term case studies: classification of Content Delivery Network and C2 servers. Moreover, the detection was fine-grained enough to detect C2 server families. The proposed methodology demonstrated a precision of 99% and enabled a stable identification of new servers over time. This study shows how active measurements can provide valuable security-relevant insights and improve our understanding of the Internet.
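The abstract describes choosing Client Hellos by the information each handshake adds, measured with Shannon entropy over the resulting fingerprints. The following added example (not code from the paper or its authors) shows that selection loop on a constructed table of per-probe fingerprints; the server names, probe names and fingerprint labels are hypothetical placeholders.

```python
from collections import Counter
from math import log2

# Constructed observations: server -> {client_hello_probe: fingerprint label}.
# Probe "ch_c" yields the same answer everywhere, so it carries no information.
OBSERVATIONS = {
    "srv1": {"ch_a": "A", "ch_b": "X", "ch_c": "Z"},
    "srv2": {"ch_a": "A", "ch_b": "Y", "ch_c": "Z"},
    "srv3": {"ch_a": "B", "ch_b": "X", "ch_c": "Z"},
    "srv4": {"ch_a": "B", "ch_b": "Y", "ch_c": "Z"},
    "srv5": {"ch_a": "C", "ch_b": "X", "ch_c": "Z"},
    "srv6": {"ch_a": "C", "ch_b": "Y", "ch_c": "Z"},
}


def entropy(labels):
    """Shannon entropy (bits) of the label distribution."""
    n = len(labels)
    if n == 0:
        return 0.0
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())


def probe_entropy(obs, probes):
    """Entropy of the combined fingerprint obtained from the given probes."""
    joint = [tuple(obs[s][p] for p in probes) for s in sorted(obs)]
    return entropy(joint)


def greedy_select(obs, budget):
    """Pick probes one at a time, each maximizing the joint entropy.

    Stops early when no remaining probe adds information, so a
    non-discriminating probe is never sent.
    """
    chosen = []
    remaining = sorted(next(iter(obs.values())))
    while remaining and len(chosen) < budget:
        best = max(remaining, key=lambda p: probe_entropy(obs, chosen + [p]))
        gain = probe_entropy(obs, chosen + [best]) - probe_entropy(obs, chosen)
        if gain <= 0:
            break
        chosen.append(best)
        remaining.remove(best)
    return chosen


if __name__ == "__main__":
    for p in ("ch_a", "ch_b", "ch_c"):
        print(p, round(probe_entropy(OBSERVATIONS, [p]), 3), "bits")
    print("selected:", greedy_select(OBSERVATIONS, budget=3))
```

With the constructed data, ch_a alone separates three groups (log2 3 bits), ch_a plus ch_b separates all six servers (log2 6 bits), and ch_c is skipped because it adds nothing.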

Original language: English
Pages (from-to): 2582-2595
Number of pages: 14
Journal: IEEE Transactions on Network and Service Management
Volume: 21
Issue number: 3
State: Published - 2024

Keywords

  • Active scanning
  • TLS
  • command and control servers
  • fingerprinting
  • server classification
