LS - JA3 Client Fingerprinting Comparisons for Applications running on Windows, Linux and Android Operating Systems
Gupta, Ayush (2022-05-04)
LS - JA3 Client Fingerprinting Comparisons for Applications running on Windows, Linux and Android Operating Systems
(04.05.2022)
Julkaisu on tekijänoikeussäännösten alainen. Teosta voi lukea ja tulostaa henkilökohtaista käyttöä varten. Käyttö kaupallisiin tarkoituksiin on kielletty.
suljettu
Julkaisun pysyvä osoite on:
https://urn.fi/URN:NBN:fi-fe2022070150838
https://urn.fi/URN:NBN:fi-fe2022070150838
Tiivistelmä
TLS fingerprinting has evolved in response to growing cybersecurity concerns. The need for a mechanism that can detect malicious activity in the encrypted traffic during communication between server and client without decryption has led to the development of the JA3 methodology. Various studies have endeavored to analyze network traffic using various statistical, mathematical, and intelligent computing techniques. The uniqueness of this research is that it attempts to examine the uniqueness of the fingerprints produced by a client on Android, Windows, and Linux operating systems and conducts cross-comparisons of their characteristics.
The questions that are answered in the study are:
(a) What is the most likely list of fingerprints that a client could make?
(b) Do different clients generate similar fingerprints on the same operating system?
(c) Whether or not different clients produce similar fingerprints on different operating systems.
(d) For a given client, does the Ja3 generate the same or different fingerprint on different operating systems?
Different methodologies have been deployed to extract and analyze the data produced on the selected operating systems. This study focuses on the TLS fingerprinting of client hello packets generated by different clients from the selected OS. Analysis of the results reveals that JA3 obtained from various applications for different operating systems exhibits differing features. Some applications produce unique fingerprints, while some produce common hashes for a particular operating system. Web browsers like Chrome, Mozilla Firefox, and Edge produce a large number of hashes per OS. Some applications, like Teams and Skype, were found to have common hashes. For some applications, like Telegram, no hashes were produced.
When the JA3 is applied to the firewall to be used with end-point detection, unique JA3 fingerprints can be used to identify the application, while common or similar hashes can be used to predict the application type.
The questions that are answered in the study are:
(a) What is the most likely list of fingerprints that a client could make?
(b) Do different clients generate similar fingerprints on the same operating system?
(c) Whether or not different clients produce similar fingerprints on different operating systems.
(d) For a given client, does the Ja3 generate the same or different fingerprint on different operating systems?
Different methodologies have been deployed to extract and analyze the data produced on the selected operating systems. This study focuses on the TLS fingerprinting of client hello packets generated by different clients from the selected OS. Analysis of the results reveals that JA3 obtained from various applications for different operating systems exhibits differing features. Some applications produce unique fingerprints, while some produce common hashes for a particular operating system. Web browsers like Chrome, Mozilla Firefox, and Edge produce a large number of hashes per OS. Some applications, like Teams and Skype, were found to have common hashes. For some applications, like Telegram, no hashes were produced.
When the JA3 is applied to the firewall to be used with end-point detection, unique JA3 fingerprints can be used to identify the application, while common or similar hashes can be used to predict the application type.