Categorizing TLS traffic based on JA3 pre-hash values

Heino Jenny; Hakkala Antti; Virtanen Seppo
Categorizing TLS traffic based on JA3 pre-hash values

Heino Jenny
Hakkala Antti
Virtanen Seppo
Katso/Avaa
Lataukset: 

doi:10.1016/j.procs.2023.03.015
URI
https://doi.org/10.1016/j.procs.2023.03.015
Näytä kaikki kuvailutiedot
Julkaisun pysyvä osoite on:
https://urn.fi/URN:NBN:fi-fe2023042037766
Tiivistelmä

The JA3 algorithm for fingerprinting TLS client traffic has become a popular additional tool in the tool set of network security professionals. The pre-hash value of the JA3 fingerprint lists parameter values from the TLS handshake supported by the TLS client. In this paper we present two different machine learning methods for identifying the endpoint application from TLS traffic based on the JA3 pre-hash string. Both methods were able to identify applications from Mozilla in our sample set, but had more variation with other applications. The methods can be used for improving network security accuracy.

Kokoelmat