JAPPI: An unsupervised endpoint application identification methodology for improved Zero Trust models, risk score calculations and threat detection

Abstract

The surge in global digitalization triggered by COVID-19 has led to a significant increase in internet traffic and has precipitated a rapid transformation of the network security landscape. Despite being increasingly difficult, accurate traffic inspection is vital for ensuring productivity while reliably protecting internal assets. Endpoint application identification enables high accuracy inspection and detection by providing network security solutions with specific context on individual connections. However, achieving it in real-time with standard fingerprinting methods based only on client-side traffic has proven to be a challenging problem with no comprehensive solution thus far. In this article, we present a new methodology for identifying endpoint applications from network traffic, utilising machine learning. Our methodology leverages similarities in the pre-hash string of the JA3 algorithm for fingerprinting application specific TLS Client Hello messages. By utilising well-known clustering algorithms it is possible to identify the underlying TLS libraries and the application from the traffic remarkably better than with simple string-based matching. Our model can categorize 99,5% of the traffic in a controlled network, and 93,8% in an uncontrolled network, compared to 0,1% and 0,2% using simple string matching. Our methodology is especially effective for enhancing Zero Trust models, calculating a risk score for network events, and improving threat detection accuracy in network security solutions.