Add some heuristics to detect encrypted/obfuscated/proxied TLS flows #2553

Merged: IvanNardi merged 1 commit into ntop:dev from IvanNardi:tls_flights_heuristic on Sep 24, 2024
Conversation

@IvanNardi (Collaborator)
Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with
Encapsulated TLS Handshakes".
See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting

Basic idea:

  • the packets/bytes distribution of a TLS handshake is quite unique
  • this fingerprint is still detectable if the handshake is
    encrypted/proxied/obfuscated

All heuristics are disabled by default.
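
An added illustration of the "basic idea" above, written for this page and not taken from nDPI or from the paper: it groups a flow's payload-carrying packets into direction flights and looks for the ClientHello / ServerHello+certificate / client-Finished size shape, which still shows up when the handshake is carried inside an already established TLS session or behind an obfuscation layer. The byte thresholds, the assumed 21-byte per-record tunnel overhead and the traces are all constructed assumptions.

```python
from typing import List, Tuple

Packet = Tuple[str, int]  # (direction, TCP payload bytes): 'C' client->server, 'S' server->client
Flight = Tuple[str, int]  # (direction, bytes in one run of same-direction packets)

# Assumed byte bounds for a full, non-resumed handshake; illustration values, not nDPI's.
CH_MIN, CH_MAX = 150, 1200  # ClientHello flight
SH_MIN = 1000               # ServerHello + certificate (or encrypted extensions) flight
FIN_MAX = 500               # client's key exchange / Finished flight

def flights(packets: List[Packet]) -> List[Flight]:
    """Merge consecutive same-direction payload-carrying packets into flights."""
    out: List[Flight] = []
    for d, n in packets:
        if n == 0:  # bare ACKs do not change the byte distribution
            continue
        if out and out[-1][0] == d:
            out[-1] = (d, out[-1][1] + n)
        else:
            out.append((d, n))
    return out

def handshake_shapes(packets: List[Packet]) -> List[int]:
    """Flight indexes where a C/S/C triple with handshake-like sizes starts (non-overlapping)."""
    f, hits, i = flights(packets), [], 0
    while i + 2 < len(f):
        (d1, b1), (d2, b2), (d3, b3) = f[i], f[i + 1], f[i + 2]
        if (d1, d2, d3) == ("C", "S", "C") and CH_MIN <= b1 <= CH_MAX and b2 >= SH_MIN and b3 <= FIN_MAX:
            hits.append(i)
            i += 3
        else:
            i += 1
    return hits

def classify(packets: List[Packet], outer_is_tls: bool) -> str:
    """Turn shape hits into a verdict; outer_is_tls says whether a TLS record layer was seen in the clear."""
    hits = handshake_shapes(packets)
    if outer_is_tls and len(hits) >= 2:
        return "tls-in-tls"      # a second handshake shape inside an already established session
    if not outer_is_tls and hits[:1] == [0]:
        return "obfuscated-tls"  # handshake shape, but no TLS record layer visible
    return "plain-tls" if hits else "no-handshake-shape"

# Constructed traces (not captures); sizes are typical-looking but made up for the example.
PLAIN_TLS = [("C", 517), ("S", 0), ("S", 1460), ("S", 1460), ("S", 900), ("C", 0), ("C", 126), ("S", 250)]
# Same handshake inside an established TLS session: each inner record grows by an assumed 21 bytes
# (5-byte outer record header + 16-byte AEAD tag), but the flight shape survives.
TUNNELED = PLAIN_TLS + [("C", 538), ("S", 1460), ("S", 1460), ("S", 921), ("C", 147), ("S", 271)]
OBFUSCATED = [("C", 557), ("S", 1460), ("S", 1460), ("S", 940), ("C", 166), ("S", 290)]  # no record layer
HTTP_LIKE = [("C", 80), ("S", 1460), ("S", 1460), ("S", 1200), ("C", 0)]
```

Running `classify` over the four traces gives plain-tls, tls-in-tls, obfuscated-tls and no-handshake-shape respectively; a real engine would also need to handle resumed handshakes and split records, which this sketch does not.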

IvanNardi (Collaborator, Author) commented Sep 9, 2024

Set as draft because we are waiting for some other commits to be merged before it... This way we can start triggering the CI.

IvanNardi force-pushed the tls_flights_heuristic branch from e1d7ffb to 7140393 on September 9, 2024 10:53
IvanNardi marked this pull request as draft on September 9, 2024 10:53
IvanNardi force-pushed the tls_flights_heuristic branch 5 times, most recently from 06c1894 to 99682ee on September 10, 2024 19:16
IvanNardi marked this pull request as ready for review on September 10, 2024 19:23
IvanNardi marked this pull request as draft on September 10, 2024 19:38
IvanNardi marked this pull request as ready for review on September 16, 2024 17:16
IvanNardi force-pushed the tls_flights_heuristic branch 3 times, most recently from bd7f62e to 5c09f44 on September 20, 2024 09:10
IvanNardi force-pushed the tls_flights_heuristic branch from 5c09f44 to f8d3c6d on September 23, 2024 16:28
IvanNardi merged commit ddd08f9 into ntop:dev on Sep 24, 2024
IvanNardi deleted the tls_flights_heuristic branch on September 24, 2024 12:20
mmanoj (Contributor) commented Sep 25, 2024

@IvanNardi

Thanks for this effort, I will study the mentioned paper and see how we can extend this to detect VPN and anonymizers. Please advise if you already have ideas, so I can contribute as well.
