
Add some heuristics to detect encrypted/obfuscated/proxied TLS flows #2553

Merged
merged 1 commit into from
Sep 24, 2024

Conversation

IvanNardi
Collaborator

Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with
Encapsulated TLS Handshakes".
See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting

Basic idea:

  • the packets/bytes distribution of a TLS handshake is quite unique
  • this fingerprint is still detectable if the handshake is
    encrypted/proxied/obfuscated

All heuristics are disabled by default.
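As an added illustration of the flight-shape idea above (this is example code, not nDPI's implementation; the size bands and the per-packet overhead allowance are assumptions chosen for the example):

```python
"""Toy TLS-handshake flight heuristic (added example, not nDPI's code).

A flow is reduced to the (direction, payload_length) sequence of its first
packets. Consecutive same-direction packets form a "flight". A plain TLS
handshake typically looks like:
  client flight 1: a single ClientHello of a few hundred bytes
  server flight 1: ServerHello (+ certificate/extensions), usually larger
  client flight 2: short (key exchange / Finished)
A proxy that wraps each packet with a small, roughly constant overhead keeps
that shape, so the same size bands still match after a tolerance is added.
"""
from typing import List, Tuple

Packet = Tuple[str, int]  # ('c' client->server or 's' server->client, payload bytes)

# Assumed size bands for the illustration, not values taken from nDPI
CLIENT_HELLO_BAND = (200, 700)
SERVER_FLIGHT_MIN = 600
CLIENT_SECOND_FLIGHT_MAX = 300
MAX_OBFUSCATION_OVERHEAD = 64  # tolerated wrapper bytes per packet


def flights(packets: List[Packet]) -> List[Tuple[str, int, int]]:
    """Group consecutive same-direction packets into (direction, count, bytes)."""
    out: List[Tuple[str, int, int]] = []
    for direction, length in packets:
        if out and out[-1][0] == direction:
            _, count, total = out[-1]
            out[-1] = (direction, count + 1, total + length)
        else:
            out.append((direction, 1, length))
    return out


def looks_like_tls_handshake(packets: List[Packet]) -> bool:
    """True if the first three flights match the assumed handshake shape."""
    fl = flights(packets)
    if len(fl) < 3 or fl[0][0] != 'c':
        return False
    (_, c1, b1), (_, _, b2), (_, c3, b3) = fl[:3]
    lo, hi = CLIENT_HELLO_BAND
    return (c1 == 1 and lo <= b1 <= hi + MAX_OBFUSCATION_OVERHEAD
            and b2 >= SERVER_FLIGHT_MIN
            and b3 <= CLIENT_SECOND_FLIGHT_MAX + c3 * MAX_OBFUSCATION_OVERHEAD)


# Constructed sample flows (not captures)
PLAIN_TLS = [('c', 517), ('s', 1460), ('s', 1200), ('c', 80), ('c', 51)]
TUNNELED_TLS = [('c', 557), ('s', 1500), ('s', 1240), ('c', 120), ('c', 91)]  # +40 B wrapper each
HTTP_LIKE = [('c', 120), ('s', 1460), ('s', 1460), ('s', 900), ('c', 60)]
```

The tunneled sample still matches because the wrapper adds a near-constant per-packet overhead, which is the property the heuristic relies on.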

@IvanNardi
Collaborator Author

IvanNardi commented Sep 9, 2024

Set as draft because we are waiting for some other commits to be merged before it... This way we can start triggering the CI.

@IvanNardi IvanNardi marked this pull request as draft September 9, 2024 10:53
@IvanNardi IvanNardi force-pushed the tls_flights_heuristic branch 5 times, most recently from 06c1894 to 99682ee Compare September 10, 2024 19:16
@IvanNardi IvanNardi marked this pull request as ready for review September 10, 2024 19:23
@IvanNardi IvanNardi marked this pull request as draft September 10, 2024 19:38
@IvanNardi IvanNardi marked this pull request as ready for review September 16, 2024 17:16
@IvanNardi IvanNardi force-pushed the tls_flights_heuristic branch 3 times, most recently from bd7f62e to 5c09f44 Compare September 20, 2024 09:10

sonarcloud bot commented Sep 23, 2024

@IvanNardi IvanNardi merged commit ddd08f9 into ntop:dev Sep 24, 2024
36 checks passed
@IvanNardi IvanNardi deleted the tls_flights_heuristic branch September 24, 2024 12:20
@mmanoj
Contributor

mmanoj commented Sep 25, 2024

@IvanNardi

Thanks for this effort, I will study the mentioned paper and see how we can extend this to detect VPN and anonymizers. Please advise if you already have ideas, so I can contribute as well.
