Paper title
Active TLS Stack Fingerprinting: Characterizing TLS Server Deployments at Scale
Paper authors
Paper abstract
Active measurements can be used to collect server characteristics at large scale. This kind of metadata can help discover hidden relations and commonalities among server deployments, offering new possibilities to cluster and classify them. As an example, identifying previously unknown cybercriminal infrastructure can be a valuable source of cyber-threat intelligence. We propose herein an active measurement-based methodology for acquiring Transport Layer Security (TLS) metadata from servers and leveraging it for their fingerprinting. Our fingerprints capture the characteristic behavior of the TLS stack, primarily caused by the implementation, configuration, and hardware support of the underlying server. Using an empirical optimization strategy that maximizes the information gain from every handshake in order to minimize measurement cost, we generated 10 general-purpose Client Hellos used as scanning probes to create a large database of TLS configurations used for classifying servers. We fingerprinted 28 million servers from the Alexa and Majestic toplists and two Command and Control (C2) blocklists over a period of 30 weeks, with weekly snapshots, as the foundation for two long-term case studies: classification of Content Delivery Network and C2 servers. The proposed methodology shows a precision of more than 99 % and enables stable identification of new servers over time. This study describes a new opportunity for active measurements to provide valuable insights into the Internet that can be used in security-relevant use cases.
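As an added illustration of the idea behind the abstract (not code from the paper or its authors), the block below reduces each server reply to an ordered probe Client Hello to the negotiated version, cipher suite and extension order, or to the alert description, and hashes the probe-wise observations into a fingerprint. It assumes TLS 1.2 record and ServerHello framing; the probe set, the two sample servers and their replies are constructed, not taken from the paper's dataset.

```python
import hashlib
import struct

def parse_server_reply(data: bytes) -> dict:
    # One TLS record from the server: either a ServerHello or an Alert.
    ctype, _rec_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if ctype == 21:                      # Alert: level (1 byte), description (1 byte)
        return {"alert": body[1]}
    if ctype != 22 or body[0] != 2:      # Handshake record that is not a ServerHello
        return {"alert": "unexpected"}
    hs_len = int.from_bytes(body[1:4], "big")
    sh = body[4:4 + hs_len]
    version = struct.unpack("!H", sh[:2])[0]
    pos = 2 + 32                         # skip server_random
    pos += 1 + sh[pos]                   # skip session_id
    cipher = struct.unpack("!H", sh[pos:pos + 2])[0]
    pos += 3                             # cipher suite + compression method
    exts = []
    if pos < len(sh):                    # extensions block is optional
        end = pos + 2 + struct.unpack("!H", sh[pos:pos + 2])[0]
        pos += 2
        while pos < end:                 # record extension types in server order
            etype, elen = struct.unpack("!HH", sh[pos:pos + 4])
            exts.append(etype)
            pos += 4 + elen
    return {"version": version, "cipher": cipher, "extensions": exts}

def fingerprint(replies: list) -> str:
    # Combine the observations for the ordered probe set into one stable identifier.
    parts = []
    for reply in replies:
        obs = parse_server_reply(reply)
        if "alert" in obs:
            parts.append(f"alert:{obs['alert']}")
        else:
            ext_str = ",".join(f"{e:04x}" for e in obs["extensions"])
            parts.append(f"{obs['version']:04x}:{obs['cipher']:04x}:{ext_str}")
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]

# Constructed sample replies (not captures from the paper's dataset).
def make_server_hello(version: int, cipher: int, exts: list) -> bytes:
    ext_body = b"".join(struct.pack("!HH", t, 0) for t in exts)   # empty-payload extensions
    sh = (struct.pack("!H", version) + bytes(32) + b"\x00"          # version, random, no session id
          + struct.pack("!HB", cipher, 0) + struct.pack("!H", len(ext_body)) + ext_body)
    hs = b"\x02" + len(sh).to_bytes(3, "big") + sh                  # HandshakeType server_hello
    return struct.pack("!BHH", 22, 0x0303, len(hs)) + hs
ALERT_HANDSHAKE_FAILURE = struct.pack("!BHH", 21, 0x0303, 2) + bytes([2, 40])
# Same cipher for probe 1, but different extension order and a different reaction to probe 2.
SERVER_A = [make_server_hello(0x0303, 0xC02F, [0xFF01, 0x000B]), ALERT_HANDSHAKE_FAILURE]
SERVER_B = [make_server_hello(0x0303, 0xC02F, [0x000B, 0xFF01]), make_server_hello(0x0303, 0x0005, [])]
```

Two stacks that choose the same cipher can still be told apart by extension order and by how they react to a probe they cannot serve, which is why a set of differently shaped probes carries more information than a single handshake.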
