Publication Details
Towards Identification of Network Applications in Encrypted Traffic
TLS fingerprinting, JA4, encrypted traffic, application identification, machine
learning
Network traffic monitoring for security threat detection and network performance
management is challenging because most communications are protected by
encryption. This paper addresses the problem of identifying applications
associated with Transport Layer Security (TLS) network connections.
We evaluate three primary approaches to classifying TLS traffic: fingerprinting
methods, SNI-based identification, and machine learning based classifiers. Each
method has strengths and limitations: fingerprinting relies on a regularly
updated database of known hashes, SNI is vulnerable to obfuscation or missing
information, and an AI technique such as machine learning requires sufficient
labelled training data. To support research in this area, we have also created
a novel dataset of labelled TLS communications for popular desktop and mobile
applications.
The comparison of these methods that we present highlights the challenges of
identifying individual applications, as TLS properties are significantly shared
across applications. The simpler task of identifying a collection of candidate
applications still provides valuable insights for network monitoring and can be
achieved with high accuracy by all methods considered. Finally, we suggest
practical use cases and identify future research directions to further improve
application identification methods.
@inproceedings{BUT193364,
author="Ivana {Burgetová} and Petr {Matoušek} and Ondřej {Ryšavý}",
title="Towards Identification of Network Applications in Encrypted Traffic",
booktitle="The Proceedings of the 8th Cyber Security in Networking Conference (CSNet 2024)",
year="2024",
series="IEEE Explore",
volume="8",
pages="213--221",
publisher="IEEE Communications Society",
address="Paris",
doi="10.1109/CSNet64211.2024",
isbn="979-8-3315-3410-3",
url="https://www.fit.vut.cz/research/publication/13289/"
}