Item type | Trans(1)
Publication date | 2023-01-27
Title | Service Identification of TLS Flows Based on Handshake Analysis
Title language | en
Language | eng
Keywords | [Consumer Systems Paper] service identification, TLS, SNI, HTTPS
Subject scheme | Other
Resource type | journal article
Resource type identifier | http://purl.org/coar/resource_type/c_6501
Author affiliation | Kogakuin University
Author affiliation | Kogakuin University
Author affiliation | Kogakuin University
Author affiliation | The University of Tokyo
Author affiliation | Ochanomizu University
Author affiliation | Kogakuin University
Author affiliation | Kogakuin University
Authors |
Ryo, Asaoka
Yuto, Soma
Hiroaki, Yamauchi
Akihiro, Nakao
Masato, Oguchi
Saneyasu, Yamaguchi
Aki, Kobayashi
Abstract |
Description type | Other
Identifying the services that constitute traffic in given IP network flows is important for many purposes, such as managing quality of service, preventing security problems, and offering discounts to customers only when they access specified services, as in zero-rating. The simplest methods identify services by IP address and port number. However, such methods are not sufficiently accurate and require improvement. Deep packet inspection (DPI) is a more advanced method that improves identification accuracy. Many current IP flows are encrypted with the Transport Layer Security (TLS) protocol, so an identification method can analyze almost none of the data that TLS encrypts. In TLS 1.2 and earlier, some fields in the protocol header used for TLS session establishment, e.g., server name indication (SNI), are not encrypted and can be analyzed. Thus, we can expect that services can be identified from IP flows composed of TLS sessions by analyzing these fields. Achieving this involves two main challenges. One is grouping, by access, the many TLS sessions that pass through a network element. The other is identifying the service from the TLS sessions grouped in the first challenge. In our work, we mainly focus on the second, i.e., service identification from given TLS sessions. In our previous work, we proposed an identification method that analyzes this unencrypted data based on DPI and n-grams. However, there is room for improvement in identification accuracy because that method analyzed all the unencrypted data, including random values, without protocol analysis. In this paper, we propose a new method for identifying the service from given TLS sessions based on SNI with protocol data unit (PDU) analysis. The proposed method clusters TLS sessions according to the value of SNI and identifies services from the occurrences of all groups. We evaluated the proposed method by identifying services on Google, Yahoo, and MSN sites, and the results showed that it could identify services more accurately than the existing method. The average ratios of inaccurate identifications decreased by 65%, 72%, and 41% in our experiments with Google, Yahoo, and MSN services, respectively.

This is a preprint of an article intended for publication in the Journal of Information Processing (JIP). This preprint should not be cited. This article should be cited as: Journal of Information Processing Vol.31(2023) (online)
Bibliographic record ID (NCID) | AA12628043
Bibliographic information | 情報処理学会論文誌コンシューマ・デバイス&システム(CDS) (IPSJ Transactions on Consumer Devices & Systems), Vol. 13, No. 1, issue date 2023-01-27
ISSN | 2186-5728
Publisher | 情報処理学会 (Information Processing Society of Japan)
Publisher name language | ja