doi: 10.17586/2226-1494-2020-20-5-747-754


TRAFFIC AUTHENTICITY ANALYSIS BASED ON DIGITAL FINGERPRINT DATA OF NETWORK PROTOCOL IMPLEMENTATIONS

S. M. Ishkuvatov, I. I. Komarov


Article in Russian

For citation:
Ishkuvatov S.M., Komarov I.I. Traffic authenticity analysis based on digital fingerprint data of network protocol implementations. Scientific and Technical Journal of Information Technologies, Mechanics and Optics, 2020, vol. 20, no. 5, pp. 747–754 (in Russian). doi: 10.17586/2226-1494-2020-20-5-747-754


Abstract
Subject of Research. The paper considers how the authenticity of network traffic can be established from the digital fingerprints of network protocol implementations. It studies how such fingerprints are described and how an original fingerprint characteristically changes in transit over various communication channels, and examines whether the use of anonymization tools, Man-in-the-Middle attacks and malware can be detected from the fingerprints of protocol implementations. Changes to the fingerprint record format are proposed to avoid fingerprint collisions. Method. Each implementation of an existing or possible data transfer protocol has features that can be described by a digital fingerprint of that implementation and recognised by the receiving party. Communication equipment on the transmission path may be forced to alter some of the original parameters because of its own limitations or those of the transmission medium. Using prepared lists of digital fingerprints, and allowing for the characteristic changes that nodes along the path are permitted to make, the receiving party identifies the sender's current protocol implementation. By comparing the original fingerprint with the one received by the server for particular sets of parameters, the receiving party draws conclusions about how the data was transmitted, whether the client uses anonymization tools, and whether a third party has intervened in the transmission, and on that basis decides whether communication sessions with the current sender are possible. Throughout all sessions with that sender, the recipient monitors by active and passive methods that the original protocol fingerprint remains unchanged. Main Results. Using mitmproxy as the example, the study identifies the network connection method, the use of anonymization tools, and a connection made from a potentially dangerous implementation. Practical Relevance. Automated analysis of the digital fingerprints of client protocol implementations detects incoming connections from malicious applications and network robots, and confirms that a client is using anonymization tools. Malicious implementations can be detected by their digital fingerprints not only at the receiving side but anywhere along the packet path, so such connections can be blocked at the network border.
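The check the abstract describes can be illustrated as a cross-layer consistency test: a p0f-style TCP SYN fingerprint is normalised for the changes intermediate nodes are allowed to make (TTL decrement per hop, MSS clamping), a JA3-style TLS ClientHello fingerprint is computed with GREASE values stripped so that one client does not produce many colliding records, and both are compared with what the HTTP User-Agent claims. A browser relayed through a mitmproxy-like interceptor reaches the server with the proxy host's TCP stack and the proxy's TLS ClientHello, so the layers disagree. This is an added example written for this page, not the authors' code; the fingerprint records, ClientHello parameter sets, SYN values and User-Agent string are constructed for the illustration and are not entries from p0f, Satori or the JA3 project.

```python
"""Cross-layer fingerprint consistency check in the spirit of the abstract above.
Added illustration, not the authors' code: the fingerprint records, ClientHello
parameter sets and SYN values are constructed here, not taken from p0f/Satori/JA3."""
import hashlib
from dataclasses import dataclass

INITIAL_TTLS = (64, 128, 255)  # common initial TTLs: Linux/macOS, Windows, routers


def is_grease(v: int) -> bool:
    """RFC 8701 GREASE code points (0x0A0A, 0x1A1A, ... 0xFAFA) vary per ClientHello;
    left in, one browser yields many fingerprints, so JA3 strips them before hashing."""
    return (v >> 8) == (v & 0xFF) and (v & 0x0F) == 0x0A


def ja3_string(version, ciphers, extensions, curves, point_formats) -> str:
    """JA3 layout: Version,Ciphers,Extensions,Curves,PointFormats, lists dash-joined."""
    def join(vals, strip=True):
        return "-".join(str(v) for v in vals if not (strip and is_grease(v)))
    return ",".join([str(version), join(ciphers), join(extensions),
                     join(curves), join(point_formats, strip=False)])


def ja3_hash(ja3: str) -> str:
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


@dataclass
class TcpSyn:
    ttl: int
    window: int
    mss: int
    options: tuple  # TCP option kinds in wire order
    df: bool


def normalize_syn(syn: TcpSyn) -> dict:
    """Undo changes the path may legitimately make: each hop decrements TTL, tunnels
    and PPPoE clamp MSS. Window is also kept as a multiple of MSS, since some stacks
    derive the initial window from MSS, so a clamped MSS does not break the match."""
    initial = next(t for t in INITIAL_TTLS if t >= syn.ttl)
    return {"initial_ttl": initial, "hops": initial - syn.ttl,
            "mss_clamped": syn.mss < 1460, "window": syn.window,
            "win_mss_ratio": syn.window // syn.mss if syn.window % syn.mss == 0 else None,
            "options": syn.options, "df": syn.df}


# Constructed p0f-style SYN records: initial TTL, window rule, option order, DF bit.
TCP_DB = {
    "Linux": dict(initial_ttl=64, win_mss_ratio=20, df=True,
                  options=("mss", "sok", "ts", "nop", "ws")),
    "Windows": dict(initial_ttl=128, window=8192, df=True,
                    options=("mss", "nop", "ws", "nop", "nop", "sok")),
}


def match_tcp(norm: dict) -> str:
    for name, rec in TCP_DB.items():
        if all(norm.get(k) == v for k, v in rec.items()):
            return name
    return "unknown"


# Constructed ClientHello parameter sets (real TLS code points, invented combinations).
BROWSER_HELLO = dict(version=771, ciphers=[4865, 4866, 4867, 49195, 49199],
                     extensions=[0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43],
                     curves=[29, 23, 24], point_formats=[0])
PROXY_HELLO = dict(version=771, ciphers=[4866, 4867, 4865, 49196, 49195],
                   extensions=[0, 11, 10, 35, 22, 23, 13, 43, 45, 51],
                   curves=[29, 23, 30, 25, 24], point_formats=[0, 1, 2])
TLS_DB = {
    ja3_hash(ja3_string(**BROWSER_HELLO)): {"name": "browser", "kind": "browser"},
    ja3_hash(ja3_string(**PROXY_HELLO)): {"name": "scripted client (mitmproxy-like)", "kind": "tool"},
}
# Constructed User-Agent; a browser behind mitmproxy still sends its own UA string.
WIN_CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36")


def assess(syn: TcpSyn, hello: dict, user_agent: str) -> dict:
    """Compare the identities implied by the TCP stack, the TLS client and the HTTP UA."""
    norm = normalize_syn(syn)
    tcp_os = match_tcp(norm)
    tls = TLS_DB.get(ja3_hash(ja3_string(**hello)), {"name": "unknown", "kind": "unknown"})
    ua_os = "Windows" if "Windows" in user_agent else "Linux" if "Linux" in user_agent else "unknown"
    ua_kind = "browser" if user_agent.startswith("Mozilla/") else "unknown"
    path_notes, mismatches = [], []
    if norm["mss_clamped"]:
        path_notes.append("MSS below 1460: tunnel, VPN or PPPoE on the path")
    if "unknown" not in (tcp_os, ua_os) and tcp_os != ua_os:
        mismatches.append(f"TCP stack looks like {tcp_os}, User-Agent claims {ua_os}")
    if "unknown" not in (tls["kind"], ua_kind) and tls["kind"] != ua_kind:
        mismatches.append(f"TLS ClientHello matches {tls['name']}, User-Agent claims a browser")
    return {"hops": norm["hops"], "tcp_os": tcp_os, "tls_client": tls["name"],
            "path_notes": path_notes, "mismatches": mismatches,
            "verdict": "consistent" if not mismatches else "possible interception or relay"}
```

A clamped MSS or a long hop count alone is recorded as a path note, not a mismatch: those are the permissible changes the abstract refers to. Only a disagreement between layers (a Linux-looking SYN and a tool-looking ClientHello carrying a Windows browser User-Agent) drives the verdict, and the same logic applies to any interceptor or relay that terminates the client's TCP and TLS sessions, not just mitmproxy.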

Keywords: digital fingerprint, Man-in-the-Middle Attack, mitmproxy, anonymization, Tor network

Acknowledgements. The paper was prepared with the financial support of the Ministry of Science and Higher Education of the Russian Federation under the agreement No. 075-15-2019-1707 dated from 22.11.2019 (identifier RFMEFI60519X0189, internal number 05.605.21.0189).

References
1. Man-in-the-middle attack. Available at: https://en.wikipedia.org/wiki/Man-in-the-middle_attack (accessed: 19.07.2020).
2. Shu G., Lee D. Network protocol system fingerprinting - A formal approach. Proc. INFOCOM 2006: 25th IEEE International Conference on Computer Communications, 2006, art. no. 4146810. doi: 10.1109/INFOCOM.2006.157
3. Carnut M., Gondim J. ARP spoofing detection on switched Ethernet networks: A feasibility study. Proc. of the 5th Simposio Seguranca em Informatica, 2003.
4. Liu H., Zhang Y., Wang H., Yang W., Li J., Gu D. TagDroid: hybrid SSL certificate verification in android. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2015, vol. 8958, pp. 120–131. doi: 10.1007/978-3-319-21966-0_9
5. Smith S. The Internet of Risky Things: Trusting the Devices That Surround Us. O'Reilly Media, Inc., 2017, 240 p.
6. Kulikova O.M., Suvorova S.D. Targeted advertising as a tool for building communications with the target audience. Economy and business: theory and practice, 2020, no. 3-2(61), pp. 98–102. Available at: https://cyberleninka.ru/article/n/targetirovannaya-reklama-kak-instrument-postroeniya-kommunikatsiy-s-tselevoy-auditoriey (accessed: 10.09.2020). (in Russian). doi: 10.24411/2411-0450-2020-10218
7. Zalewski M. p0f v3. Available at: http://lcamtuf.coredump.cx/p0f3/ (accessed: 19.07.2020).
8. Transmission Control Protocol (TCP) Parameters. Available at: https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml (accessed: 19.07.2020).
9. Satori. Available at: https://github.com/xnih/satori/blob/master/fingerprints/tcp.xml (accessed: 19.07.2020).
10. Intercept the planet! Available at: http://intercepter-ng.blogspot.com/ (accessed: 19.07.2020).
11. Laurent D. Ethernet vendor codes, and well-known MAC addresses. Available at: https://gitlab.com/wireshark/wireshark/raw/master/manuf (accessed: 19.07.2020).
12. Husák M., Čermák M., Jirsík T., Čeleda P. HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting. EURASIP Journal on Information Security, 2016, vol. 2016, no. 1, art. no. 6. doi: 10.1186/s13635-016-0030-7
13. JA3 - A method for profiling SSL/TLS Clients. Available at: https://github.com/salesforce/ja3 (accessed: 19.07.2020).
14. Chrome Platform Status. GREASE for TLS. Last updated on 2017-06-14. Available at: https://www.chromestatus.com/feature/6475903378915328 (accessed: 19.07.2020).
15. mitmproxy - an interactive HTTPS proxy. Available at: https://mitmproxy.org/ (accessed: 19.07.2020).
16. Vorobeva A.A. Dynamic feature selection for web user identification on linguistic and stylistic features of online texts. Scientific and Technical Journal of Information Technologies, Mechanics and Optics, 2017, vol. 17, no. 1, pp. 117–128. (in Russian). doi: 10.17586/2226-1494-2017-17-1-117-128



This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License
Copyright 2001-2024 ©
Scientific and Technical Journal
of Information Technologies, Mechanics and Optics.
All rights reserved.
