ntop / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

Add some heuristics to detect encrypted/obfuscated/proxied TLS flows #2553

Closed IvanNardi closed 2 months ago

IvanNardi commented 2 months ago

Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with Encapsulated TLS Handshakes". See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting

Basic idea:

All heuristics are disabled by default.

IvanNardi commented 2 months ago

Set as draft because we are waiting for some other commits to be merged before it... This way we can start triggering the CI

sonarcloud[bot] commented 2 months ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

mmanoj commented 2 months ago

@IvanNardi

Thanks for this effort, I will study the mentioned paper and see how we can extend this to detect VPN and anonymizers. Please advise if you already have ideas, so I can contribute as well.