English

Fingerprinting web servers through Transformer-encoded HTTP response headers

Cryptography and Security 2024-04-02 v1 Machine Learning Networking and Internet Architecture

Abstract

We explored leveraging state-of-the-art deep learning, big data, and natural language processing to enhance the detection of vulnerable web server versions. Focusing on improving accuracy and specificity over rule-based systems, we conducted experiments by sending various ambiguous and non-standard HTTP requests to 4.77 million domains and capturing HTTP response status lines. We represented these status lines through training a BPE tokenizer and RoBERTa encoder for unsupervised masked language modeling. We then dimensionality reduced and concatenated encoded response lines to represent each domain's web server. A Random Forest and multilayer perceptron (MLP) classified these web servers, and achieved 0.94 and 0.96 macro F1-score, respectively, on detecting the five most popular origin web servers. The MLP achieved a weighted F1-score of 0.55 on classifying 347 major type and minor version pairs. Analysis indicates that our test cases are meaningful discriminants of web server types. Our approach demonstrates promise as a powerful and flexible alternative to rule-based systems.

Keywords

Cite

@article{arxiv.2404.00056,
  title  = {Fingerprinting web servers through Transformer-encoded HTTP response headers},
  author = {Patrick Darwinkel},
  journal= {arXiv preprint arXiv:2404.00056},
  year   = {2024}
}

Comments

Based on a bachelor's thesis. Submission to arXiv approved by supervisor

R2 v1 2026-06-28T15:38:39.275Z