English

Positional-Unigram Byte Models for Generalized TLS Fingerprinting

Cryptography and Security 2024-05-14 v1

Abstract

We use positional-unigram byte models along with maximum likelihood for generalized TLS fingerprinting and empirically show that it is robust to cipher stunting. Our approach creates a set of positional-unigram byte models from client hello messages. Each positional-unigram byte model is a statistical model of TLS client hello traffic created by a client application or process. To fingerprint a TLS connection, we use its client hello, and compute the likelihood as a function of a statistical model. The statistical model that maximizes the likelihood function is the predicted client application for the given client hello. Our data driven approach does not use side-channel information and can be updated on-the-fly. We experimentally validate our method on an internal dataset and show that it is robust to cipher stunting by tracking an unbiased f1f_{1} score as we synthetically increase randomization.

Keywords

Cite

@article{arxiv.2405.07848,
  title  = {Positional-Unigram Byte Models for Generalized TLS Fingerprinting},
  author = {Hector A. Valdez and Sean McPherson},
  journal= {arXiv preprint arXiv:2405.07848},
  year   = {2024}
}
R2 v1 2026-06-28T16:25:33.256Z