A Novel TLS-Based Fingerprinting Approach That Combines Feature Expansion and Similarity Mapping

Bibliographic Details
Main Authors: Amanda Thomson, Leandros Maglaras, Naghmeh Moradpoor
Format: Article
Language: English
Published: MDPI AG, 2025-03-01
Series: Future Internet
Subjects: passive fingerprinting; active fingerprinting; malware domains; phishing domains; detection methods
Online Access: https://www.mdpi.com/1999-5903/17/3/120
Description: Malicious domains have always been part of the internet landscape, but they are becoming more prevalent and more dangerous to companies and individuals alike. They can be hosted on a variety of technologies and serve an array of content, including malware, command-and-control infrastructure and sophisticated phishing sites designed to deceive. Tracking, blocking and detecting such domains is hard; in practice it often involves labour-intensive allowlist or denylist management, or SIEM integration with open-source TLS fingerprinting techniques. Fingerprinting techniques such as JARM (active, probing the server) and JA3 (passive, derived from the ClientHello) are used by threat hunters to classify domains, but as TLS configurations converge, particularly behind CDNs, these fingerprints are becoming less discriminative. The aim of this paper was to adapt and extend open-source TLS fingerprinting with additional features to increase granularity, and to produce a similarity-mapping system that enables the tracking and detection of previously unknown malicious domains. This was achieved by enriching TLS fingerprints with HTTP header data and producing a fine-grained similarity visualisation of the resulting high-dimensional data using MinHash and Locality-Sensitive Hashing (LSH). The approach draws on the chemistry domain, where similarity search over high-dimensional chemical fingerprints is a well-studied problem. The enriched fingerprint was visualised across three separate datasets. The results were analysed and evaluated: 67 previously unknown malicious domains were detected on the basis of their similarity to known malicious domains and nothing else. The similarity-mapping technique shows definite promise for the early detection of malware and phishing domains.
ISSN: 1999-5903
Indexed in: DOAJ
Author affiliations:
Amanda Thomson: School of Computing, Engineering and Built Environment (SCEBE), Edinburgh Napier University, 10 Colinton Road, Edinburgh EH10 5DT, UK
Leandros Maglaras: School of Computer Science and Informatics, De Montfort University, The Gateway, Leicester LE1 9BH, UK
Naghmeh Moradpoor: School of Computing, Engineering and Built Environment (SCEBE), Edinburgh Napier University, 10 Colinton Road, Edinburgh EH10 5DT, UK

Citation: Future Internet 17(3), 120 (2025-03-01). DOI: 10.3390/fi17030120
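The abstract above describes enriching TLS fingerprints (JARM, JA3-style) with HTTP header data and then mapping similarity with MinHash and Locality-Sensitive Hashing so that unknown domains can be flagged purely by their closeness to known-bad ones. The Python below is an added example, not code from the paper or its authors: the token scheme (positional JARM probe slots, split JA3S extension lists, header presence plus header value), the band/row parameters, the 0.75 threshold, and all host records, JARM/JA3S strings and header values are constructed assumptions for illustration; the paper's actual feature set and thresholds are not on this page. It uses JA3S (the server-side ClientHello counterpart) rather than JA3 because the records describe servers.

```python
"""Enriched-fingerprint similarity search with MinHash + LSH (added example, constructed data)."""
import hashlib
import random
from collections import defaultdict
from itertools import combinations

NUM_HASHES = 128
BANDS, ROWS = 32, 4              # 32 bands x 4 rows: pairs with Jaccard ~0.5+ become candidates
P = (1 << 61) - 1                # Mersenne prime for the universal hash family
_rng = random.Random(20250301)   # fixed seed so signatures are reproducible across runs
HASH_PARAMS = [(_rng.randrange(1, P), _rng.randrange(0, P)) for _ in range(NUM_HASHES)]


def shingles(record, enriched=True):
    """Expand one host record into a set of feature tokens (assumed scheme, not the paper's)."""
    feats = set()
    jarm = record["jarm"]
    # JARM is 62 hex chars: ten 3-char probe results then a 32-char extension hash.
    # The probe index is part of the token so the same cipher in another probe slot
    # counts as a different feature.
    for i in range(10):
        feats.add(f"jarm:{i}:{jarm[3 * i:3 * i + 3]}")
    feats.add(f"jarm:ext:{jarm[30:]}")
    # JA3S is "version,cipher,ext1-ext2-..."; splitting the extension list means one
    # extra extension changes one token instead of the whole fingerprint.
    for i, field in enumerate(record["ja3s"].split(",")):
        for tok in field.split("-"):
            if tok:
                feats.add(f"ja3s:{i}:{tok}")
    if enriched:
        # HTTP header enrichment: presence and value are separate tokens, so hosts with
        # the same header set but different values remain partly similar.
        for name, value in record["headers"].items():
            feats.add(f"hdr:{name.lower()}")
            feats.add(f"hdr:{name.lower()}={value}")
    return feats


def _stable_hash(token):
    # hashlib rather than hash(): Python's str hash is salted per process
    return int.from_bytes(hashlib.blake2b(token.encode(), digest_size=8).digest(), "big")


def minhash(feats):
    """MinHash signature: for each hash function, the minimum over all tokens."""
    hashed = [_stable_hash(t) for t in feats] or [0]
    return [min((a * h + b) % P for h in hashed) for a, b in HASH_PARAMS]


def jaccard(a, b):
    return len(a & b) / len(a | b) if a or b else 0.0


def estimate_jaccard(sig_a, sig_b):
    """Fraction of agreeing signature slots; an unbiased estimate of the Jaccard index."""
    return sum(x == y for x, y in zip(sig_a, sig_b)) / len(sig_a)


def lsh_candidates(signatures):
    """Band each signature; records that agree on any whole band become a candidate pair."""
    buckets = defaultdict(set)
    for name, sig in signatures.items():
        for band in range(BANDS):
            buckets[(band, tuple(sig[band * ROWS:(band + 1) * ROWS]))].add(name)
    pairs = set()
    for members in buckets.values():
        pairs.update(combinations(sorted(members), 2))
    return pairs


def find_similar_to_known(records, known_bad, threshold=0.75, enriched=True):
    """Return {unknown_host: [(known_bad_host, exact_jaccard), ...]} for candidate pairs over threshold."""
    feats = {n: shingles(r, enriched) for n, r in records.items()}
    sigs = {n: minhash(f) for n, f in feats.items()}
    hits = {}
    for a, b in lsh_candidates(sigs):
        if (a in known_bad) == (b in known_bad):   # only known-vs-unknown pairs matter here
            continue
        known, unknown = (a, b) if a in known_bad else (b, a)
        score = jaccard(feats[known], feats[unknown])   # exact score on the LSH-filtered pairs
        if score >= threshold:
            hits.setdefault(unknown, []).append((known, round(score, 3)))
    return hits


# Constructed sample data: all three hosts share one TLS stack (identical JARM/JA3S),
# the CDN-style collision the abstract describes; only the HTTP layer differs.
STACK_JARM = "29d" * 5 + "00c" * 5 + "a1b2c3d4e5f60718293a4b5c6d7e8f90"
STACK_JA3S = "771,4866,43-51"
SAMPLE_RECORDS = {
    "bad-a.example": {"jarm": STACK_JARM, "ja3s": STACK_JA3S, "headers": {
        "Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.3",
        "Content-Type": "text/html; charset=UTF-8", "Cache-Control": "no-store"}},
    "unknown-1.example": {"jarm": STACK_JARM, "ja3s": STACK_JA3S, "headers": {
        "Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.3",
        "Content-Type": "text/html; charset=UTF-8", "Cache-Control": "no-cache"}},
    "benign-cdn.example": {"jarm": STACK_JARM, "ja3s": STACK_JA3S, "headers": {
        "Server": "cloudflare", "Content-Type": "text/html; charset=utf-8",
        "Cf-Ray": "8a1b2c3d4e5f6789-LHR", "Strict-Transport-Security": "max-age=31536000"}},
}
KNOWN_BAD = {"bad-a.example"}

if __name__ == "__main__":
    print("TLS only:", find_similar_to_known(SAMPLE_RECORDS, KNOWN_BAD, enriched=False))
    print("enriched:", find_similar_to_known(SAMPLE_RECORDS, KNOWN_BAD))
```

With TLS-only features every pair scores 1.0, so both the phishing kit host and the benign CDN-fronted site are flagged; with header enrichment the kit host scores 22/24 against the known-bad domain while the benign site drops to 17/29 and falls under the threshold. LSH is only a prefilter here (bands that agree on all four rows put two hosts in one bucket); the exact Jaccard over the candidate pair is what gets reported, which keeps the MinHash sampling error out of the final decision. In a real deployment the TLS tokens still dominate the union when headers are sparse, so the threshold, the token weighting and the band/row choice need tuning against labelled data rather than the constants used here.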