TRAFFIC AUTHENTICITY ANALYSIS BASED ON DIGITAL FINGERPRINT DATA OF NETWORK PROTOCOL IMPLEMENTATIONS

Subject of Research. The problem of traffic authenticity determination based on digital fingerprint data of network protocol implementations is considered. Description methods for digital prints of network protocols and characteristic changes in the original digital prints during transmission over...


Bibliographic Details
Main Authors: Sergei M. Ishkuvatov, Igor I. Komarov
Format: Article
Language: English
Published: Saint Petersburg National Research University of Information Technologies, Mechanics and Optics (ITMO University) 2020-10-01
Series: Naučno-tehničeskij Vestnik Informacionnyh Tehnologij, Mehaniki i Optiki
Online Access: https://ntv.ifmo.ru/file/article/19945.pdf
id doaj-be92fdf7cbbc4e75a6bed3081c7bfa9e
record_format Article
Volume: 20, Issue: 5, Pages: 747-754
DOI: 10.17586/2226-1494-2020-20-5-747-754
Author details:
Sergei M. Ishkuvatov (https://orcid.org/0000-0002-4006-3693): Postgraduate, ITMO University, Saint Petersburg, 197101, Russian Federation; Software Engineer of the 1st category, AO Vector Research Institute, Saint Petersburg, 197376, Russian Federation
Igor I. Komarov (https://orcid.org/0000-0002-6542-4950): PhD, Associate Professor, ITMO University, Saint Petersburg, 197101, Russian Federation
collection DOAJ
issn 2226-1494
2500-0373
publishDate 2020-10-01
description Subject of Research. The problem of determining traffic authenticity from digital fingerprint data of network protocol implementations is considered. Methods for describing digital fingerprints of network protocols, and the characteristic changes the original fingerprints undergo during transmission over various communication channels, are studied. The applicability of digital fingerprint analysis of protocol implementations to anonymization tools, detection of man-in-the-middle attacks, and malware is researched. Improvements to the fingerprint record format that avoid fingerprint collisions are proposed.

Method. The features of each implementation of an existing or potentially possible information transfer protocol can be described by a digital fingerprint of that implementation and identified by the receiving party. Communication equipment on the transmission path may be forced to change some of the initial parameters because of its internal limitations or the limitations of the transmission medium. The receiving party identifies the current implementation of the transmitting party's protocol from pre-prepared lists of digital fingerprints, taking into account the characteristic changes that nodes along the data path are permitted to make. By comparing the original digital fingerprint with the fingerprint received by the server for certain sets of parameters, the receiving party makes assumptions about the methods of data transmission, the client's use of anonymization tools, or third-party intervention in the transmission process. Based on the result of this comparison, it decides whether communication sessions with the current sender are permissible. Throughout all communication sessions with the current sender, the recipient monitors the immutability of the protocol's original digital fingerprint by active and passive methods.

Main Results. In the course of the study, network connection methods, anonymization tools, and connections from a potentially dangerous implementation are identified, using mitmproxy as an example.

Practical Relevance. Automated analysis of the digital fingerprints of network protocol client implementations enables detection of incoming connections from malicious applications and network robots, and confirmation of the client's use of anonymization tools. Malicious implementations can be detected by their digital fingerprints not only on the receiving side but along the entire network section on the packet path, which allows such connections to be blocked at the network border.
topic digital fingerprint
man-in-the-middle attack
mitmproxy
anonymization