HTTPS Event-Flow Correlation: Improving Situational Awareness in Encrypted Web Traffic
Stanislav Špaček, Petr Velan, Pavel Čeleda, Daniel Tovarňák

TL;DR
This paper presents a novel method for correlating host-based and network data in encrypted HTTPS traffic to enhance situational awareness, adapting to new protocols like TLS 1.3 and QUIC, and evaluating its effectiveness in real network environments.
Contribution
It introduces a correlation approach that works with encrypted traffic, analyzes factors affecting performance, and adapts to modern encryption protocols for improved monitoring.
Findings
Correlation remains feasible with encrypted traffic using custom features.
Certain server configurations negatively impact correlation accuracy.
Method adapts effectively to TLS 1.3 and QUIC protocols.
Abstract
Achieving situational awareness is a challenging process in current HTTPS-dominant web traffic. In this paper, we propose a new approach to encrypted web traffic monitoring. First, we design a method for correlating host-based and network monitoring data based on their common features and a correlation time-window. Then we analyze the correlation results in detail to identify configurations of web servers and monitoring infrastructure that negatively affect the correlation. We describe these properties and possible data preprocessing techniques to minimize their impact on correlation performance. Furthermore, to test the correlation method's behavior in different web server setups and for recent encryption protocols, we modify it by adapting the correlation features to TLS 1.3 and QUIC. Finally, we evaluate the correlation method on a dataset collected from a campus network. The results…
