Clid: Identifying TLS Clients With Unsupervised Learning on Domain Names

TL;DR

Clid is an unsupervised learning tool that identifies TLS clients by clustering domain names from SNI fields, providing broad client insights without relying on outdated rule-based databases.

Contribution

This paper introduces Clid, a novel unsupervised clustering approach using Bayesian optimization to identify TLS clients based on domain name associations.

Findings

Clid successfully identifies strongly associated domain names for at least 60% of clients.

Clid outperforms rule-based methods in dynamic network environments.

Clid can adapt to large-scale TLS datasets with millions of handshakes.

Abstract

In this paper, we introduce Clid, a Transport Layer Security (TLS) client identification tool based on unsupervised learning on domain names in the server name indication (SNI) field. Clid aims to provide some information on a wide range of clients, even though it may not be able to identify a definitive characteristic about each one of the clients. This is a different approach from that of many existing rule-based client identification tools that rely on hardcoded databases to identify granular characteristics of a few clients. Often times, these tools can identify only a small number of clients in a real-world network as their databases grow outdated, which motivates an alternative approach like Clid. For this research, we utilize some 345 million anonymized TLS handshakes collected from a large university campus network. From each handshake, we create a TCP fingerprint that identifies each unique client that corresponds to a physical device on the network. Clid uses Bayesian optimization to find the 'optimal' DBSCAN clustering of clients and domain names for a set of TLS connections. Clid maps each client cluster to one or more domain clusters that are most strongly associated with it based on the frequency and exclusivity of their TLS connections. While learning highly associated domain names of a client may not immediately tell us specific characteristics of the client like its the operating system, manufacturer, or TLS configuration, it may serve as a strong first step to doing so. We evaluate Clid's performance on various subsets of our captured TLS handshakes and on different parameter settings that affect the granularity of identification results. Our experiments show that Clid is able to identify 'strongly associated' domain names for at least 60% of all clients in all our experiments.