Authors: Jonas Andre, Johannes Naab, Benedikt Jaeger, Georg Carle, Leander Seidlitz, Stephan Günther

Authors: Kilian Holzinger, Henning Stubbe, Manuel Simon, Sebastian Gallenmüller, Georg Carle

Collecting metadata from Transport Layer Security (TLS) servers on a large scale allows to draw conclusions about their capabilities and configuration. This provides not only insights into the Internet but it enables use cases like detecting malicious Command and Control (C &C) servers. However, active scanners can only observe and interpret the behavior of TLS servers, the underlying configuration and implementation causing the behavior remains hidden. Existing approaches struggle between resource intensive scans that can reconstruct this data and light-weight fingerprinting approaches that aim to differentiate servers without making any assumptions about their inner working. With this work we propose DissecTLS, an active TLS scanner that is both light-weight enough to be used for Internet measurements and able to reconstruct the configuration and capabilities of the TLS stack. This was achieved by modeling the parameters of the TLS stack and derive an active scan that dynamically creates scanning probes based on the model and the previous responses from the server. We provide a comparison of five active TLS scanning and fingerprinting approaches in a local testbed and on toplist targets. We conducted a measurement study over nine weeks to fingerprint C &C servers and analyzed popular and deprecated TLS parameter usage. Similar to related work, the fingerprinting achieved a maximum precision of 99 % for a conservative detection threshold of 100 %; and at the same time, we improved the recall by a factor of 2.8.

Authors: Markus Sosnowski, Johannes Zirngibl, Patrick Sattler, Georg Carle

Authors: Filip Rezabek*, Marcin Bosk*, Georg Carle, Jörg Ott

Authors: Yuri Demchenko, Sebastian Gallenmüller, Serge Fdida, Panayiotis Andreou, Cedric Crettaz, Mathias Kirkeng

Authors: Richard Von Seck, Filip Rezabek, Benedikt Jaeger, Sebastian Gallenmüller, Georg Carle

TCP throughput and RTT prediction are essential to model TCP behavior and optimize network configurations. Flows adapt their sending rate to network parameters like link capacity or buffer size and interact with parallel flows. Especially the elastic behavior of TCP congestion control can vary, even when only slight changes in the network occur. Thus, existing analytical models for TCP behavior reach their limits due to the number and complexity of different algorithms. Machine learning approaches, in contrast, are often fixed to specific network topologies.This paper presents a TCP bandwidth and RTT prediction approach that can handle different algorithms and topologies. For this, we utilize Gated Graph Neural Networks and simulated network traffic. We evaluate different encodings of the input data into graphs and how network size, number of flows, and TCP algorithms influence prediction accuracy. Additionally, we quantify the impact of different input features on our models. We show that Graph Neural Networks can be used to model TCP behavior. The resulting models can predict RTT with a median relative error of 2.29% and throughput with an error of 13.31%.

Authors: Benedikt Jaeger, Max Helm, Lars Schwegmann, Georg Carle

Authors: Sebastian Gallenmüller, Florian Wiedner, Johannes Naab, Georg Carle

Authors: Stephan Günther, Georg Carle

Authors: Stephan Günther, Georg Carle, Adrian Pesch