Author
Listed:
- Amanda Thomson
(School of Computing, Engineering and Built Environment (SCEBE), Edinburgh Napier University, 10 Colinton Road, Edinburgh EH10 5DT, UK)
- Leandros Maglaras
(School of Computer Science and Informatics, De Montfort University, The Gateway, Leicester LE1 9BH, UK
Department of Digital Media and Communication, Ionian University, 28100 Kefalonia, Greece)
- Naghmeh Moradpoor
(School of Computing, Engineering and Built Environment (SCEBE), Edinburgh Napier University, 10 Colinton Road, Edinburgh EH10 5DT, UK)
Abstract
Malicious domains are part of the landscape of the internet but are becoming more prevalent and more dangerous both to companies and to individuals. They can be hosted on various technologies and serve an array of content, including malware, command and control and complex phishing sites that are designed to deceive and expose. Tracking, blocking and detecting such domains is complex, and very often it involves complex allowlist or denylist management or SIEM integration with open-source TLS fingerprinting techniques. Many fingerprinting techniques, such as JARM and JA3, are used by threat hunters to determine domain classification, but with the increase in TLS similarity, particularly in CDNs, they are becoming less useful. The aim of this paper was to adapt and evolve open-source TLS fingerprinting techniques with increased features to enhance granularity and to produce a similarity-mapping system that would enable the tracking and detection of previously unknown malicious domains. This was achieved by enriching TLS fingerprints with HTTP header data and producing a fine-grain similarity visualisation that represented high-dimensional data using MinHash and Locality-Sensitive Hashing. Influence was taken from the chemistry domain, where the problem of high-dimensional similarity in chemical fingerprints is often encountered. An enriched fingerprint was produced, which was then visualised across three separate datasets. The results were analysed and evaluated, with 67 previously unknown malicious domains being detected based on their similarity to known malicious domains and nothing else. The similarity-mapping technique produced demonstrates definite promise in the arena of early detection of malware and phishing domains.
Suggested Citation
Amanda Thomson & Leandros Maglaras & Naghmeh Moradpoor, 2025.
"A Novel TLS-Based Fingerprinting Approach That Combines Feature Expansion and Similarity Mapping,"
Future Internet, MDPI, vol. 17(3), pages 1-20, March.
Handle:
RePEc:gam:jftint:v:17:y:2025:i:3:p:120-:d:1607295
Download full text from publisher
Corrections
All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:gam:jftint:v:17:y:2025:i:3:p:120-:d:1607295. See general information about how to correct material in RePEc.
If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.
We have no bibliographic references for this item. You can help adding them by using this form .
If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.
For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: MDPI Indexing Manager (email available below). General contact details of provider: https://www.mdpi.com .
Please note that corrections may take a couple of weeks to filter through
the various RePEc services.