We use positional-unigram byte models together with maximum likelihood for generalized TLS fingerprinting and empirically show that the approach is robust to cipher stunting. Our approach creates a set of positional-unigram byte models from client hello messages. Each positional-unigram byte model is a statistical model of the TLS client hello traffic created by one client application or process. To fingerprint a TLS connection, we take its client hello and compute its likelihood under each statistical model. The statistical model that maximizes the likelihood function gives the predicted client application for that client hello. Our data-driven approach does not use side-channel information and can be updated on the fly. We experimentally validate our method on an internal dataset and show that it is robust to cipher stunting by tracking an unbiased $f_{1}$ score as we synthetically increase randomization.
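A minimal sketch of the classification step described above, added here as an illustration and not taken from the paper's implementation. The add-one smoothing, the 64-byte position cap, the toy hello layout and the names `app_a`/`app_b` are assumptions; the byte strings are constructed, not captured traffic.

```python
import math

ALPHA = 1.0    # assumed Laplace smoothing constant (not given in the abstract)
MAX_LEN = 64   # assumed cap on the number of byte positions modeled

class PositionalUnigramModel:
    """Per-position byte counts for one client application."""
    def __init__(self):
        self.counts = [dict() for _ in range(MAX_LEN)]
        self.totals = [0] * MAX_LEN

    def update(self, hello: bytes) -> None:
        # Incremental counting, so a model can be refreshed on the fly.
        for pos, byte in enumerate(hello[:MAX_LEN]):
            self.counts[pos][byte] = self.counts[pos].get(byte, 0) + 1
            self.totals[pos] += 1

    def log_likelihood(self, hello: bytes) -> float:
        # Sum of log P(byte | position) with add-ALPHA smoothing over 256 values.
        ll = 0.0
        for pos, byte in enumerate(hello[:MAX_LEN]):
            seen = self.counts[pos].get(byte, 0)
            ll += math.log((seen + ALPHA) / (self.totals[pos] + 256 * ALPHA))
        return ll

def train(labelled: dict) -> dict:
    models = {}
    for app, hellos in labelled.items():
        models[app] = PositionalUnigramModel()
        for hello in hellos:
            models[app].update(hello)
    return models

def classify(models: dict, hello: bytes) -> str:
    # Maximum likelihood: the model that best explains the bytes wins.
    return max(models, key=lambda app: models[app].log_likelihood(hello))

def toy_hello(ciphers: list) -> bytes:
    # Constructed stand-in for a client hello: fixed header, count, cipher bytes.
    return b"\x16\x03\x01\x00" + bytes([len(ciphers)]) + bytes(ciphers)

# Constructed training data; "app_a" and "app_b" are hypothetical clients.
MODELS = train({
    "app_a": [toy_hello([0x2F, 0x35, 0x9C, 0x9D])] * 3,
    "app_b": [toy_hello([0x0A, 0x05, 0x04, 0x2F])] * 3,
})
# One cipher byte randomized, as cipher stunting would do.
STUNTED_A = toy_hello([0x2F, 0x35, 0x9C, 0x3C])

if __name__ == "__main__":
    print(classify(MODELS, STUNTED_A))
```

Because each position contributes independently to the score, a single randomized cipher byte lowers the likelihood under every model by a comparable amount, whereas an exact-match fingerprint over the same bytes would change entirely.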