An advanced network security framework designed to detect anomalies in encrypted traffic using TLS Fingerprinting (JA3/JA3S), Machine Learning, and Active Verification techniques.
Status: Active Development (Data Collection & Pipeline Phase)
Type: Senior Design Project (Bachelor's Thesis)
As encryption standards (TLS 1.3) become ubiquitous, traditional Deep Packet Inspection (DPI) loses its effectiveness. This project aims to classify and analyze malicious traffic without decryption by leveraging TLS Fingerprinting (JA3) methods.
The system autonomously captures network traffic, extracts TLS handshake metadata, calculates unique fingerprints, and prepares datasets for Machine Learning models to detect C2 servers, malware, and phishing attempts.
- Automated Data Pipeline: Real-time traffic capture (Ring Buffer) and automated processing.
- JA3/JA3S Fingerprinting: Extracts and calculates MD5 hashes from ClientHello packets.
- Dataset Generation: Automatically builds CSV datasets suitable for AI/ML training.
- Active Verification (Planned): A feedback loop mechanism to verify suspicious fingerprints against external threat intelligence.
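The JA3/JA3S calculation the pipeline performs, as an added illustration rather than code from this repository's processing module: the ClientHello fields are rendered as decimal values joined by "-", the five fields are joined by ",", GREASE values are dropped, and the MD5 of that string is the fingerprint. The ClientHello values below are constructed for the example, not taken from a capture.

```python
import hashlib

# GREASE values (RFC 8701) are randomised per connection and must be dropped
# before hashing, otherwise one client would produce many different JA3s.
GREASE = {(v << 8) | v for v in range(0x0a, 0x100, 0x10)}  # 0x0a0a .. 0xfafa


def _join(values):
    """Join decimal values with '-' after filtering GREASE (JA3 convention)."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Canonical JA3 string: SSLVersion,Ciphers,Extensions,EllipticCurves,PointFormats."""
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(curves), _join(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """JA3 fingerprint: MD5 of the canonical string as 32 hex characters."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()


def ja3s_string(version, cipher, extensions):
    """JA3S is built from the ServerHello: SSLVersion,Cipher,Extensions."""
    return ",".join([str(version), str(cipher), _join(extensions)])


def ja3s_hash(version, cipher, extensions):
    """JA3S fingerprint: MD5 of the ServerHello string."""
    return hashlib.md5(ja3s_string(version, cipher, extensions).encode("ascii")).hexdigest()


# Constructed sample ClientHello fields (decimal, in wire order); not a real capture.
SAMPLE_CLIENT_HELLO = dict(
    version=771,                                        # 0x0303, TLS 1.2
    ciphers=[0x1a1a, 4865, 4866, 4867, 49195, 49199],   # first entry is GREASE
    extensions=[0x3a3a, 0, 23, 65281, 10, 11, 35, 16, 5, 13],
    curves=[0x5a5a, 29, 23, 24],
    point_formats=[0],
)

if __name__ == "__main__":
    print(ja3_string(**SAMPLE_CLIENT_HELLO))
    print(ja3_hash(**SAMPLE_CLIENT_HELLO))
```

Because the extension list is hashed in wire order, two clients offering the same extensions in a different order get different fingerprints, which is why JA3 can separate client implementations but also why a single browser update can shift its hash.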
TLS-Project/
├── src/
│   ├── capture/          # PowerShell scripts for TShark automation & workflow management
│   └── processing/       # Python modules for JA3 extraction & data cleaning
├── data/
│   ├── raw_pcaps/        # Temporary storage for captured PCAP files (not synced to Git)
│   ├── processed_csvs/   # Generated datasets (master CSVs)
│   └── logs/             # Operational logs for debugging
├── docs/                 # Survey papers and architectural diagrams
└── requirements.txt      # Python dependencies
To run this system, ensure you have the following installed:
Wireshark & TShark:
Must be installed with the TShark component selected.
Crucial: The Wireshark folder (e.g., C:\Program Files\Wireshark) must be added to your system's PATH environment variable.
Python 3.x:
Required for parsing and feature extraction.
PowerShell:
Required for running the automation scripts (Admin privileges recommended for capturing).
Clone the repository and install Python dependencies:
git clone https://github.com/YOUR_USERNAME/TLS-Project.git
cd TLS-Project
pip install -r requirements.txt
The system operates using two parallel processes: Capture and Watcher.
- Start Traffic Capture
This script captures network packets in a ring-buffer format. It prompts you to select the network interface.
cd src/capture
.\capture.ps1
- Start the Watcher (Processor)
Open a new terminal window. This script monitors the capture folder. When a PCAP file is closed, it triggers the Python extractor, updates the dataset, and cleans up the raw file.
cd src/capture
.\watcher.ps1
This project is developed for academic and research purposes only. The tools provided here should be used only on networks where you have explicit permission to monitor traffic. The author assumes no responsibility for misuse.