Inferring(Services(over((Encrypted(Web(Flows�

ğSoJč�V�ĶÜ:P�((EB:7:71)(2014_3�20�(

(�ĶĐ?((�Ì·PV)ƣ�Ķ ((JST(ERATO)(

ã�(1)(web( ¾ŗ���ŭƟſƠƈƂƅƅƙƍŬƂųŗM0((ıWIDE(Mawi(Project(hMp://mawi.wide.ad.jp,(samplepoint(B,(F(ŗŴƙƍũe¶�

2002/12/1�

2012/12/1�

ŭƟſƠƈƂƅ�ŗOŁŗŸƠƌżľ(Web(hMp)(ŖÉì�

P2Pľ ¾�

Webľ ¾�

Ĩ�

ã�(2)(web(č�ŗ�90�ïĤâcŜ14�%ŗAndroid(ŗč�ũ6�ę÷«ņŋÚ�ũĜ÷(

IN( OUT(

hMps(

hMp(

SSL/TLS(ŖţŎő�90ńŧőĹŦHTTPč�(HTTPS)ŗ,:ľĥĹ(IJŽƠźƕƛƈƂƅƞƠųŢŰƟƙŭƟżƅƜƠŻÑŗ(ƊƠŽƇƛŕoJũċ7�ŇŦūƏƚŵƠźƘƟŗL.�

ĩ�

ŭƟſƠƈƂƅƅƙƍŬƂų÷«(ŗÀ½œþģ�

•  À½ƥĦƅƙƍŬƂų"ûŗx~(–  )j[Ăx~ƥ^Hŗ�©�Ŗ�ũƍŬƛſƠ[ĂœŇŧřţĹĽ(

•  2Ŗ(HTTP(ŒŘÔDľaŇŀŦ(

–  Ġòŗx~ƥŔŗţĺŕūƏƚŵƠźƘƟŖ[ŇŦò¥ľĥĹŗĽƧ(Ķ→ūƠŲƃųƁƕŗ�øơŲƕƂźƖŗúßŢWAN(�đ0ÑƢ(ıĹňŧšŅŎŁťœņŋÛ÷ľĸŧř1%(

•  þģƥĦ�UūƏƝƠƁŗě¸ũ��(–  ƒƠƅ¹9ŒŘoJĔľ\ŕŇŀŦ(–  ŸƠƉŗIPūƆƜżŒŘ�1%ơ�żƙŭƆƢ(–  DPI(ŗě¸:(SSL/TLS((¶�Ŗ(HTTP(ƐƂƀľ5¯ŒĿŕĹ(

Ī�

ŸƠƉŗIPūƆƜżŒŘ�1%ŕ��•  ČeĿũúXņőĹŕĹŵƠżľUF(•  ñ�ŗ(FQDN(ľŚœŏŗIPūƆƜżŒ�ŨŧőĹŦŵƠż(((ƑżƃŬƟŴŢCDN(Ñ)(

ī�

�ÅÎŗŷƠƛ�

•  ŭƟſƠƈƂƅƅƙƍŬƂųũµsņőĹŦWebūƏƚŵƠźƘƟơƦŸƠƌżƢũx~ŇŦ(– °Ŗ�90(Web(č�ũ[ĂœŇŦ(– 100%(ŗÕbũÀ{ŇšŗŒŘŕĹ(• 3´½ŖCĞĶIJĶŅŎŁťœņŋÛ÷ŗx~(

Ĭ�

DNS(ųůƚũ¶ĹŋūƏƝƠƁ�č�ŗĘRŖ�ÏŎőĦųƙŭūƟƅĽŤDNS(ŗ<+ö¦ľ»µŇŦŗŒƣŊŗoJũ¶ĹŧřƑżƅ<(FQDN)ŘŨĽŦ(

ųƙŭūƟƅ(C1�

DNSŸƠƉ�

HTTPSŸƠƉ(S1�

61.213.146.4((akamai)(NTT:COM�

10.1.2.3�

61.213.146.4:443(IJ(10.1.2.3:31587((=(www.apple.com((APPLE)�

www.apple.com?(IJ(61.213.146.4(from(10.1.2.3(

ĭ�

�UÅÎ:(DN(Hunter�•  Bermudez(et(al.,(“DNS(to(the(Rescue:(Discerning(Content(and(

Services(in(a(Tangled(Web”,(ACM(IMC(2012Ķ�

ıEġŘ�ùÿ�ţťe¶� Į�

�UÅÎœ}�u§ŗ£Ć�

%�÷«[m� Û÷½|X�

DN(Hunter� ij� ĵĶ(óŋšŗľŇŜő)�}�u§� Ĵ� ĴĶ(óőŕĹšŗš|X)�

ƋƂƅņŕĽŎŋK:ŖļĹőšď4ŗõ«ũšœŖ(Û÷½Ŗ|XŇŦ¬ľ�ôŕūŭƄŬū�

į�

}�u§ŗ ���

�

(1)(DNS(ųůƚoJũVà�

(2)(FQDNũ|X�

(3)(éķŕƋƖƠƚżƃŬƂų(FQDN(!((ŸƠƌż<|X(�)(mail.google.com(!(Google(mail�

FQDN�

}��dŗ�ò((1):(VàĦ�

•  ŸƠƉIPūƆƜż:(s(•  ųƙŭūƟƅIPūƆƜż:(c(•  �*:(t((È2�œŇŦ)(•  DNS(A(ƜŶƠƆ(query(ŖļłŦ(FQDN:(N(œņŋœĿ((ĶĶ{s,c,t}(!(N(ĶĶ{s,c}(!(N(ĶĶ{s}(!(N(ŗŇŜőũĎpē&Ŗ¼ĕ(ıQuery(response(Œñ�(A(ƜŶƠƆũiŋŤ(ĶĶĶĶĶĶŇŜő¼ĕ�

ųƙŭūƟƅ(c�

DNSŸƠƉ�

HTTPSŸƠƉ(s�

�*(t’�

�*(t�

Query(=(N(Answer(=(s�

Ĩħ�

}��dŗ�ò((2):(|X�•  |Xŗ[ĂœŕŦ(HTTPS(ƍƝƠŗ({s,(c,(t’}(ũy$(

•  ŭŴŹųƅƓƂƁ(–  {s,(c,(t’}(Ŗ[ŇŦ(N(ũ$-(

•  �ęňŤņ�×(–  Exact(match(ľQ�ņŋK:ƣ{s,(c,(t’}(ŗ(t’(ũªŤņྍ�×((t’(=(t’,(t’:1,(t’:2,(…,(t’:m)(•  DNS(ųůƚľ(HTTP(č�ĘRŖ�ÏŎő»µŇŦŵƠżľĸŦ(

•  Û÷½|X((MAP)(– �ùĹňŧšQ�ņŋK:ƣ{s,c}(ĸŦĹŘ({s}(ŗŞũ�Ŏő]šŤņĹFQDN(ũÛ÷½Ŗ|Xơ�PhƲ|XƢ�

ĨĨ�

�PhƲ|X((MAP)�●{s,(c}(ŗųůƚŖ[ŇŦmÒ(N={n1,(n2,(…,}(ŗ"ƣ]šŤņĹFQDNũ�ùŗţĺŖ|X((((ĸŦĦFQDN(Ŗ[ņő((s,(c)(ŗÙŞ:Ũʼnľ($³ŇŦƲ(

ĸŦĦFQDN(ŗ$³Ģb(ŸƠƌżŗ�¤b�

Ĩĩ�ıĶ�PhƲŗ÷ÓŖŘĹŁŏĽŗƉƚůƠźƘƟľáĻŤŧŦ�

●{s,(c}(ŗųůƚŖ[ŇŦmÒľŕĹK:Řųůƚũ({s}(œņő;�Ŗ|X(((

}��dŗ�ò((3):(ŸƠƌż|X�

•  FQDN(ũgsŇŦ�T&ŗ°kŖšœŐĿƣŸƠƌżũ|X(

•  Public(suffix(ũy$(– www.ieice.org(ŗ(public(suffix(=(ieice.org((

•  ¡ťŗ�T&Ŗ[ņő°k½ŕ�T&ŗ�­ũ'X(– mail,(blog,(planorm,(ad,(Ñ(

ĨĪ�

näý�YĤ�•  Ö2,000ŗÐ�ľč�ũņőĹŦAÝũ÷«(•  �90ńŧőĹŕĹ(HTTP(č�ũ(¶(–  Request(header(ĽŤÂŗ(FQDN(ũy$8ä(–  HTTP(ƚųůżƅ�:(30084(– �ę(=(Ö4000È(

•  DNSųůƚ(– �ù(HTTP(č�ŗ�ę^ũ>ş46000È(– Ö10�ųůƚ(

•  �AŗYĤý�ŒŘ|XÚ�ũ��ŗţĺŖK:%łũŇŦ(– |XFQDNœÂŗFQDN(ľW �ç((OK)(–  Public(suffix(ľ�ç((SIM)(– Ŋŧ�N((NG)( Ĩī�

ƊƙƔſ(m(œ�×Õb�

ĨĬ�

0%(10%(20%(30%(40%(50%(60%(70%(80%(90%(100%(

0( 1( 10( 60( 300( 3600(

frac%o

n�

m�

sim(MAP)(sim(qme_shis)(sim(exact)(ok(MAP)(ok(qme_shis)(ok(exact)(

m(ŖZŤňOK(Ř(90%ƣSIM(ľ(5%(ËbŗÕb(m(=(0((�ęňŤņ�×ŕņ)ŒšÕbŘèĹ((MAPŗ|XÚ�ľ�)(m(ũLŢŇœ�ęňŤņ�×ŗ|XÚ�ľ�œŕŦľÚ�Ř;��

ı(x(ąŘÝgŒŘŕĹŃœŖ¨q�

ƊƙƔſ(m(œ�×Ŷżƅ�

Ĩĭ�

0(

5(

10(

15(

20(

25(

0( 1( 10( 60( 300( 3600(

total+loo

kup+%m

e+(sec)�

m�

m(ŗL.œœšŖ�×ŶżƅľĥŝŦ(

ı(x(ąŘÝgŒŘŕĹŃœŖ¨q�

ůƙƠŗ3B�•  õ«ƄƠſ�Ą(– õ«�ę"Ŗõ«ņŋweb(ŸƠƉŗ(IP(ūƆƜżũ>şDNSųůƚľ»µņŕĹK:Ř|XŗņţĺľŕĹ(

•  ;�*Ŗ»µŇŦ({s,c,t}(ŗſƏƛ(– ³FŘ(t(ũÈ2�ŖŝŦŠőĹŦľƣšĺ\ņØĽĹ�ę%öäľlò(

ĶĶ�)(googleads.g.doubleclick.net(œ((ĶĶĶĶpagead2.googlesyndicaqon.com(ľ;�ŗ({s,c,t}(ũzŏ(

–  ŔōŤš(CNAME(=(pagead46.l.doubleclick.net(

ĨĮ�

ŝœŠœ�hŗþģ�

•  ď4ŗ(DNS(ųůƚũ5¯ņő�90(Web(č�ŗŸƠƌżũ|XŇŦu§ũ}�(

•  ÕbŘW �çľ(90%ƣpublic(suffix(�çľ5%Ëb(•  MAP(ũ�ĺŃœŒ�×ŶżƅũÃÞ8ä(

•  þģ((1)(Õb=�(–  ė�ęƄƠſŗ6ťĉŞƣ�ę%öäƣƋƖƠƚżƃŬƂųŗĘ»(

•  þģ((2)(żŵƠƙƌƚƃŬŗÆÏ(–  åPŕč�ƝŴśŗ[m(–  ď4ƄƠſŗêÍ(

Ĩį�

ĀĈ�

•  �ÅÎŗ�ĒŘJSPSÇÅăơ25880020ƣ�îĶ�Đ?Ƣŗ/sũ7łŋšŗŒŇƤ(

•  �ÅÎŖĚņőāÿĹŋŌĹŋNTTƈƂƅƞƠųI¿wíÅÎtŗÄ��`ÅÎ@ƣ�ëÅÎ@ƣ�·ÅÎ@ŖrĀņŝŇƤ�

Ĩİ�

SSL/TLS(ŗ(¶�•  SSL/TLS(Œ�90ńŧŋ(Web(č�ŖĚņőŘ!ĘĖü��ŖùćńŧŋĦCommonName((URL(ŗ(FQDN(œ�ç)(ŗ(¶ľ8äŒĸŦľƣFQDN(ŗx~ŖŘ�1%(

–  DN:Hunter(ÿ�((ACM(IMC(2012)(Œŗ%�Ú�(•  CN(=(FQDN(:(18%(•  ƞŭƛƆűƠƆü��:(19%(•  ŝŎŋŁºŕŦü��(?):(40%(•  ü��­ņ:(23%(

ĩħ�

)j�9œƄƠſ�9ŗ%ĝ�

ĩĩ�

ER�

ER�

ER�

DNS(ƜžƛƉ(

Û:((}�u§)�

DNS(()j�9)�

CR(�

GW�

Flow÷«ƄƠſ((ƄƠſ�9)�

3´½Ŗųůƚũõ«ŒĿŕĹŵƠż�

•  ƎƙŮŹŗ(DNS(ŲƕƂźƖ�äŢƗƠŹůƟƆŗƛƠſŖYðńŧŋ(DNS(ŲƕƂźƖŸƠƉŖţťƣõ«G¬Œ(DNS(ųůƚľõ«ŒĿŕĹ(

•  ÊŖIP(ūƆƜżÁvōŗŵƠżľĸŦ(•  Ð�ŗIPūƆƜż#,főŢĊ4�

ĩĪ�