US 12,107,890 B2
Network security with server name indication
Filip Savin, Vilnius (LT); Leonardas Marozas, Vilnius (LT); and Kimmo Kasslin, Espoo (FI)
Assigned to Cujo LLC, Covina, CA (US)
Filed by Cujo LLC, Walnut, CA (US)
Filed on Apr. 12, 2022, as Appl. No. 17/719,117.
Prior Publication US 2023/0328102 A1, Oct. 12, 2023
Int. Cl. H04L 9/40 (2022.01); H04L 61/4511 (2022.01); H04L 67/02 (2022.01)
CPC H04L 63/166 (2013.01) [H04L 61/4511 (2022.05); H04L 63/0876 (2013.01); H04L 67/02 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method comprising:
receiving, by a computing device, an IP address and a port number related to a transport protocol and an application protocol version and other attributes related to an application protocol extracted from an encrypted client hello (ECH) enabled transport layer security (TLS) connection request from a client computing device;
extracting, by the computing device from a database of hostname to Internet Protocol (IP) address mappings related to a collected list of known hostnames and resolutions of the known hostnames, a set of all hostnames matching the IP address;
generating, by the computing device, a reduced list of the set of all hostnames matching the IP address by:
removing hostnames that do not support an ECH extension of a TLS standard;
removing intermediate content distribution network (CDN) hostnames; and
removing hostnames that do not support the application protocol version, service on the port number, and the transport protocol;
assigning, by the computing device, a confidence score to each hostname of the reduced list of the set of all hostnames based on at least one of: an alias count of the hostname and a popularity ranking of the hostname; and
generating, by the computing device, a prioritized list of one or more hostnames of the reduced list of the set of all hostnames based on the confidence score, the prioritized list indicating the one or more hostnames in the order of descending probability of being requested in the ECH enabled TLS connection request from the client computing device.
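With ECH the real server name travels in the encrypted inner ClientHello and the outer ClientHello carries only the client-facing server's public name, so an observer on the network is left with the attributes claim 1 enumerates: destination IP, port, transport, and the application protocol version (ALPN). The following Python is an added illustration of the five claimed steps (lookup, three-way reduction, scoring, ordering); it is not the patent's or Cujo's code. The record layout, the scoring formula and its weights, and the sample database (a shared CDN address 203.0.113.10 with five tenants, plus one unrelated host) are all constructed for the example.

```python
"""Hostname inference for an ECH-enabled TLS connection, modelled on the
steps of claim 1. Added example: the record layout, the confidence
formula and the sample database are assumptions, not the patent's own."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HostRecord:
    """One entry of the hostname-to-IP database (assumed layout).

    alias_count     - number of known CNAME aliases resolving to this name
    popularity_rank - 1 = most popular; None = not in the ranking
    """
    hostname: str
    ips: frozenset
    supports_ech: bool
    cdn_intermediate: bool          # edge hostname assigned by the CDN itself
    alpn: frozenset                 # application protocol versions served
    ports: frozenset
    transports: frozenset           # "tcp" for TLS over TCP, "udp" for QUIC
    alias_count: int = 0
    popularity_rank: Optional[int] = None


@dataclass(frozen=True)
class ConnectionAttrs:
    """What the observer has from an ECH-enabled ClientHello: the inner SNI
    is encrypted, so only IP, port, transport and ALPN are usable."""
    ip: str
    port: int
    transport: str
    alpn: str


# Constructed sample database: 203.0.113.10 is a shared CDN address.
SAMPLE_DB = [
    HostRecord("news.example", frozenset({"203.0.113.10"}), True, False,
               frozenset({"h2", "http/1.1", "h3"}), frozenset({443}),
               frozenset({"tcp", "udp"}), alias_count=12, popularity_rank=500),
    HostRecord("shop.example", frozenset({"203.0.113.10"}), True, False,
               frozenset({"h2", "http/1.1"}), frozenset({443}),
               frozenset({"tcp"}), alias_count=3, popularity_rank=40),
    HostRecord("legacy.example", frozenset({"203.0.113.10"}), False, False,
               frozenset({"http/1.1"}), frozenset({443}), frozenset({"tcp"}),
               alias_count=30, popularity_rank=10),
    HostRecord("edge-7f3a.cdn.example", frozenset({"203.0.113.10"}), True, True,
               frozenset({"h2", "http/1.1", "h3"}), frozenset({443}),
               frozenset({"tcp", "udp"}), alias_count=200, popularity_rank=None),
    HostRecord("mail.example", frozenset({"203.0.113.10"}), True, False,
               frozenset({"imap"}), frozenset({993}), frozenset({"tcp"}),
               alias_count=1, popularity_rank=2000),
    HostRecord("other.example", frozenset({"198.51.100.7"}), True, False,
               frozenset({"h2"}), frozenset({443}), frozenset({"tcp"}),
               alias_count=5, popularity_rank=1),
]


def hostnames_for_ip(db, ip):
    """Claim step 2: every record whose resolutions include the observed IP."""
    return [r for r in db if ip in r.ips]


def reduce_candidates(records, attrs):
    """Claim step 3: drop names without ECH support, CDN intermediates, and
    names that do not serve the observed ALPN / port / transport."""
    return [
        r for r in records
        if r.supports_ech
        and not r.cdn_intermediate
        and attrs.alpn in r.alpn
        and attrs.port in r.ports
        and attrs.transport in r.transports
    ]


def confidence(record, alias_weight=0.1, popularity_weight=100.0):
    """Claim step 4 (assumed formula): more aliases and a better (lower)
    popularity rank both raise the score; unranked names get no
    popularity credit."""
    pop = popularity_weight / record.popularity_rank if record.popularity_rank else 0.0
    return alias_weight * record.alias_count + pop


def prioritized_hostnames(db, attrs):
    """Claim steps 2-5: (hostname, score) pairs, most likely first."""
    reduced = reduce_candidates(hostnames_for_ip(db, attrs.ip), attrs)
    scored = [(r.hostname, round(confidence(r), 3)) for r in reduced]
    return sorted(scored, key=lambda hs: hs[1], reverse=True)


if __name__ == "__main__":
    attrs = ConnectionAttrs("203.0.113.10", 443, "tcp", "h2")
    for name, score in prioritized_hostnames(SAMPLE_DB, attrs):
        print(f"{score:8.3f}  {name}")
```

For a TCP/443 connection advertising `h2`, the lookup returns five names for 203.0.113.10; the ECH filter drops `legacy.example`, the CDN filter drops `edge-7f3a.cdn.example`, and the port/ALPN filter drops `mail.example`, leaving `shop.example` ranked above `news.example`. Switching the observation to UDP with `h3` leaves only `news.example`. The output is a ranked guess, not an identification: on a shared CDN address where many ECH-capable tenants serve the same port and ALPN, the reduction step removes little and the ordering rests entirely on the alias and popularity heuristics.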