Steffen Schulz,Ahmad-Reza Sadeghi,Maria Zhdanova,Hossen A. Mustafa,Wenyuan Xu,Vijay Varadharajan

DOI: https://doi.org/10.1145/2185448.2185468

2012-01-01

Abstract:The rapidly increasing data usage and overload in mobile broadband networks has driven mobile network providers to actively detect and bill customers who tether tablets and laptops to their mobile phone for mobile Internet access. However, users may not be willing to pay additional fees only because they use their bandwidth dierently, and may consider tethering detection as violation of their privacy. Furthermore, accurate tethering detection is becoming harder for providers as many modern smartphones are under full control of the user, running customized, complex software and applications similar to desktop systems. In this work, we analyze the network characteristics available to network providers to detect tethering customers. We present and categorize possible detection mechanisms and derive cost factors based on how well the approach scales with large customer bases. For those characteristics that appear most reasonable and practical to deploy by large providers, we present elimination or obfuscation mechanisms and substantiate our design with a prototype Android App.

Deliang Chang,Qianli Zhang,Xing Li

2015-01-01

Abstract:OS fingerprinting and NAT detection are considered important in various researches like network troubleshooting, deployment of services. Previous passive approaches usually require raw network traffic, which is often difficult to deploy. In this paper, a novel method is designed to fingerprint the OS and classify the NAT only using DNS log. Features of the Windows, MacOS/iOs, Android and Linux operating systems can be automatically extracted from labelled DNS log. With these features a simple classifier can fingerprint the OS types of these devices accurately. We apply this algorithm on data set from a large scale network. Analysis also reveals that nowadays the Windows operating systems are widely used in tethering or NAT, which is contrary to our previous knowledge.

Ping Dong,Namin Hou,Yuting Tang,Yushi Cheng,Xiaoyu Ji

DOI: https://doi.org/10.1016/j.hcc.2024.100222

2024-01-01

High-Confidence Computing

Abstract:The development of wireless communication network technology has provided people with diversified and convenient services. However, with the expansion of network scale and the increase in the number of devices, malicious attacks on wireless communication are becoming increasingly prevalent, causing significant losses. Currently, wireless communication systems authenticate identities through certain data identifiers. However, this software-based data information can be forged or replicated. This article proposes the authentication of device identity using the hardware fingerprint of the terminal’s Radio Frequency (RF) components, which possesses properties of being genuine, unique, and stable, holding significant implications for wireless communication security. Through the collection and processing of raw data, extraction of various features including time-domain and frequency-domain features, and utilizing machine learning algorithms for training and constructing a legal fingerprint database, it is possible to achieve close to a 97% recognition accuracy for Fifth Generation (5G) terminals of the same model. This provides an additional and robust hardware-based security layer for 5G communication security, enhancing monitoring capability and reliability.

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1145/3536423

2022-01-01

ACM Transactions on Sensor Networks

Abstract:The broadcast nature of wireless media makes WLANs easily attacked by rogue Access Points (APs) . Rogue AP attacks can potentially cause severe privacy leakage and financial loss. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP but also depend on the client, significantly limiting their application scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint . These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model, and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication in typical indoor environments. We have also proposed a threshold-improved authentication scheme to improve the robustness of our system in dynamic environments. Our schemes can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 18 million WiFi packets. Results show that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate. Moreover, the threshold-improved authentication scheme can further reduce the false alarm rate by 13.0%-44.8% for dynamic environments.

Namin Hou,Yushi Cheng,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ICCCS61882.2024.10603286

2024-01-01

Abstract:The advancement of Fifth-Generation (5G) technology has greatly enriched individuals' access to a broad array of convenient services, offering significant benefits in mobile communications, autonomous driving, smart homes, and the Internet of Things. However, with the increase in the number of network access devices, large and frequent data interactions have brought potential security risks to wireless networks, which are related to user privacy security, traffic safety, and even social security. Malicious intrusions targeting wireless communications have resulted in significant disruptions and incurred substantial losses. Presently, user identities in wireless communications rely on software-based data identifiers, which can be forged easily. This paper proposes a hardware-level device authentication mechanism that uses the intrinsic hardware characteristics of the transmitter (shown as impairments in the radio signal of the transmission link) for identity authentication. The resulting fingerprint is naturally distinctive and highly resistant to counterfeiting attempts. We use 5 devices across different models and 10 devices of the same model for experimental evaluation. Then we apply machine learning algorithms to construct a fingerprint database and device authentication, achieving an average of 82.4% precision, 89.9% recall, and 85.9% F1-score, which can help to safeguard the security of 5G communication.

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1109/percom45495.2020.9127375

2020-01-01

Abstract:The broadcast nature of wireless medium makes WLANs easily be attacked by rogue Access Points (APs). Rogue AP attacks can potentially cause severe privacy leakage and financial lost. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs, since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP, but also depend on the client, significantly limiting their applicable scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint. These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication. Our scheme can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 12 million WiFi packets. Results shows that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate.

Sanorita Dey,Nirupam Roy,Wenyuan Xu,Srihari Nelakuditi

DOI: https://doi.org/10.1145/2542095.2542107

2013-01-01

Abstract:Device fingerprinting, similar to that of humans, if done well, can provide a convenient form of identification. In this poster, we explore whether constituent hardware sensors like accelerometers and gyroscopes of different smartphones can be exploited to fingerprint a smartphone. We observe that the readings of these sensors exhibit diverse features for different smartphones consistently when subjected to the same action.

Faqiang Sun,Li Zhao,Bo Zhou,Yong Wang

DOI: https://doi.org/10.1109/iccia49625.2020.00036

2020-06-01

Abstract:Network operators often need a clear visibility of the mobile APPs and their user scales running in the network traffic. This is critical for network management and network security. Analysis of the network traffic using the extracted APP features and user fingerprints is helpful for effective network operations, management, and security monitoring of LANs, MANs, and WANs. In China, the number of mobile APP users continues to increase, and the proportion of Internet users using mobile APPs to access the Internet far exceeds that of computers, making this task significant and difficult. The traditional methods are mainly APP identifications or identifications of specific APP users, which cannot satisfy the requirements of globally monitoring of APPs and their user scales at the same time. Especially when many users share the same network IPs (4G, home broadband, NAT), this work becomes challenging and time-consuming. This paper proposes an automatic fingerprint extraction approach of mobile APP users in network traffic. By analyzing the plaintext of the HTTP requests initiated by APPs in training datasets, we extract the APPs’ features and the users’ fingerprints simultaneously. Both of them are the combinations of strings which are distinguishable of APPs and their users in the network traffic. The proposed method is evaluated with the top 49 popular APPs in Huawei App Store. The experimental results show that the recalls of the extractions of APPs’ features and users’ fingerprints are respectively 77.5% and 55.1% in total.

Qing PU

DOI: https://doi.org/10.3969/j.issn.1000-1220.2005.04.006

2005-01-01

Abstract:Remote Hosts operation system fingerprinting has important situation in network security evaluation. By exploit the different feedbacks from the TCP/IP stacks of each host OS it can distinguish the types of them each other.This paper analyse the problems of existing OS fingerprinting tools,and then presents a more efficient and powerful way to detect a target host operation system by exploit the TCP Datagrams Retransmission Timeout mechanism.

王轶骏,薛质,李建华

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.18.003

2004-01-01

Abstract:Remote OS detection is an important technique in information network system security, because it closed links with security holes. This paper presents the remote OS detection based on TCP/IP stack fingerprinting, and gives emphasis on describing and analyzing two newl implemening techniques: fingerprinting via RTO sampling and fingerprinting via ICMP responses.

Xixun He,Yiyu Yang,Wei Zhou,Wenjie Wang,Peng Liu,Yuqing Zhang

DOI: https://doi.org/10.1109/jiot.2021.3093073

IF: 10.6

2022-02-01

IEEE Internet of Things Journal

Abstract:The Internet of Things (IoT) platforms have been widely used in many application scenarios, especially for the smart home. Under the management of the IoT platform, a massive amount of IoT devices have been connected between remote cloud servers and users' mobile terminals. While bringing unprecedented convenience for device manufacturers and smart home users, the existence of mainstream IoT platforms has also become the primary target for malicious attackers. Thus, many intrusion detection mechanisms of specific IoT platform traffic have been proposed. However, as a prerequisites work of intrusion detection or vulnerability assessment, identifying target IoT platform traffic among real-world network traffic has not been deeply studied. Given this situation, we first time proposed and achieved "fingerprinting" for IoT platform traffic. We designed a set of standardized workflows of traffic capturing, fingerprint feature extraction, and fingerprint model construction. Based on such workflow, we implemented a software tool named IoTPF for distinguishing the traffic between the mobile terminal and remote server of different mainstream IoT platforms among network traffic. We also tested the usability and performance of IoTPF. Finally, we discuss the application scenarios of fingerprinting on IoT platforms.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chao Shen,Ruiyuan Lu,Saeid Samizade,Liang He

DOI: https://doi.org/10.1109/isba.2017.7947689

2017-01-01

Abstract:Passive wireless-device fingerprinting -the act of passively and automatically identifying specific types of wireless devices through sequential analysis of wireless traffic -is useful for network monitoring and management. This study presents a novel passive fingerprinting approach for wireless devices, by modeling network traffic with carefully chosen wireless parameters from 802.11 frames, and developing multi-level classification algorithm to perform task of device fingerprinting. Specifically, we systematically evaluate a set of traffic parameters with respect to their stability and discriminability of identifying wireless devices. We employ a distribution-based measurement to obtain signature for each wireless device. We then develop a decision-tree-based multi-level classifier for device fingerprinting. Experimental results show that the parameters of transmission time and inter-arrival time are much more stable for device fingerprinting, and the approach achieves a practically useful level of performance.

Yongle Chen,Jun Pan,Dan Yu,Yao Ma,Yuli Yang

DOI: https://doi.org/10.1109/tvt.2022.3169090

IF: 6.8

2022-01-01

IEEE Transactions on Vehicular Technology

Abstract:Due to the deployment of 5G technology, the number of IoV (Internet of Vehicle) devices connected to the Internet will explosively grow. However, as a kind of edge network device, IoV devices also face some problems including weak password authentication, lack of security protection, and lagged firmware updating, which largely threaten the security and legitimacy of these devices. IoV device identification is important in discovering, monitoring, and protecting these devices. Although existing proactive identification methods based on device fingerprints can be used to identify the large-scale Internet-connected IoV devices, they can not meet the fine-grained requirements for security risk assessment. Due to the increase in the types and brands of IoV devices, the fingerprint granularity will be insufficient. In this paper, we proposed a retransmission-based TCP fingerprints for large-scale fine-grained proactive device identification. Firstly, a probing scheme was designed to obtain TCP retransmission packet and increase the granularity space of traditional TCP fingerprint by selecting the multi-group features of TCP retransmission messages. Then, according to the bagging strategy of ensemble learning, a combined classifier with five predominant machine learning algorithms was generated. The experimental results showed that the identification accuracy and recall of IoV devices respectively reached 96.7% and 95.2%.

telecommunications,engineering, electrical & electronic,transportation science & technology

Xiaobo Ma,Jian Qu,Jianfeng Li,John C. S. Lui,Zhenhua Li,Wenmao Liu,Xiaohong Guan

DOI: https://doi.org/10.1109/tnet.2021.3112480

2020-01-01

Abstract:With the popularization of Internet of Things (IoT) devices in smart home and industry fields, a huge number of IoT devices are connected to the Internet. However, what devices are connected to a network may not be known by the Internet Service Provider (ISP), since many IoT devices are placed within small networks (e.g., home networks) and are hidden behind network address translation (NAT). Without pinpointing IoT devices in a network, it is unlikely for the ISP to appropriately configure security policies and effectively manage the network. In this paper, we design an efficient and scalable system via spatial-temporal traffic fingerprinting. Our system can accurately identify typical IoT devices in a network, with the additional capability of identifying what devices are hidden behind NAT and how many they are. Through extensive evaluation, we demonstrate that the system can generally identify IoT devices with an F-Score above 0.999, and estimate the number of the same type of IoT device behind NAT with an average error below 5%. We also perform small-scale (labor-intensive) experiments to show that our system is promising in detecting user-IoT interactions.

Jianfeng Li,Zheng Lin,Jian Qu,Shuohan Wu,Hao Zhou,Yangyang Liu,Xiaobo Ma,Ting Wang,Xiapu Luo,Xiaohong Guan

DOI: https://doi.org/10.1109/tnet.2024.3448621

2024-01-01

Abstract:Mobile apps have significantly transformed various aspects of modern life, leading to growing concerns about privacy risks. Despite widespread encrypted communication, app fingerprinting (AF) attacks threaten user privacy substantially. However, existing AF attacks, when targeted at wireless traffic, face four fundamental challenges, namely 1) sample inseparability; 2) app multiplexing; 3) signal attenuation; and 4) open-world recognition. In this paper, we advance a novel AF attack, dubbed, to recognize app user activities over the air in an open-world setting. We introduce two novel models, i.e., sequential XGBoost and hierarchical bag-of-words model, to tackle sample inseparability and enhance robustness against noise packets arising from app multiplexing. We also propose the environment-aware model enhancement to bolster ’s robustness in handling packet loss at the sniffer caused by signal attenuation. We conduct extensive experiments to evaluate the proposed attack in a series of challenging scenarios, including 1) open-world setting; 2) simultaneous use of different apps; 3) severe packet loss at the sniffer; and 4) cross-dataset recognition. The experimental results show that can accurately recognize app user activities. It achieves the average F1-score 0.947 for open-world app recognition and the average F1-score 0.959 for in-app user action recognition.

China Software Testing Center,Qu Hua,Liu Hailong,The Shanghai Trusted Industrial Control Platform Co., Ltd,Li Bo

DOI: https://doi.org/10.1007/s11265-021-01656-0

2021-01-01

Journal of Signal Processing Systems

Abstract:From a security perspective, identifying Industrial Internet of Things (IIoT) devices connected to a network has multiple applications such as penetration testing, vulnerability assessment, etc. In this work, we propose a feature-based methodology to perform device-type fingerprinting. A device fingerprint consists of the TCP/IP header features and port-based features extracted from the network traffic of the device. These features are collected by a hybrid mechanism which has a negligible impact on device functionality and can avoid the problem of the long TCP connection. Once the fingerprint of a device is generated, it will be fed to the classifiers based on Gradient Boosting to predict its type details. Based on our proposed method, we implement a prototype application called IIoT Device Type Fingerprinting (IDTF) which capable of automatically identifying the types of devices being connected to an IIoT network. We collect a dataset consisting of 19,174 fingerprints from real-world Internet-facing IIoT devices indexed by Shodan to train and evaluate the classifiers using ten-fold cross-validation. And we conduct comparative experiments in an IIoT testbed to compare the effectiveness of IDTF with two famous fingerprinting tools. The experimental result shows that the ability of our approach is confirmed by a high mean F-Measure of 95.76%. It also demonstrates that IDTF achieves the highest identification rate in the testbed and is non-intrusive for IIoT devices. Compared with existing works, our approach is more generic as it does not rely on a specific protocol or deep packet inspection and can distinguish almost all IIoT device-types.

Sunghyun Yu,Yoojae Won

DOI: https://doi.org/10.3934/mbe.2023101

Abstract:Privacy protection in computer communication is gaining attention because plaintext transmission without encryption can be eavesdropped on and intercepted. Accordingly, the use of encrypted communication protocols is on the rise, along with the number of cyberattacks exploiting them. Decryption is essential for preventing attacks, but it risks privacy infringement and incurs additional costs. Network fingerprinting techniques are among the best alternatives, but existing techniques are based on information from the TCP/IP stack. They are expected to be less effective because cloud-based and software-defined networks have ambiguous boundaries, and network configurations not dependent on existing IP address schemes increase. Herein, we investigate and analyze the Transport Layer Security (TLS) fingerprinting technique, a technology that can analyze and classify encrypted traffic without decryption while addressing the problems of existing network fingerprinting techniques. Background knowledge and analysis information for each TLS fingerprinting technique is presented herein. We discuss the pros and cons of two groups of techniques, fingerprint collection and artificial intelligence (AI)-based. Regarding fingerprint collection techniques, separate discussions on handshake messages ClientHello/ServerHello, statistics of handshake state transitions, and client responses are provided. For AI-based techniques, discussions on statistical, time series, and graph techniques according to feature engineering are presented. In addition, we discuss hybrid and miscellaneous techniques that combine fingerprint collection with AI techniques. Based on these discussions, we identify the need for a step-by-step analysis and control study of cryptographic traffic to effectively use each technique and present a blueprint.

Li Lu,Runzhe Wang,Jing Ding,Wubin Mao,Wei Chen,Hongzi Zhu

DOI: https://doi.org/10.1109/ifipnetworking.2015.7145328

2015-01-01

Abstract:In recent past, the rapid developing of mobile internet inspires the widespread use of WiFi (IEEE 802.11) technology. In WiFi, the access control of a terminal to the router remains a significant challenge because the PIN (password) and MAC address are easy to guess and forge. In this paper, we present FastID - a practical system that identifies WiFi terminals in real-time by fingerprinting their clocks. Previous approaches of clock fingerprinting require tens of minutes or even hours for clock data collection, and thus cannot be applied into real-time WiFi terminal identification. Even worse, unstable wireless communications and unknown status of terminals' OSes may further degrade the accuracy of fingerprint computation. In comparison, FastID performs fast clock fingerprinting based on the timestamps carried by terminals' ICMP packets. Moreover, FastID employs simple but efficient techniques to remove outliers of collected clock data and differentiate terminals based on the similarity of their distributions, making it suitable for fast terminals identification. FastID is implemented on an off-the-shelf commercial WiFi router and extensively evaluated based on 10 commodity WiFi terminals. Experimental results show that FastID is able to identify terminals with high accuracy and low cost within several seconds.

Arun Raghuramu,Parth H. Pathak,Hui Zang,Jinyoung Han,Chang Liu,Chen-Nee Chuah

DOI: https://doi.org/10.1016/j.comcom.2016.04.011

IF: 5.047

2016-01-01

Computer Communications

Abstract:This paper presents a measurement study that analyzes large-scale traffic data gathered from two different wireless scenarios: cellular and Wi-Fi networks. We first analyze packet traces and security event logs generated by over 2 million devices in a major US-based cellular network, and show that 0.17% of mobile devices are affected by security threats. We then analyze the aggregate network footprint of malicious and benign traffic in the cellular network, and demonstrate that statistical network features (e.g., uplink data transfer volume, IP entropy) can be effectively used to distinguish such malicious and benign traffic. We next investigate over 2.4 TB of Wi-Fi traffic data, which are generated by 27 K distinct users, in a university campus network. Based on the lessons learned from a comprehensive exploration of a large feature space consisting of over 500 statistical attributes derived from network traffic to/from malicious and benign domains, we propose a novel, in-house traffic screening method, which has the capability of effectively identifying potential malicious domains. Our method achieves over 90% accuracy with only using a small set of simple statistical network features, without using any additional specialized datasets (e.g., geo-location database) or resource-intensive solutions (e.g., DPI boxes to collect HTTP traffic.). (C) 2016 Elsevier B.V. All rights reserved.

Jiaqing Dong,Hao Yin,Lyu Yongqiang,Hao Li,Wei Wang

DOI: https://doi.org/10.1109/mcse.2017.12

2016-01-01

Computing in Science & Engineering

Abstract:Compared to desktop computers, smartphones frequently connect to the Internet via various applications through private protocols, resulting in severe difficulties in searching publicly shared information and in measuring network-layer performance. Most related work has focused on device-based software-assisted measurement, which suffers scalability as well as usability issues. In this article, the authors propose TAM, a transparent agent architecture to monitor applications in terms of both network performance and content. TAM sets up distributed virtual agents for target mobile applications and can enable parallel large-scale measurements through high-density computing resources, such as the cloud. TAM can also identify and measure the infrastructures that provide services to mobile applications. It does this without any built-in assistance from mobile devices, making TAM act as a transparent service in a scalable and usable manner. Experimental results of the prototype implementation verify the architecture.