Qiang Li,Xuan Feng,Lian Zhao,Limin Sun

DOI: https://doi.org/10.1109/MNET.2017.1700034

IF: 10.294

2017-01-01

IEEE Network

Abstract:Today, millions of physical devices are visible on the Internet through IP addresses, such as wearables, residential routers, cameras and industrial control devices. Users can access and control online devices, while attackers also target them, bringing potential security concerns. In this article, we propose a conceptual framework for discovering, recognizing and managing these online devices at the Internet-wide scale. It is the first work of Internet-wide device search, including three modules: network measurement, fingerprinting, and applications. We have implemented a prototype system and real-world experiments to illustrate the effectiveness of the framework. Furthermore, we explore the use and application of the system through searching camera devices in the whole IPv4 space. We deployed the system on Amazon EC2 to search for webcams and ICS devices nine times from April 2015 to April 2016, and we found 1.3 million webcams in total. In a comprehensive analysis of our dataset, we have characterized the use of online physical devices on the Internet.

Kai Yang,Qiang Li,Limin Sun

DOI: https://doi.org/10.1016/j.comnet.2018.11.013

IF: 5.493

2019-01-01

Computer Networks

Abstract:Nowadays, the cyberspace consists of an increasing number of IoT devices, such as net-printers, webcams, and routers. Illuminating the nature of online devices would provide insights into detecting potentially vulnerable devices on the Internet. However, there is a lack of device discovery in large-scale due to the massive number of device models (i.e., types, vendors, and products). In this paper, we propose an efficient approach to generate fingerprints of IoT devices. We observe that device manufacturers have different network system implementations on their products. We explore features spaces of IoT devices in three network layers, including the network-layer, transport-layer, and application-layer. Utilizing the feature of network protocols, we generate IoT device fingerprints based on neural network algorithms. Furthermore, we implement the prototype system and conduct real experiments to validate the performance of device fingerprints. Results show that our classification can generate device class labels with a 94% precision and 95% recall. We use those device fingerprints to discover 15.3 million network-connected devices and analyze their distribution characteristics in cyberspace.

Yushi Cheng,Xiaoyu Ji,Tianyang Lu,Wenyuan Xu

DOI: https://doi.org/10.1109/tmc.2019.2900919

IF: 6.075

2019-01-01

IEEE Transactions on Mobile Computing

Abstract:Wireless cameras are widely deployed in surveillance systems for security guarding. However, the privacy concerns associated with unauthorized videotaping, are drawing increasing attention recently. Existing detection methods for unauthorized wireless cameras are either limited by their detection accuracy or requiring dedicated devices. In this paper, we propose DeWiCam, a lightweight and effective detection mechanism using smartphones. The basic idea of DeWiCam is to utilize the intrinsic traffic patterns of flows from wireless cameras. Compared with traditional traffic pattern analysis, DeWiCam is more challenging because it cannot access the encrypted information in the data packets. Yet, DeWiCam overcomes the difficulty and can detect nearby wireless cameras reliably. To further identify whether a camera is in an interested room, we propose a human-assisted identification model. Extension functions of DeWiCam further enable the video resolution and audio channel inference to provide extra protection. We implemented DeWiCam on the Android platform and evaluated it with extensive experiments on 20 cameras. The evaluation results show that DeWiCam can detect cameras with an accuracy of 99 percent within $2.7\;\mathrm {s}$2.7s.

song xiaofeng,xie di,chen deren,zhang weize,tong ruofeng

DOI: https://doi.org/10.1007/978-3-642-03718-4_84

2012-01-01

Abstract:In this paper, we propose a system to acquire high resolution face image of a human in surveillance scene. Firstly, the system detects a full or partially occluded human body in the scene and zooms in to it automatically. And then a face detection and zooming process is running. Finally, a high resolution face image is captured and saved. The system can run real-time as the algorithms are accelerated by multi-core CPU and CPU. Experiments show that the system can capture most high resolution face image of human in the scene and can be implemented in the real surveillance systems. Our system provides an alternative method with better result to acquire high resolution face image comparing to face super-resolution methods.

Jian Qu,Xiaobo Ma,Wenmao Liu,Hongqing Sang,Jianfeng Li,Lei Xue,Xiapu Luo,Zhenhua Li,Li Feng,Xiaohong Guan

DOI: https://doi.org/10.1109/tnet.2023.3312162

2024-01-01

Abstract:Cyber search engines, such as Shodan and Censys, have gained popularity due to their strong capability of indexing the Internet of Things (IoT). They actively scan and fingerprint IoT devices for unearthing IP-device mapping. Because of the large address space of the Internet and the mapping's mutative nature, efficiently tracking the evolution of IP-device mapping with a limited budget of scans is essential for building timely cyber search engines. An intuitive solution is to use reinforcement learning to schedule more scans to networks with high churn rates of IP-device mapping. However, such an intuitive solution has never been systematically studied. In this paper, we take the first step toward demystifying this problem based on our experiences in maintaining a global IoT scanning platform. Inspired by the measurement study of large-scale real-world IoT scan records, we land reinforcement learning onto a system capable of smartly scanning IoT devices in a principled way. We disclose key parameters affecting the effectiveness of different scanning strategies, and real-world experiments demonstrate that our system can scan up to around 40 times as many IP-device mapping mutations as random/sequential scanning.

Xuan Feng,Qiang Li,Qi Han,Hongsong Zhu,Yan Liu,Limin Sun

DOI: https://doi.org/10.1109/ICC.2016.7511426

2016-01-01

Abstract:Nowadays industrial control devices are crucial for infrastructure-critical systems such as factories, power plants, and water treatment facilities. Devices with IP addresses are visible on the Internet and they connect cyber space and physical world. The first step in protecting devices from attackers is a deep understanding of the devices' characteristics in the cyber space. In this paper, we take a first step in this direction by investigating physical devices running one of the two specific protocols that are widely adopted in industrial control systems. In order to detect these devices in real-time, we propose a two-stage discovery mechanism: first filtering out unqualified hosts from 4 billion remote hosts and then identifying physical devices from qualified candidates. We have conducted a real-world experiment to verify the mechanism and identified dozens of thousands of physical devices from the entire Internet. Results show that our method discovers all devices in 20 hours with 89.5% precision and 79.3% recall.

Xuan Feng,Qiang Li,Qi Han,Hongsong Zhu,Yan Liu,Jie Cui,Limin Sun

DOI: https://doi.org/10.1109/ICCCN.2016.7568486

2016-01-01

Abstract:Nowadays, more and more physical devices embed computing and networking capabilities and are visible on the Internet. These devices include webcams, net-printers, and industrial control equipments, etc. Collecting information about these devices is crucial to preserve cyber-security and facilitate security auditing for system administrators. In this paper, we propose a scalable framework for physical device profiling. It leverages banner grabbing to identify device types and running services, and uses clock skew to determine a device ID. Our framework scales well. We implement a prototype system and use it to profile Webcams and industrial control device. The results show that our system can effectively profile and identify Webcams in real time. We deploy it on the cloud server and use it to detect 4 billion IP addresses to profile 1.2 million Webcams and more than 60 thousand industrial control devices in 20 hours.

Jiongyu Dai,Qiang Li,Haining Wang,Lingjia Liu

DOI: https://doi.org/10.1016/j.knosys.2023.111226

IF: 8.139

2024-01-01

Knowledge-Based Systems

Abstract:Closed-circuit television (CCTV) systems and surveillance devices have been widely used for monitoring the real world (e.g., streets, lanes, buildings). Illumination of the nature of surveillance devices’ images can help in deterring criminal activity and provide insights for improving the infrastructure safety of CCTV systems. However, millions of outdated surveillance devices are still in use today, which suffer noise, the field of view, low-light conditions, and low visual quality. In this work, we conduct a large-scale empirical study of images of surveillance devices in the wild. For data collection, we deploy a web crawler to gather webcam images in the wild covering 100 websites that distribute the live streams to the public, such as a plaza and an industrial area. To enhance the low-light quality of images, we propose a new framework called ImCam for enhancing the quality of webcam images in the wild, including the retinex model and generative adversarial network (GAN). We develop a prototype of ImCam and evaluate its effectiveness over three classification systems, AlexNet, ResNet, and Vision Transformer (ViT), and Machine Learning as a Service (MLaaS) in three cloud service providers (Azure, Baidu, and Tencent). Our results show that ImCam is capable of improving low-light images for CCTV systems, making them acceptable in practice. Finally, leveraging 203,786 live streams and our ImCam, we conduct an analysis of webcam images in the wild and shed light on the nature of security usage for CCTV systems.

Ryan Dailey,Aniesh Chawla,Andrew Liu,Sripath Mishra,Ling Zhang,Josh Majors,Yung-Hsiang Lu,George K. Thiruvathukal

DOI: https://doi.org/10.48550/arXiv.2103.12286

2021-03-23

Information Retrieval

Abstract:Reduction in the cost of Network Cameras along with a rise in connectivity enables entities all around the world to deploy vast arrays of camera networks. Network cameras offer real-time visual data that can be used for studying traffic patterns, emergency response, security, and other applications. Although many sources of Network Camera data are available, collecting the data remains difficult due to variations in programming interface and website structures. Previous solutions rely on manually parsing the target website, taking many hours to complete. We create a general and automated solution for aggregating Network Camera data spread across thousands of uniquely structured web pages. We analyze heterogeneous web page structures and identify common characteristics among 73 sample Network Camera websites (each website has multiple web pages). These characteristics are then used to build an automated camera discovery module that crawls and aggregates Network Camera data. Our system successfully extracts 57,364 Network Cameras from 237,257 unique web pages.

Jinke Song,Qiang Li,Haining Wang,Limin Sun

DOI: https://doi.org/10.1145/3379471

2020-01-01

Proceedings of the ACM on Measurement and Analysis of Computing Systems

Abstract:Given the central role of webcams in monitoring physical surroundings, it behooves the research community to understand the characteristics of webcams' distribution and their privacy/security implications. In this paper, we conduct the first systematic study on live webcams from both aggregation sites and individual webcams (webpages/IP hosts). We propose a series of efficient, automated techniques for detecting and fingerprinting live webcams. In particular, we leverage distributed algorithms to detect aggregation sites and generate webcam fingerprints by utilizing the Graphical User Interface (GUI) of the built-in web server of a device. Overall, we observe 0.85 million webpages from aggregation sites hosting live webcams and 2.2 million live webcams in the public IPv4 space. Our study reveals that aggregation sites have a typical long-tail distribution in hosting live streams (5.8% of sites contain 90.44% of live streaming contents), and 85.4% of aggregation websites scrape webcams from others. Further, we observe that (1) 277,239 webcams from aggregation sites and IP hosts (11.7%) directly expose live streams to the public, (2) aggregation sites expose 187,897 geolocation names and more detailed 23,083 longitude/latitude pairs of webcams, (3) the default usernames and passwords of 38,942 webcams are visible on aggregation sites in plaintext, and (4) 1,237 webcams are detected as having been compromised to conduct malicious behaviors.

Xuan Feng,Qiang Li,Haining Wang,Limin Sun

DOI: https://doi.org/10.1109/icnp.2016.7784407

2016-01-01

Abstract:Industrial control system (ICS) devices with IP addresses are accessible on the Internet and play a crucial role for critical infrastructures like power grid. However, there is a lack of deep understanding of these devices' characteristics in the cyberspace. In this paper, we take a first step in this direction by investigating these accessible industrial devices on the Internet. Because of critical nature of industrial control systems, the detection of online ICS devices should be done in a real-time and non-intrusive manner. Thus, we first analyze 17 industrial protocols widely used in industrial control systems, and train a probability model through the learning algorithm to improve detection accuracy. Then, we discover online ICS devices in the IPv4 space while reducing the noise of industrial honeypots. To observe the dynamics of ICS devices in a relatively long run, we have deployed our discovery system on Amazon EC2 and detected online ICS devices in the whole IPv4 space for eight times from August 2015 to March 2016. Based on the ICS device data collection, we conduct a comprehensive data analysis to characterize the usage of ICS devices, especially in the answer to the following three questions: (1) what are the distribution features of ICS devices, (2) who use these ICS devices, and (3) what are the functions of these ICS devices.

Jian Qu,Xiaobo Ma,Wenmao Liu,Hongqing Sang,Jianfeng Li,Lei Xue,Xiapu Luo,Zhenhua Li,Li Feng,Xiaohong Guan

DOI: https://doi.org/10.1109/infocom48880.2022.9796737

2022-01-01

Abstract:Cyber search engines, such as Shodan and Censys, have gained popularity due to their strong capability of indexing the Internet of Things (IoT). They actively scan and fingerprint IoT devices for unearthing IP-device mapping. Because of the large address space of the Internet and the mapping’s mutative nature, efficiently tracking the evolution of IP-device mapping with a limited budget of scans is essential for building timely cyber search engines. An intuitive solution is to use reinforcement learning to schedule more scans to networks with high churn rates of IP-device mapping. However, such an intuitive solution has never been systematically studied. In this paper, we take the first step toward demystifying this problem based on our experiences in maintaining a global IoT scanning platform. Inspired by the measurement study of large-scale real-world IoT scan records, we land reinforcement learning onto a system capable of smartly scanning IoT devices in a principled way. We disclose key parameters affecting the effectiveness of different scanning strategies, and find that our system would achieve growing advantages with the proliferation of IoT devices.

Yu Jiang,Ke-Bin Jia

DOI: https://doi.org/10.1109/CMSP.2011.119

2011-01-01

Abstract:Surveillance systems are very effective and important for security management, besides IP (Internet protocol)-based surveillance system is widely used now. However, as the development of the Internet, the scarcity of IP address becomes a serious problem for the massive application of IP-based surveillance system. With the help of IPv6 network, RFID (Radio Frequency Identification) and the multimedia technology, an IPv6-based intelligent surveillance system is given in the paper to overcome the problem as well as giving a new way for the inspecting work. The system with the multi-functions of video surveillance, entrance guard, localization and SMS (Short Message Services) alarm has been successfully deployed in the unattended computer room in China Uniform for real-time surveillance and it has been proved stable and accurate.

Peng Fang,Liusheng Huang,Hongli Xu,Qijian He

DOI: https://doi.org/10.1007/978-3-319-94268-1_11

2018-01-01

Abstract:Detecting devices connected to a network has become of serious importance for the network. Different devices differ in CPU scheduler, screen resolution and clock frequency, resulting in different performances when loading the same webpage. In this paper, we present a content-agnostic device identification method, a technique which decomposes webpage loading time and loads as the features to identify physical devices. This proposed method can deal with various types of devices such as mobiles, laptops, and other smart devices. We conduct experiments to evaluate the performance of the proposed method with realworld traffic. The experiment results demonstrate that the proposed method can accurately identify the types of devices from encrypted traffic and the recognition rate can reach 98.4%. To demonstrate the scalability of the method, we heuristically applied it to website identification and found that it has better effects than existing methods.

Xiaobo Ma,Jian Qu,Jianfeng Li,John C. S. Lui,Zhenhua Li,Wenmao Liu,Xiaohong Guan

DOI: https://doi.org/10.1109/tnet.2021.3112480

2020-01-01

Abstract:With the popularization of Internet of Things (IoT) devices in smart home and industry fields, a huge number of IoT devices are connected to the Internet. However, what devices are connected to a network may not be known by the Internet Service Provider (ISP), since many IoT devices are placed within small networks (e.g., home networks) and are hidden behind network address translation (NAT). Without pinpointing IoT devices in a network, it is unlikely for the ISP to appropriately configure security policies and effectively manage the network. In this paper, we design an efficient and scalable system via spatial-temporal traffic fingerprinting. Our system can accurately identify typical IoT devices in a network, with the additional capability of identifying what devices are hidden behind NAT and how many they are. Through extensive evaluation, we demonstrate that the system can generally identify IoT devices with an F-Score above 0.999, and estimate the number of the same type of IoT device behind NAT with an average error below 5%. We also perform small-scale (labor-intensive) experiments to show that our system is promising in detecting user-IoT interactions.

Jinke Song,Qiang Li,Haining Wang,Limin Sun

DOI: https://doi.org/10.1145/3410048.3410093

2020-01-01

ACM SIGMETRICS Performance Evaluation Review

Abstract:Given the central role of webcams in monitoring physical surroundings, it behooves the research community to understand the characteristics of webcams' distribution and their privacy/security implications. In this paper, we conduct the first systematic study on live webcams from both aggregation sites and individual webcams (webpages/IP hosts). We propose a series of efficient, automated techniques for detecting and fingerprinting live webcams. In particular, we leverage distributed algorithms to detect aggregation sites and generate webcam fingerprints by utilizing the Graphical User Interface (GUI) of the built-in web server of a device. Overall, we observe 0.85 million webpages from aggregation sites hosting live webcams and 2.2 million live webcams in the public IPv4 space. Our study reveals that aggregation sites have a typical long-tail distribution in hosting live streams (5.8% of sites contain 90.44% of live streaming contents), and 85.4% of aggregation websites scrape webcams from others. Further, we observe that (1) 277,239 webcams from aggregation sites and IP hosts (11.7%) directly expose live streams to the public, (2) aggregation sites expose 187,897 geolocation names and more detailed 23,083 longitude/latitude pairs of webcams, (3) the default usernames and passwords of 38,942 webcams are visible on aggregation sites in plaintext, and (4) 1,237 webcams are detected as having been compromised to conduct malicious behaviors.

Yan Li,Peiyi Han,Chuanyi Liu,Binxing Fang

DOI: https://doi.org/10.1109/dsc.2018.00042

2018-01-01

Abstract:According to the statistics of BrightPlanet in 2012, the information contained in Deep Web is 400-500 times more than those in the Surface Web. Automatic data collection under Deep Web has become one of the research hotspots in the domain of web crawlers. During the exploration of automatic dynamic web crawlers, we discover two inevitable situations which have not been processed properly by existing tools. One is that some websites adopt CSS pseudo-class to locate clickable elements, which prevents the existing technologies from simulating user actions. Another is that pop-up windows can be triggered during automatically elements clicking, where the existing web crawler procedures will be terminated. Addressing the CSS pseudo-class problem, we adopt a proxy server in our system to analyze JavaScript code of target websites both statically and dynamically. In the meantime, we propose a checking mechanism to handle the pop-up windows. Finally, we implement an automatic web crawler AutoCrawler with the aid of the proxy server. Evaluation results indicate that AutoCrawler can not only cover more dynamic interactions but also obtain more valuable data from the real-world web applications.

Mengying Wu,Geng Hong,Jinsong Chen,Qi Liu,Shujun Tang,Youhao Li,Baojun Liu,Haixin Duan,Min Yang

DOI: https://doi.org/10.14722/ndss.2025.241924

2024-12-20

Abstract:In the digital age, device search engines such as Censys and Shodan play crucial roles by scanning the internet to catalog online devices, aiding in the understanding and mitigation of network security risks. While previous research has used these tools to detect devices and assess vulnerabilities, there remains uncertainty regarding the assets they scan, the strategies they employ, and whether they adhere to ethical guidelines. This study presents the first comprehensive examination of these engines' operational and ethical dimensions. We developed a novel framework to trace the IP addresses utilized by these engines and collected 1,407 scanner IPs. By uncovering their IPs, we gain deep insights into the actions of device search engines for the first time and gain original findings. By employing 28 honeypots to monitor their scanning activities extensively in one year, we demonstrate that users can hardly evade scans by blocklisting scanner IPs or migrating service ports. Our findings reveal significant ethical concerns, including a lack of transparency, harmlessness, and anonymity. Notably, these engines often fail to provide transparency and do not allow users to opt out of scans. Further, the engines send malformed requests, attempt to access excessive details without authorization, and even publish personally identifiable information (PII) and screenshots on search results. These practices compromise user privacy and expose devices to further risks by potentially aiding malicious entities. This paper emphasizes the urgent need for stricter ethical standards and enhanced transparency in the operations of device search engines, offering crucial insights into safeguarding against invasive scanning practices and protecting digital infrastructures.

Cryptography and Security

Baiyang Li,Yujia Zhu,Qingyun Liu,Zhou,Li Guo

DOI: https://doi.org/10.1109/icc.2019.8761517

2019-01-01

Abstract:Nowadays, the rapid growth of cloud computing and IoT enabled services among multiple organizations brings both promising prospects and security & privacy challenges. IP cameras have become a top target for hackers because of their relatively high computing power and throughput. To understand the risks of these threats requires learning about IP cameras-where are they, how many are there? Active scanning is considered to be an effective way, like SHODAN. However, deployment of smart cameras in the network address translation (NAT) environments with dynamic locations is usually desired. To find these Invisible Cameras, CamHunter: (i) introduces three statements of smart cameras when they are online, (ii) concludes the most popular smart cameras in China have very similar communication patterns, (iii) proposes a model to detect smart cameras in a passive way constructed by nineteen feature sets, and (iv) raises alarms for IoT manufacturers. Our real-world experiments demonstrate the effectiveness of CamHunter in finding smart cameras even if they are behind NATs and using encrypted connections like SSL/TLS or private protocols. We argue that CamHunter represents an important view of IoT security and privacy, and it can guide the effort of designing and protecting smart cameras.

Akash Deep Singh,Luis Garcia,Joseph Noor,Mani Srivastava

DOI: https://doi.org/10.48550/arXiv.2005.03068

2021-04-18

Abstract:The increasing ubiquity of low-cost wireless sensors has enabled users to easily deploy systems to remotely monitor and control their environments. However, this raises privacy concerns for third-party occupants, such as a hotel room guest who may be unaware of deployed clandestine sensors. Previous methods focused on specific modalities such as detecting cameras but do not provide a generalized and comprehensive method to capture arbitrary sensors which may be "spying" on a user. In this work, we propose SnoopDog, a framework to not only detect common Wi-Fi-based wireless sensors that are actively monitoring a user, but also classify and localize each device. SnoopDog works by establishing causality between patterns in observable wireless traffic and a trusted sensor in the same space, e.g., an inertial measurement unit (IMU) that captures a user's movement. Once causality is established, SnoopDog performs packet inspection to inform the user about the monitoring device. Finally, SnoopDog localizes the clandestine device in a 2D plane using a novel trial-based localization technique. We evaluated SnoopDog across several devices and various modalities and were able to detect causality for snooping devices 95.2% of the time and localize devices to a sufficiently reduced sub-space.

Cryptography and Security,Human-Computer Interaction