Yi-Chao Chen,Yong Liao,Mario Baldi,Sung-Ju Lee,Lili Qiu

DOI: https://doi.org/10.1145/2663716.2663745

2014-01-01

Abstract:Fingerprinting the Operating System(OS) running on a device based on its traffic has several applications, such as NAT detection, policy enforcement in enterprise networks, and billing for shared access in mobile networks. In this paper, we propose to utilize several features in TCP/IP headers for OS identification, and use real traffic traces to evaluate the accuracy of fingerprinting. Our trace-driven study shows that several techniques that successfully fingerprint desktop OSes are not effective for fingerprinting mobile devices. Therefore, we propose new features for fingerprinting OSes on mobile devices. We also consider NAT/tethering detection, an important application of OS fingerprinting. We use the presence of multiple OSes from the same IP address along with TCP times-tamp, clock frequency, and boot time to detect tethering. Evaluation shows that our approach effectively detects tethering and outperforms existing schemes.

Ping Dong,Namin Hou,Yuting Tang,Yushi Cheng,Xiaoyu Ji

DOI: https://doi.org/10.1016/j.hcc.2024.100222

2024-01-01

High-Confidence Computing

Abstract:The development of wireless communication network technology has provided people with diversified and convenient services. However, with the expansion of network scale and the increase in the number of devices, malicious attacks on wireless communication are becoming increasingly prevalent, causing significant losses. Currently, wireless communication systems authenticate identities through certain data identifiers. However, this software-based data information can be forged or replicated. This article proposes the authentication of device identity using the hardware fingerprint of the terminal’s Radio Frequency (RF) components, which possesses properties of being genuine, unique, and stable, holding significant implications for wireless communication security. Through the collection and processing of raw data, extraction of various features including time-domain and frequency-domain features, and utilizing machine learning algorithms for training and constructing a legal fingerprint database, it is possible to achieve close to a 97% recognition accuracy for Fifth Generation (5G) terminals of the same model. This provides an additional and robust hardware-based security layer for 5G communication security, enhancing monitoring capability and reliability.

Yinan Zhong,Mingyu Pan,Yanjiao Chen,Wenyuan Xu

DOI: https://doi.org/10.3390/sym16040443

2024-01-01

Abstract:The past few years have witnessed a wider adoption of Internet of Things (IoT) devices. Since IoT devices are usually deployed in an open and uncertain environment, device authentication is of great importance. However, traditional device fingerprint (DF) extraction methods have several disadvantages. First, existing DF extraction methods need private information from devices to compute DFs, which puts the privacy of devices at stake. Second, the manually designing features-based methods suffer from poor performance. To tackle these limitations, we propose a Linear Residual Neural Network-based DF extraction method, Res-DFNN, which utilizes network packet data in the pcap file to generate DF. The key block is designed according to symmetry, and it is verified by simulation that our method achieves better performance in both non-private and privacy-preserving scenarios.

Steffen Schulz,Ahmad-Reza Sadeghi,Maria Zhdanova,Hossen A. Mustafa,Wenyuan Xu,Vijay Varadharajan

DOI: https://doi.org/10.1145/2185448.2185468

2012-01-01

Abstract:The rapidly increasing data usage and overload in mobile broadband networks has driven mobile network providers to actively detect and bill customers who tether tablets and laptops to their mobile phone for mobile Internet access. However, users may not be willing to pay additional fees only because they use their bandwidth dierently, and may consider tethering detection as violation of their privacy. Furthermore, accurate tethering detection is becoming harder for providers as many modern smartphones are under full control of the user, running customized, complex software and applications similar to desktop systems. In this work, we analyze the network characteristics available to network providers to detect tethering customers. We present and categorize possible detection mechanisms and derive cost factors based on how well the approach scales with large customer bases. For those characteristics that appear most reasonable and practical to deploy by large providers, we present elimination or obfuscation mechanisms and substantiate our design with a prototype Android App.

Faqiang Sun,Li Zhao,Bo Zhou,Yong Wang

DOI: https://doi.org/10.1109/iccia49625.2020.00036

2020-06-01

Abstract:Network operators often need a clear visibility of the mobile APPs and their user scales running in the network traffic. This is critical for network management and network security. Analysis of the network traffic using the extracted APP features and user fingerprints is helpful for effective network operations, management, and security monitoring of LANs, MANs, and WANs. In China, the number of mobile APP users continues to increase, and the proportion of Internet users using mobile APPs to access the Internet far exceeds that of computers, making this task significant and difficult. The traditional methods are mainly APP identifications or identifications of specific APP users, which cannot satisfy the requirements of globally monitoring of APPs and their user scales at the same time. Especially when many users share the same network IPs (4G, home broadband, NAT), this work becomes challenging and time-consuming. This paper proposes an automatic fingerprint extraction approach of mobile APP users in network traffic. By analyzing the plaintext of the HTTP requests initiated by APPs in training datasets, we extract the APPs’ features and the users’ fingerprints simultaneously. Both of them are the combinations of strings which are distinguishable of APPs and their users in the network traffic. The proposed method is evaluated with the top 49 popular APPs in Huawei App Store. The experimental results show that the recalls of the extractions of APPs’ features and users’ fingerprints are respectively 77.5% and 55.1% in total.

Chang Deliang,Zhang Qianli,Li Xing

DOI: https://doi.org/10.13245/j.hust.161123

2016-01-01

Abstract:To solve the problems that many approaches focus on flow analysis ,which is unrealistic for a large‐scale network ,a method of user online detection algorithm was proposed based on passive DNS log analysis .T his method avoided the complexity of traffic or raw packet analysis by utilizing DNS (domain name system) logs ,and exploited the silence of users′DNS activities when they were offline to identify users′online time length or join/departure time .The method was validated with real‐world data from the campus network of Tsinghua University ,with a 90 .6% precision rate and a recall rate of 96 .3% .Further study indicates that the users of wireless network often have shorter online time length and change faster ,and the network characteristics in workdays are different from weekends . These results show that this algorithm is capable of being utilized in a real‐world large‐scale network .

Qing PU

DOI: https://doi.org/10.3969/j.issn.1000-1220.2005.04.006

2005-01-01

Abstract:Remote Hosts operation system fingerprinting has important situation in network security evaluation. By exploit the different feedbacks from the TCP/IP stacks of each host OS it can distinguish the types of them each other.This paper analyse the problems of existing OS fingerprinting tools,and then presents a more efficient and powerful way to detect a target host operation system by exploit the TCP Datagrams Retransmission Timeout mechanism.

王轶骏,薛质,李建华

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.18.003

2004-01-01

Abstract:Remote OS detection is an important technique in information network system security, because it closed links with security holes. This paper presents the remote OS detection based on TCP/IP stack fingerprinting, and gives emphasis on describing and analyzing two newl implemening techniques: fingerprinting via RTO sampling and fingerprinting via ICMP responses.

Senmiao Wang,Luli Sun,Sujuan Qin,WenMin Li,Wentao Liu

DOI: https://doi.org/10.1016/j.cose.2022.102818

2022-09-01

Abstract:Nowadays, DNS channel attacks on mobile devices have become a challenging threat. Attackers usually attack mobile devices and steal information with the help of DNS channel. It is difficult for users to detect this kind of attack, especially when attackers covert sensitive information in the DNS response. In this paper, we proposed a method for DNS tunnel detection based on isolated forest for Android. We constructed a framework for mobile devices to collect DNS tunnel traffic. Based on the analysis of DNS tunnel traffic generated on mobile devices, we extracted features based on DNS request and response and constructed the feature set. We proposed a DNS tunnel detector, KRTunnel, for mobile devices. Experiments showed that KRTunnel can identify unseen DNS tunnel traffic with the accuracy of 98.1%.

computer science, information systems

Yue Wang,Anmin Zhou,Shan Liao,Rongfeng Zheng,Rong Hu,Lei Zhang

DOI: https://doi.org/10.1016/j.comnet.2021.108322

IF: 5.493

2021-10-01

Computer Networks

Abstract:<p>Domain Name System (DNS) tunnels, established between the controlled host and master server disguised as the authoritative domain name server, can be used as a secret data communication channel for malicious activities. Owing to the ready evasion of the DNS traffic to bypass the network security mechanism, DNS tunnelling can cause severe damage. Thus, an in-depth and comprehensive understanding of the various detection technologies is of considerable importance when facing this type of threat. However, most of the existing reviews focus on a single aspect of the DNS tunnel detection technologies, such as methods based on machine learning, traffic, and payload analysis. In addition, few studies have conducted comprehensive investigation that includes a sequentially integrated range of literature in this researchfield, or have analysed the latest literature on DNS tunnels. This paper reviews these detection technologies from a novel perspective of rule-based and model-based methods with descriptions and analyses of the DNS-based tools and their corresponding features. To the best of our knowledge, this is the first study to comprehensively discuss and analyse DNS tunnel detection in a novel and specific classification fashion from various aspects in detail, covering almost all the detection methods developed from 2006 to 2020. Furthermore, a comparative analysis of detection methods and several suggestions for future research directions are presented.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Xixun He,Yiyu Yang,Wei Zhou,Wenjie Wang,Peng Liu,Yuqing Zhang

DOI: https://doi.org/10.1109/jiot.2021.3093073

IF: 10.6

2022-02-01

IEEE Internet of Things Journal

Abstract:The Internet of Things (IoT) platforms have been widely used in many application scenarios, especially for the smart home. Under the management of the IoT platform, a massive amount of IoT devices have been connected between remote cloud servers and users' mobile terminals. While bringing unprecedented convenience for device manufacturers and smart home users, the existence of mainstream IoT platforms has also become the primary target for malicious attackers. Thus, many intrusion detection mechanisms of specific IoT platform traffic have been proposed. However, as a prerequisites work of intrusion detection or vulnerability assessment, identifying target IoT platform traffic among real-world network traffic has not been deeply studied. Given this situation, we first time proposed and achieved "fingerprinting" for IoT platform traffic. We designed a set of standardized workflows of traffic capturing, fingerprint feature extraction, and fingerprint model construction. Based on such workflow, we implemented a software tool named IoTPF for distinguishing the traffic between the mobile terminal and remote server of different mainstream IoT platforms among network traffic. We also tested the usability and performance of IoTPF. Finally, we discuss the application scenarios of fingerprinting on IoT platforms.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shuaike Dong,Zhou Li,Di Tang,Jiongyi Chen,Menghan Sun,Kehuan Zhang

DOI: https://doi.org/10.48550/arXiv.1909.00104

2019-08-31

Abstract:The IoT (Internet of Things) technology has been widely adopted in recent years and has profoundly changed the people's daily lives. However, in the meantime, such a fast-growing technology has also introduced new privacy issues, which need to be better understood and measured. In this work, we look into how private information can be leaked from network traffic generated in the smart home network. Although researchers have proposed techniques to infer IoT device types or user behaviors under clean experiment setup, the effectiveness of such approaches become questionable in the complex but realistic network environment, where common techniques like Network Address and Port Translation (NAPT) and Virtual Private Network (VPN) are enabled. Traffic analysis using traditional methods (e.g., through classical machine-learning models) is much less effective under those settings, as the features picked manually are not distinctive any more. In this work, we propose a traffic analysis framework based on sequence-learning techniques like LSTM and leveraged the temporal relations between packets for the attack of device identification. We evaluated it under different environment settings (e.g., pure-IoT and noisy environment with multiple non-IoT devices). The results showed our framework was able to differentiate device types with a high accuracy. This result suggests IoT network communications pose prominent challenges to users' privacy, even when they are protected by encryption and morphed by the network gateway. As such, new privacy protection methods on IoT traffic need to be developed towards mitigating this new issue.

Cryptography and Security

Jun Bi,Lei Zhao,Miao Zhang

DOI: https://doi.org/10.1007/11893004_87

2006-01-01

Abstract:NAT-aware routers are required by ISPs to administrate network address translation and enhance the management and security of access network. In this paper, we propose the new fingerprinting for NAT-aware router based on application-level presence information, which is usually not easily modified by network address translation gateways or the fingerprinted hosts behind gateways.

Jianfeng Li,Xiaobo Ma,Li Guodong,Xiapu Luo,Junjie Zhang,Wei Li,Xiaohong Guan

DOI: https://doi.org/10.1109/infocom.2018.8486210

2018-01-01

Abstract:Domain Name System (DNS) is one of the pillars of today's Internet. Due to its appealing properties such as low data volume, wide-ranging applications and encryption free, DNS traffic has been extensively utilized for network monitoring. Most existing studies of DNS traffic, however, focus on domain name reputation. Little attention has been paid to understanding and profiling what people are doing from DNS traffic, a fundamental problem in the areas including Internet demographics and network behavior analysis. Consequently, simple questions like “How to determine whether a DNS query for www.google.com means searching or any other behaviors?” cannot be answered by existing studies. In this paper, we take the first step to identify user activities from raw DNS queries. We advance a multiscale hierarchical framework to tackle two practical challenges, i.e., behavior ambiguity and behavior polymorphism. Under this framework, a series of novel methods, such as pattern upward mapping and multi-scale random forest classifier, are proposed to characterize and identify user activities of interest. Evaluation using both synthetic and real-world DNS traces demonstrates the effectiveness of our method.

Chao Shen,Ruiyuan Lu,Saeid Samizade,Liang He

DOI: https://doi.org/10.1109/isba.2017.7947689

2017-01-01

Abstract:Passive wireless-device fingerprinting -the act of passively and automatically identifying specific types of wireless devices through sequential analysis of wireless traffic -is useful for network monitoring and management. This study presents a novel passive fingerprinting approach for wireless devices, by modeling network traffic with carefully chosen wireless parameters from 802.11 frames, and developing multi-level classification algorithm to perform task of device fingerprinting. Specifically, we systematically evaluate a set of traffic parameters with respect to their stability and discriminability of identifying wireless devices. We employ a distribution-based measurement to obtain signature for each wireless device. We then develop a decision-tree-based multi-level classifier for device fingerprinting. Experimental results show that the parameters of transmission time and inter-arrival time are much more stable for device fingerprinting, and the approach achieves a practically useful level of performance.

Xiaoguang Yang,Yong Huang,Junli Guo,Dalong Zhang,Qingxian Wang

2024-08-14

Abstract:While smartphones and WiFi networks are bringing many positive changes to people's lives, they are susceptible to traffic analysis attacks, which infer user's private information from encrypted traffic. Existing traffic analysis attacks mainly target TCP/IP layers or are limited to the closed-world assumption, where all possible apps and actions have been involved in the model training. To overcome these limitations, we propose MACPrint, a novel system that infers mobile apps and in-app actions based on WiFi MAC layer traffic in the open-world setting. MACPrint first extracts rich statistical and contextual features of encrypted wireless traffic. Then, we develop Label Recorder, an automatic traffic labeling app, to improve labeling accuracy in the training phase. Finally, TCN models with OpenMax functions are used to recognize mobile apps and actions in the open world accurately. To evaluate our system, we collect MAC layer traffic data over 125 hours from more than 40 apps. The experimental results show that MAC-Print can achieve an accuracy of over 96% for recognizing apps and actions in the closed-world setting, and obtains an accuracy of over 86% in the open-world setting.

Cryptography and Security

Xingchuan Liu,Sheng Zhang,Jinguo Quan,Xiaokang Lin

DOI: https://doi.org/10.1109/ICCT.2010.5689160

2010-01-01

Abstract:In recent years, the demand of ubiquitous computing and location-based services (LBS) has risen. The most challenge in LBS is the location of mobile terminals. Existing location techniques have poor performance in urban environments due to severe multipath and NLOS propagation. Fingerprint localization based on wireless-LAN (WLAN) has been preferred for those types of environments. Although location fingerprinting has been researched in some previous works, there are only few studies that investigate the performance of outdoor positioning system according to physical parameters and the underlying environment. In this paper, we present an experimental analysis for outdoor fingerprinting system, implemented over the WLAN. On the basis of this experimental analysis, we demonstrate that it is indeed feasible to perform outdoor locating with reasonable accuracy using 802.11-based positioning. Secondly, we further work out certain crucial control parameters, which we can adopt to different cases and scenario, to achieve better positioning accuracy.

Chang Deliang,Zhang Qianli,Li Xing

DOI: https://doi.org/10.1109/itnec.2016.7560375

2016-01-01

Abstract:Internet is playing a more and more important role in today's society. Wireless network and mobile devices are becoming part of our lives. So it's significant to learn about the information of the users or network usage for both network researchers and managers of fixed/wireless network. Previous methods of user characterizing and network usage are mostly based on TCP traffic study. But when facing to a large amount of users, raw packet capturing and storing would be difficult. Also, there were previous methods researched the fixed network or wireless network, but a comparative study is hardly seen. So in this paper, we measured the large-scale fixed and wireless network of our campus via DHCP analysis. We analyzed the user behavior such as distribution of user online time, user count and join/leave time-stamps. We also studied about users' operating systems by introducing DHCP OS fingerprinting. We found some interesting results, which revealed the trend of mobile network and some challenges might be brought in.

Jianfeng Li,Zheng Lin,Jian Qu,Shuohan Wu,Hao Zhou,Yangyang Liu,Xiaobo Ma,Ting Wang,Xiapu Luo,Xiaohong Guan

DOI: https://doi.org/10.1109/tnet.2024.3448621

2024-01-01

Abstract:Mobile apps have significantly transformed various aspects of modern life, leading to growing concerns about privacy risks. Despite widespread encrypted communication, app fingerprinting (AF) attacks threaten user privacy substantially. However, existing AF attacks, when targeted at wireless traffic, face four fundamental challenges, namely 1) sample inseparability; 2) app multiplexing; 3) signal attenuation; and 4) open-world recognition. In this paper, we advance a novel AF attack, dubbed, to recognize app user activities over the air in an open-world setting. We introduce two novel models, i.e., sequential XGBoost and hierarchical bag-of-words model, to tackle sample inseparability and enhance robustness against noise packets arising from app multiplexing. We also propose the environment-aware model enhancement to bolster ’s robustness in handling packet loss at the sniffer caused by signal attenuation. We conduct extensive experiments to evaluate the proposed attack in a series of challenging scenarios, including 1) open-world setting; 2) simultaneous use of different apps; 3) severe packet loss at the sniffer; and 4) cross-dataset recognition. The experimental results show that can accurately recognize app user activities. It achieves the average F1-score 0.947 for open-world app recognition and the average F1-score 0.959 for in-app user action recognition.

Sunghyun Yu,Yoojae Won

DOI: https://doi.org/10.3934/mbe.2023101

Abstract:Privacy protection in computer communication is gaining attention because plaintext transmission without encryption can be eavesdropped on and intercepted. Accordingly, the use of encrypted communication protocols is on the rise, along with the number of cyberattacks exploiting them. Decryption is essential for preventing attacks, but it risks privacy infringement and incurs additional costs. Network fingerprinting techniques are among the best alternatives, but existing techniques are based on information from the TCP/IP stack. They are expected to be less effective because cloud-based and software-defined networks have ambiguous boundaries, and network configurations not dependent on existing IP address schemes increase. Herein, we investigate and analyze the Transport Layer Security (TLS) fingerprinting technique, a technology that can analyze and classify encrypted traffic without decryption while addressing the problems of existing network fingerprinting techniques. Background knowledge and analysis information for each TLS fingerprinting technique is presented herein. We discuss the pros and cons of two groups of techniques, fingerprint collection and artificial intelligence (AI)-based. Regarding fingerprint collection techniques, separate discussions on handshake messages ClientHello/ServerHello, statistics of handshake state transitions, and client responses are provided. For AI-based techniques, discussions on statistical, time series, and graph techniques according to feature engineering are presented. In addition, we discuss hybrid and miscellaneous techniques that combine fingerprint collection with AI techniques. Based on these discussions, we identify the need for a step-by-step analysis and control study of cryptographic traffic to effectively use each technique and present a blueprint.