A Robust Classifier for Passive TCP/IP Fingerprinting

Beverly, Robert

doi:10.1007/978-3-540-24668-8_16

Cited by 91 publications

(60 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Table 2 shows that fewer clients negotiated ECN on incoming connections; 4.2% to less than 0.1% depending on population. To better understand this discrepancy, we employ stack fingerprinting to the TCP SYN/ACK packets [5] to infer the operating system of the client. Table 3 shows a striking difference between the ECN capable and non-ECN capable populations: the vast majority of ECN capable hosts are Linux (88.4%).…”

Section: Server Resultsmentioning

confidence: 99%

Measuring the state of ECN readiness in servers, clients,and routers

Bauer

Beverly

Berger

2011

Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference

Self Cite

View full text Add to dashboard Cite

Better exposing congestion can improve traffic management in the wide-area, at peering points, among residential broadband connections, and in the data center. TCP's network utilization and efficiency depends on congestion information, while recent research proposes economic and policy models based on congestion. Such motivations have driven widespread support of Explicit Congestion Notification (ECN) in modern operating systems. We reappraise the Internet's ECN readiness, updating and extending previous measurements. Across large and diverse server populations, we find a three-fold increase in ECN support over prior studies. Using new methods, we characterize ECN within mobile infrastructure and at the client-side, populations previously unmeasured. Via large-scale path measurements, we find the ECN feedback loop failing in the core of the network 40% of the time, typically at AS boundaries. Finally, we discover new examples of infrastructure violating ECN Internet standards, and discuss remaining impediments to running ECN while suggesting mechanisms to aid adoption.

show abstract

Section: Server Resultsmentioning

confidence: 99%

Measuring the state of ECN readiness in servers, clients,and routers

Bauer

Beverly

Berger

2011

Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference

Self Cite

View full text Add to dashboard Cite

show abstract

“…More relevant to our work are passive fingerprinting techniques that infer the implementations of network applications or operating systems based solely on observing the traffic they send. Passive fingerprinting tools and techniques are numerous, though most focus on identifying TCP/IP implementations and utilize specific information [4,5,6] that is unavailable in coarse flow records. While passive techniques have more recently been proposed to identify the application (e.g., peer-to-peer file transfers versus web retrievals) or the class of application (e.g., interactive sessions versus bulk-data transfers) reflected in packet traces [7,8,9,10,11], few proposals (e.g., [12,13,14,15]) have done so from coarse flow records.…”

Section: Related Workmentioning

confidence: 99%

“…More specifically, the classifier type that we utilize is Support Vector Machines (SVM) 6 , which have been widely applied to many supervised learning problems [27,28]. Given two sets of labeled data, the SVM finds a hyperplane that separates the data and maximizes the distance to each data set.…”

Section: Browser Identification From Flow Recordsmentioning

confidence: 99%

Browser Fingerprinting from Coarse Traffic Summaries: Techniques and Implications

Yen

Huang

Monrose

et al. 2009

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

Abstract. We demonstrate that the browser implementation used at a host can be passively identified with significant precision and recall, using only coarse summaries of web traffic to and from that host. Our techniques utilize connection records containing only the source and destination addresses and ports, packet and byte counts, and the start and end times of each connection. We additionally provide two applications of browser identification. First, we show how to extend a network intrusion detection system to detect a broader range of malware. Second, we demonstrate the consequences of web browser identification to the deanonymization of web sites in flow records that have been anonymized.

show abstract

“…Bayesian networks, neural networks, etc.). In [130], Beverly et al leverage probabilistic learning for TCP/IP stack fingerprinting and develop a Naïve Bayesian classifier to passively infer host operating systems from packet headers. The approach relies on observations made over TTL Window SYN packet sizes, and "do not fragment" bits as well as the use of Bayesian matching.…”

Section: Fingerprinting Techniquesmentioning

confidence: 99%

“…For this reason, over the training phase, a user links the model (also, "Decision Model") derived by the captured data to a textual description of the system it belongs to. However, sophisticated fingerprinting tools are able to automatically refine their datasets (e.g., thanks to machine learning techniques [124,130]). Finally, Model Generation ensures that every model is consistent and unambiguous and avoids overlaps in the dataset.…”

Section: Reference Modelmentioning

confidence: 99%

Intrusion detection in networked control systems : from system knowledge to network security

Caselli¹

View full text Add to dashboard Cite

A Robust Classifier for Passive TCP/IP Fingerprinting

Cited by 91 publications

References 9 publications

Measuring the state of ECN readiness in servers, clients,and routers

Measuring the state of ECN readiness in servers, clients,and routers

Browser Fingerprinting from Coarse Traffic Summaries: Techniques and Implications

Intrusion detection in networked control systems : from system knowledge to network security

Contact Info

Product

Resources

About