No NAT'd User Left Behind: Fingerprinting Users behind NAT from NetFlow Records Alone

Abstract: Abstract-It is generally recognized that the traffic generated by an individual connected to a network acts as his biometric signature. Several tools exploit this fact to fingerprint and monitor users. Often, though, these tools assume to access the entire traffic, including IP addresses and payloads. This is not feasible on the grounds that both performance and privacy would be negatively affected. In reality, most ISPs convert user traffic into NetFlow records for a concise representation that does not inclu… Show more

“…To achieve user profiling, we use web transaction logs that provide more fine grained information than e.g. IP flow records used in most state-of-the-art solutions [3], [5], [11], [13]. While few other techniques rely on full packet payload analysis for traffic modelling [12], [14], we are the first to use web transaction logs augmented with service specific knowledge for profiling user.…”

“…They use 802.11 traffic characteristics such as SSID probes or broadcast packet sizes, which limit the application of their technique to WiFi connected devices. Closer to our work is the identification of individual users behind a NAT service using IP flow data [11]. Verde et al extract features including the direction of a flow, the gap between two flows, the number of packets and bytes, etc.…”

“…It requires only few minutes of observation to identify if a user is using a given machine in contrast with the several hours required by most existing solutions [3], [4], [8], [11].…”

“…While network traffic monitoring has also been used to profile host communications [3], [5], [13], little attention has been given to profiling a specific user based on the network traffic she generates. The few existing techniques [3], [8], [11] use coarse-grained features of communication such as IP flow records. Thus, they require a long period of traffic monitoring to reliably identify the communicating user, which limits their application.…”

“…We use an optimization method to compute the best parameters for building these models. In contrast to state-of-the-art user profiling solutions [3], [11] relying on IP flows, we use web transaction logs augmented with information about the requested service, i.e. website category, application type, etc., to build our user profiles.…”

Profiling Users by Modeling Web Transactions

“…To achieve user profiling, we use web transaction logs that provide more fine grained information than e.g. IP flow records used in most state-of-the-art solutions [3], [5], [11], [13]. While few other techniques rely on full packet payload analysis for traffic modelling [12], [14], we are the first to use web transaction logs augmented with service specific knowledge for profiling user.…”

“…They use 802.11 traffic characteristics such as SSID probes or broadcast packet sizes, which limit the application of their technique to WiFi connected devices. Closer to our work is the identification of individual users behind a NAT service using IP flow data [11]. Verde et al extract features including the direction of a flow, the gap between two flows, the number of packets and bytes, etc.…”

“…It requires only few minutes of observation to identify if a user is using a given machine in contrast with the several hours required by most existing solutions [3], [4], [8], [11].…”

“…While network traffic monitoring has also been used to profile host communications [3], [5], [13], little attention has been given to profiling a specific user based on the network traffic she generates. The few existing techniques [3], [8], [11] use coarse-grained features of communication such as IP flow records. Thus, they require a long period of traffic monitoring to reliably identify the communicating user, which limits their application.…”

“…We use an optimization method to compute the best parameters for building these models. In contrast to state-of-the-art user profiling solutions [3], [11] relying on IP flows, we use web transaction logs augmented with information about the requested service, i.e. website category, application type, etc., to build our user profiles.…”

Profiling Users by Modeling Web Transactions

Convolutional Recurrent Neural Networks for Computer Network Analysis

Context-Aware IPv6 Address Hopping