A Novel Data Mining Approach for Analysis and Pattern Recognition of Active Fingerprinting Components

Wireless Personal Communications

Abstract

Active fingerprinting is an effective penetration testing technique for learning about the vulnerability of individual hosts, and of the network as a whole, to security threats. Firewalls sometimes block fingerprinting packets, making the probes infeasible. Measured Round Trip Time (RTTm) is a benign quantity that can be obtained from communication based on legitimate, non-malicious packets. In this paper, RTTm is used along with other timers, namely Smoothed Round-trip Time (SRTT), Round-trip Time Variance (RTTVar), Retransmission Time Out (RTO) and Scantime, for pattern recognition and association analysis with the aid of cross-correlations. Experimental relationships among these timers are derived to back up existing theoretical knowledge. A novel method to estimate IP-ID sequence classes and network-traffic intensity from these timers is proposed. Results show that the model can accurately derive (about 100% accuracy) the active fingerprinting components IP-ID sequence class and link traffic estimation. The analytical results obtained in this study can help in designing high-performance realistic networks and dynamic congestion control techniques.
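The abstract treats SRTT, RTTVar and RTO as timers derived from the measured round-trip time and then cross-correlates them. The block below is an added example, not code from the paper or from its RTT_Analysis repository: it derives the three timers from a series of RTTm samples using the RFC 6298 estimator (gains 1/8 and 1/4, multiplier K = 4, 1 s lower bound) and computes the pairwise Pearson correlations among the four series, which is the kind of association analysis the abstract describes. The clock granularity G, the minimum-RTO parameter and the RTTm sample series are assumptions constructed for the example; a constant series (for instance an RTO pinned at the 1 s floor on a fast LAN) has no defined correlation, and the code reports that rather than dividing by zero.

```python
"""RFC 6298 timer estimator over a series of measured round-trip times (RTTm),
plus Pearson cross-correlation among the derived timer series.

Added example, not code from the paper or its RTT_Analysis repository.
ALPHA, BETA, K and the 1 s lower bound are the RFC 6298 values; the clock
granularity G and the RTTm sample series are constructed assumptions."""
from math import sqrt

ALPHA = 1 / 8     # SRTT smoothing gain (RFC 6298, section 2.3)
BETA = 1 / 4      # RTTVAR smoothing gain (RFC 6298, section 2.3)
K = 4             # RTTVAR multiplier in the RTO formula
G = 0.001         # assumed clock granularity in seconds (implementation-specific)
MIN_RTO = 1.0     # RFC 6298 lower bound on the RTO, in seconds


def rfc6298_timers(rtt_samples, min_rto=MIN_RTO):
    """Return parallel lists (srtt, rttvar, rto), one entry per RTTm sample.

    First sample: SRTT = R, RTTVAR = R/2.  Later samples update RTTVAR before
    SRTT, as RFC 6298 requires, because the variance term uses the old SRTT.
    """
    srtt, rttvar, rto = [], [], []
    s = v = None
    for r in rtt_samples:
        if s is None:
            s, v = r, r / 2
        else:
            v = (1 - BETA) * v + BETA * abs(s - r)
            s = (1 - ALPHA) * s + ALPHA * r
        srtt.append(s)
        rttvar.append(v)
        rto.append(max(min_rto, s + max(G, K * v)))
    return srtt, rttvar, rto


def pearson(x, y):
    """Pearson correlation coefficient; None when either series is constant
    (e.g. an RTO series pinned at the 1 s floor), which a cross-correlation
    analysis has to exclude rather than report as a number."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return None
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    return sxy / sqrt(sxx * syy)


def timer_correlations(rtt_samples, min_rto=MIN_RTO):
    """Pairwise Pearson correlations among RTTm, SRTT, RTTVar and RTO,
    keyed by (name_a, name_b)."""
    srtt, rttvar, rto = rfc6298_timers(rtt_samples, min_rto)
    series = {"RTTm": list(rtt_samples), "SRTT": srtt,
              "RTTVar": rttvar, "RTO": rto}
    names = list(series)
    return {(a, b): pearson(series[a], series[b])
            for i, a in enumerate(names) for b in names[i + 1:]}


if __name__ == "__main__":
    # Constructed RTTm series (seconds): a steady path with one queueing spike.
    SAMPLES = [0.100, 0.105, 0.098, 0.110, 0.350, 0.120, 0.104, 0.101]
    srtt, rttvar, rto = rfc6298_timers(SAMPLES)
    for r, s, v, t in zip(SAMPLES, srtt, rttvar, rto):
        print(f"RTTm={r:.3f}  SRTT={s:.4f}  RTTVar={v:.4f}  RTO={t:.3f}")
    for pair, c in timer_correlations(SAMPLES).items():
        print(pair, "n/a (constant series)" if c is None else f"{c:+.3f}")
```

Running the script on the constructed series shows the behaviour the abstract relies on: SRTT follows RTTm with a lag, RTTVar jumps on the spike and decays afterwards, and on a sub-second path every RTO value sits at the 1 s floor, so the RTO column carries no information until the estimator is given a lower floor or a slower path.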




Author information

Correspondence to Harshit Gujral.


Cite this article

Gujral, H., Mittal, S. & Sharma, A. A Novel Data Mining Approach for Analysis and Pattern Recognition of Active Fingerprinting Components. Wireless Pers Commun 105, 1039–1068 (2019). https://doi.org/10.1007/s11277-019-06135-1


  • DOI: https://doi.org/10.1007/s11277-019-06135-1
