Abstract
Active fingerprinting is an effective penetration-testing technique for learning how vulnerable individual hosts, and the network as a whole, are to security threats. Firewalls sometimes block fingerprinting packets, making such probes infeasible. The measured round-trip time (RTTm) is a benign quantity that can be obtained from communication consisting of legitimate, non-malicious packets. In this paper, RTTm is used together with other timers, namely the smoothed round-trip time (SRTT), round-trip time variance (RTTVar), retransmission timeout (RTO) and Scantime, for pattern recognition and association analysis with the aid of cross-correlation. Experimental relationships among these timers are derived to support existing theoretical knowledge. A novel method for estimating IP-ID sequence classes and network-traffic intensity from these timers is proposed. Results show that the model can be used to derive active-fingerprinting components, namely IP-ID sequence classes and link-traffic estimates, with about 100% accuracy. The analytical results obtained in this study can help in designing high-performance realistic networks and dynamic congestion-control techniques.
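The timers named in the abstract (SRTT, RTTVar, RTO) are the TCP retransmission-timer state that RFC 6298 derives from successive RTT measurements, and the IP-ID sequence classes are assumed here to be the ones Nmap's IP-ID sequence test reports. The following Python is an added illustration, not code from the paper or its authors: it feeds a constructed list of RTT samples through the RFC 6298 estimator and classifies constructed IP-ID samples. The estimator gains are RFC values; the IP-ID class names, thresholds and the 16-bit wraparound handling are assumptions that approximate Nmap's classes, not its exact algorithm.

```python
"""RFC 6298 retransmission-timer state plus a simple IP-ID sequence classifier.

Added example. Estimator constants follow RFC 6298 (alpha = 1/8, beta = 1/4,
K = 4). IP-ID class names and thresholds are assumptions modelled on the
labels Nmap reports, not Nmap's exact algorithm.
"""

ALPHA = 1 / 8   # SRTT gain (RFC 6298, section 2)
BETA = 1 / 4    # RTTVAR gain
K = 4           # RTO = SRTT + K * RTTVAR


class RttEstimator:
    """Tracks SRTT, RTTVAR and RTO from successive measured RTTs (RTTm)."""

    def __init__(self, granularity=0.0, min_rto=1.0):
        self.g = granularity      # clock granularity G, in seconds
        self.min_rto = min_rto    # RFC 6298 recommends rounding RTO up to 1 s
        self.srtt = None
        self.rttvar = None
        self.rto = self.min_rto   # RTO before any sample has been taken

    def update(self, rttm):
        """Feed one measured RTT in seconds; return (srtt, rttvar, rto)."""
        if self.srtt is None:                       # first measurement
            self.srtt = rttm
            self.rttvar = rttm / 2
        else:                                       # RFC order: RTTVAR before SRTT
            self.rttvar = (1 - BETA) * self.rttvar + BETA * abs(self.srtt - rttm)
            self.srtt = (1 - ALPHA) * self.srtt + ALPHA * rttm
        self.rto = max(self.min_rto, self.srtt + max(self.g, K * self.rttvar))
        return self.srtt, self.rttvar, self.rto


def run_estimator(samples, granularity=0.0, min_rto=1.0):
    """Return the (srtt, rttvar, rto) triple after each sample in order."""
    est = RttEstimator(granularity, min_rto)
    return [est.update(s) for s in samples]


def classify_ipid(ids, incr_limit=10, busy_limit=1000):
    """Classify a sequence of 16-bit IP-ID values from successive replies.

    Classes (assumed, modelled on Nmap's ipidseq labels): All zeros, Constant,
    Incremental, Broken little-endian incremental, Random positive increments,
    Randomized. Thresholds are illustrative assumptions.
    """
    if len(ids) < 2:
        raise ValueError("need at least two IP-ID samples")
    if all(i == 0 for i in ids):
        return "All zeros"
    # differences modulo 2**16 so a counter that wraps still looks incremental
    diffs = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    if all(d == 0 for d in diffs):
        return "Constant"
    if all(d < incr_limit for d in diffs):
        return "Incremental"
    # a byte-swapped (little-endian) counter advances in multiples of 256
    if all(d % 256 == 0 and d // 256 < incr_limit for d in diffs):
        return "Broken little-endian incremental"
    if all(d < busy_limit for d in diffs):
        return "Random positive increments"
    return "Randomized"


if __name__ == "__main__":
    # constructed RTT samples in seconds, not measurements from the paper
    for srtt, rttvar, rto in run_estimator([0.100, 0.120, 0.080], min_rto=0.0):
        print(f"SRTT={srtt:.4f}s RTTVAR={rttvar:.4f}s RTO={rto:.4f}s")
    # constructed IP-ID samples
    for seq in ([100, 101, 102, 103],
                [0x0100, 0x0200, 0x0300],
                [0x3A1F, 0x91C0, 0x0523, 0xE77B]):
        print([hex(i) for i in seq], "->", classify_ipid(seq))
```

Note that `min_rto` defaults to the 1-second floor RFC 6298 recommends, which hides the effect of small RTT changes; the demonstration passes `min_rto=0.0` so the RTO movement is visible, and a real stack (Linux uses a 200 ms floor) would clamp differently.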
Cite this article
Gujral, H., Mittal, S. & Sharma, A. A Novel Data Mining Approach for Analysis and Pattern Recognition of Active Fingerprinting Components. Wireless Pers Commun 105, 1039–1068 (2019). https://doi.org/10.1007/s11277-019-06135-1