Advertisement

Browser Fingerprinting from Coarse Traffic Summaries: Techniques and Implications

  • Ting-Fang Yen
  • Xin Huang
  • Fabian Monrose
  • Michael K. Reiter
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5587)

Abstract

We demonstrate that the browser implementation used at a host can be passively identified with significant precision and recall, using only coarse summaries of web traffic to and from that host. Our techniques utilize connection records containing only the source and destination addresses and ports, packet and byte counts, and the start and end times of each connection. We additionally provide two applications of browser identification. First, we show how to extend a network intrusion detection system to detect a broader range of malware. Second, we demonstrate the consequences of web browser identification to the deanonymization of web sites in flow records that have been anonymized.

Keywords

Application fingerprinting traffic deanonymization malware detection machine learning 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Yen, T.-F., Reiter, M.K.: Traffic aggregation for malware detection. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 207–227. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  2. 2.
    Comer, D.E., Lin, J.C.: Probing TCP implementations. In: Proceedings of the USENIX Summer 1994 Technical Conference (June 1994)Google Scholar
  3. 3.
    Padhye, J., Floyd, S.: On inferring TCP behavior. In: Proceedings of ACM SIGCOMM, August 2001, pp. 287–298 (2001)Google Scholar
  4. 4.
    Paxson, V.: Automated packet trace analysis of TCP implementations. In: Proceedings of ACM SIGCOMM, pp. 167–179 (1997)Google Scholar
  5. 5.
    Lippmann, R., Fried, D., Piwowarski, K., Streilein, W.: Passive operating system identification from TCP/IP packet headers. In: Proceedings of the ICDM Workshop on Data Mining for Computer Security (2003)Google Scholar
  6. 6.
    Beverly, R.: A robust classifier for passive TCP/IP fingerprinting. In: Barakat, C., Pratt, I. (eds.) PAM 2004. LNCS, vol. 3015, pp. 158–167. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  7. 7.
    Karagiannis, T., Papagiannaki, K., Faloutsos, M.: BLINC: multilevel traffic classification in the dark. In: Proceedings of ACM SIGCOMM, August 2005, pp. 229–240 (2005)Google Scholar
  8. 8.
    Bernaille, L., Teixeira, R., Akodkenou, I., Soule, A., Salamatian, K.: Traffic classification on the fly. ACM SIGCOMM Computer Communication Review 36(2), 23–26 (2006)CrossRefGoogle Scholar
  9. 9.
    Hernandez-Campos, F., Nobel, A.B., Smith, F.D., Jeffay, K.: Understanding patterns of TCP connection usage with statistical clustering. In: Proceedings of 13th Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems, September 2005, pp. 35–44 (2005)Google Scholar
  10. 10.
    Roughan, M., Sen, S., Spatscheck, O., Duffield, N.: Class-of-service mapping for QoS: A statistical signature-based approach to IP traffic classification. In: Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 2004, pp. 135–148 (2004)Google Scholar
  11. 11.
    Crotti, M., Dusi, M., Gringoli, F., Salgarelli, L.: Traffic classification through simple statistical fingerprinting. ACM SIGCOMM Computer Communication Review 37(1) (2007)Google Scholar
  12. 12.
    Collins, M.P., Reiter, M.K.: Finding peer-to-peer file-sharing using coarse network behaviors. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 1–17. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  13. 13.
    Zander, S., Nguyen, T., Armitage, G.: Automated traffic classification and application identification using machine learning. In: Proceedings of the 2005 IEEE Conference on Local Computer Networks (2005)Google Scholar
  14. 14.
    Moore, A.W., Papagiannaki, K.: Toward the accurate identification of network applications. In: Dovrolis, C. (ed.) PAM 2005. LNCS, vol. 3431, pp. 41–54. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  15. 15.
    Erman, J., Mahanti, A., Arlitt, M., Williamson, C.: Identifying and discriminating between web and peer-to-peer traffic in the network core. In: Proceedings of the 16th International World Wide Web Conference (May 2007)Google Scholar
  16. 16.
    Koukis, D., Antonatos, S., Anagnostakis, K.: On the privacy risks of publishing anonymized IP network traces. In: Proceedings of Communications and Multimedia Security, October 2006, pp. 22–32 (2006)Google Scholar
  17. 17.
    Coull, S.E., Wright, C.V., Monrose, F., Collins, M.P., Reiter, M.K.: Playing devil’s advocate: Inferring sensitive information from anonymized network traces. In: Proceedings of the 2007 ISOC Network and Distributed System Security Symposium (February 2007)Google Scholar
  18. 18.
    Coull, S.E., Collins, M.P., Wright, C.V., Monrose, F., Reiter, M.K.: On web browsing privacy in anonymized NetFlows. In: Proceedings of the 16th USENIX Security Symposium, August 2007, pp. 339–352 (2007)Google Scholar
  19. 19.
    Shankar, U., Paxson, V.: Active mapping: Resisting NIDS evasion without altering traffic. In: Proceedings of the 2003 IEEE Symposium on Security and Privacy (May 2003)Google Scholar
  20. 20.
    QoSient LLC: Argus - auditing network activity, http://qosient.com/argus/
  21. 21.
    Brownlee, N., Mills, C., Ruth, G.: Traffic flow measurement: Architecture. RFC 2722 (1999)Google Scholar
  22. 22.
    Handelman, S., Stibler, S., Brownlee, N., Ruth, G.: New attributes for traffic flow measurement. RFC 2724 (1999)Google Scholar
  23. 23.
    Spiliopoulou, M., Mobasher, B., Berendt, B.: A framework for the evaluation of session reconstruction heuristics in web-usage analysis. INFORMS Journal on Computing 15(2) (2003)Google Scholar
  24. 24.
    Chun, B., Culler, D., Roscoe, T., Bavier, A., Peterson, L., Wawrzoniak, M., Bowman, M.: PlanetLab: an overlay testbed for broad-coverage services. ACM SIGCOMM Computer Communication Review 33(3), 3–12 (2003)CrossRefGoogle Scholar
  25. 25.
    Bellard, F.: QEMU, a fast and portable dynamic translator. In: USENIX Annual Technical Conference, FREENIX Track (2005)Google Scholar
  26. 26.
    Witten, I., Frank, E.: Data Mining: Practical machine learning tools and techniques. Morgan Kaufmann, San Francisco (2005)zbMATHGoogle Scholar
  27. 27.
    Joachims, T.: Text categorization with support vector machines: Learning with many relevant features. In: Nédellec, C., Rouveirol, C. (eds.) ECML 1998. LNCS, vol. 1398. Springer, Heidelberg (1998)Google Scholar
  28. 28.
    Osuna, E., Freund, R., Girosit, F.: Training support vector machines: an application to face detection. In: Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition (June 1997)Google Scholar
  29. 29.
    Karasaridis, A., Rexroad, B., Hoeflin, D.: Wide-scale botnet detection and characterization. In: Proceedings of the 1st Workshop on Hot Topics in Understanding Botnets (April 2007)Google Scholar
  30. 30.
    Gates, C., Becknel, B.: Host anomalies from network data. In: Proceedings of the 6th IEEE Systems, Man and Cybernetics Information Assurance Workshop (June 2005)Google Scholar
  31. 31.
    Gu, G., Perdisci, R., Zhang, J., Lee, W.: Botminer: Clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Proceedings of the USENIX Security Symposium (August 2008)Google Scholar
  32. 32.
    Collins, M.P., Reiter, M.K.: Hit-list worm detection and bot identification in large networks using protocol graphs. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 276–295. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  33. 33.
    Xu, K., Zhang, Z., Bhattacharyya, S.: Profiling internet backbone traffic: Behavior models and applications. In: Proceedings of ACM SIGCOMM (August 2005)Google Scholar
  34. 34.
    Aiello, W., Kalmanek, C., McDaniel, P., Sen, S., Spatscheck, O., Van der Merwe, J.E.: Analysis of communities of interest in data networks. In: Dovrolis, C. (ed.) PAM 2005. LNCS, vol. 3431, pp. 83–96. Springer, Heidelberg (2005)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Ting-Fang Yen
    • 1
  • Xin Huang
    • 2
  • Fabian Monrose
    • 2
  • Michael K. Reiter
    • 2
  1. 1.Carnegie Mellon UniversityPittsburghUSA
  2. 2.University of North CarolinaChapel HillUSA

Personalised recommendations