Skip to main content
SpringerLink
Log in

Advanced Network Fingerprinting

  • Conference paper
Book cover Recent Advances in Intrusion Detection (RAID 2008)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5230))

Included in the following conference series:

Abstract

Security assessment tasks and intrusion detection systems do rely on automated fingerprinting of devices and services. Most current fingerprinting approaches use a signature matching scheme, where a set of signatures are compared with traffic issued by an unknown entity. The entity is identified by finding the closest match with the stored signatures. These fingerprinting signatures are found mostly manually, requiring a laborious activity and needing advanced domain specific expertise. In this paper we describe a novel approach to automate this process and build flexible and efficient fingerprinting systems able to identify the source entity of messages in the network. We follow a passive approach without need to interact with the tested device. Application level traffic is captured passively and inherent structural features are used for the classification process. We describe and assess a new technique for the automated extraction of protocol fingerprints based on arborescent features extracted from the underlying grammar. We have successfully applied our technique to the Session Initiation Protocol (SIP) used in Voice over IP signalling.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 89.00
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., Schooler, E.: SIP: Session Initiation Protocol (2002)

    Google Scholar 

  2. Crocker, D.H., Overell, P.: Augmented BNF for Syntax Specifications: ABNF (1997)

    Google Scholar 

  3. Buttler, D.: A Short Survey of Document Structure Similarity Algorithms. In: Arabnia, H.R., Droegehorn, O. (eds.) International Conference on Internet Computing, pp. 3–9. CSREA Press (2004)

    Google Scholar 

  4. Broder, A.Z.: On the Resemblance and Containment of Documents. In: SEQUENCES 1997: Proceedings of the Compression and Complexity of Sequences 1997, Washington, DC, USA, p. 21. IEEE Computer Society, Los Alamitos (1997)

    Google Scholar 

  5. Nash, J.F.: Non-Cooperative Games. The Annals of Mathematics 54(2), 286–295 (1951)

    Article  MathSciNet  Google Scholar 

  6. Caballero, J., Venkataraman, S., Poosankam, P., Kang, M.G., Song, D., Blum, A.: FiG: Automatic Fingerprint Generation. In: The 14th Annual Network & Distributed System Security Conference (NDSS 2007) (February 2007)

    Google Scholar 

  7. DParser, http://dparser.sourceforge.net/

  8. Comer, D., Lin, J.C.: Probing TCP Implementations. In: USENIX Summer, pp. 245–255 (1994)

    Google Scholar 

  9. Nmap, http://www.insecure.org/nmap/

  10. P0f, http://lcamtuf.coredump.cx/p0f.shtml

  11. Yan, H., Sripanidkulchai, K., Zhang, H.: Incorporating Active Fingerprinting into SPIT Prevention Systems. In: Third Annual VoIP Security Workshop (June 2006)

    Google Scholar 

  12. Scholz, H.: SIP Stack Fingerprinting and Stack Difference Attacks. Black Hat Briefings (2006)

    Google Scholar 

  13. Watson, D., Smart, M., Malan, G.R., Jahanian, F.: Protocol scrubbing: network security through transparent flow modification. IEEE/ACM Trans. Netw. 12(2), 261–273 (2004)

    Article  Google Scholar 

  14. Open Source FastTrack P2P Protocol (2007), http://gift-fasttrack.berlios.de/

  15. Fritzler, A.: UnOfficial AIM/OSCAR Protocol Specification (2007), http://www.oilcan.org/oscar/

  16. Beddoe, M.: The Protocol Informatics Project. Toorcon (2004)

    Google Scholar 

  17. Gopalratnam, K., Basu, S., Dunagan, J., Wang, H.J.: Automatically Extracting Fields from Unknown Network Protocols. In: Systems and Machine Learning Workshop 2006 (2006)

    Google Scholar 

  18. Wondracek, G., Comparetti, P.M., Kruegel, C., Kirda, E.: Automatic Network Protocol Analysis. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS 2008) (2008)

    Google Scholar 

  19. Newsome, J., Brumley, D., Franklin, J., Song, D.: Replayer: automatic protocol replay by binary analysis. In: CCS 2006: Proceedings of the 13th ACM conference on Computer and communications security, pp. 311–321. ACM, New York (2006)

    Chapter  Google Scholar 

  20. Cui, W., Kannan, J., Wang, H.J.: Discoverer: automatic protocol reverse engineering from network traces. In: SS 2007: Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, Berkeley, CA, USA, pp. 1–14. USENIX Association (2007)

    Google Scholar 

  21. Brumley, D., Caballero, J., Liang, Z., Newsome, J., Song, D.: Towards automatic discovery of deviations in binary implementations with applications to error detection and fingerprint generation. In: SS 2007: Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, Berkeley, CA, USA, pp. 1–16. USENIX Association (2007)

    Google Scholar 

  22. Lin, Z., Jiang, X., Xu, D., Zhang, X.: Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution. In: 15th Symposium on Network and Distributed System Security (2008)

    Google Scholar 

  23. Bonfiglio, D., Mellia, M., Meo, M., Rossi, D., Tofanelli, P.: Revealing skype traffic: when randomness plays with you. SIGCOMM Comput. Commun. Rev. 37(4), 37–48 (2007)

    Article  Google Scholar 

  24. Wright, C.V., Ballard, L., Monrose, F., Masson, G.M.: Language identification of encrypted VoIP traffic: Alejandra y Roberto or Alice and Bob? In: SS 2007: Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, Berkeley, CA, USA, pp. 1–12. USENIX Association (2007)

    Google Scholar 

  25. Chang, M., Poon, C.K.: Catching the Picospams. In: Hacid, M.-S., Murray, N.V., Raś, Z.W., Tsumoto, S. (eds.) ISMIS 2005. LNCS (LNAI), vol. 3488, pp. 641–649. Springer, Heidelberg (2005)

    Google Scholar 

  26. Haffner, P., Sen, S., Spatscheck, O., Wang, D.: ACAS: automated construction of application signatures. In: MineNet 2005: Proceedings of the 2005 ACM SIGCOMM workshop on Mining network data, pp. 197–202. ACM, New York (2005)

    Chapter  Google Scholar 

  27. Borisov, N., Brumley, D.J., Wang, H.J.: Generic Application-Level Protocol Analyzer and its Language. In: 14th Symposium on Network and Distributed System Security (2007)

    Google Scholar 

  28. Ma, J., Levchenko, K., Kreibich, C., Savage, S., Voelker, G.M.: Unexpected means of protocol inference. In: IMC 2006: Proceedings of the 6th ACM SIGCOMM conference on Internet measurement, pp. 313–326. ACM, New York (2006)

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Centre de Recherche INRIA Nancy, Grand Est 615, rue du jardin botanique, Villers-les-Nancy, France

    Humberto J. Abdelnur, Radu State & Olivier Festor

Authors
  1. Humberto J. Abdelnur
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Radu State
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Olivier Festor
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Richard Lippmann Engin Kirda Ari Trachtenberg

Rights and permissions

Reprints and permissions

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Abdelnur, H.J., State, R., Festor, O. (2008). Advanced Network Fingerprinting. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds) Recent Advances in Intrusion Detection. RAID 2008. Lecture Notes in Computer Science, vol 5230. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87403-4_20

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-87403-4_20

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-87402-7

  • Online ISBN: 978-3-540-87403-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation