
Automated Behavioral Fingerprinting

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2009)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5758)

Abstract

This paper addresses the fingerprinting of devices that speak a common protocol that is unknown to the fingerprinting engine. We consider a behavioral approach, in which the fingerprinting of an unknown protocol is based on detecting and exploiting differences in the observed behavior of two or more devices. Our approach assumes zero knowledge about the syntax and state machine underlying the protocol. The main contribution of this paper is a two-phase method. The first phase identifies the different message types using an unsupervised support vector clustering algorithm. The second phase leverages recent advances in tree kernel methods to learn and differentiate implementations of that protocol. The key idea is to represent behavior in terms of trees and to learn the distinctive subtrees that are specific to one particular device. Our solution is passive and does not rely on active, stimulus-triggered behavior templates. We instantiate our solution for the particular case of a VoIP-specific protocol (SIP) and validate it using extensive data sets collected on a large VoIP testbed.
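The tree comparison of the second phase, as an added illustration that is not the paper's code: a subset-tree kernel in the style of Collins and Duffy computed over small constructed SIP behavior trees, where node labels stand in for the message-type clusters that phase one would produce. The SIP response sequences, the device names and the nearest-reference classifier are assumptions made for this example.

```python
class Node:
    def __init__(self, label, *children):
        self.label = label          # message type: SIP method or status code
        self.children = children    # replies observed to this message, in order

    def production(self):
        # A node's "production": its label plus its ordered child labels.
        return (self.label, tuple(c.label for c in self.children))

    def nodes(self):
        yield self
        for c in self.children:
            yield from c.nodes()

def _delta(n1, n2, lam, memo):
    """Decayed count of tree fragments shared by the subtrees rooted at n1 and n2."""
    key = (id(n1), id(n2))
    if key not in memo:
        if n1.production() != n2.production():
            memo[key] = 0.0
        else:
            score = lam
            for c1, c2 in zip(n1.children, n2.children):
                score *= 1.0 + _delta(c1, c2, lam, memo)
            memo[key] = score
    return memo[key]

def tree_kernel(t1, t2, lam=0.5):
    """Subset-tree kernel: shared-fragment counts summed over all node pairs."""
    memo = {}
    return sum(_delta(a, b, lam, memo) for a in t1.nodes() for b in t2.nodes())

def normalized_kernel(t1, t2, lam=0.5):
    """Cosine-style normalization so that a tree scores 1.0 against itself."""
    return tree_kernel(t1, t2, lam) / (tree_kernel(t1, t1, lam) * tree_kernel(t2, t2, lam)) ** 0.5

def closest_device(tree, references, lam=0.5):
    """Nearest-reference stand-in for the paper's SVM: name of the best-matching device."""
    return max(references, key=lambda dev: normalized_kernel(tree, references[dev], lam))

# Constructed traces (not real captures): device A sends 180 Ringing before 200 OK,
# device B answers 100 Trying and then 200 OK directly.
DEV_A = Node("INVITE", Node("100", Node("180", Node("200"))))
DEV_B = Node("INVITE", Node("100", Node("200")))
# A second constructed observation of device A, with an extra ACK branch.
DEV_A_AGAIN = Node("INVITE", Node("100", Node("180", Node("200"))), Node("ACK"))

if __name__ == "__main__":
    for name, tree in (("same device", DEV_A_AGAIN), ("other device", DEV_B)):
        print(f"{name}: {normalized_kernel(DEV_A, tree):.3f}")
```

The shared 100/180/200 chain keeps the two observations of device A closer to each other than either is to device B, even though the root productions differ once the ACK branch is present.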



Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

François, J., Abdelnur, H., State, R., Festor, O. (2009). Automated Behavioral Fingerprinting. In: Kirda, E., Jha, S., Balzarotti, D. (eds) Recent Advances in Intrusion Detection. RAID 2009. Lecture Notes in Computer Science, vol 5758. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04342-0_10


  • DOI: https://doi.org/10.1007/978-3-642-04342-0_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04341-3

  • Online ISBN: 978-3-642-04342-0
