5.24M
Категория: ИнформатикаИнформатика
Похожие презентации:
Anomaly detection
Anomaly detection
Computer Software. Operating systems. Desktop applications
Computer Software. Operating systems. Desktop applications
Introduction to operation systems (OS)
Introduction to operation systems (OS)
Telecommunications and Networks
Telecommunications and Networks
Neural networks
Neural networks
Networks and Telecommunications
Networks and Telecommunications
Protecting the Network
Protecting the Network
Microsoft Windows RPC Security Vulnerabilities
Microsoft Windows RPC Security Vulnerabilities
Artificial neural networks
Artificial neural networks
Load Balancing and Termination Detection
Load Balancing and Termination Detection

OS Fingerprinting and Tethering Detection in Mobile Networks

1.

OS Fingerprinting and Tethering
Detection in Mobile Networks
Yi-Chao Chen
The University of Texas at Austin
Joint work:
Yong Liao‡, Mario Baldi‡, Sung-Ju Lee‡, Lili Qiu†
Narus Inc. ‡, The University of Texas at Austin†
IMC 2014

2.

Mobile OS Fingerprinting
Problem statement
Infer
what operating system a device is running by
analyzing the packets it’s generating.
Tethering detection: identify mobile devices which
are sharing the Internet access
?
?
?

3.

Importance
Tethering detection
Billing
for shared access in mobile networks
Security
Policy
IMC 2014
enforcement in enterprise networks
3

4.

Existing Works
Application
• HTTP user agent [P0f], DHCP options [Satori]
Transport
• TCP handshake, timeout, MTU, flags, init seq.
number [P0f, NMap, VEYSET02, PAM04, RAID03],
TCP Timestamp [INFOCOM99, IMW02]
Network
• IP TTL, ID, dest address [P0f, PAM04]
Link
IMC 2014
• 802.11 MAC fields, SSID, frame size
[MOBICOM07]
4

5.

Limitation of Existing Works
Existing works focus on the Internet traffic
Mobile networks impose new challenges:
Dynamic
Clock
Short
TCP
skew, boot time estimation, …
connections
flavors, initial sequence number, …
Features
TCP
IMC 2014
frequency due to power saving
might have changed in mobile OSes
MTU, IP flags, …
5

6.

Approach
Identify features to fingerprint mobile device OSes
Detect tethering
Clock
frequency stability, boot time estimation
IP Time-to-Live, ID Monotonicity
TCP timestamp option, window size scale option,
timestamp monotonicity
Combine multiple features
Quantify the performance
Individual
and combined features
OS fingerprinting and tethering detection
IMC 2014
6

7.

Dataset
Lab trace
56
mobile user traces
14
10
Android phones and tablets traces
Samsung Galaxy S5, HTC Ones, HTC Inspire phones,
Google Nexus 10 tablet
iOS traces
iPhone 4s, iPhone5s, iPad 2, iPod Touch
iOS 5.1.1, iOS 6.1
32
Each
IMC 2014
Windows laptops traces
running Windows XP or Windows 7
capture lasts 10~30 minutes
7

8.

Other Datasets
Trace
Time
Duration # IPs
Lab Trace
SIGCOMM08 Trace
Oct. 2013
2 hours
56
Aug. 2008
1 day
223
OSDI06 trace
Nov. 2006
1 day
292
IMC 2014
8

9.

Features
Clock Frequency
i
1
i
1
The
frequency is stable in Android and Windows,
High clock frequency std. suggests iOS
but vary over time in iOS devices
Frac. hosts with std > x
- timestamp
timestamp
freq =
rcv_ time - rcv_ time
1.0
Android
Windows
iOS
0.8
0.6
0.4
0.2
0.0
0
5
10 15 20 25 30 35
Stdev of clock frequency
40
9

10.

Features
IP ID Monotonicity
Android:
iOS:
Windows:
randomize
IP ID
the
consistently
IP ID of increase
each packet
monotonically
High violation ratio suggests iOS;
Some devices completely randomize the IP IDs
low violation ratio suggests Windows.
Some
Frac. hosts with ratio < x
periodically reset to random values.
1.0
0.8
0.6
0.4
Android
iOS
Windows
0.2
0.0
0
0.2
0.4
0.6
0.8
1
Ratio of packets violating IP ID monotonicity
10

11.

Features
TCP Timestamp Option
iOS
and Android have TCP TS Option,
Low ratio of TCP TS option suggests Windows.
but Windows doesn’t
Frac. hosts with ratio > x
1.0
0.8
0.6
0.4
0.2
Windows
Android
iOS
0.0
0.6
0.8
1.0
0.0
0.2
0.4
ratio of pkts with TCP Timestamp Option
11

12.

Features
iOS
Android
Windows
IP Time-To-Live
TCP Window Size
Scale Option
Boot time estimation
Ratio of packets
1.0
0.8
0.6
0.4
0.2
0.0
64 128
WS=1
WS=2
1.0
64 128
WS=4
WS=8
64 128
WS=16
WS=64
WS=256
Ratio
0.8
0.6
0.4
0.2
IMC 2014
0.0
Android
iOS
Windows

13.

served in Section 3.2, different features may work well in differen
scenarios. This motivates us to develop a technique to leverag
multiple features to improve accuracy. We design a probability
based technique by applying the navïe Bayes classi er to effec
tively
combine multiple features. Speci cally, given the set of ob
No single feature works in all scenarios
served features f 1 ∼ f k , the probability of being OSx can be com
Naï
ve Bayes
classifier
puted
as Equation
(1) if
features f 1 ∼ f k are independent.
Combining Features
P r (f i , ..., f k | OSx )
P r (OSx | f 1 , ..., f k ) = P r (OSx )
P r (f i , ..., f k )
Probability of
being OSx
= P r (OSx )
k
i= 1
P r (f i | OSx )
k
i= 1
P r (f i )
.
(1
finding
P r (OSx ) andProbability
P r (f i |OSof
)
x are learned from the training traces
feature
x’s traffic
We then compute
P rfi(fini )OS
based
on all packets from an IP addres
in the testing trace and use Equation
1 to compute
Probability
of findingthe probabilit
IMC 2014
13
that the IP uses OSx . The OS isfeature
then identi ed
as
the
one
with
th
fi in all traffic

14.

Tethering Detection
Apply the same technique for tethering
detection.
Features which identify mobile devices
IP
Time-To-Live
TCP timestamp monotonicity
Clock frequency
Boot time estimation
Multiple OSes
IMC 2014
14

15.

Evaluation – Single Feature
No single feature identifies all OSes accurately.
tp
recall =
tp+ fn
Recall
F-score
1.0
1.0
0.8
0.8
Value
tp
precision =
tp+ fp
Value
Precision
0.6
0.4
0.2
0.6
0.4
0.2
0.0
0.0
Android
iOS
Windows
Android
prec´ recall
prec+ recall
Windows
(b) IP ID monotonicity
1.0
1.0
0.8
0.8
Value
F1 = 2
Value
(a) TTL
iOS
0.6
0.4
0.2
0.6
0.4
0.2
0.0
0.0
Android
iOS
Windows
(c) TCP window scale
Android
iOS
Windows
(d) Clock frequency stability

16.

Evaluation – Combing Features
Combining all features yields the best result.
Precision
1.0
Recall
F1-score
Value
0.8
0.6
0.4
0.2
0.0
Android
iOS
Windows
16

17.

Combining
all
features
also
yields
the
best
lab trace
osdi06
sigcomm08
result
in tethering1.0detection.
1.0 osdi06
sigcomm08
0.6
0.4
0.2
1.0
max
0.8
0.6
0.8
Recall
0.8
Recall
Recall
Evaluation – Tethering Detection
max
0.6
max
0.4
0.2
0.4
0.0
0.0
TT TS0.2fre bo OS Co
TT TS fre bo OS Co
o
L
L
mo q st t ti
mo q st ot ti
de mbi
de
m
m
d
d
t
n
n
n
oto ev
e s tect
0.0 oton ev e st ectio e
tde
Co
TSde frne
bo
OS Co nici
icTitT
v
v
o
ty
q
L
m
m
y
m
t
d
s
ete bin
ete bin
on
tde tim
e
cti
o
de
n
v (a) Precision >
0.95
oto
v
n ic
it y
es
(b)
e
cti
o
tPrecision
de
n
>
v
0.8
17

18.

Conclusion
Contributions
Identify
new features for mobile OS fingerprinting and
tethering detection
Develop a probabilistic scheme that combines multiple
features
Evaluate the individual and combined features
Combing
multiple features yields the best performance
OS fingerprinting: 100% precision, 80% recall
Tethering detection: 79%-89% recall when targeting
80% precision
IMC 2014
18

19.

Thank You!
[email protected]
IMC 2014

20.

20
Backup Slides
IMC 2014

21.

Mobile OS Fingerprinting
IMC 2014
21

22.

Features
IP Time-To-Live (TTL)
Windows:
64 or 128
iOS and Android: 64
iOS
Android
Windows
1.0
Ratio of packets
0.8
0.6
0.4
0.2
0.0
64 128
64 128
64 128
22

23.

Features
TCP Window Size Scale Option
iOS:
16
Windows and Android: 2, 4, 64, or 256
1.0
WS=1
WS=2
WS=4
WS=8
WS=16
WS=64
WS=256
0.8
Ratio
0.6
0.4
0.2
0.0
23
Android
iOS
Windows

24.

Evaluation – Comparing Classifiers
Probability based classifier outperforms other
classifiers by 5~21% in F1-score measurement.
24
English     Русский Правила