Похожие презентации:
OS Fingerprinting and Tethering Detection in Mobile Networks
1.
OS Fingerprinting and TetheringDetection in Mobile Networks
Yi-Chao Chen
The University of Texas at Austin
Joint work:
Yong Liao‡, Mario Baldi‡, Sung-Ju Lee‡, Lili Qiu†
Narus Inc. ‡, The University of Texas at Austin†
IMC 2014
2.
Mobile OS FingerprintingProblem statement
Infer
what operating system a device is running by
analyzing the packets it’s generating.
Tethering detection: identify mobile devices which
are sharing the Internet access
?
?
?
3.
ImportanceTethering detection
Billing
for shared access in mobile networks
Security
Policy
IMC 2014
enforcement in enterprise networks
3
4.
Existing WorksApplication
• HTTP user agent [P0f], DHCP options [Satori]
Transport
• TCP handshake, timeout, MTU, flags, init seq.
number [P0f, NMap, VEYSET02, PAM04, RAID03],
TCP Timestamp [INFOCOM99, IMW02]
Network
• IP TTL, ID, dest address [P0f, PAM04]
Link
IMC 2014
• 802.11 MAC fields, SSID, frame size
[MOBICOM07]
4
5.
Limitation of Existing WorksExisting works focus on the Internet traffic
Mobile networks impose new challenges:
Dynamic
Clock
Short
TCP
skew, boot time estimation, …
connections
flavors, initial sequence number, …
Features
TCP
IMC 2014
frequency due to power saving
might have changed in mobile OSes
MTU, IP flags, …
5
6.
ApproachIdentify features to fingerprint mobile device OSes
Detect tethering
Clock
frequency stability, boot time estimation
IP Time-to-Live, ID Monotonicity
TCP timestamp option, window size scale option,
timestamp monotonicity
Combine multiple features
Quantify the performance
Individual
and combined features
OS fingerprinting and tethering detection
IMC 2014
6
7.
DatasetLab trace
56
mobile user traces
14
10
Android phones and tablets traces
Samsung Galaxy S5, HTC Ones, HTC Inspire phones,
Google Nexus 10 tablet
iOS traces
iPhone 4s, iPhone5s, iPad 2, iPod Touch
iOS 5.1.1, iOS 6.1
32
Each
IMC 2014
Windows laptops traces
running Windows XP or Windows 7
capture lasts 10~30 minutes
7
8.
Other DatasetsTrace
Time
Duration # IPs
Lab Trace
SIGCOMM08 Trace
Oct. 2013
2 hours
56
Aug. 2008
1 day
223
OSDI06 trace
Nov. 2006
1 day
292
IMC 2014
8
9.
FeaturesClock Frequency
i
1
i
1
The
frequency is stable in Android and Windows,
High clock frequency std. suggests iOS
but vary over time in iOS devices
Frac. hosts with std > x
- timestamp
timestamp
freq =
rcv_ time - rcv_ time
1.0
Android
Windows
iOS
0.8
0.6
0.4
0.2
0.0
0
5
10 15 20 25 30 35
Stdev of clock frequency
40
9
10.
FeaturesIP ID Monotonicity
Android:
iOS:
Windows:
randomize
IP ID
the
consistently
IP ID of increase
each packet
monotonically
High violation ratio suggests iOS;
Some devices completely randomize the IP IDs
low violation ratio suggests Windows.
Some
Frac. hosts with ratio < x
periodically reset to random values.
1.0
0.8
0.6
0.4
Android
iOS
Windows
0.2
0.0
0
0.2
0.4
0.6
0.8
1
Ratio of packets violating IP ID monotonicity
10
11.
FeaturesTCP Timestamp Option
iOS
and Android have TCP TS Option,
Low ratio of TCP TS option suggests Windows.
but Windows doesn’t
Frac. hosts with ratio > x
1.0
0.8
0.6
0.4
0.2
Windows
Android
iOS
0.0
0.6
0.8
1.0
0.0
0.2
0.4
ratio of pkts with TCP Timestamp Option
11
12.
FeaturesiOS
Android
Windows
IP Time-To-Live
TCP Window Size
Scale Option
Boot time estimation
Ratio of packets
1.0
0.8
0.6
0.4
0.2
0.0
64 128
WS=1
WS=2
1.0
64 128
WS=4
WS=8
64 128
WS=16
WS=64
WS=256
Ratio
0.8
0.6
0.4
0.2
IMC 2014
0.0
Android
iOS
Windows
13.
served in Section 3.2, different features may work well in differenscenarios. This motivates us to develop a technique to leverag
multiple features to improve accuracy. We design a probability
based technique by applying the navïe Bayes classi er to effec
tively
combine multiple features. Speci cally, given the set of ob
No single feature works in all scenarios
served features f 1 ∼ f k , the probability of being OSx can be com
Naï
ve Bayes
classifier
puted
as Equation
(1) if
features f 1 ∼ f k are independent.
Combining Features
P r (f i , ..., f k | OSx )
P r (OSx | f 1 , ..., f k ) = P r (OSx )
P r (f i , ..., f k )
Probability of
being OSx
= P r (OSx )
k
i= 1
P r (f i | OSx )
k
i= 1
P r (f i )
.
(1
finding
P r (OSx ) andProbability
P r (f i |OSof
)
x are learned from the training traces
feature
x’s traffic
We then compute
P rfi(fini )OS
based
on all packets from an IP addres
in the testing trace and use Equation
1 to compute
Probability
of findingthe probabilit
IMC 2014
13
that the IP uses OSx . The OS isfeature
then identi ed
as
the
one
with
th
fi in all traffic
14.
Tethering DetectionApply the same technique for tethering
detection.
Features which identify mobile devices
IP
Time-To-Live
TCP timestamp monotonicity
Clock frequency
Boot time estimation
Multiple OSes
IMC 2014
14
15.
Evaluation – Single FeatureNo single feature identifies all OSes accurately.
tp
recall =
tp+ fn
Recall
F-score
1.0
1.0
0.8
0.8
Value
tp
precision =
tp+ fp
Value
Precision
0.6
0.4
0.2
0.6
0.4
0.2
0.0
0.0
Android
iOS
Windows
Android
prec´ recall
prec+ recall
Windows
(b) IP ID monotonicity
1.0
1.0
0.8
0.8
Value
F1 = 2
Value
(a) TTL
iOS
0.6
0.4
0.2
0.6
0.4
0.2
0.0
0.0
Android
iOS
Windows
(c) TCP window scale
Android
iOS
Windows
(d) Clock frequency stability
16.
Evaluation – Combing FeaturesCombining all features yields the best result.
Precision
1.0
Recall
F1-score
Value
0.8
0.6
0.4
0.2
0.0
Android
iOS
Windows
16
17.
Combiningall
features
also
yields
the
best
lab trace
osdi06
sigcomm08
result
in tethering1.0detection.
1.0 osdi06
sigcomm08
0.6
0.4
0.2
1.0
max
0.8
0.6
0.8
Recall
0.8
Recall
Recall
Evaluation – Tethering Detection
max
0.6
max
0.4
0.2
0.4
0.0
0.0
TT TS0.2fre bo OS Co
TT TS fre bo OS Co
o
L
L
mo q st t ti
mo q st ot ti
de mbi
de
m
m
d
d
t
n
n
n
oto ev
e s tect
0.0 oton ev e st ectio e
tde
Co
TSde frne
bo
OS Co nici
icTitT
v
v
o
ty
q
L
m
m
y
m
t
d
s
ete bin
ete bin
on
tde tim
e
cti
o
de
n
v (a) Precision >
0.95
oto
v
n ic
it y
es
(b)
e
cti
o
tPrecision
de
n
>
v
0.8
17
18.
ConclusionContributions
Identify
new features for mobile OS fingerprinting and
tethering detection
Develop a probabilistic scheme that combines multiple
features
Evaluate the individual and combined features
Combing
multiple features yields the best performance
OS fingerprinting: 100% precision, 80% recall
Tethering detection: 79%-89% recall when targeting
80% precision
IMC 2014
18
19.
Thank You![email protected]
IMC 2014
20.
20Backup Slides
IMC 2014
21.
Mobile OS FingerprintingIMC 2014
21
22.
FeaturesIP Time-To-Live (TTL)
Windows:
64 or 128
iOS and Android: 64
iOS
Android
Windows
1.0
Ratio of packets
0.8
0.6
0.4
0.2
0.0
64 128
64 128
64 128
22
23.
FeaturesTCP Window Size Scale Option
iOS:
16
Windows and Android: 2, 4, 64, or 256
1.0
WS=1
WS=2
WS=4
WS=8
WS=16
WS=64
WS=256
0.8
Ratio
0.6
0.4
0.2
0.0
23
Android
iOS
Windows
24.
Evaluation – Comparing ClassifiersProbability based classifier outperforms other
classifiers by 5~21% in F1-score measurement.
24