On the Resemblance and Containment of Documents
SEQUENCES '97 Proceedings of the Compression and Complexity of Sequences 1997
Protocol scrubbing: network security through transparent flow modification
IEEE/ACM Transactions on Networking (TON)
ACAS: automated construction of application signatures
Proceedings of the 2005 ACM SIGCOMM workshop on Mining network data
Unexpected means of protocol inference
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Replayer: automatic protocol replay by binary analysis
Proceedings of the 13th ACM conference on Computer and communications security
USTC'94 Proceedings of the USENIX Summer 1994 Technical Conference on USENIX Summer 1994 Technical Conference - Volume 1
Revealing skype traffic: when randomness plays with you
Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
Language identification of encrypted VoIP traffic: Alejandra y Roberto or Alice and Bob?
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Discoverer: automatic protocol reverse engineering from network traces
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
ISMIS'05 Proceedings of the 15th international conference on Foundations of Intelligent Systems
Automated Behavioral Fingerprinting
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Hi-index | 0.00 |
Security assessment tasks and intrusion detection systems do rely on automated fingerprinting of devices and services. Most current fingerprinting approaches use a signature matching scheme, where a set of signatures are compared with traffic issued by an unknown entity. The entity is identified by finding the closest match with the stored signatures. These fingerprinting signatures are found mostly manually, requiring a laborious activity and needing advanced domain specific expertise. In this paper we describe a novel approach to automate this process and build flexible and efficient fingerprinting systems able to identify the source entity of messages in the network. We follow a passive approach without need to interact with the tested device. Application level traffic is captured passively and inherent structural features are used for the classification process. We describe and assess a new technique for the automated extraction of protocol fingerprints based on arborescent features extracted from the underlying grammar. We have successfully applied our technique to the Session Initiation Protocol (SIP) used in Voice over IP signalling.