Browser Fingerprinting from Coarse Traffic Summaries: Techniques and Implications

Authors:
Ting-Fang Yen;Xin Huang;Fabian Monrose;Michael K. Reiter
Affiliations:
Carnegie Mellon University, Pittsburgh;University of North Carolina, Chapel Hill;University of North Carolina, Chapel Hill;University of North Carolina, Chapel Hill
Venue:
DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Year:
2009

Citing 27
Cited 1

Automated packet trace analysis of TCP implementations

SIGCOMM '97 Proceedings of the ACM SIGCOMM '97 conference on Applications, technologies, architectures, and protocols for computer communication
On inferring TCP behavior

Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
Text Categorization with Suport Vector Machines: Learning with Many Relevant Features

ECML '98 Proceedings of the 10th European Conference on Machine Learning
Training Support Vector Machines: an Application to Face Detection

CVPR '97 Proceedings of the 1997 Conference on Computer Vision and Pattern Recognition (CVPR '97)
Active Mapping: Resisting NIDS Evasion without Altering Traffic

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
PlanetLab: an overlay testbed for broad-coverage services

ACM SIGCOMM Computer Communication Review
A Framework for the Evaluation of Session Reconstruction Heuristics in Web-Usage Analysis

INFORMS Journal on Computing
Class-of-service mapping for QoS: a statistical signature-based approach to IP traffic classification

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Profiling internet backbone traffic: behavior models and applications

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
BLINC: multilevel traffic classification in the dark

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Understanding Patterns of TCP Connection Usage with Statistical Clustering

MASCOTS '05 Proceedings of the 13th IEEE International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems
Automated Traffic Classification and Application Identification using Machine Learning

LCN '05 Proceedings of the The IEEE Conference on Local Computer Networks 30th Anniversary
Traffic classification on the fly

ACM SIGCOMM Computer Communication Review
Traffic classification through simple statistical fingerprinting

ACM SIGCOMM Computer Communication Review
Data Mining: Practical Machine Learning Tools and Techniques, Second Edition (Morgan Kaufmann Series in Data Management Systems)

Data Mining: Practical Machine Learning Tools and Techniques, Second Edition (Morgan Kaufmann Series in Data Management Systems)
Identifying and discriminating between web and peer-to-peer traffic in the network core

Proceedings of the 16th international conference on World Wide Web
QEMU, a fast and portable dynamic translator

ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Probing TCP implementations

USTC'94 Proceedings of the USENIX Summer 1994 Technical Conference on USENIX Summer 1994 Technical Conference - Volume 1
Wide-scale botnet detection and characterization

HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
On web browsing privacy in anonymized NetFlows

SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Traffic Aggregation for Malware Detection

DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection

SS'08 Proceedings of the 17th conference on Security symposium
Hit-list worm detection and bot identification in large networks using protocol graphs

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Toward the accurate identification of network applications

PAM'05 Proceedings of the 6th international conference on Passive and Active Network Measurement
Analysis of communities of interest in data networks

PAM'05 Proceedings of the 6th international conference on Passive and Active Network Measurement
Finding peer-to-peer file-sharing using coarse network behaviors

ESORICS'06 Proceedings of the 11th European conference on Research in Computer Security
On the privacy risks of publishing anonymized IP network traces

CMS'06 Proceedings of the 10th IFIP TC-6 TC-11 international conference on Communications and Multimedia Security

NetGator: malware detection using program interactive challenges

DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Quantified Score

Hi-index	0.00

Visualization

Abstract

We demonstrate that the browser implementation used at a host can be passively identified with significant precision and recall, using only coarse summaries of web traffic to and from that host. Our techniques utilize connection records containing only the source and destination addresses and ports, packet and byte counts, and the start and end times of each connection. We additionally provide two applications of browser identification. First, we show how to extend a network intrusion detection system to detect a broader range of malware. Second, we demonstrate the consequences of web browser identification to the deanonymization of web sites in flow records that have been anonymized.