A Robust Classifier for Passive TCP/IP Fingerprinting

Robert Beverly.
Proceedings of the 5th Passive and Active Measurement Workshop (PAM 2004),
pp. 158-167, Juan-les-Pins, France, April 2004

Using probabilistic learning, we develop a naive Bayesian classifier to passively infer a host's operating system from packet headers. We analyze traffic captured from an Internet exchange point and compare our classifier to rule-based inference tools. While the host operating system distribution is heavily skewed, we find operating systems that constitute a small fraction of the host count contribute a majority of total traffic. Finally as an application of our classifier, we count the number of hosts masquerading behind NAT devices and evaluate our results against prior techniques. We find a host count inflation factor due to NAT of approximately 9\% in our traces.

[Postscript(119KB)] [PDF(134KB)] [BibTeX]
[Presentation Slides]

[ Return to publications ]