Show simple item record

dc.contributor.author: Hagos, Desta Haileselassie
dc.contributor.author: Yazidi, Anis
dc.contributor.author: Kure, Øivind
dc.contributor.author: Engelstad, Paal
dc.coverage.spatial: Norway [en_US]
dc.date.accessioned: 2021-06-10T10:23:52Z
dc.date.available: 2021-06-10T10:23:52Z
dc.date.created: 2021-02-01T21:35:16Z
dc.date.issued: 2020-09-15
dc.identifier.citation: D. H. Hagos, A. Yazidi, Ø. Kure and P. E. Engelstad, "A Machine-Learning-Based Tool for Passive OS Fingerprinting With TCP Variant as a Novel Feature," in IEEE Internet of Things Journal, vol. 8, no. 5, pp. 3534-3553, 1 March 2021, doi: 10.1109/JIOT.2020.3024293. [en_US]
dc.identifier.issn: 2327-4662
dc.identifier.uri: https://hdl.handle.net/11250/2758792
dc.description.abstract: With the emergence of Internet of Things (IoT), securing and managing large, complex enterprise network infrastructure requires capturing and analyzing network traffic traces in real-time. An accurate passive Operating System (OS) fingerprinting plays a critical role in effective network management and cybersecurity protection. Passive fingerprinting doesn’t send probes that introduce extra load to the network and hence it has a clear advantage over active fingerprinting since it also reduces the risk of triggering false alarms. This paper proposes and evaluates an advanced classification approach to passive OS fingerprinting by leveraging state-of-the-art classical machine learning and deep learning techniques. Our controlled experiments on benchmark data, emulated and realistic traffic are performed using two approaches. Through an Oracle-based machine learning approach, we found that the underlying TCP variant is an important feature for predicting the remote OS. Based on this observation, we develop a sophisticated tool for OS fingerprinting that first predicts the TCP flavor using passive traffic traces and then uses this prediction as an input feature for another machine learning algorithm for predicting the remote OS from passive measurements. This paper takes the passive fingerprinting problem one step further by introducing the underlying predicted TCP variant as a distinguishing feature. In terms of accuracy, we empirically demonstrate that accurately predicting the TCP variant has the potential to boost the evaluation performance from 84% to 94% on average across all our validation scenarios and across different types of traffic sources. We also demonstrate a practical example of this potential, by increasing the performance to 91.3% and 95.22% on average using a tool for loss-based and a combination of loss and delay-based TCP variant prediction in an emulated setting. To the best of our knowledge, this is the first study that explores the potential for using the knowledge of the TCP variant to significantly boost the accuracy of passive OS fingerprinting. [en_US]
dc.language.iso: eng [en_US]
dc.publisher: Institute of Electrical and Electronics Engineers [en_US]
dc.relation.ispartofseries: IEEE Internet of Things Journal;Volume: 8, Issue: 5
dc.subject: Operating systems [en_US]
dc.subject: Fingerprinting [en_US]
dc.subject: Machine learning [en_US]
dc.subject: Deep learning [en_US]
dc.subject: Internet of things [en_US]
dc.subject: IoT [en_US]
dc.subject: Passive traffic measurements [en_US]
dc.title: A Machine Learning-based Tool for Passive OS Fingerprinting with TCP Variant as a Novel Feature [en_US]
dc.title.alternative: A Deep Learning-based Universal Tool for Operating Systems Fingerprinting from Passive Measurements [en_US]
dc.type: Peer reviewed [en_US]
dc.type: Journal article [en_US]
dc.description.version: acceptedVersion [en_US]
dc.rights.holder: © 2020 IEEE. [en_US]
cristin.ispublished: true
cristin.fulltext: postprint
cristin.qualitycode: 2
dc.identifier.doi: https://doi.org/10.1109/JIOT.2020.3024293
dc.identifier.cristin: 1885555
dc.source.journal: IEEE Internet of Things Journal [en_US]
dc.source.volume: 8 [en_US]
dc.source.issue: 5 [en_US]
dc.source.pagenumber: 1-18 [en_US]


Associated file(s)


This item appears in the following collection(s)
