Automated Behavioral Fingerprinting

Abstract: This paper addresses the fingerprinting of devices that speak a common protocol that is unknown to the fingerprinting engine. We consider a behavioral approach, where the fingerprinting of an unknown protocol is based on detecting and exploiting differences in the observed behavior of two or more devices. Our approach assumes zero knowledge about the syntax and state machine underlying the protocol. The main contribution of this paper is a two-phase method. The first phase identifies the different message types using an unsupervised support vector clustering algorithm. The second phase leverages recent advances in tree support kernels in order to learn and differentiate implementations of that protocol. The key idea is to represent behavior in terms of trees and learn the distinctive subtrees that are specific to one particular device. Our solution is passive and does not assume active, stimulus-triggered behavior templates. We instantiate our solution for the particular case of a VoIP-specific protocol (SIP) and validate it using extensive data sets collected on a large VoIP testbed.
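The key idea in the abstract, behavior represented as trees and compared by the subtrees they share, can be illustrated with a small Python example. This is an added illustration, not the paper's code or data: it assumes that phase one (message-type identification) has already been done, so each SIP dialog is given as a sequence of message types, uses a complete-subtree kernel and a mean-similarity classifier instead of the paper's support vector machinery, and all device names and traffic below are constructed sample data.

```python
"""Toy behavioral fingerprinting with a tree kernel.

Added illustration, not the paper's code.  Assumes SIP dialogs have already been
reduced to message-type sequences (the paper's phase one, done here by hand),
represents each session as a tree, compares trees with a complete-subtree
kernel and labels an unknown session by mean kernel similarity to each known
device.  All traffic below is constructed sample data.
"""
from collections import Counter

# Constructed training data: device -> list of sessions; each session is a list
# of (request, [responses in the order they were observed]).
TRAINING_DIALOGS = {
    "device_A": [
        [("INVITE", ["100", "180", "200"]), ("BYE", ["200"])],
        [("INVITE", ["100", "180", "200"]), ("OPTIONS", ["200"]), ("BYE", ["200"])],
    ],
    "device_B": [
        [("INVITE", ["100", "183", "200"]), ("BYE", ["200"])],
        [("INVITE", ["100", "183", "200"]), ("OPTIONS", ["200"]), ("BYE", ["200"])],
    ],
}

# Constructed sessions from devices we want to identify.
UNKNOWN_LIKE_A = [("INVITE", ["100", "180", "200"]), ("OPTIONS", ["200"])]
UNKNOWN_LIKE_B = [("INVITE", ["100", "183", "200"])]


def build_tree(dialogs):
    """Session tree: root -> one node per request -> responses nested by order,
    so '100 then 180 then 200' and '180 then 200' become different subtrees."""
    requests = []
    for request, responses in dialogs:
        chain = []
        for resp in reversed(responses):
            chain = [(resp, chain)]
        requests.append((request, chain))
    return ("session", requests)


def subtree_counts(tree):
    """Multiset of every complete subtree, serialised canonically (children in order)."""
    counts = Counter()

    def walk(node):
        label, children = node
        key = "(" + label + "".join(walk(child) for child in children) + ")"
        counts[key] += 1
        return key

    walk(tree)
    return counts


def tree_kernel(a, b):
    """Number of pairs of identical complete subtrees: the dot product of the
    two subtree-count vectors, so shared structure raises the score."""
    ca, cb = subtree_counts(a), subtree_counts(b)
    return sum(ca[key] * cb[key] for key in ca if key in cb)


def normalized_kernel(a, b):
    """Cosine-style normalisation so a long session does not dominate."""
    return tree_kernel(a, b) / (tree_kernel(a, a) * tree_kernel(b, b)) ** 0.5


def classify(dialogs, training=TRAINING_DIALOGS):
    """Return (best device, {device: mean normalised similarity})."""
    tree = build_tree(dialogs)
    scores = {}
    for device, sessions in training.items():
        sims = [normalized_kernel(tree, build_tree(s)) for s in sessions]
        scores[device] = sum(sims) / len(sims)
    return max(scores, key=scores.get), scores


def distinctive_subtrees(training=TRAINING_DIALOGS):
    """Subtrees present in every session of one device and in no session of any
    other device: the candidate fingerprint of that implementation."""
    seen = {device: [set(subtree_counts(build_tree(s))) for s in sessions]
            for device, sessions in training.items()}
    result = {}
    for device, sets in seen.items():
        always = set.intersection(*sets)
        elsewhere = set().union(*(s for other, others in seen.items()
                                  if other != device for s in others))
        result[device] = always - elsewhere
    return result


if __name__ == "__main__":
    for name, dialogs in (("unknown 1", UNKNOWN_LIKE_A), ("unknown 2", UNKNOWN_LIKE_B)):
        best, scores = classify(dialogs)
        print(name, "->", best, {d: round(s, 3) for d, s in scores.items()})
    for device, subtrees in distinctive_subtrees().items():
        print(device, "distinctive:", sorted(subtrees))
```

With this data the unknown sessions are assigned to device_A and device_B respectively, and the distinctive subtrees reported are the response chains that differ between the two implementations (180 Ringing versus 183 Session Progress after 100 Trying), while a subtree both devices produce, such as a bare 200 OK, is never reported. In practice the kernel would feed a support vector machine, as in the paper, rather than the mean-similarity rule used here for brevity.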
Document type:
Conference paper
Engin Kirda, Somesh Jha, Davide Balzarotti (Eds.). 12th International Symposium on Recent Advances in Intrusion Detection (RAID 2009), Sep 2009, St Malo, France. Springer Berlin / Heidelberg, Lecture Notes in Computer Science vol. 5758, 2009. 〈http://springerlink.com/content/0k6v607507924160/?p=bfc618b857a94fb5a8c4b57fe3fa70df&pi=0〉. DOI 〈10.1007/978-3-642-04342-0_10〉

https://hal.inria.fr/inria-00428972
Contributor: Jérôme François
Submitted on: Friday 30 October 2009 - 11:04:13
Last modified on: Thursday 11 January 2018 - 06:19:49
Document(s) archived on: Thursday 30 June 2011 - 11:54:32

File

classif.pdf
Files produced by the author(s)

Citation

Jérôme François, Humberto Abdelnur, Radu State, Olivier Festor. Automated Behavioral Fingerprinting. In: Engin Kirda, Somesh Jha, Davide Balzarotti (Eds.), 12th International Symposium on Recent Advances in Intrusion Detection (RAID 2009), Sep 2009, St Malo, France. Springer Berlin / Heidelberg, Lecture Notes in Computer Science vol. 5758, 2009. 〈http://springerlink.com/content/0k6v607507924160/?p=bfc618b857a94fb5a8c4b57fe3fa70df&pi=0〉. DOI 〈10.1007/978-3-642-04342-0_10〉. HAL id 〈inria-00428972〉

Metrics

Record views

368

File downloads

275