Systems and methods for fingerprinting physical devices and device types based on network traffic

US 9,225,732 B2
Filed: 11/29/2012
Issued: 12/29/2015
Est. Priority Date: 11/29/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

capturing, at a listening node in communication with a network, network traffic originating from a first device in communication with the network and routed to a destination node in communication with the network;

measuring, independent of network traffic type, protocol or packet payload, one or more traffic properties of the captured network traffic;

generating a feature vector based on at least a portion of the one or more measured traffic properties;

analyzing one or more statistical properties of the feature vector; and

generating a first device signature based on the analyzed one or more statistical properties, wherein the first device signature comprises encoded information about a hardware and software architecture of the first device;

comparing the first device signature with one or more known signatures; and

determining, based on the comparing, and without prior knowledge of the network traffic type, protocol or packet payload, a type of the first device and an identity of the first device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for providing device and/or device type fingerprinting based on properties of network traffic originating from a device to be identified. In one implementation, the method includes capturing packets routed through a network at an intermediate node between the originating device to be identified and destination, measuring properties of the captured traffic, including packet inter-arrival time, and generating a signature based on the measured properties that includes identifying information about the hardware and/or software architecture of the device. Various implementations do not require deep packet inspection, do not require a managed device-side client, are protocol and packet payload agnostic, and effective for MAC or IP-level encrypted streams. Also, various implementations can provide wired-side detection of wireless devices and device types and can detect both previously detected and unknown devices.

Citations

14 Claims

1. A method comprising:
- capturing, at a listening node in communication with a network, network traffic originating from a first device in communication with the network and routed to a destination node in communication with the network;
  
  measuring, independent of network traffic type, protocol or packet payload, one or more traffic properties of the captured network traffic;
  
  generating a feature vector based on at least a portion of the one or more measured traffic properties;
  
  analyzing one or more statistical properties of the feature vector; and
  
  generating a first device signature based on the analyzed one or more statistical properties, wherein the first device signature comprises encoded information about a hardware and software architecture of the first device;
  
  comparing the first device signature with one or more known signatures; and
  
  determining, based on the comparing, and without prior knowledge of the network traffic type, protocol or packet payload, a type of the first device and an identity of the first device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising determining an identity of a second device, wherein:
    - the identity of the first device is determined to be a first unknown device;
      
      the identity of the second device is determined to be a second unknown device; and
      
      the first unknown device and second unknown device are determined to be different devices.
  - 3. The method of claim 1, wherein the first device is in wireless communication with the network and the network traffic is routed over a wired segment to reach the destination node, and wherein the listening node captures the network traffic from the wired segment.
  - 4. The method of claim 1, wherein the captured network traffic is at least partially encrypted.
  - 5. The method of claim 1, wherein the network comprises network access control and the first device does not comprise a network access control client compatible with the network access control.
  - 6. The method of claim 1, wherein the network traffic is passively captured.
  - 7. The method of claim 1, wherein the measured traffic properties comprise packet inter-arrival time.
  - 8. The method of claim 1, wherein the feature vector is a time series of measured values.

9. A computer-readable medium that stores instructions that, when executed by at least one processor in a system, cause the system to perform a method comprising:
- receiving, at a listening node in communication with a network, packets routed from a first device in communication with the network and routed to a destination node in communication with the network;
  
  determining, independent of network traffic type, protocol or packet payload, one or more traffic properties of the received packets;
  
  generating a feature vector based on at least a portion of the one or more determined traffic properties;
  
  analyzing one or more statistical properties of the feature vector; and
  
  generating a first device signature based on the analyzed one or more statistical properties, wherein the first device signature comprises encoded information about a hardware and software architecture of the first device;
  
  comparing the first device signature with one or more known signatures; and
  
  determining, based on the comparing, and without prior knowledge of the network traffic type, protocol or packet payload, a type of the first device and an identity of the first device.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9 further comprising determining a type of a second device, wherein:
    - the type of the first device is determined to be a first unknown device type;
      
      the type of the second device is determined to be a second unknown device type; and
      
      the first unknown device type and second unknown device type are determined to be different device types.
  - 11. The method of claim 9, wherein the first device is in wireless communication with the network and the listening node is in wireless communication with the network.
  - 12. The method of claim 9 further comprising sending data to the first device intended to prompt the sending of one or more packets from the first device for capture at the listening node.
  - 13. The method of claim 9, wherein the determined traffic properties comprise packet round-trip time.

14. A method comprising:
- capturing, passively by a listening node in wired communication with a network, network traffic originating from a first device in wireless communication with the network, the network traffic routed over a wired segment to arrive at a destination node in communication with the network, wherein the listening node captures the network traffic from the wired segment;
  
  measuring, independent of network traffic type, protocol or packet payload, one or more traffic properties including packet inter-arrival times of the captured network traffic;
  
  generating a feature vector based on at least the one or more traffic properties;
  
  analyzing one or more statistical properties of the feature vector;
  
  generating a first device signature based on the analyzed one or more statistical properties, wherein the first device signature comprises encoded information about the hardware and software architecture of the first device;
  
  comparing the first device signature with one or more known signatures; and
  
  determining, based on the comparing, and without prior knowledge of network traffic type, protocol or packet payload, a type of the first device and an identity of the first device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Georgia Tech Research Corporation (University System of Georgia)
Original Assignee
Georgia Tech Research Corporation (University System of Georgia)
Inventors
Beyah, Abdul Raheem, Corbett, Cherita La'Quale
Primary Examiner(s)
Nguyen, Thu Ha

Application Number

US13/689,748
Publication Number

US 20130139263A1
Time in Patent Office

1,125 Days
Field of Search

726 22- 25, 713/168
US Class Current

1/1
CPC Class Codes

H04L 63/1408 by monitoring network traff...

Systems and methods for fingerprinting physical devices and device types based on network traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for fingerprinting physical devices and device types based on network traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links