Systems and methods for fingerprinting physical devices and device types based on network traffic
First Claim
1. A method comprising:
capturing, at a listening node in communication with a network, network traffic originating from a first device in communication with the network and routed to a destination node in communication with the network;
measuring, independent of network traffic type, protocol or packet payload, one or more traffic properties of the captured network traffic;
generating a feature vector based on at least a portion of the one or more measured traffic properties;
analyzing one or more statistical properties of the feature vector; and
generating a first device signature based on the analyzed one or more statistical properties, wherein the first device signature comprises encoded information about a hardware and software architecture of the first device;
comparing the first device signature with one or more known signatures; and
determining, based on the comparing, and without prior knowledge of the network traffic type, protocol or packet payload, a type of the first device and an identity of the first device.
Abstract
Systems and methods for providing device and/or device type fingerprinting based on properties of network traffic originating from a device to be identified. In one implementation, the method includes capturing packets routed through a network at an intermediate node between the originating device to be identified and the destination, measuring properties of the captured traffic, including packet inter-arrival time, and generating a signature based on the measured properties that includes identifying information about the hardware and/or software architecture of the device. Various implementations do not require deep packet inspection, do not require a managed device-side client, are protocol and packet payload agnostic, and are effective for MAC- or IP-level encrypted streams. Also, various implementations can provide wired-side detection of wireless devices and device types and can detect both previously detected and unknown devices.
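The following Python example is added here to make the abstract's pipeline concrete; it is not code from the patent or its assignee. It walks the steps the abstract names: a passive listening node records packet timestamps per source, inter-arrival times (IATs) are measured without reading any payload, a feature vector is built from statistics of the IAT distribution, and the resulting signature is compared against known signatures to decide a device type or report "unknown". The IAT profiles, source addresses, the choice of log-scale features, and the match threshold are all constructed for illustration; the patent does not specify them. The example classifies device type only, not the per-device identity the claims also mention.

```python
"""
Illustrative device-type fingerprinting from packet inter-arrival times.

Added example, not the patent's own code. Feature choice, threshold and
all sample data are assumptions made for this illustration.
"""
import math
import statistics
from itertools import accumulate
from typing import Dict, List, Sequence, Tuple

# --- constructed reference data -------------------------------------------
# Per-type IAT profiles in seconds, invented for the example: a sensor that
# reports on a ~1 s cadence and a client that sends short bursts then pauses.
# In a deployment these would come from labelled reference captures.
REFERENCE_IATS: Dict[str, List[float]] = {
    "periodic_sensor": [1.00, 1.02, 0.98, 1.01, 0.99, 1.00, 1.03, 0.97],
    "bursty_client": [0.01, 0.02, 0.01, 0.50, 0.01, 0.02, 0.01, 0.60],
}

SMALL_GAP = 0.05        # seconds; IATs below this count as "within a burst"
MATCH_THRESHOLD = 0.5   # assumed max feature-space distance for a match
MIN_IATS = 3            # too few gaps gives meaningless statistics


def make_capture(start: float, src: str, iats: Sequence[float]) -> List[Tuple[float, str]]:
    """Turn an IAT profile into (timestamp, source) records, i.e. what a
    passive listening node on the wired segment would log for one source."""
    times = list(accumulate(iats, initial=start))
    return [(t, src) for t in times]


# Constructed observed capture: two unlabelled sources interleaved in time.
# The second source has a 100 ms cadence that matches neither reference.
CAPTURE: List[Tuple[float, str]] = sorted(
    make_capture(10.0, "aa:bb:cc:00:00:01",
                 [0.99, 1.01, 1.02, 0.98, 1.00, 1.01, 0.97, 1.02])
    + make_capture(10.3, "aa:bb:cc:00:00:02", [0.10] * 8)
)


def iats_from_capture(capture: Sequence[Tuple[float, str]]) -> Dict[str, List[float]]:
    """Group packets by source address and compute inter-arrival times.
    Only timestamps are used: no protocol, port or payload is inspected."""
    by_src: Dict[str, List[float]] = {}
    for ts, src in sorted(capture):
        by_src.setdefault(src, []).append(ts)
    return {src: [b - a for a, b in zip(ts, ts[1:])] for src, ts in by_src.items()}


def feature_vector(iats: Sequence[float]) -> List[float]:
    """Statistics of the IAT distribution. Working on log(IAT) keeps
    millisecond bursts and second-scale cadences on a comparable scale."""
    if not iats:
        raise ValueError("need at least one inter-arrival time")
    logs = [math.log(max(x, 1e-6)) for x in iats]
    return [
        statistics.fmean(logs),
        statistics.pstdev(logs),
        statistics.median(logs),
        sum(1 for x in iats if x < SMALL_GAP) / len(iats),  # burst fraction
    ]


def signature(iats: Sequence[float]) -> Tuple[float, ...]:
    """The device signature: the rounded feature vector."""
    return tuple(round(f, 4) for f in feature_vector(iats))


def build_known_signatures() -> Dict[str, Tuple[float, ...]]:
    return {name: signature(iats) for name, iats in REFERENCE_IATS.items()}


def classify(iats: Sequence[float], known: Dict[str, Tuple[float, ...]]) -> Tuple[str, float]:
    """Nearest known signature by Euclidean distance; 'unknown' if none is
    within MATCH_THRESHOLD, so previously unseen devices are flagged rather
    than forced into the closest class."""
    sig = signature(iats)
    label, best = min(((name, math.dist(sig, ref)) for name, ref in known.items()),
                      key=lambda pair: pair[1])
    return ("unknown", best) if best > MATCH_THRESHOLD else (label, best)


def classify_capture(capture: Sequence[Tuple[float, str]]) -> Dict[str, Tuple[str, float]]:
    """Run the whole pipeline over a capture, one verdict per source."""
    known = build_known_signatures()
    results: Dict[str, Tuple[str, float]] = {}
    for src, iats in iats_from_capture(capture).items():
        if len(iats) < MIN_IATS:
            results[src] = ("insufficient_data", math.inf)
            continue
        results[src] = classify(iats, known)
    return results


if __name__ == "__main__":
    for src, (label, dist) in classify_capture(CAPTURE).items():
        print(f"{src}: {label} (distance {dist:.3f})")
```

Run as a script, the first source is reported as `periodic_sensor` and the second as `unknown`, which is the defender-side use of the technique: inventory matching for known device types and an alert on traffic timing that fits no known profile. In practice the reference profiles, the feature set and the threshold would be calibrated on real captures, and IAT statistics vary with network load, so the burst fraction and log-scale features are chosen here because they are less sensitive to a constant latency offset than raw means are.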
14 Claims
9. A computer-readable medium that stores instructions that, when executed by at least one processor in a system, cause the system to perform a method comprising:
receiving, at a listening node in communication with a network, packets routed from a first device in communication with the network and routed to a destination node in communication with the network;
determining, independent of network traffic type, protocol or packet payload, one or more traffic properties of the received packets;
generating a feature vector based on at least a portion of the one or more determined traffic properties;
analyzing one or more statistical properties of the feature vector; and
generating a first device signature based on the analyzed one or more statistical properties, wherein the first device signature comprises encoded information about a hardware and software architecture of the first device;
comparing the first device signature with one or more known signatures; and
determining, based on the comparing, and without prior knowledge of the network traffic type, protocol or packet payload, a type of the first device and an identity of the first device.
14. A method comprising:
capturing, passively by a listening node in wired communication with a network, network traffic originating from a first device in wireless communication with the network, the network traffic routed over a wired segment to arrive at a destination node in communication with the network, wherein the listening node captures the network traffic from the wired segment;
measuring, independent of network traffic type, protocol or packet payload, one or more traffic properties including packet inter-arrival times of the captured network traffic;
generating a feature vector based on at least the one or more traffic properties;
analyzing one or more statistical properties of the feature vector;
generating a first device signature based on the analyzed one or more statistical properties, wherein the first device signature comprises encoded information about the hardware and software architecture of the first device;
comparing the first device signature with one or more known signatures; and
determining, based on the comparing, and without prior knowledge of network traffic type, protocol or packet payload, a type of the first device and an identity of the first device.