See 2010

Behavioral and Syntactic Device Fingerprinting


Jérôme François (INRIA Nancy - Grand Est)


14 April 2010






The growth of computer networks like the Internet entailed the huge increase of networked applications and the apparition of multiple, various protocols. Besides, there are many distinct applications for a single protocol which can be remotely identified thanks to device fingerprinting techniques whose the domain of application is related to security and network management. For example, the rogue devices can be detected. Device fingerprinting helps to automatically construct an up-to-date inventory database which is an useful tool for rapid patching in case of 0-day attacks for example. Other applications include a reinforced authentication system as for instance for wireless protocols with an additional check based on fingerprinting.

The presentation focuses on two novel passive device fingerprinting techniques. The first one is based on the behavioral representation of devices which corresponds to the interactions of devices. A new formalism is proposed for aggregating the sequences of messages into a tree with delay indications. Thus, this representation needs only message types which may be easily inferred by a reverse protocol engineering tool. Other approaches need to know the grammar of the protocol which is more difficult to get by reverse protocol engineering. Hence, this novel method is well adapted for unknown or proprietary protocols.

The second method highlighted in the presentation relies on the protocol syntax. Although common methods consider the flat content of the messages or the value of some fields, the syntactic fingerprinting is based on the syntactic tree representation of messages. This structure contains more valuable information and is more difficult to fake than a single field as the user-agent field defined for many protocols which contains the device identity.

Finally, the behavioral and syntactic fingerprinting are totally automatic whereas most of the current approaches need manual analysis. These new fingerprinting methods are based on classification and learning machine algorithms especially support vectors machines which have to be adapted for dealing with tree representation thanks to new kernel functions and/or distance metrics based on tree isomorphism.


Jérôme François is a Ph.D. research engineer at INRIA Nancy - Grand Est. He studied at ESIAL (Ecole Supérieure d'Informatique et ses Applications de Lorraine), a French leading school in computer science. In 2006, he obtained a Masters diploma in computer research. He began his PhD three years ago on the supervision of Olivier Festor and Radu State in the Madynes team in Loria laboratory (INRIA Lorraine - Nancy Grand Est France). He received his Ph.D. on robustness and identification of communicating applications from the Université Henry Poincaré in Nancy, France, in December 2009. Their current research activities are related to network security (fingerprinting and intrusion detection).