Download presentation
Presentation is loading. Please wait.
Published byHortense Lang Modified over 9 years ago
1
Remote Hardware Fingerprinting: A Statistical Approach R. Fink ~ May, 2006
2
Problem Identify Specific Machines via Remote Network Fingerprinting Passive Networked Physical properties of the machine Use to: Identify endpoints in a communication Show that an endpoint participated in a transaction Show that an endpoint did not participate in a transaction Challenges: What properties? Similar machines? Network delay factors?
3
TCP Timestamp Option 32-bit TS Value indicates clock tick, bound to oscillator circuit, crystal Present in most TCP packets by default (all of Linux, Windows can be tricked) Best part: independent of network time server corrections! Timestamps Flags Reser ved Off set Source PortDestination Port Sequence Number Acknowledgement Number Checksum Window Size Urgent Pointer Options + Padding TCPTCP Kind=8Len=10TS Reply (32) TS Value (32)
4
Approach Passively collect TS values from observed machine, t o IP address identifies machine during collection phase Record t o along with measurer system time, t m Scatter-plot t o versus t m Fit a regression line to the slope Slope is the clock skew of the observed machine: that is, the amount of drift relative to the measurer per unit time Group similar drifts to sort out individual machines tmtm toto Clock skew Clock skew B Clock skew C
5
Previous Research Kohno, Claffy, Broido 63 Campus Machines 38 days of data (12 hour spans) Convex Hull Method of Fit Posed, but did not address: Required sample size Effect of differing topology Ignored Statistical Techniques ~ Using a convex hull technique, instead of a linear regression technique, throws out the whole body of error analysis theory!
6
Current Work Recreated Experiment 4 identical Dell GX-150 machines, one observer Collected initial data on fast switch Extended the Research Skew via linear regression algorithm Error analysis theory to estimate required number of samples Simulated WAN delay (via Linux Netfilter hacking) in progress Measured PCI bus with frequency counter to verify the physical link to clock skew
7
Results 1.PCI bus clock speed is directly related to clock skew 2.Linear regression (in LAN case) uniquely identifies machines to within a couple parts per million (ppm) 3.Number of samples required is directly proportional to observed timestamp error and confidence interval, inversely proportional to collection interval and allowed ppm tolerance Validated on repeated population subsets 4.Showed clock skew varies with machine temperature 5.In progress – experiments on WAN data
8
Summary Highlights Clock skew is a repeatable way to fingerprint a specific machine Linear regression, a simple machine learning concept, is readily applied Statistical error analysis tells us how much to collect Lowlights TCP timestamp options are, well, OPTIONAL ~ can just turn them off Future Research Wireless mobile devices: effect of battery, topology, mobility, clock stepping Other protocol properties, not just timestamps
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.