Remote Physical Device Fingerprinting
April-June 2005 (vol. 2 no. 2)
pp. 93-108
We introduce the area of remote physical device fingerprinting, or fingerprinting a physical device, as opposed to an operating system or class of devices, remotely, and without the fingerprinted device's known cooperation. We accomplish this goal by exploiting small, microscopic deviations in device hardware: clock skews. Our techniques do not require any modification to the fingerprinted devices. Our techniques report consistent measurements when the measurer is thousands of miles, multiple hops, and tens of milliseconds away from the fingerprinted device and when the fingerprinted device is connected to the Internet from different locations and via different access technologies. Further, one can apply our passive and semipassive techniques when the fingerprinted device is behind a NAT or firewall, and also when the device's system time is maintained via NTP or SNTP. One can use our techniques to obtain information about whether two devices on the Internet, possibly shifted in time or IP addresses, are actually the same physical device. Example applications include: computer forensics; tracking, with some probability, a physical device as it connects to the Internet from different public access points; counting the number of devices behind a NAT even when the devices use constant or random IP IDs; remotely probing a block of addresses to determine if the addresses correspond to virtual hosts, e.g., as part of a virtual honeynet; and unanonymizing anonymized network traces.

Index Terms:
Network-level security and protection, privacy.
Citation:
Tadayoshi Kohno, Andre Broido, K.C. Claffy, "Remote Physical Device Fingerprinting," IEEE Transactions on Dependable and Secure Computing, vol. 2, no. 2, pp. 93-108, April-June 2005, doi:10.1109/TDSC.2005.26