Section: New Results
Fingerprinting
Participants: Olivier Festor [contact], Humberto Abdelnur, Jérôme François.
The goal of this work is to propose new methods to automatically identify the type of a device (hardware or software). This challenging task is related to network management, as it can help to build an inventory of the different active devices. Device fingerprinting also serves the security domain: for instance, it can detect the potential victims of a new attack, so that a patch can be provided to them rapidly, or it can track abnormal devices such as attackers. In the same way, a reinforced authentication mechanism can rely on fingerprinting to identify the devices.
The first method we propose aims to infer the type of a device without strong knowledge of the employed protocol, by considering only the types of the exchanged messages. Hence, a first step of protocol reverse engineering needs to be applied. We propose a novel method based only on network traces, which benefits from recent classification techniques (Support Vector Clustering) [16]. Compared with other similar techniques, its main advantage is a limited complexity. The fingerprinting method itself introduces a new formalization, the “Random Tree Parameterized Extended Finite State Machine” (TR-FSM), which represents the behavior of a device: the set of sequences of messages that this device exchanges with other ones. In order to apply the multi-class support vector machine classification algorithm, a new kernel function was introduced; it provides very good results [39] on the SIP protocol, a protocol widely used by VoIP operators today and for which many threats exist.
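The following example is added here to make the behavioral idea concrete; it is not the TR-FSM formalization or the kernel of the paper. It assumes that a device's behavior is the set of message-type sequences it exchanges, stores every sequence prefix as a root-to-node path of a prefix tree, compares two behaviors with a dot product over those paths (a valid kernel), and identifies an unknown device by nearest behavior instead of a trained SVM. The traces and device names are constructed.

```python
"""Behavioral fingerprinting from message-type sequences (toy version).

Added illustration, not the paper's TR-FSM or kernel: sequences of message
types are stored as prefix-tree paths and compared with a path-count dot
product. All traces below are constructed.
"""
from collections import defaultdict

# Constructed training traces: device type -> list of sessions, each the
# ordered list of message types observed for one dialog of that device.
TRAINING = {
    "phone-A": [
        ["REGISTER", "401", "REGISTER", "200"],
        ["REGISTER", "401", "REGISTER", "200", "SUBSCRIBE", "200"],
        ["INVITE", "100", "180", "200", "ACK", "BYE", "200"],
    ],
    "phone-B": [
        ["REGISTER", "200"],
        ["REGISTER", "200", "OPTIONS", "200"],
        ["INVITE", "100", "200", "ACK", "BYE", "200"],
    ],
}


def prefix_paths(sessions):
    """Count every prefix of every session: these are the root-to-node
    paths of the prefix tree built from the sessions, weighted by count."""
    counts = defaultdict(int)
    for session in sessions:
        for k in range(1, len(session) + 1):
            counts[tuple(session[:k])] += 1
    return counts


def kernel(a, b):
    """Dot product over shared prefix paths (positive semi-definite by
    construction, so it could also feed an SVM)."""
    return sum(count * b[path] for path, count in a.items() if path in b)


def normalized_kernel(a, b):
    """Cosine normalization so devices with longer traces do not dominate."""
    return kernel(a, b) / (kernel(a, a) * kernel(b, b)) ** 0.5


def fingerprint(sessions, training=TRAINING):
    """Nearest-behavior identification: return (device type, score) of the
    training device whose behavior is most similar to the observed one."""
    observed = prefix_paths(sessions)
    scores = {label: normalized_kernel(observed, prefix_paths(s))
              for label, s in training.items()}
    best = max(scores, key=scores.get)
    return best, round(scores[best], 3)


if __name__ == "__main__":
    unknown = [["REGISTER", "401", "REGISTER", "200"],
               ["INVITE", "100", "180", "200", "ACK"]]
    print(fingerprint(unknown))  # ('phone-A', 0.867)
```

Only message types are used, never payloads, which is what lets the approach stay protocol-agnostic; the price is that two devices following the same dialog pattern are indistinguishable until a distinguishing exchange (here the 401 challenge round trip or the 180 ringing) is observed.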
The second fingerprinting technique assumes knowledge of the protocol grammar in order to build the syntactic tree of a message. Most other current approaches are very specific, as they study particular fields of a protocol. Our approach is not tied to a specific protocol and does not focus on the semantics of certain fields, but rather on the hierarchical organization of the message content. A new similarity function is defined to compare two syntactic trees. The results on the SIP protocol are very encouraging (90%). Besides, we extend the ROCK classification algorithm to propose an unsupervised method for identifying devices without any learning process [38].
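As an added illustration of the syntactic approach (not the paper's similarity function, nor its ROCK extension), the example below parses constructed SIP REGISTER requests into a syntactic tree, replaces leaf values by coarse token classes so that only the hierarchical organization matters, compares trees with a weighted Jaccard index over root-to-leaf paths, and groups messages without any training by single linkage above a similarity threshold. The token classes, the threshold and the message contents are assumptions for the demonstration; this toy does not encode header order, which a real syntactic tree would preserve.

```python
"""Syntactic-tree fingerprinting of protocol messages (toy version).

Added illustration, not the paper's similarity function or ROCK extension.
Leaf values become token classes; similarity is Jaccard over tree paths.
"""
import re
from collections import Counter

# Constructed REGISTER requests: two from one stylistic family (rport in Via,
# User-Agent header) and two from another (Max-Forwards, quoted display
# names, numeric Call-ID, q parameter on Contact).
MESSAGES = [
    """REGISTER sip:registrar.example.net SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;rport;branch=z9hG4bKabc
From: <sip:alice@example.net>;tag=1a2b
Call-ID: 7f1c@192.0.2.10
Contact: <sip:alice@192.0.2.10:5060>;expires=3600
User-Agent: FamilyX-Phone/1.0""",
    """REGISTER sip:registrar.example.net SIP/2.0
Via: SIP/2.0/UDP 192.0.2.11:5060;rport;branch=z9hG4bKdef
From: <sip:bob@example.net>;tag=3c4d
Call-ID: 9e2a@192.0.2.11
Contact: <sip:bob@192.0.2.11:5060>;expires=3600
User-Agent: FamilyX-Phone/1.0""",
    """REGISTER sip:registrar.example.net SIP/2.0
Via: SIP/2.0/UDP 198.51.100.7;branch=z9hG4bK77a
Max-Forwards: 70
From: "Carol" <sip:carol@example.net>;tag=55
Call-ID: 31337
Contact: <sip:carol@198.51.100.7>;q=0.5""",
    """REGISTER sip:registrar.example.net SIP/2.0
Via: SIP/2.0/UDP 198.51.100.8;branch=z9hG4bK78b
Max-Forwards: 70
From: "Dave" <sip:dave@example.net>;tag=56
Call-ID: 31338
Contact: <sip:dave@198.51.100.8>;q=0.7""",
]


def token_class(value):
    """Abstract a leaf value to a coarse class so exact values do not matter."""
    value = value.strip()
    if re.fullmatch(r"\d+", value):
        return "NUM"
    if value.startswith('"'):
        return "QUOTED"
    return "ADDR" if "@" in value else "WORD"


def parse(message):
    """Syntactic tree of a SIP-like request as nested (label, children) pairs."""
    lines = [l for l in message.strip().splitlines() if l.strip()]
    method, uri, version = lines[0].split(" ", 2)
    request = ("request-line", [("method", [(method, [])]),
                                ("uri", [(token_class(uri), [])]),
                                ("version", [(version, [])])])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")          # split at first colon only
        parts = [p.strip() for p in value.split(";")]  # value, then parameters
        children = [("value", [(token_class(parts[0]), [])])]
        for param in parts[1:]:
            pname, eq, pval = param.partition("=")
            sub = [(token_class(pval), [])] if eq else []   # flag params have no value
            children.append(("param", [(pname, sub)]))
        headers.append(("header", [(name.strip(), children)]))
    return ("message", [request, ("headers", headers)])


def paths(tree, prefix=()):
    """Multiset of root-to-leaf label paths of a tree."""
    label, children = tree
    here = prefix + (label,)
    if not children:
        return Counter([here])
    total = Counter()
    for child in children:
        total.update(paths(child, here))
    return total


def similarity(t1, t2):
    """Weighted Jaccard index over the two path multisets."""
    p1, p2 = paths(t1), paths(t2)
    union = sum((p1 | p2).values())
    return sum((p1 & p2).values()) / union if union else 0.0


def group(messages, threshold=0.6):
    """Unsupervised single-linkage grouping of messages by tree similarity."""
    trees = [parse(m) for m in messages]
    parent = list(range(len(trees)))

    def find(i):
        return i if parent[i] == i else find(parent[i])

    for i in range(len(trees)):
        for j in range(i + 1, len(trees)):
            if similarity(trees[i], trees[j]) >= threshold:
                parent[find(i)] = find(j)
    groups = {}
    for i in range(len(trees)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())
```

Running `group(MESSAGES)` separates the two constructed families ([[0, 1], [2, 3]]) purely from which headers and parameters are present and how their values are shaped, without any rule naming a specific field; comparisons are meant between messages of the same type, since the request method is kept as a tree label.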