In this paper, we present the modular design and implementation of DONUT, a novel tool for identifying the software running on a device. Our tool uses a rule-based approach to detect software-specific DNS fingerprints (stored in an easily extendable database) in passively monitored DNS traffic. We automated the rule extraction process for DONUT with the help of ATLAS, a novel tool we developed for labeling network traffic by the software that created it. We demonstrate the functionality of our pipeline by generating rules for a number of applications, evaluate the performance as well as the scalability of the analysis, and confirm the functional correctness of DONUT using an artificial data set for which the ground truth is known. In addition, we evaluate DONUT's analysis results on a large real-world data set with unknown ground truth.
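To make the rule-based matching idea concrete, here is a small added example (not DONUT's or ATLAS's own code, and not their real rule format or fingerprints) that runs a constructed fingerprint database over a few constructed passive DNS log lines and reports, per client, which software the rules identify. The log format (timestamp, client IP, query name, query type), the rule structure (a software is identified only when all of its required domain patterns were queried by the same client) and every domain name are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict

# Constructed rule database (hypothetical; not DONUT's real rules).
# A rule fires for a client only when every "required" pattern has been
# observed in that client's queries, which limits false positives from a
# single shared CDN or vendor domain.
RULES = {
    "ExampleChat": {
        "required": [r"^api\.examplechat\.example$",
                     r"^cdn\.examplechat\.example$"],
    },
    "ExampleUpdater": {
        "required": [r"^updates\.examplevendor\.example$"],
    },
}

# Constructed passive DNS log: "<timestamp> <client_ip> <qname> <qtype>".
DNS_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 api.examplechat.example. A
2024-01-01T10:00:01Z 10.0.0.5 cdn.examplechat.example A
2024-01-01T10:00:02Z 10.0.0.7 API.examplechat.example A
2024-01-01T10:00:03Z 10.0.0.7 www.unrelated.example AAAA
this line is malformed and must be skipped
2024-01-01T10:00:04Z 10.0.0.5 updates.examplevendor.example A
"""


def compile_rules(rules):
    """Precompile every pattern once; names are matched case-insensitively."""
    return {
        software: [re.compile(p, re.IGNORECASE) for p in spec["required"]]
        for software, spec in rules.items()
    }


def parse_dns_log(text):
    """Yield (client_ip, qname) pairs, normalising the query name.

    Query names are lower-cased and a trailing root dot is removed so that
    'API.examplechat.example.' and 'api.examplechat.example' compare equal.
    Lines that do not have exactly four fields are skipped.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _timestamp, client, qname, _qtype = fields
        yield client, qname.lower().rstrip(".")


def match_rules(records, compiled_rules):
    """Return {client_ip: sorted list of identified software}.

    Every client seen in the log appears in the result, with an empty list
    when none of the rules is fully satisfied.
    """
    queried = defaultdict(set)
    for client, qname in records:
        queried[client].add(qname)

    result = {}
    for client, names in queried.items():
        identified = []
        for software, patterns in compiled_rules.items():
            if all(any(p.match(n) for n in names) for p in patterns):
                identified.append(software)
        result[client] = sorted(identified)
    return result


def identify_software(log_text=DNS_LOG, rules=RULES):
    """Run the whole pipeline on a log text with the given rule database."""
    return match_rules(parse_dns_log(log_text), compile_rules(rules))


if __name__ == "__main__":
    for client, software in sorted(identify_software().items()):
        print(client, software)
```

In this run, client 10.0.0.5 satisfies both rules, while 10.0.0.7 queried only one of the two domains required for ExampleChat and is therefore not labelled, which is the behaviour the all-patterns-required rule shape is meant to give. A real deployment would add query-type and timing constraints to the rules and extend the database as new fingerprints are extracted.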