Seqnature: Extracting Network Fingerprints from Packet Sequences

This paper proposes a general network fingerprinting framework, Seqnature, that uses packet sequences as its basic data unit and that makes it simple to implement any fingerprinting technique that can be formulated as a problem of identifying packet exchanges that consistently occur when the fingerprinted event is triggered. We demonstrate the versatility of Seqnature by using it to implement five different fingerprinting techniques, as special cases of the framework, which broadly fall into two categories: (i) fingerprinting techniques that consider features of each individual packet in a packet sequence, e.g., size and direction; and (ii) fingerprinting techniques that only consider stream-wide features, specifically what Internet endpoints are contacted. We illustrate how Seqnature facilitates comparisons of the relative performance of different fingerprinting techniques by applying the five fingerprinting techniques to datasets from the literature. The results confirm findings in prior work, for example that endpoint information alone is insufficient to differentiate between individual events on Internet of Things devices, but also show that smart TV app fingerprints based exclusively on endpoint information are not as distinct as previously reported.