
HeadPrint: detecting anomalous communications through header-based application fingerprinting

Published: 30 March 2020

Abstract

Passive application fingerprinting is a technique for detecting anomalous outgoing connections. By monitoring network traffic, a security monitor passively learns the network characteristics of the applications installed on each machine and uses them to detect the presence of new applications (e.g., a malware infection).
In this work, we propose HeadPrint, a novel passive fingerprinting approach that relies on only two orthogonal network header characteristics to distinguish applications, namely the order of the headers and their associated values. Our approach automatically identifies the set of characterizing headers, without relying on a predetermined set of header features. We implement HeadPrint, evaluate it in a real-world environment, and compare it with the state-of-the-art solution for passive application fingerprinting. We show that our approach is, on average, 20% more accurate and 30% more resilient to application updates than the state of the art. Finally, we evaluate our approach in the setting of anomaly detection and show that HeadPrint is capable of detecting the presence of malicious communication while generating significantly fewer false alarms than existing solutions.
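The two signals the abstract names, header order and header values, can be turned into a small learn-then-score detector. The following is an added illustration written for this page; it is not the HeadPrint implementation and makes no claim about the paper's actual similarity metrics or thresholds. It assumes a labelled baseline window (which process sent each request is known from endpoint telemetry), two hypothetical applications (ExampleBrowser, ExampleUpdater), constructed sample requests, difflib's Ratcliff/Obershelp ratio for header-order similarity, an equal weighting of the two signals, and a cut-off of 0.8. The one point it does take from the abstract is that the set of characterizing headers is learned per application rather than fixed in advance.

```python
"""Toy passive application fingerprinting from HTTP request headers.

Added illustration, not the HeadPrint code. Learns, per application, the
header orders it emits and the headers whose value never changes, then
scores new requests against every learned fingerprint.
"""
from collections import defaultdict
from difflib import SequenceMatcher

THRESHOLD = 0.8  # assumed cut-off; a deployment would tune it on clean traffic


def parse_headers(raw):
    """Ordered (name, value) list of an HTTP/1.x request; names lower-cased,
    order and values kept as sent because both carry the fingerprint."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def learn(labelled_requests):
    """Build one fingerprint per application from (app, raw_request) pairs.

    The label is an assumption of this toy (endpoint telemetry during a
    clean baseline). A fingerprint is the set of header orders seen plus the
    'stable' headers: present in every request with an unchanging value.
    Which headers are stable is learned, not chosen in advance."""
    by_app = defaultdict(list)
    for app, raw in labelled_requests:
        by_app[app].append(parse_headers(raw))
    model = {}
    for app, reqs in by_app.items():
        orders = {tuple(n for n, _ in r) for r in reqs}
        values = defaultdict(set)
        for r in reqs:
            for n, v in r:
                values[n].add(v)
        in_all = set.intersection(*[{n for n, _ in r} for r in reqs])
        stable = {n: next(iter(vs)) for n, vs in values.items()
                  if n in in_all and len(vs) == 1}
        model[app] = {"orders": orders, "stable": stable}
    return model


def order_similarity(order, fp):
    """Best Ratcliff/Obershelp ratio between a request's header order and the
    application's observed orders (SequenceMatcher accepts any hashable items)."""
    return max(SequenceMatcher(None, order, o).ratio() for o in fp["orders"])


def value_similarity(headers, fp):
    """Fraction of the application's stable headers seen with the learned
    value; a missing stable header counts as a mismatch."""
    if not fp["stable"]:
        return 1.0  # nothing learned about values; order decides alone
    present = dict(headers)
    hits = sum(1 for n, v in fp["stable"].items() if present.get(n) == v)
    return hits / len(fp["stable"])


def score(raw, model):
    """(best_app, best_score): the known application that best explains raw."""
    headers = parse_headers(raw)
    order = tuple(n for n, _ in headers)
    scored = {app: 0.5 * order_similarity(order, fp) + 0.5 * value_similarity(headers, fp)
              for app, fp in model.items()}
    best = max(scored, key=scored.get)
    return best, scored[best]


def is_anomalous(raw, model, threshold=THRESHOLD):
    """Anomalous when no learned application explains the request well enough."""
    return score(raw, model)[1] < threshold


def _req(first_line, *header_lines):
    """Assemble a raw request from constructed header lines."""
    return first_line + "\r\n" + "\r\n".join(header_lines) + "\r\n\r\n"


# Constructed baseline traffic of one host (hypothetical apps and hosts).
BASELINE = [
    ("ExampleBrowser", _req("GET / HTTP/1.1", "Host: www.example.com",
        "User-Agent: ExampleBrowser/1.0", "Accept: text/html", "Accept-Language: en-US",
        "Accept-Encoding: gzip, deflate", "Connection: keep-alive")),
    ("ExampleBrowser", _req("GET /logo.png HTTP/1.1", "Host: cdn.example.net",
        "User-Agent: ExampleBrowser/1.0", "Accept: image/png", "Accept-Language: en-US",
        "Accept-Encoding: gzip, deflate", "Connection: keep-alive")),
    ("ExampleUpdater", _req("GET /check HTTP/1.1", "User-Agent: ExampleUpdater/2.3",
        "Host: update.example.com", "Accept: application/json", "Connection: close")),
    ("ExampleUpdater", _req("GET /check HTTP/1.1", "User-Agent: ExampleUpdater/2.3",
        "Host: update.example.com", "Accept: application/json", "Connection: close")),
]
MODEL = learn(BASELINE)

# Constructed test requests: a new page from the browser, the same browser
# after a version bump, and a beacon whose header order and values match
# neither application.
NEW_BROWSER_PAGE = _req("GET /cart HTTP/1.1", "Host: shop.example.com",
    "User-Agent: ExampleBrowser/1.0", "Accept: text/css", "Accept-Language: en-US",
    "Accept-Encoding: gzip, deflate", "Connection: keep-alive")
UPDATED_BROWSER = NEW_BROWSER_PAGE.replace("ExampleBrowser/1.0", "ExampleBrowser/1.1")
BEACON = _req("POST /gate.php HTTP/1.1",
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Host: 203.0.113.7", "Cache-Control: no-cache",
    "Content-Type: application/x-www-form-urlencoded", "Content-Length: 42")

if __name__ == "__main__":
    for label, raw in [("new page", NEW_BROWSER_PAGE), ("updated browser", UPDATED_BROWSER),
                       ("beacon", BEACON)]:
        print(label, score(raw, MODEL), "ANOMALY" if is_anomalous(raw, MODEL) else "ok")
```

Two things the example is meant to show. First, because the stable headers are learned, Host and Accept drop out of the browser's fingerprint on their own, so a request to a never-seen site still scores as the browser, while a changed User-Agent after an update only costs one of four value matches and stays above the cut-off; a fixed feature list would have to anticipate that. Second, the beacon fails on both axes at once, since its header order resembles neither application and none of the learned values appear. The toy needs cleartext HTTP headers; on TLS traffic a monitor would have to sit behind an interception proxy or on the endpoint itself.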

Cited By

  • (2023) Model Update for Intrusion Detection: Analyzing the Performance of Delayed Labeling and Active Learning Strategies. Computers & Security, 103451. https://doi.org/10.1016/j.cose.2023.103451 (Aug 2023)
  • (2021) Hfinger: Malware HTTP Request Fingerprinting. Entropy 23(5), 507. https://doi.org/10.3390/e23050507 (23 Apr 2021)
  • (2021) Intrusion Detection over Network Packets using Data Stream Classification Algorithms. 2021 IEEE 33rd International Conference on Tools with Artificial Intelligence (ICTAI), 985-990. https://doi.org/10.1109/ICTAI52525.2021.00157 (Nov 2021)


    Published In

    SAC '20: Proceedings of the 35th Annual ACM Symposium on Applied Computing
    March 2020
    2348 pages
    ISBN:9781450368667
    DOI:10.1145/3341105
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. anomaly detection
    2. application fingerprinting
    3. network security

    Qualifiers

    • Research-article

    Conference

    SAC '20
    Sponsor: SAC '20: The 35th ACM/SIGAPP Symposium on Applied Computing
    March 30 - April 3, 2020
    Brno, Czech Republic

    Acceptance Rates

    Overall Acceptance Rate 1,650 of 6,669 submissions, 25%
