A Novel Data Mining Approach for Analysis and Pattern Recognition of Active Fingerprinting Components

Active fingerprinting is an effective penetration testing technique to know about vulnerability of hosts against security threats and network as a whole. Sometimes firewalls may block fingerprinting packets, hence making the probes infeasible. Measured Round Trip Time (RTTm) is a benign number that can be obtained from communication based on legitimate non malicious packets. In this paper, RTTm has been used along with other timers namely Smoothened Round-trip Time (SRTT), Round-trip Time Variance (RTTVar), Retransmission Time Out (RTO) and Scantime for pattern recognition and association analysis with the aid of cross-correlations. Experimental relationship among these timers are derived to back-up existing theoretical knowledge. A novel method to estimate IP-ID Sequence classes and network-traffic intensity based on these timers has been proposed. Results show that the model can be used to accurately derive (about 100% accuracy) active fingerprinting components IP-ID sequences and link traffic estimation. Analytical results obtained by this study can help in designing high-performance realistic networks and dynamic congestion control techniques.