HeadPrint: Detecting Anomalous Communications through Header-based APplication Fingerprinting

Riccardo Bortolameotti*, Thijs Sebastiaan van Ede, Andrea Continella, Thomas Michael Hupperich, Maarten Hinderik Everts, Reza Rafati, Willem Jonker, Pieter Hendrik Hartel, Andreas Peter

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

Abstract

Passive application fingerprinting is a technique to detect anomalous outgoing connections. By monitoring the network traffic, a security monitor passively learns the network characteristics of the applications installed on each machine, and uses them to detect the presence of new applications (e.g., malware infection).

In this work, we propose HeadPrint, a novel passive fingerprinting approach that relies only on two orthogonal network header characteristics to distinguish applications, namely the order of the headers and their associated values. Our approach automatically identifies the set of characterizing headers, without relying on a predetermined set of header features. We implement HeadPrint, evaluate it in a real-world environment and we compare it with the state-of-the-art solution for passive application fingerprinting. We demonstrate our approach to be, on average, 20% more accurate and 30% more resilient to application updates than the state-of-the-art. Finally, we evaluate our approach in the setting of anomaly detection, and we show that HeadPrint is capable of detecting the presence of malicious communication, while generating significantly fewer false alarms than existing solutions.

Original language: English
Title of host publication: SAC'20
Pages: 1696-1705
Number of pages: 10
ISBN (Electronic): 978-1-4503-6866-7
DOIs: https://doi.org/10.1145/3341105.3373862
Publication status: Published - 30 Mar 2020
Event: 35th Annual ACM Symposium on Applied Computing, SAC 2020 - Brno, Czech Republic
Duration: 30 Mar 2020 to 3 Apr 2020
Conference number: 35
https://www.sigapp.org/sac/sac2020/#notice

Conference

Conference: 35th Annual ACM Symposium on Applied Computing, SAC 2020
Abbreviated title: SAC 2020
Country: Czech Republic
City: Brno
Period: 30/03/20 to 3/04/20

Keywords

  • application fingerprinting
  • network security
  • anomaly detection

  • Cite this

    Bortolameotti, R., van Ede, T. S., Continella, A., Hupperich, T. M., Everts, M. H., Rafati, R., ... Peter, A. (2020). HeadPrint: Detecting Anomalous Communications through Header-based APplication Fingerprinting. In SAC'20 (pp. 1696-1705) https://doi.org/10.1145/3341105.3373862