OS Fingerprinting and Tethering Detection in Mobile Networks

Mobile OS Fingerprinting

Problem statement
Infer what operating system a device is running by

Importance

Tethering detection
Billing for shared access in mobile networks
Security
Policy enforcement in enterprise networks

IMC

Existing Works

IMC 2014

Limitation of Existing Works

Existing works focus on the Internet traffic
Mobile networks impose

Approach

Identify features to fingerprint mobile device OSes
Detect tethering
Clock frequency stability, boot time

Dataset

IMC 2014

Lab trace
56 mobile user traces
14 Android phones and tablets traces
Samsung Galaxy

Other Datasets

IMC 2014

Features

Clock Frequency
The frequency is stable in Android and Windows,
but vary over

Features

IP ID Monotonicity

Android:
Some devices completely randomize the IP IDs
Some periodically reset to

Features

TCP Timestamp Option
iOS and Android have TCP TS Option,
but Windows doesn’t

Features

IP Time-To-Live
TCP Window Size Scale Option
Boot time estimation

IMC 2014

Probability of finding feature fi in all traffic

Probability of finding feature fi

Tethering Detection

Apply the same technique for tethering detection.
Features which identify mobile devices
IP

Evaluation – Single Feature

No single feature identifies all OSes accurately.

Evaluation – Combing Features

Combining all features yields the best result.

Evaluation – Tethering Detection

Combining all features also yields the best result in

Conclusion

Contributions
Identify new features for mobile OS fingerprinting and tethering detection
Develop a

Thank You!

IMC 2014

yichao@cs.utexas.edu

Backup Slides

IMC 2014

Mobile OS Fingerprinting

IMC 2014

Features

IP Time-To-Live (TTL)
Windows: 64 or 128
iOS and Android: 64

Features

TCP Window Size Scale Option
iOS: 16
Windows and Android: 2, 4, 64, or