{"title":"ZPredict: ML-Based IPID Side-channel Measurements","authors":"Haya Schulmann, Shujie Zhao","doi":"10.1145/3672560","DOIUrl":null,"url":null,"abstract":"<p>Network reconnaissance and measurements play a central role in improving Internet security and are important for understanding the current deployments and trends. Such measurements often require coordination with the measured target. This limits the scalability and the coverage of the existing proposals. IP Identification (IPID) provides a side channel for remote measurements without requiring the targets to install agents or visit the measurement infrastructure. However, current IPID-based techniques have technical limitations due to their reliance on the idealistic assumption of stable IPID changes or prior knowledge, making them challenging to adopt for practical measurements. </p><p>In this work, we aim to tackle the limitations of existing techniques by introducing a novel approach: predictive analysis of IPID counter behavior. This involves utilizing a machine learning (ML) model to understand the historical patterns of IPID counter changes and predict future IPID values. To validate our approach, we implement six ML models and evaluate them on realistic IPID data collected from 4,698 Internet sources. Our evaluations demonstrate that among the six models, the GP (Gaussian Process) model has superior accuracy in tracking and predicting IPID values. </p><p>Using the GP-based predictive analysis, we implement a tool, called ZPredict, to infer various favorable information about target networks or servers. Our evaluation on a large dataset of public servers demonstrates its effectiveness in idle port scanning, measuring Russian censorship, and inferring Source Address Validation (SAV). </p><p>Our study methodology is ethical and was developed to mitigate any potential harm, taking into account the concerns associated with measurements.</p>","PeriodicalId":56050,"journal":{"name":"ACM Transactions on Privacy and Security","volume":"170 1","pages":""},"PeriodicalIF":3.0000,"publicationDate":"2024-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Privacy and Security","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1145/3672560","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0
Abstract
Network reconnaissance and measurements play a central role in improving Internet security and are important for understanding the current deployments and trends. Such measurements often require coordination with the measured target. This limits the scalability and the coverage of the existing proposals. IP Identification (IPID) provides a side channel for remote measurements without requiring the targets to install agents or visit the measurement infrastructure. However, current IPID-based techniques have technical limitations due to their reliance on the idealistic assumption of stable IPID changes or prior knowledge, making them challenging to adopt for practical measurements.
In this work, we aim to tackle the limitations of existing techniques by introducing a novel approach: predictive analysis of IPID counter behavior. This involves utilizing a machine learning (ML) model to understand the historical patterns of IPID counter changes and predict future IPID values. To validate our approach, we implement six ML models and evaluate them on realistic IPID data collected from 4,698 Internet sources. Our evaluations demonstrate that among the six models, the GP (Gaussian Process) model has superior accuracy in tracking and predicting IPID values.
Using the GP-based predictive analysis, we implement a tool, called ZPredict, to infer various favorable information about target networks or servers. Our evaluation on a large dataset of public servers demonstrates its effectiveness in idle port scanning, measuring Russian censorship, and inferring Source Address Validation (SAV).
Our study methodology is ethical and was developed to mitigate any potential harm, taking into account the concerns associated with measurements.
期刊介绍:
ACM Transactions on Privacy and Security (TOPS) (formerly known as TISSEC) publishes high-quality research results in the fields of information and system security and privacy. Studies addressing all aspects of these fields are welcomed, ranging from technologies, to systems and applications, to the crafting of policies.