Intelligent Network Device Identification based on Active TCP/IP Stack Probing

Libing Qiao, Enhuan Dong, Huanpu Yin, Haisheng Li, Jiahai Yang

IEEE Network (2024)

Abstract
With the continuous development of network devices, their types and quantities keep increasing. Accurate identification of device types helps proactively protect potentially vulnerable devices exposed on the Internet. Among network device identification methods, active TCP/IP stack detection is an important one, since it does not require the target device to have many open ports. However, its performance is limited by the quality of the rule/fingerprint database. Maintaining such a database requires a lot of expert effort, making the method difficult to scale up. To solve the scalability problem, our insight in this paper is to use machine learning methods to generate network device classifiers without needing expert effort. However, generating labeled datasets, extracting features, and selecting features without expert effort is non-trivial. We propose IntelliNDI, an intelligent and active network device identification method. IntelliNDI collects network device type information from multiple cyberspace search engines and filters out the network devices that are assigned different types by different search engines. We regard the approximately consistent network device types as the ground truth network device types. As for feature extraction, we use the same attributes employed in the well-known Nmap protocol stack detection to avoid the need to construct features. Finally, we select features with basic ML methods. We implement IntelliNDI for several kinds of typical network devices. The trained classifiers in our experiments can achieve 90 percent accuracy.
Keywords
Network Device Identification, Active TCP/IP Stack Probing