Featured Technology:
Passive Forensic Identification of Network TCP/IP Communication Endpoints

LEARN MORE  Market Need | Features | Technology Description | Availability | Product Contacts

Market Need

The biggest headlines in network security seem to feature the dark world of outside hackers, worms and viruses. In reality, however, a company's computer network is more likely to be compromised by people inside the organization, either due to malicious acts or simple non-compliance to established security protocols.  Sometimes it is hard to identify who the users are when a company uses Network Address Translation (NAT) in order to enable multiple hosts on a private network to access the internet using a single public IP address.

A traditional approach to find out who the non-compliant user is would be to remove drives from suspicious computers after hours, image them and then replace them in order to analyze deleted files, fragments, inodes, logs and histories to find evidence of malicious or non-compliant use.  The problem with this approach is that it is very labor intensive and there is a real chance that the adversary will discover he or she is under investigation and destroys evidence.

Researchers at the Johns Hopkins University Applied Physics Laboratory (JHU/APL) have developed a way to identify specific machines through Remote Network Fingerprinting.


  • Passive
  • Networked
  • Stealth
  • Exploits the physical uniqueness of the machine
  • Identifies the endpoints in a communication
  • Shows that an endpoint participated in a transaction or was not involved in a transaction

Technology Description

The University of California San Diego (UCSD) developed an approach that exploits small, microscopic deviations in device hardware: clock skews, to create a "fingerprint" of a machine.  The UCSD methodology collects time stamp values from an observed machine (during a collection phase) and plots these values against a measurer system time in a scatter plot.  After this step is completed, a Convex Hull Method of fit is plotted and the slope of this line is the clock skew of the observed machine.  The investigator would then group similar drifts to sort out individual machines.  This method posed but did not address the required sampling size and the effect of differing topologies.  It also ignored statistical techniques.  Using a convex hull technique, instead of a linear regression technique, throws out the whole body of error analysis theory.

The researchers at JHU/APL expanded the UCSD research by estimating skew via linear regression and used error analysis theory to determine the required sample size.  They simulated WAN delay and measured PCI bus to link clock skew to the physical world and found that PCI bus clock speed is directly related to clock skew.  Linear regression uniquely identifies machines to within a couple parts per million.  Also, the number of samples required is directly proportional to the observed timestamp error and confidence interval, while it is inversely proportional to collection interval and allowed parts per million tolerance.

The JHU/APL approach to Passive Forensic Identification of Networked TCP/IP communication endpoints allows for a repeatable way to fingerprint a specific machine using the simple technique of linear regression and statistical error analysis guides the investigator on how much information needs to be collected.


This technology is currently available for licensing.

Product Contacts

Licensing Information:

Norma Lee Todd
443/778-4528 (Baltimore Metro Area)
FAX: 443/778-5882
BACK TO: Featured Technology | Top of Page