Published January 20, 2025 | Version v1
Dataset Open

Transferability of TCP/IP-based OS fingerprinting models

  • 1. CESNET
  • 2. Czech Technical University in Prague
  • 3. Czech Education and Scientific Network

Description

Datasets published with the research paper "Transferability of TCP/IP-based OS fingerprinting models", presented at the "2025 IFIP Networking Conference (IFIP Networking)".

The datasets contain OS-annotated network flows, exported via ipfixprobe. Four datasets (subnet1, subnet2, subnet3, subnet4) were captured in the research network CESNET3 and annotated using HTTP User-Agent, HTTP Host Name, TLS SNI, QUIC SNI, hand annotation, reverse DNS lookup and Shodan. The first subnet (subnet1) contains networks of several small institutions; the other three (subnet2-4) belong to large universities.

The dataset local was captured on a local private network and was annotated manually with information from DHCP logs and an internal client database.

All data were captured on the same day in September 2024.

A link to the research paper and a citation will be added when available.

----------------------------------------------------------------------------
Dataset contents:

| Dataset  | Flow count | Unique devices | Features | Unique OS |
|----------|------------|----------------|----------|-----------|
| subnet1  | 2,072,414  | 8,634          | 20       | 5         |
| subnet2  | 5,543,868  | 4,667          | 20       | 5         |
| subnet3  | 4,061,360  | 5,266          | 20       | 5         |
| subnet4  | 14,082,272 | 5,680          | 20       | 5         |
| local    | 16,919,278 | 984            | 6        | 5         |
| Total    | 42,678,919 | 25,231         |          |           |

----------------------------------------------------------------------------

Class distribution across the datasets:

| Dataset |  Android   |      iOS   |    Linux   |    macOS   |   Windows   |
|---------|------------|------------|------------|------------|-------------|
| subnet1 | 56,824     | 413        | 116,269    | 118,905    | 1,780,003   |
| subnet2 | 102,409    | 15,431     | 228,793    | 248,529    | 4,948,706   |
| subnet3 | 266,743    | 10,029     | 109,599    | 284,994    | 3,391,995   |
| subnet4 | 9,534      | 2,273      | 10,299,005 | 108,759    | 3,662,701   |
| local   | 4,126,053  | 1,586,040  | 177,842    | 1,398,778  | 9,630,565   |

----------------------------------------------------------------------------

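Included features in datasets subnet1, subnet2, subnet3 and subnet4:

| Feature        | Description                                             |
|----------------|---------------------------------------------------------|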
| OS_LABEL       | OS annotation label                                     |
| DST_PORT       | transport layer destination port                        |
| SRC_PORT       | transport layer source port                             |
| TCP_SYN_SIZE   | TCP SYN packet size                                     |
| TCP_WIN        | TCP window size                                         |
| TCP_WIN_REV    | TCP window size                                         |
| TCP_MSS        | TCP maximum segment size                                |
| PACKETS        | number of packets in data flow (src to dst)             |
| PACKETS_REV    | number of packets in data flow (dst to src)             |
| BYTES          | number of bytes in data flow (src to dst)               |
| BYTES_REV      | number of bytes in data flow (dst to src)               |
| TCP_OPTIONS    | TCP options bitfield                                    |
| TCP_OPTIONS_REV| TCP options bitfield                                    |
| DIR_BIT_FIELD  | bit field for determining outgoing/incoming traffic     |
| FLOW_END_REASON| FlowEndReason [RFC5102]                                 |
| L3_FLAGS       | L3 FLAGS                                                |
| L3_FLAGS_REV   | L3 FLAGS                                                |
| PROTOCOL       | transport protocol                                      |
| TCP_FLAGS      | TCP protocol flags (src to dst)                         |
| TTL            | IP TTL field (rounded to nearest higher power of two)   |
| TTL_REV        | IP TTL field                                            |

----------------------------------------------------------------------------

Included features in dataset local1:

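| Feature        | Description                                             |
|----------------|---------------------------------------------------------|
| OS_LABEL       | OS annotation label                                     |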
| SRC_PORT       | transport layer source port                             |
| TCP_SYN_SIZE   | TCP SYN packet size                                     |
| TCP_WIN        | TCP window size                                         |
| TCP_MSS        | TCP maximum segment size                                |
| PROTOCOL       | transport protocol                                      |
| TTL            | IP TTL field (rounded to nearest higher power of two)   |

Detailed information about the included fields can be found at:
https://github.com/CESNET/ipfixprobe
or
https://ipfixprobe.cesnet.cz/en/plugins
----------------------------------------------------------------------------

For more information, contact the author via email (hulakmat@fit.cvut.cz).

Files

OS_datasets_0924.zip (281.3 MB)
md5:63e69bc1c92818ea3ed5bd094cc557fe