Remote Identification of IoT Devices via Analysis of Temporal Dynamics of TCP Sequence Numbers
Abstract
Due to their computational restrictions and incorrect configurations, devices in the Internet of Things (IoT) are easy targets for various attacks. In this paper, a novel approach based on the ordinal patterns transformations is proposed for the remote identification of Operating Systems (OSs), a fundamental step to identify possible vulnerabilities in these devices. For that, the dynamic behavior of the initial sequence numbers (ISN), contained within the header of the Transmission Control Protocol (TCP), is analyzed. We verified the method’s ability to detect similarities and differences between classic and modern OSs, comparing them with IoT devices. The experiments prove its effectiveness in recognizing OSs by their different ISN generation patterns, outperforming consolidated tools such as Nmap, as well as being able to classify them with 100% accuracy in certain cases.
Keywords:
Remote Identification of Operating Systems, Internet of Things, Ordinal Pattern Transformation, Computer Network Security
References
Bandt, C. and Pompe, B. (2002). Permutation entropy: A natural complexity measure for time series. Physical Review Letters, 88(17):174102.
Beck, F., Festor, O., and Chrisment, I. (2007). IPv6 Neighbor Discovery Protocol based OS fingerprinting. report, INRIA. Pages: 27.
Bertino, E. and Islam, N. (2017). Botnets and IoT Security. Computer, 50:76–79.
Borges, J. B., Medeiros, J. P. S., Barbosa, L. P. A., Ramos, H. S., and Loureiro, A. A. F. (2023). IoT Botnet Detection Based on Anomalies of Multiscale Time Series Dynamics. IEEE Transactions on Knowledge and Data Engineering, 35(12):12282–12294.
Borges, J. B., Ramos, H. S., and Loureiro, A. A. F. (2022). A classification strategy for internet of things data based on the class separability analysis of time series dynamics. ACM Transactions on Internet of Things, 3(3):23:1–23:30.
Borges, J. B., Ramos, H. S., Mini, R. A. F., Rosso, O. A., Frery, A. C., and Loureiro, A. A. F. (2019). Learning and distinguishing time series dynamics via ordinal patterns transition graphs. Applied Mathematics and Computation, 362(C):1–1.
Chagas, E. T. C., Borges, J. B., and Ramos, H. S. (2022). Uso de padrões ordinais na caracterização e análise de ataques de botnets em internet das coisas (iot). In Simpósio Brasileiro de Sistemas Multimídia e Web (WebMedia), page 133–137. SBC.
Eddy, W. (2022). Transmission Control Protocol (TCP). RFC 9293.
Fan, H., Kong, B., Li, G., Li, J., Zhang, J., An, Y., Wan, J., Zhang, Z., and Fan, J. (2022). A random forest-based operating system recognition algorithm for network security. In 2022 International Conference on Computer Engineering and Artificial Intelligence (ICCEAI), pages 539–550.
Feldman, D. P. and Crutchfield, J. P. (1998). Measures of statistical complexity: Why? Physics Letters A, 238(4–5):244–252.
Gont, F. and Bellovin, S. (2012). Defending against Seq. Number Attacks. RFC 6528.
Laštovička, M., Husák, M., Velan, P., Jirsík, T., and Čeleda, P. (2023). Passive operating system fingerprinting revisited: Evaluation and current challenges. Computer Networks, 229:109782.
Lyon, G. F. (2009). Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Insecure, Sunnyvale, CA, USA.
Medeiros, J. P. S., Brito, A. M., and Motta Pires, P. S. (2010). An effective tcp/ip fingerprinting technique based on strange attractors classification. In Data Privacy Management and Autonomous Spontaneous Security, pages 208–221, Berlin, Heidelberg. Springer Berlin Heidelberg.
Ordorica, A. (2017). Operating System Identification by IPv6 Communication using Machine Learning Ensembles. Graduate Theses and Dissertations.
Rosso, O. A., Larrondo, H. A., Martin, M. T., Plastino, A., and Fuentes, M. A. (2007). Distinguishing noise from chaos. Physical Review Letters, 99(15):154102.
Shamsi, Z., Nandwani, A., Leonard, D., and Loguinov, D. (2016). Hershel: Single-packet os fingerprinting. IEEE/ACM Transactions on Networking, 24(4):2196–2209.
Song, J., Cho, C., and Won, Y. (2019). Analysis of operating system identification via fingerprinting and machine learning. Computers & Electrical Engineering, 78:1–10.
Tan, E., Algar, S. D., Corrêa, D., Stemler, T., and Small, M. (2023). Network representations of attractors for change point detection. Communications Physics, 6(1):1–14.
Zanin, M. (2023). Continuous ordinal patterns: Creating a bridge between ordinal analysis and deep learning. Chaos: An Interdisciplinary Journal of Nonlinear Science, 33(3):033114.
Beck, F., Festor, O., and Chrisment, I. (2007). IPv6 Neighbor Discovery Protocol based OS fingerprinting. report, INRIA. Pages: 27.
Bertino, E. and Islam, N. (2017). Botnets and IoT Security. Computer, 50:76–79.
Borges, J. B., Medeiros, J. P. S., Barbosa, L. P. A., Ramos, H. S., and Loureiro, A. A. F. (2023). IoT Botnet Detection Based on Anomalies of Multiscale Time Series Dynamics. IEEE Transactions on Knowledge and Data Engineering, 35(12):12282–12294.
Borges, J. B., Ramos, H. S., and Loureiro, A. A. F. (2022). A classification strategy for internet of things data based on the class separability analysis of time series dynamics. ACM Transactions on Internet of Things, 3(3):23:1–23:30.
Borges, J. B., Ramos, H. S., Mini, R. A. F., Rosso, O. A., Frery, A. C., and Loureiro, A. A. F. (2019). Learning and distinguishing time series dynamics via ordinal patterns transition graphs. Applied Mathematics and Computation, 362(C):1–1.
Chagas, E. T. C., Borges, J. B., and Ramos, H. S. (2022). Uso de padrões ordinais na caracterização e análise de ataques de botnets em internet das coisas (iot). In Simpósio Brasileiro de Sistemas Multimídia e Web (WebMedia), page 133–137. SBC.
Eddy, W. (2022). Transmission Control Protocol (TCP). RFC 9293.
Fan, H., Kong, B., Li, G., Li, J., Zhang, J., An, Y., Wan, J., Zhang, Z., and Fan, J. (2022). A random forest-based operating system recognition algorithm for network security. In 2022 International Conference on Computer Engineering and Artificial Intelligence (ICCEAI), pages 539–550.
Feldman, D. P. and Crutchfield, J. P. (1998). Measures of statistical complexity: Why? Physics Letters A, 238(4–5):244–252.
Gont, F. and Bellovin, S. (2012). Defending against Seq. Number Attacks. RFC 6528.
Laštovička, M., Husák, M., Velan, P., Jirsík, T., and Čeleda, P. (2023). Passive operating system fingerprinting revisited: Evaluation and current challenges. Computer Networks, 229:109782.
Lyon, G. F. (2009). Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Insecure, Sunnyvale, CA, USA.
Medeiros, J. P. S., Brito, A. M., and Motta Pires, P. S. (2010). An effective tcp/ip fingerprinting technique based on strange attractors classification. In Data Privacy Management and Autonomous Spontaneous Security, pages 208–221, Berlin, Heidelberg. Springer Berlin Heidelberg.
Ordorica, A. (2017). Operating System Identification by IPv6 Communication using Machine Learning Ensembles. Graduate Theses and Dissertations.
Rosso, O. A., Larrondo, H. A., Martin, M. T., Plastino, A., and Fuentes, M. A. (2007). Distinguishing noise from chaos. Physical Review Letters, 99(15):154102.
Shamsi, Z., Nandwani, A., Leonard, D., and Loguinov, D. (2016). Hershel: Single-packet os fingerprinting. IEEE/ACM Transactions on Networking, 24(4):2196–2209.
Song, J., Cho, C., and Won, Y. (2019). Analysis of operating system identification via fingerprinting and machine learning. Computers & Electrical Engineering, 78:1–10.
Tan, E., Algar, S. D., Corrêa, D., Stemler, T., and Small, M. (2023). Network representations of attractors for change point detection. Communications Physics, 6(1):1–14.
Zanin, M. (2023). Continuous ordinal patterns: Creating a bridge between ordinal analysis and deep learning. Chaos: An Interdisciplinary Journal of Nonlinear Science, 33(3):033114.
Published
2025-05-19
How to Cite
OLIVEIRA, Manoel Anízio Azevedo de; BARBOSA, Luiz Paulo de Assis; LOUREIRO, Antonio Alfredo Ferreira; MEDEIROS, João Paulo de Souza; BORGES, João Batista.
Remote Identification of IoT Devices via Analysis of Temporal Dynamics of TCP Sequence Numbers. In: URBAN COMPUTING WORKSHOP (COURB), 9. , 2025, Natal/RN.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2025
.
p. 251-264.
ISSN 2595-2706.
DOI: https://doi.org/10.5753/courb.2025.9529.
