Abstract
The ubiquity of Network Address Translation (NAT) and mobile hotspots that aggregate source IP addresses of connected devices to a single IP address makes it difficult for an observer in the Internet to learn anything about the internal network. The IP Identification header field of Domain Name System requests and the TCP Timestamp (TCP TS) header field of TCP SYN packets are the main features for counting devices in the internal network and association of packets to these devices, also known as DeNATing. This paper introduces a new method that relies on polynomial least-squares curve fitting for DeNATing. Evaluation of our model is performed on multiple real-world datasets containing Windows and Unix devices behind a router using NAT and a mobile hotspot. The proposed method outperforms other state-of-the-art methods for all of the used datasets on all types of devices. Successful DeNATing may help in cybersecurity, anti-fraud, and other use cases.
Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
