How Polynomial Regression Improves DeNATing

Ari Adler, Lior Bass, Yuval Elovici, Rami Puzis

IEEE Transactions on Network and Service Management, 2023

The ubiquity of Network Address Translation (NAT) and mobile hotspots that aggregate source IP addresses of connected devices to a single IP address makes it difficult for an observer in the Internet to learn anything about the internal network. The IP Identification header field of Domain Name System requests and the TCP Timestamp (TCP TS) header field of TCP SYN packets are the main features for counting devices in the internal network and association of packets to these devices, also known as DeNATing. This paper introduces a new method that relies on polynomial least-squares curve fitting for DeNATing. Evaluation of our model is performed on multiple real-world datasets containing Windows and Unix devices behind a router using NAT and a mobile hotspot. The proposed method outperforms other state-of-the-art methods for all of the used datasets on all types of devices. Successful DeNATing may …