{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,20]],"date-time":"2026-03-20T15:58:15Z","timestamp":1774022295502,"version":"3.50.1"},"reference-count":43,"publisher":"MDPI AG","issue":"9","license":[{"start":{"date-parts":[[2020,9,2]],"date-time":"2020-09-02T00:00:00Z","timestamp":1599004800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100010418","name":"Institute for Information and Communications Technology Promotion","doi-asserted-by":"publisher","award":["IITP-2020-2018-0-01431"],"award-info":[{"award-number":["IITP-2020-2018-0-01431"]}],"id":[{"id":"10.13039\/501100010418","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100002619","name":"Ajou University","doi-asserted-by":"publisher","award":["S-2019-G0001-00046"],"award-info":[{"award-number":["S-2019-G0001-00046"]}],"id":[{"id":"10.13039\/501100002619","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Symmetry"],"abstract":"<jats:p>Although network address translation (NAT) provides various advantages, it may cause potential threats to network operations. For network administrators to operate networks effectively and securely, it may be necessary to verify whether an assigned IP address is using NAT or not. In this paper, we propose a supervised learning-based active NAT device (NATD) identification using port response patterns. The proposed model utilizes the asymmetric port response patterns between NATD and non-NATD. In addition, to reduce the time and to solve the security issue that supervised learning approaches exhibit, we propose a fast and stealthy NATD identification method. The proposed method can perform the identification remotely, unlike conventional methods that should operate in the same network as the targets. The experimental results demonstrate that the proposed method is effective, exhibiting a F1 score of over 90%. With the efficient features of the proposed methods, we recommend some practical use cases that can contribute to managing networks securely and effectively.<\/jats:p>","DOI":"10.3390\/sym12091444","type":"journal-article","created":{"date-parts":[[2020,9,2]],"date-time":"2020-09-02T11:07:14Z","timestamp":1599044834000},"page":"1444","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["Supervised Learning-Based Fast, Stealthy, and Active NAT Device Identification Using Port Response Patterns"],"prefix":"10.3390","volume":"12","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7939-1889","authenticated-orcid":false,"given":"Seungwoon","family":"Lee","sequence":"first","affiliation":[{"name":"Department of Computer Engineering, Ajou University, Suwon 16499, Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7073-2491","authenticated-orcid":false,"given":"Si Jung","family":"Kim","sequence":"additional","affiliation":[{"name":"Howard R. Hughes College of Engineering, University of Nevada, Las Vegas, NV 89154, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jungtae","family":"Lee","sequence":"additional","affiliation":[{"name":"Department of Computer Engineering, Ajou University, Suwon 16499, Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2509-4210","authenticated-orcid":false,"given":"Byeong-hee","family":"Roh","sequence":"additional","affiliation":[{"name":"Department of Computer Engineering, Ajou University, Suwon 16499, Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2020,9,2]]},"reference":[{"key":"ref_1","unstructured":"Srisuresh, P., and Holdrege, M. (2019, October 10). IP Network Address Translator (NAT) Terminology and Considerations. RFC 2663, IETF. Available online: https:\/\/www.hjp.at\/doc\/rfc\/rfc2663.html."},{"key":"ref_2","unstructured":"Smith, M., and Hunt, R. (2002, January 27\u201330). Network security using NAT and NAPT. Proceedings of the ICON\u20192002, Singapore."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Wicherski, G., Weingarten, F., and Meyer, U. (2013, January 21\u201324). IP agnostic real-time traffic filtering and host identification using TCP timestamps. Proceedings of the LCN\u20192013, Sydney, Australia.","DOI":"10.1109\/LCN.2013.6761302"},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Bellovin, S.M. (2002, January 6\u20138). A technique for counting NATted hosts. Proceedings of the IMW\u20192002, Marseille, France.","DOI":"10.1145\/637201.637243"},{"key":"ref_5","unstructured":"Phaal, P. (2019, October 10). Detecting NAT Devices Using sFlow. sFlow.org. Available online: https:\/\/ci.nii.ac.jp\/naid\/10019397892\/."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"93","DOI":"10.1109\/TDSC.2005.26","article-title":"Remote physical device fingerprinting","volume":"2","author":"Kohno","year":"2005","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Park, H., Shin, S., Roh, B., and Lee, C. (2016, January 19\u201321). Identification of hosts behind a NAT device utilizing multiple fields of IP and TCP. Proceedings of the ICTC\u20192016, Jeju Island, Korea.","DOI":"10.1109\/ICTC.2016.7763518"},{"key":"ref_8","first-page":"32","article-title":"Advertising power consumption of bluetooth low energy systems","volume":"Volume 6519","author":"Maier","year":"2011","journal-title":"Proceedings of the PAM\u20192011"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Li, R., Zhu, H., Xin, Y., Yang, Y., and Wang, C. (2009, January 19\u201320). Remote NAT Detect Algorithm Based on Support Vector Machine. Proceedings of the ICIES\u20192009, Wuhan, China.","DOI":"10.1109\/ICIECS.2009.5365286"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Abt, S., Dietz, C., Baier, H., and Petrovi\u0107, S. (2013, January 25\u201328). Passive remote source NAT detection using behavior statistics derived from netflow. Proceedings of the AIMS\u20192013, UPC Barcelona, Spain.","DOI":"10.1007\/978-3-642-38998-6_18"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Gokcen, Y., Foroushani, V.A., and Heywood, A. (2014, January 17\u201318). Can we identify NAT behavior by analyzing Traffic Flows?. Proceedings of the SPW\u20192014, San Jose, CA, USA.","DOI":"10.1109\/SPW.2014.28"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Komarek, T., Grill, M., and Pevny, T. (2016, January 4\u20137). Passive NAT detection using HTTP access logs. Proceedings of the WIFS\u20192016, Abu Dhabi, UAE.","DOI":"10.1109\/WIFS.2016.7823896"},{"key":"ref_13","unstructured":"Ford, B., Srisuresh, P., and Kegel, D. (2005, January 10\u201315). Peer-to-Peer Communication Across Network Address Translators. Proceedings of the USENIX Annual Technical Conference, Anaheim, CA, USA."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Murakami, R., Yamai, N., and Okayama, K. (2010, January 19\u201323). A MAC-address Relaying NAT Router for PC Identification from Outside of a LAN. Proceedings of the SAINT\u20192010, Seoul, Korea.","DOI":"10.1109\/SAINT.2010.97"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Ishikawa, Y., Yamai, N., Okayama, K., and Nakamura, M. (2011, January 18\u201321). An identification method of PCs behind NAT router with proxy authentication on HTTP communication. Proceedings of the SAINT\u20192011, Munich, Bavaria, Germany.","DOI":"10.1109\/SAINT.2011.83"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Rytilahti, T., and Holz, T. (2020, January 23\u201326). On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways. Proceedings of the Network and Distributed System Security Symposium (NDSS) 2020, San Diego, CA, USA.","DOI":"10.14722\/ndss.2020.24389"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"756","DOI":"10.1109\/TNSM.2017.2710623","article-title":"Leveraging SDN and WebRTC for Rogue Access Point Security","volume":"14","author":"Cox","year":"2017","journal-title":"IEEE Trans. Netw. Serv. Manag."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"2445","DOI":"10.1109\/TMC.2014.2309953","article-title":"A Location-Privacy Threat Stemming from the Use of Shared Public IP Addresses","volume":"13","author":"Vratonjic","year":"2014","journal-title":"IEEE Trans. Mob. Comput."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"69","DOI":"10.1007\/978-3-030-00434-7_4","article-title":"DNS-DNS: DNS-Based De-NAT Scheme","volume":"Volume 11124","author":"Orevi","year":"2018","journal-title":"Proceedings of the Cryptology and Network Security (CANS 2018)"},{"key":"ref_20","unstructured":"Zhang, L. (2018). Exploring NAT Detection and Host Identification. [Master\u2019s Thesis, Dalhousie University]."},{"key":"ref_21","unstructured":"Meidan, Y., Sachidananda, V., Elovici, Y., and Shabtai, A. (2019). Privacy-Preserving Detection of IoT Devices Connected Behind a NAT in a Smart Home Setup. arXiv, Available online: https:\/\/arxiv.org\/abs\/1905.13430."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Beverly, R. (2004, January 19\u201320). A robust classifier for passive TCP\/IP fingerprinting. Proceedings of the PAM\u20192004, Antibes Juan-les-Pins, France.","DOI":"10.1007\/978-3-540-24668-8_16"},{"key":"ref_23","unstructured":"Postel, J. (2019, October 10). Internet Control Message Protocol. RFC 792, IETF. Available online: https:\/\/www.hjp.at\/doc\/rfc\/rfc792.html."},{"key":"ref_24","unstructured":"Lyon, G.F. (2009). Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning, Insecure."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Rumelhart, D.E., Hinton, G.E., and Williams, R.J. (1985). Learning Internal Representations by Error Propagation, California Univ San Diego La Jolla Inst for Cognitive Science. Technical Report.","DOI":"10.21236\/ADA164453"},{"key":"ref_26","first-page":"2825","article-title":"Scikit-learn: Machine Learning in Python","volume":"12","author":"Pedregosa","year":"2011","journal-title":"J. Mach. Learn. Res."},{"key":"ref_27","unstructured":"(2020, August 15). SL Based NAT Identification. GitHub. Available online: https:\/\/github.com\/combatreadiness\/SL-based_NAT_identification."},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Boser, B.E., Guyon, I.M., and Vapnik, V.N. (1992, January 27\u201329). A training algorithm for optimal margin classifiers. Proceedings of the COLT\u201992, Pittsburgh, PA, USA.","DOI":"10.1145\/130385.130401"},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"238","DOI":"10.2307\/1403797","article-title":"Discriminatory analysis. Nonparametric discrimination: Consistency properties","volume":"57","author":"Fix","year":"1989","journal-title":"Int. Stat. Rev."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"21","DOI":"10.1109\/TIT.1967.1053964","article-title":"Nearest neighbor pattern classification","volume":"13","author":"Cover","year":"1967","journal-title":"IEEE Trans. Inf. Theory"},{"key":"ref_31","unstructured":"Quinlan, J.R. (1993). C4.5: Programs for Machine Learning, Morgan Kaufmann Publishers Inc."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1023\/A:1010933404324","article-title":"Random forests","volume":"45","author":"Breiman","year":"2001","journal-title":"Mach. Learn."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Trabelsi, Z., and Alketbi, L. (2013, January 1\u20133). Using network packet generators and snort rules for teaching denial of service attacks. Proceedings of the ITiCSE\u201913, Canterbury, UK.","DOI":"10.1145\/2462476.2465580"},{"key":"ref_34","unstructured":"Thermos, P., and Takanen, A. (2007). Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures, Pearson Education."},{"key":"ref_35","unstructured":"Cisco (2014). Security Configuration Guide: Denial of Service Attack Prevention, Cisco Systems, Inc."},{"key":"ref_36","unstructured":"Juniper Networks (2019). Attack Detection and Prevention Feature Guide for Security Devices, Juniper Networks, Inc."},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"1364","DOI":"10.1109\/JIOT.2019.2954539","article-title":"Efficient Delay-Based Internet-Wide Scanning Method for IoT Devices in Wireless LAN","volume":"7","author":"Hashida","year":"2020","journal-title":"IEEE Internet Things J."},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Kim, H., Kim, T., and Jang, D. (2018). An Intelligent Improvement of Internet-Wide Scan Engine for Fast Discovery of Vulnerable IoT Devices. Symmetry, 10.","DOI":"10.3390\/sym10050151"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Jung, Y., and Agulto, R. (2019). Integrated Management of Network Address Translation, Mobility and Security on the Blockchain Control Plane. Sensors, 20.","DOI":"10.3390\/s20010069"},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"9020","DOI":"10.1109\/JIOT.2019.2926099","article-title":"Design and Development of an IoT Gateway for Smart Building Applications","volume":"6","author":"Nugur","year":"2019","journal-title":"IEEE Internet Things J."},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"28","DOI":"10.1109\/MIC.2019.2952064","article-title":"Container NATs and Session-Oriented Standards: Friends or Foe?","volume":"23","author":"Amirante","year":"2019","journal-title":"IEEE Internet Comput."},{"key":"ref_42","doi-asserted-by":"crossref","unstructured":"Tekeoglu, A., Altiparmak, N., and Tosun, A.S. (August, January 31). Approximating the number of active nodes behind a NAT device. Proceedings of the ICCCN\u20192011, Maui, HI, USA.","DOI":"10.1109\/ICCCN.2011.6006048"},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Mongkolluksamee, S., Fukuda, K., and Pongpaibool, P. (2012, January 10\u201315). Counting NATted hosts by observing TCP\/IP field behaviors. Proceedings of the ICC\u20192012, Ottawa, ON, Canada.","DOI":"10.1109\/ICC.2012.6364596"}],"container-title":["Symmetry"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-8994\/12\/9\/1444\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T10:05:46Z","timestamp":1760177146000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-8994\/12\/9\/1444"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,9,2]]},"references-count":43,"journal-issue":{"issue":"9","published-online":{"date-parts":[[2020,9]]}},"alternative-id":["sym12091444"],"URL":"https:\/\/doi.org\/10.3390\/sym12091444","relation":{},"ISSN":["2073-8994"],"issn-type":[{"value":"2073-8994","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,9,2]]}}}