IPvest: Clustering the IP Traffic of Network Entities Hidden Behind a Single IP Address Using Machine Learning

IP Networks serve a variety of connected network entities (NEs) such as personal computers, servers, mobile devices, virtual machines, hosted containers, etc. The growth in the number of NEs and technical considerations has led to a reality where a single IP address is used by multiple NEs. A typical example is a home router using Network Address Translation (NAT). In organizations and cloud environments, a single IP can be used by multiple virtual machines or containers running on a single device. Discovering the number of NEs served by an IP address and clustering their traffic correctly is of value in many use cases for security, lawful interception, asset management, and other purposes. In this paper, we introduce IPvest, a system that incorporates unsupervised and supervised learning algorithms based on various features for counting and clustering network traffic of NEs masqueraded by a single IP. The features are based on the characteristics of operating systems (OSs), NAT behavior, and users' habits. Our model is evaluated on real-world datasets including Windows, Linux-based, Android, and iOS-based devices, containers, virtual machines, and load-balancers. We show that IPvest can count the number of NEs and cluster their traffic with high precision, even for containers running on a single device and servers behind a load-balancer.