Ali Safari KhatouniLan ZhangKhurram AzizIbrahim ZincirNur Zincir-HeywoodH LutfiyyaYX DiaoN Zincir-HeywoodR BadonnelE Madeira V GetovJL GaudiotN YamaiS CimatoM ChangY TeranishiJJ YangHV LeongH ShahriarM TakemotoD ToweyH TakakuraA ElciSusumuS Puri2025-10-062019978-3-903176-24-92165-960510.23919/cnsm46954.2019.9012684http://dx.doi.org/10.23919/cnsm46954.2019.9012684https://gcris.yasar.edu.tr/handle/123456789/6855The usage of Network Address Translation (NAT) devices is common among end users organizations and Internet Service Providers. NAT provides anonymity for users within an organization by replacing their internal IP addresses with a single external wide area network address. While such anonymity provides an added measure of security for legitimate users it can also be taken advantage of by malicious users hiding behind NAT devices. Thus identifying NAT devices and hosts behind them is essential to detect malicious behaviors in traffic and application usage. In this paper we propose a machine learning based solution to detect hosts behind NAT devices by using flow level statistics (excluding IP addresses port numbers and application layer information) from passive traffic measurements. We capture a large dataset and perform an extensive evaluation of our proposed approach with four existing approaches from the literature. Our results show that the proposed approach could identify NAT behaviors and hosts not only with higher accuracy but also demonstrates the impact of parameter sensitivity of the proposed approach.EnglishConference Object