Magnifier: Detecting Network Access via Lightweight Traffic-Based Fingerprints

Network access detection plays a crucial role in global network management, enabling efficient network monitoring and topology measurement by identifying unauthorized network access and gathering detailed information about mobile devices. Existing methods for endpoint-based detection primarily rely on deploying monitoring software to recognize network connections. However, the challenges associated with developing and maintaining such systems have limited their universality and coverage in practical deployments, especially given the cost implications of covering a wide array of devices with heterogeneous operating systems. To tackle the issues, we propose Magnifier for mobile device network access detection that, for the first time, passively infers access patterns from backbone traffic at the gateway level. Magnifier’s foundation is the creation of device-specific access patterns using the innovative Domain Name Forest (dnForest) fingerprints. We then employ a two-stage distillation algorithm to fine-tune the weights of individual Domain Name Trees (dnTree) within each dnForest, emphasizing the unique device fingerprints. With these meticulously crafted fingerprints, Magnifier efficiently infers network access from backbone traffic using a lightweight fingerprint matching algorithm. Our experimental results, conducted in real-world scenarios, demonstrate that Magnifier exhibits exceptional universality and coverage in both initial and repetitive network access detection in real-time. To facilitate further research, we have thoughtfully curated the NetCess2025 dataset, comprising network access data from 42 different models across 9 brands, covering the majority of mainstream mobile devices. We have also made both the Magnifier prototype and the NetCess2025 dataset publicly available (https://github.com/SecTeamPolaris/Magnifier).