Behavioral Fingerprinting: Operational Signatures
- Behavioral fingerprinting is a method that identifies entities via stable operational patterns rather than static identifiers, applicable to devices, browsers, and AI agents.
- It employs various representations—from browsing routines to deep learning response embeddings—to extract unique, robust signatures for reliable attribution and anomaly detection.
- This approach underpins applications in device identification, misuse detection, model forensics, and integrity verification while addressing context-dependent challenges.
Behavioral fingerprinting is the identification, attribution, monitoring, or integrity checking of an entity from stable patterns in what it does rather than from explicit identifiers or embedded marks. In the recent literature, the entity may be a web user, browser, IoT device, BLE implementation, single-board computer, DNN, LLM endpoint, AI coding agent, AI browsing agent, AI attack agent, or quantum channel, while the observable behavior may be a browsing routine, a timing vector, a service-usage profile, a learned protocol automaton, a pull-request artifact set, a shell-command sequence, an output distribution, a refusal-vector geometry, or an expectation-value signature (Oliveira et al., 2023, Pan et al., 2022, Xu et al., 10 Feb 2026, Leshin et al., 19 Mar 2026).
1. Conceptual scope and distinguishing features
Behavioral fingerprinting replaces nominal identity with operational regularity. The survey literature frames the field around two major scenarios: device identification and misbehavior detection. In the first, the fingerprint answers what a device or model is; in the second, it represents normal behavior so that deviations expose attacks, faults, or unauthorized substitutions. This already indicates that the term covers both attribution and integrity verification, not only re-identification in the narrow privacy sense (Sánchez et al., 2020).
A central distinction is between behavioral fingerprints and static or declarative identifiers. The web-browsing literature explicitly contrasts habitual domain visits with traditional browser fingerprinting based on low-level device or browser attributes, while IoT and SBC work similarly separates behavioral traces from MAC addresses, software labels, or other cloneable identifiers. In model forensics, MetaV further distinguishes fingerprinting from watermarking: watermarking embeds a secret into parameters and may degrade utility, whereas behavioral fingerprinting is positioned as a passive forensic method based on queries and outputs (Oliveira et al., 2023, Sánchez et al., 2021, Pan et al., 2022).
Across domains, the recurrent evaluative properties are uniqueness, stability, robustness, and comparability. Web browsing work measures uniqueness and re-identifiability; service-level IoT fingerprints are evaluated through convergence and recurrence; refusal-vector fingerprints define uniqueness, robustness, and efficient comparison explicitly; endpoint monitoring introduces stability periods and change events. This suggests a common operational criterion: a behavioral fingerprint is useful only if it is sufficiently distinctive, sufficiently persistent over time or transformation, and sufficiently compact to compare at scale (Oliveira et al., 2023, Azizi et al., 18 Dec 2025, Xu et al., 10 Feb 2026, Leshin et al., 19 Mar 2026).
2. Representations and inference procedures
The literature uses several families of representations. Some are explicit symbolic or count-based summaries. Web-browsing fingerprints are defined as an ordered top- tuple of most visited domains,
with order ignored during uniqueness counting. Service-level IoT work defines three related representations over a time window: Service List, Service Prevalence, and a generalized granularity-controlled form . BLE fingerprinting represents a device as a learned deterministic Mealy machine . In AI attack-agent forensics, an entire terminal session is treated as the concatenation of executed commands in order, then vectorized with TF-IDF over unigrams and bigrams; in AI coding-agent attribution, the representation is a 41-feature vector spanning commit messages, PR structure, code changes, patch-level code characteristics, and temporal features (Oliveira et al., 2023, Azizi et al., 18 Dec 2025, Pferscher et al., 2022, Ediga et al., 2 May 2026, Ghaleb, 24 Jan 2026).
Other systems learn the fingerprint jointly with the verifier or extract it from latent geometry. MetaV defines an adaptive fingerprint and a meta-verifier , where the verification decision is made from the concatenated outputs of a suspect model on the learned inputs. Refusal-vector provenance tracking computes layer-wise directions from harmful-versus-harmless hidden-state centroids and averages middle-layer unit vectors into a final normalized fingerprint . LLM endpoint stability monitoring instead treats a fingerprint as a set of sampled response embeddings per prompt and compares successive fingerprints with a summed energy-distance statistic and permutation-test -values. QML-PipeGuard defines the fingerprint of a quantum channel as a vector of observable expectation values,
These formulations show that “behavior” can be observed either externally from outputs or internally from hidden states, depending on the access model (Pan et al., 2022, Xu et al., 10 Feb 2026, Leshin et al., 19 Mar 2026, Yeniaras, 24 May 2026).
Comparison rules are correspondingly heterogeneous. Some works use direct counting or matching: browsing-history uniqueness is the fraction of non-duplicate fingerprints, stepwise identification narrows a candidate set until it reaches size $1$, and re-identification counts correct cross-slice matches. Others use similarity scores such as cosine similarity for refusal vectors and service-level IoT fingerprints, nearest-neighbor matching over Euclidean or Mahalanobis distances for WebAssembly timing vectors, or maximum cosine similarity against a fingerprint pool for device classification. Still others use discriminative classifiers: XGBoost for AI coding-agent PRs, LinearSVC for terminal command sequences, and XGBoost again for AI browsing-agent event features. Endpoint monitoring and QML integrity work replace classification with hypothesis testing and thresholded contract verification, respectively (Oliveira et al., 2023, Guri et al., 31 May 2025, Azizi et al., 18 Dec 2025, Ghaleb, 24 Jan 2026, Ediga et al., 2 May 2026, Yeniaras, 24 May 2026).
3. Web, browser, and browsing-agent settings
In web privacy research, behavioral fingerprinting is demonstrated most directly by browsing routines themselves. Using top-domain fingerprints, merely the four most visited domains identify 95% of individuals in the dataset, with similarly high uniqueness across demographic subgroups. A stepwise procedure requires only 2.45 steps on average to isolate a user. The same traces also persist over time: re-identification reaches 80% with fingerprint length 0 and 90% with 1. Even observation restricted to the Top-100 domains overall still yields 82% unique users at 2, leading the paper to emphasize that tracking only about 0.2% of all domains can still identify most users (Oliveira et al., 2023).
At the browser and script level, two distinct but related lines appear. One uses runtime behavior as the fingerprint source: a WebAssembly method runs 20 timing tests and stores a 20-dimensional latency vector, distinguishing Chromium-based browsers from non-Chromium ones even when the User-Agent is spoofed. On 158 browser instances across Intel, AMD, and ARM devices, multiple operating systems, and several virtualized environments, the threshold-based Chromium detector reaches 99.29% success with a false-positive rate below 1% (Guri et al., 31 May 2025). The other uses behavior not to fingerprint users but to fingerprint the fingerprinters: FPNET extends FPMON with script-level monitoring over 115 fingerprinting-related properties and functions grouped into 40 feature groups, scans the Alexa Top 10,000, uncovers 379 fingerprinting networks and 104 actors, and shows that behavior-based signatures can re-identify almost 9,000 scripts whose filename or domain changed, while over 86% of scripts without URL changes remain directly re-identifiable (Neef, 2022).
AI browsing agents add a third layer: the browser environment they expose is often less informative than how they interact. In a controlled honey-website study of seven agents and a human group across flight booking, shopping, and forum tasks, browser-fingerprint features provide only moderate multi-class performance, whereas behavioral features from typing, scrolling, and mouse activity are nearly perfectly discriminative. For browsing agents only, browser fingerprints yield precision 0.8674, recall 0.8179, and F1 0.7969, while behavioral fingerprints yield precision 0.9993, recall 0.9994, and F1 0.9993; the combined model reaches 1.0000 for all three metrics. In a Cloudflare case study, the behavioral system detects all seven agents, whereas Cloudflare fully blocks only Manus (Wang et al., 2 May 2026).
4. Devices, IoT systems, and protocol implementations
Device-oriented behavioral fingerprinting spans externally observed network traces, in-device telemetry, hardware-comparison signals, and actively learned protocol behavior. The survey literature emphasizes this diversity explicitly, listing network communications, clock skew, electromagnetic signals, hardware events, resource usage, software and process traces, and sensor or actuator values as candidate behavioral sources. It also notes that network data dominates large-scale practice, whereas individual device identification often requires lower-level sources with tighter stability constraints (Sánchez et al., 2020).
Packet- and flow-based IoT work illustrates two different granularities. IoTSense models a device by five consecutive packets, extracting 17 binary header features and 3 payload-based features per packet, yielding a 100-dimensional vector. Across 14 IoT device types, it reports identification rates of 86–99% and mean accuracy of 99%, with cross-instance recognition of 99.7–100% for tested device models (Bezawada et al., 2018). A later macroscopic approach moves upward from packets and flows to long-term service usage. It defines service-level fingerprints through binary presence, counts, and a generalized granularity parameter 3, evaluates them on about 10 million IPFIX flow records collected over a 1.5-year period, and shows that more than 90% of exported fingerprints converge within 8 days. In augmented closed-set classification, the best configuration is 4 and 5, achieving macro precision 0.98 and macro recall 0.97 (Azizi et al., 18 Dec 2025).
Host-based and hardware-comparison approaches use behavioral fingerprints as state encodings or anomaly baselines. For zero-day defense on a Raspberry Pi spectrum sensor, one RL framework reduces 75 perf events to 46 behavioral events and feeds the resulting state vector to an autoencoder plus DQN; it learns appropriate moving-target-defense actions for all attacks except a passive rootkit while consuming under 1 MB of storage, under 55% CPU, and under 80% RAM (Celdrán et al., 2022). CyberSpec applies a similar philosophy to spectrum sensing data falsification, collecting Linux kernel events in 50-second windows and detecting five of seven attacks almost perfectly with end-to-end delay under 60 seconds; its on-sensor overhead is reported as 0.5–2% of one core, 900 kB memory, and 7.8 kB storage (Celdrán et al., 2022). For identical single-board computers, hardware behavior is fingerprinted through CPU/GPU cycle-counter relations under controlled workloads, producing a 150-feature vector and yielding 91.92% average TPR with XGBoost, while all 25 Raspberry Pi devices are correctly identified using a 50% decision threshold (Sánchez et al., 2021).
Protocol-level fingerprinting replaces feature vectors with inferred machines. BLE fingerprinting via automata learning treats a physical device as a black box and learns a deterministic Mealy machine over abstracted packet alphabets. The learned models expose device-specific transitions, output traces, deviations from the BLE specification, and even a crashing sequence for one device. The paper gives an explicit distinguishing input sequence, scan_req . connection_req . feature_rsp . scan_req . connection_req . version_req, whose output traces separate the tested SoCs (Pferscher et al., 2022). A more distributed IoT trust model uses GRU-based behavioral fingerprints over packet-symbol sequences between device pairs, converts average misprediction rate into trust scores, and aggregates them through path consensus plus blockchain-backed reliability management (Arazzi et al., 2023).
5. Models, endpoints, provenance, and integrity verification
In DNN forensics, behavioral fingerprinting is often framed as a response to model piracy or silent model replacement. MetaV generalizes classifier-specific fingerprinting into a task-agnostic framework built from a learned adaptive fingerprint and a learned meta-verifier. Because it assumes only shared input and output dimensions, it extends to classification, regression, and generative modeling. On ResNet-18 for skin-cancer diagnosis, it is the only evaluated method to achieve 100% true positives and 100% true negatives on 70 suspect models, with ARUC 6, about 220% relative improvement over the best baseline on that benchmark; on regression and generative tasks, the robustness and uniqueness curves remain at 1 for most thresholds, with ARUC above 0.98 (Pan et al., 2022).
For LLM provenance, one white-box line exploits alignment geometry rather than prompt-response stylometry. Refusal-vector fingerprinting computes normalized centroid differences between harmful and harmless prompts across layers, aggregates a middle-layer band, and compares resulting vectors by cosine similarity. The method is reported to be robust to quantization, adapters/LoRA, supervised finetuning, and model merging; independently trained models have average absolute similarity below 0.01, and a closed-set identification task across 76 offspring models achieves 100% Top-1 accuracy for source-family identification. The same work also sketches a public-verification path via SimHash and zero-knowledge proofs, although that component remains theoretical in the paper’s own description (Xu et al., 10 Feb 2026).
A black-box alternative monitors endpoint behavior statistically over time. Stability Monitor fixes a prompt set, samples multiple outputs per prompt, embeds them, and compares fingerprints using summed energy distance plus permutation-test 7-values aggregated sequentially into change evidence. One fingerprint requires 800 inference requests. In controlled validation, the system detects changes to model family, version, inference stack, quantization, and behavioral parameters; with one exception, change events appear on the next fingerprint after intervention, while a small temperature shift from 0.7 to 0.6 requires 18 fingerprints to trigger detection. In live multi-provider monitoring of the same nominal model, the paper reports substantial provider-to-provider and within-provider stability differences, including a confirmed hardware-provider switch behind one detected change event (Leshin et al., 19 Mar 2026).
Behavioral fingerprinting also appears as an evaluative framework for LLM behavioral profiles rather than provenance alone. A 21-prompt Diagnostic Prompt Suite scored by Claude Opus 4.1 across 18 models reports convergence on abstract and causal reasoning among top models but marked divergence in alignment-related behaviors such as sycophancy and semantic robustness. The paper highlights sycophancy-resistance scores ranging from 1.00 for Claude Opus 4.1 and LLaMA-3.1-405B-Instruct to 0.25 for Grok-4, and documents a default persona clustering around ISTJ and ESTJ types (Pei et al., 2 Sep 2025). In QML, the same behavioral logic becomes runtime integrity verification: QML-PipeGuard fingerprints a pipeline by a vector of observable expectation values, tolerates benign drift within a calibrated threshold, and flags channel substitution when the observable contract is violated. On a two-qubit QSVM pipeline on IBM Heron r2, the prescribed budget of about 8 shots fits in a single batched job, a weak 9 contract accepts a sneaky substitution, and the fuller Pauli-family fingerprint detects it with a wide safety margin (Yeniaras, 24 May 2026).
6. Authorship attribution and operational forensics
Behavioral fingerprints increasingly serve as authorship signals for AI systems operating through human-facing artifacts. In software repositories, PRs produced by AI coding agents can be attributed from commit messages, PR structure, code changes, and patch-level code characteristics. On 33,580 PRs from OpenAI Codex, GitHub Copilot, Devin, Cursor, and Claude Code, XGBoost reaches weighted F1 97.2% in multi-class identification. The most important global feature is multiline commit ratio at 44.7%; agent-specific fingerprints are more interpretable in one-vs-rest analysis, including multiline commit messages for OpenAI Codex at 67.5% importance and conditional density for Claude Code at 27.2% importance. The stated applications are repository governance, authorship attribution, and contamination control in empirical software-engineering datasets (Ghaleb, 24 Jan 2026).
Terminal behavior supports an analogous form of model-family attribution in offensive-security settings. Trace represents each attack session as the ordered concatenation of executed shell commands, vectorizes it with TF-IDF over 0-grams, and classifies model family with a balanced LinearSVC. Over 2,028 sessions from three scaffolds and seven frontier families, the system reports macro F1 1 and accuracy 98.1%; under leave-one-scaffold-out evaluation, mean macro F1 is 0.815. Attribution is not merely descriptive: it routes family-calibrated defensive prompt injection payloads, yielding system-prompt extraction from 81.9% of non-Claude sessions on average, up to 98.3%, with Sentence-BERT fidelity 0.736, which the paper states is 1.88x higher than blind deployment. On an unseen proprietary scaffold, average attribution accuracy is about 78% (Ediga et al., 2 May 2026).
These operational settings show that behavioral fingerprints need not be tied to latent internal states or to long-term user records. They may instead arise from operational style in artifacts that were ostensibly produced under a human account or within a compromised shell. A plausible implication is that, as AI systems act through ordinary workflows, behavioral fingerprinting becomes a generalized authorship and provenance layer over interaction traces rather than a special-purpose anti-piracy technique.
7. Limitations, misconceptions, and policy implications
A common misconception is that fingerprinting is mainly a matter of static identifiers, cookies, or advertising scripts. The reviewed work contradicts that view from several directions. Browsing behavior itself can identify users even when only a few domains are observed; WebAssembly timing exposes browser-engine behavior even under User-Agent spoofing; and mobile anti-fingerprinting measures focused on advertising miss much of the SDK market because only 30.56% of likely fingerprinting SDKs are Ads SDKs, while 23.92% fall into an Unclear/Not Found category and Security and Authentication accounts for 11.7% (Oliveira et al., 2023, Guri et al., 31 May 2025, Specter et al., 27 Jun 2025).
Another misconception is that more behavior always yields robust attribution. Several papers instead show strong dependence on access model, task, scaffold, or observable family. Refusal-vector provenance requires white-box access and is weakened by alignment-breaking attacks; FP-Agent’s behavioral features are highly discriminative in a closed world but degrade under task holdout, with behavioral-only F1 dropping to 0.6303 in one held-out-task setting; Trace generalizes less well to unseen scaffolds than to seen ones, particularly under rigid ReAct-style control; QML-PipeGuard demonstrates that a weak observable contract can be evaded even when a richer one detects substitution; and CyberSpec and the RL-based SBC defense both struggle with attacks whose behavior stays too close to normal, such as Repeat, Freeze, or the passive rootkit Beurk (Xu et al., 10 Feb 2026, Wang et al., 2 May 2026, Ediga et al., 2 May 2026, Yeniaras, 24 May 2026, Celdrán et al., 2022, Celdrán et al., 2022).
The same literature also identifies broader methodological gaps. The device-behavior survey emphasizes the scarcity of public datasets beyond network traffic, unresolved scalability for individual device identification, and the need for stronger privacy and security guarantees in the fingerprinting pipeline itself. QML-PipeGuard notes that larger observable families improve coverage but raise shot cost; refusal-vector provenance leaves public black-box verification largely theoretical; and endpoint stability monitoring shows that even nominally identical hosted models can diverge substantially across providers, complicating benchmarking and compliance (Sánchez et al., 2020, Yeniaras, 24 May 2026, Xu et al., 10 Feb 2026, Leshin et al., 19 Mar 2026).
Taken together, the literature presents behavioral fingerprinting as neither a single algorithm nor a single threat model. It is a family of methods for turning operational regularities into signatures that support identification, re-identification, provenance, anomaly detection, and runtime integrity checks. Its power derives from the fact that behavior is often more stable and more distinctive than nominal identity. Its limitation is the same fact in reverse: behavior is contingent on context, instrumentation, and incentives, so every fingerprint is also a measurement design choice.