Systems and methods for characterizing a client device

US10911319B2 · US · B2

Patent metadata
Publication number: US-10911319-B2
Application number: US-201715857090-A
Country: US
Kind code: B2
Filing date: Dec 28, 2017
Priority date: Dec 28, 2017
Publication date: Feb 2, 2021
Grant date: Feb 2, 2021

Abstract

Techniques are disclosed for passively characterizing a type of host or computing device which may be engaged in a transaction between the host and another computing device. Observation data corresponding to one or more sessions of network traffic between an unclassified host and a second system may be passively generated by a device characterization server. The observation data can be processed by the device characterization server using a machine-learning classifier. The machine-learning classifier can be trained with a set of training data that includes multiple sessions of network traffic from multiple training data hosts. Each session of network traffic includes an exchange of multiple packets in various embodiments, including packets sent from, and packets received by, the training data hosts. Based on the processing, the unclassified host may be characterized by the device characterization server as one of a physical computing device, a virtual machine, or a container.

First claim

What is claimed is:

1. A computer-implemented method, comprising: passively generating, by a server, observation data corresponding to one or more sessions of network traffic between an unclassified host and a computer system, the unclassified host being a physical computing device, a virtual machine, or a container; processing, by the server and using a machine learning classifier, the generated observation data, wherein the machine learning classifier is trained with a set of training data that includes a plurality of sessions of network traffic from a plurality of training data hosts, each session of the network traffic including an exchange of a plurality of packets, each exchange including a first plurality of packets sent from the training data hosts and a second plurality of packets received by the training data hosts; characterizing, by the server and based on a result of the processing of the generated observation data, the unclassified host as one of the physical computing device, the virtual machine, or the container; and when the unclassified host is characterized as the virtual machine or the container, recording a transaction associated with the unclassified host as a potentially fraudulent transaction.

2. The computer-implemented method of claim 1, wherein the machine learning classifier is a random forest-based machine learning classifier.

3. The computer-implemented method of claim 1, wherein the observation data includes a time difference between receipt, by the computer system, of a first packet from the unclassified host and a receipt, by the computer system, of a second packet from the unclassified host.

4. The computer-implemented method of claim 3, wherein the first packet is a synchronize packet, and wherein the second packet is an acknowledge packet.

5. The computer-implemented method of claim 1, wherein the observation data includes header data.

6. The computer-implemented method of claim 5, wherein the header data includes one or more of an Internet Protocol address, a port number, a window size, a time to live value, a window scale, or an initial sequence number.

7. The computer-implemented method of claim 1, wherein the observation data includes a time per hop for constituent packets of the one or more sessions of network traffic between the unclassified host and the computer system.

8. The computer-implemented method of claim 1, further comprising: determining an identifier of the unclassified host; determining whether the identifier of the unclassified host matches a stored identifier for a classified host, the stored identifier for the classified host associated with a computing device classification for the classified host; and comparing the result of the processing with the computing device classification for the classified host.

9. The computer-implemented method of claim 1, further comprising: requesting additional verifications from the unclassified host in response to the recording.

10. A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising: passively generating observation data corresponding to one or more sessions of network traffic between an unclassified host and a computer system, the unclassified host being a physical computing device, a virtual machine, or a container; processing the generated observation data using a machine learning classifier trained with a set of training data that includes a plurality of sessions of network traffic from a plurality of training data hosts, each session of the network traffic including an exchange of a plurality of packets, each exchange including a first plurality of packets sent from the training data hosts and a second plurality of packets received by the training data hosts; characterizing, based on a result of the processing of the generated observation data, the unclassified host as one of the physical computing device, the virtual machine, or the container; and when the unclassified host is characterized as the virtual machine or the container, recording a transaction associated with the unclassified host as a potentially fraudulent transaction.

11. The non-transitory machine-readable medium of claim 10, wherein the machine learning classifier is a random forest-based machine learning classifier.

12. The non-transitory machine-readable medium of claim 10, wherein the observation data includes a time difference between receipt, by the computer system, of a first packet from the unclassified host and a receipt, by the computer system, of a second packet from the unclassified host.

13. The non-transitory machine-readable medium of claim 12, wherein the first packet is a synchronize packet, and wherein the second packet is an acknowledge packet.

14. The non-transitory machine-readable medium of claim 10, wherein the observation data includes transmission control protocol header data.

15. A device characterization system, comprising: a non-transitory memory; and one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the device characterization system to perform operations comprising: passively generating observation data corresponding to one or more sessions of network traffic between an unclassified host and a computer system, the unclassified host being a physical computing device, a virtual machine, or a container; accessing a machine learning classifier trained with a set of training data that includes a plurality of sessions of network traffic from a plurality of training data hosts, each session of the network traffic including an exchange of a plurality of packets, each exchange including a first plurality of packets sent from the training data hosts and a second plurality of packets received by the training data hosts; processing, using the machine learning classifier, the generated observation data; characterizing, based on a result of the processing of the generated observation data, the unclassified host as one of the physical computing device, the virtual machine, or the container; and when the unclassified host is characterized as the virtual machine or the container, recording a transaction associated with the unclassified host as a potentially fraudulent transaction.

16. The device characterization system of claim 15, wherein the machine learning classifier is a random forest-based machine learning classifier.

17. The device characterization system of claim 15, wherein the observation data includes a time difference between receipt, by the computer system, of a first packet from the unclassified host and a receipt, by the computer system, of a second packet from the unclassified host.

18. The device characterization system of claim 17, wherein the first packet is a synchronize packet, and wherein the second packet is an acknowledge packet.

19. The device characterization system of claim 15, wherein the observation data includes transmission control protocol header data.

20. The device characterization system of claim 15, the operations further comprising: requesting additional verifications from the unclassified host in response to the recording.
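
Illustration of the observation data named in claims 3 to 6, as an added example that is not part of the patent text or the assignee's implementation: a server-side extractor that derives the SYN-to-ACK receipt interval and the listed header fields from passively captured client packets. The packet bytes, addresses, timestamps and function names are constructed for the example, and the classifier stage is left out.

```python
import struct

SYN, ACK = 0x02, 0x10

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract the claim-6 header fields from one raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, _dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    opts, wscale, i = tcp[20:(off_flags >> 12) * 4], None, 0
    while i < len(opts) and opts[i] != 0:          # kind 0 = end of option list
        if opts[i] == 1:                           # kind 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:  # malformed length: stop parsing
            break
        if opts[i] == 3 and opts[i + 1] == 3 and i + 2 < len(opts):
            wscale = opts[i + 2]                   # kind 3 = window scale shift
        i += opts[i + 1]
    return {"src_ip": ".".join(map(str, pkt[12:16])), "src_port": sport,
            "ttl": pkt[8], "window": window, "wscale": wscale,
            "seq": seq, "flags": off_flags & 0x01FF}

def session_features(captured):
    """captured: (rx_time_us, raw_packet) pairs as received by the server, in order."""
    syn = None
    for ts, raw in captured:
        p = parse_ipv4_tcp(raw)
        if p["flags"] & SYN and not p["flags"] & ACK:
            syn = syn or (ts, p)                   # keep the first SYN, ignore retransmits
        elif syn and p["flags"] & ACK and p["seq"] == (syn[1]["seq"] + 1) & 0xFFFFFFFF:
            # Header fields come from the SYN (its seq is the initial sequence
            # number); the interval is the timing feature of claims 3 and 4.
            return dict(syn[1], syn_ack_delta_us=ts - syn[0])
    return None                                    # handshake not observed: no features

def build(ttl, seq, flags, window, opts=b""):
    """Constructed test packet: 198.51.100.7:51514 -> 192.0.2.10:443."""
    opts += b"\x01" * (-len(opts) % 4)             # pad options with NOPs
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(opts), 0, 0, ttl, 6, 0,
                     bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIHHHH", 51514, 443, seq, 0,
                      ((5 + len(opts) // 4) << 12) | flags, window, 0, 0)
    return ip + tcp + opts

# Constructed capture: SYN with window scale 7, then the handshake-completing ACK.
SAMPLE = [(10_000_000, build(52, 1000, SYN, 64240, b"\x03\x03\x07")),
          (10_048_500, build(52, 1001, ACK, 502))]
```

The dictionary returned by session_features(SAMPLE) is the kind of per-session record that would be turned into a feature vector for the trained classifier described in the claims.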

Classifications

  • the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV

  • H04L41/16 (Primary): using machine learning or artificial intelligence

  • H04L63/123 (Primary): received data contents, e.g. message integrity

  • Protocols

  • Program or device authentication

Frequently asked questions

Who is the assignee on this patent?
Paypal Inc
What technology area does this patent fall under?
Primary CPC classification H04L41/16. Mapped technology areas include Electricity.
When was this patent published?
Publication date Feb 2, 2021 (B2). Legal status and post-grant events are not shown on this page.