Network attack detection
US-2018124073-A1 · May 3, 2018 · US
US2019207821A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2019207821-A1 |
| Application number | US-201715857090-A |
| Country | US |
| Kind code | A1 |
| Filing date | Dec 28, 2017 |
| Priority date | Dec 28, 2017 |
| Publication date | Jul 4, 2019 |
| Grant date | — |
Official abstract text for this publication.
Techniques are disclosed for passively characterizing a type of host or computing device which may be engaged in a transaction between the host and another computing device. Observation data corresponding to one or more sessions of network traffic between an unclassified host and a second system may be passively generated by a device characterization server. The observation data can be processed by the device characterization server using a machine-learning classifier. The machine-learning classifier can be trained with a set of training data that includes multiple sessions of network traffic from multiple training data hosts. Each session of network traffic includes an exchange of multiple packets in various embodiments, including packets sent from, and packets received by, the training data hosts. Based on the processing, the unclassified host may be characterized by the device characterization server as one of a physical computing device, a virtual machine, or a container.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method, comprising: passively generating, by a server, observation data corresponding to one or more sessions of network traffic between an unclassified host and a second computer system; processing, by the server and using a machine learning classifier, the generated observation data, wherein the machine learning classifier is trained with a set of training data that includes a plurality of sessions of network traffic from a plurality of training data hosts, each session of the network traffic including an exchange of a plurality of packets, each exchange including a first plurality of packets sent from the training data hosts and a second plurality of packets received by the training data hosts; and characterizing, by the server and based on the processing, the unclassified host as one of a physical computing device, a virtual machine, or a container.

2. The computer-implemented method of claim 1, wherein the machine learning classifier is a random forest-based machine learning classifier.

3. The computer-implemented method of claim 1, wherein the observation data includes a time difference between receipt, by the second computer system, of a first packet from the unclassified host and receipt, by the second computer system, of a second packet from the unclassified host.

4. The computer-implemented method of claim 3, wherein the first packet is a synchronize packet, and wherein the second packet is an acknowledge packet.

5. The computer-implemented method of claim 1, wherein the observation data includes header data.

6. The computer-implemented method of claim 5, wherein the header data includes one or more of an Internet Protocol address, a port number, a window size, a time to live value, a window scale, or an initial sequence number.

7. The computer-implemented method of claim 1, wherein the observation data includes a time per hop for constituent packets of the one or more sessions of network traffic between the unclassified host and the second computer system.

8. The computer-implemented method of claim 1, further comprising: determining an identifier of the unclassified host; determining whether the identifier of the unclassified host matches a stored identifier for a classified host, the identifier for the classified host associated with a computing device classification for the classified host; and comparing the result of the characterizing step of the unclassified host with the computing device classification for the classified host.

9. The computer-implemented method of claim 1, further comprising: receiving an indication of a transaction associated with the unclassified host; and transmitting a malicious transaction notification corresponding to the transaction to a payment processing system in response to the unclassified host being characterized as one of a virtual machine or a container.

10. A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising: passively generating observation data corresponding to one or more sessions of network traffic between an unclassified host and a second computer system; processing the generated observation data using a machine learning classifier trained with a set of training data that includes a plurality of sessions of network traffic from a plurality of training data hosts, each session of the network traffic including an exchange of a plurality of packets, each exchange including a first plurality of packets sent from the training data hosts and a second plurality of packets received by the training data hosts; and characterizing, based on the processing, the unclassified host as one of a physical computing device, a virtual machine, or a container.

11. The non-transitory machine-readable medium of claim 10, wherein the machine learning classifier is a random forest-based machine learning classifier.

12. The non-transitory machine-readable medium of claim 10, wherein the observation data includes a time difference between receipt, by the second computer system, of a first packet from the unclassified host and receipt, by the second computer system, of a second packet from the unclassified host.

13. The non-transitory machine-readable medium of claim 12, wherein the first packet is a synchronize packet, and wherein the second packet is an acknowledge packet.

14. The non-transitory machine-readable medium of claim 10, wherein the observation data includes transmission control protocol header data.

15. A device characterization system, comprising: a non-transitory memory; and one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising: passively generating observation data corresponding to one or more sessions of network traffic between an unclassified host and a second computer system; accessing a machine learning classifier trained with a set of training data that includes a plurality of sessions of network traffic from a plurality of training data hosts, each session of the network traffic including an exchange of a plurality of packets, each exchange including a first plurality of packets sent from the training data hosts and a second plurality of packets received by the training data hosts; processing, using the machine learning classifier, the generated observation data; and characterizing, based on the processing, the unclassified host as one of a physical computing device, a virtual machine, or a container.

16. The device characterization system of claim 15, wherein the machine learning classifier is a random forest-based machine learning classifier.

17. The device characterization system of claim 15, wherein the observation data includes a time difference between receipt, by the second computer system, of a first packet from the unclassified host and receipt, by the second computer system, of a second packet from the unclassified host.

18. The device characterization system of claim 17, wherein the first packet is a synchronize packet, and wherein the second packet is an acknowledge packet.

19. The device characterization system of claim 15, wherein the observation data includes transmission control protocol header data.

20. The device characterization system of claim 15, the operations further comprising: receiving an indication of a transaction associated with the unclassified host; and transmitting a malicious transaction notification corresponding to the transaction to a payment processing system in response to the unclassified host being characterized as one of a virtual machine or a container.
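The claims describe a pipeline rather than code: the server passively records the handshake packets of a session, derives observation data from them (the SYN-to-ACK receipt gap of claims 3 and 4, the header fields of claim 6, the time per hop of claim 7), feeds that to a trained classifier, cross-checks the verdict against a stored classification for a known host identifier (claim 8), and notifies the payment processor when the host looks like a VM or container (claims 9 and 20). The Python below is an added example that walks through those steps end to end; it is not the patent's or the applicant's code. All packet timings, TTLs, window values, host ids and transaction ids are constructed, the labels on the training sessions are illustrative rather than real device fingerprints, the initial-TTL table used to estimate hop count is an assumption, and a one-nearest-neighbour classifier stands in for the random forest the claims name so the block runs without any ML library.

```python
"""Passive host characterization pipeline following claims 1-9 (added example).

Constructed data throughout; 1-NN replaces the claimed random forest classifier.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    """One packet of a session as observed at the second computer system (the server)."""
    t: float               # timestamp in seconds when the server sent or received it
    from_host: bool        # True if the unclassified host sent it
    flags: str             # TCP flags, e.g. "S", "SA", "A"
    ttl: int               # IP time to live as observed on the wire
    window: int            # TCP window size
    wscale: Optional[int]  # window scale option, None if the packet carries none
    seq: int               # sequence number (the ISN on the SYN)


# Assumption: senders start from one of these common initial TTL values.
INITIAL_TTLS = (64, 128, 255)


def estimate_hops(ttl: int) -> int:
    """Hops traversed = smallest common initial TTL >= observed TTL, minus the observed TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"TTL out of range: {ttl}")


def make_session(t0: float, rtt: float, ttl: int, window: int,
                 wscale: Optional[int], isn: int) -> List[Packet]:
    """Construct a three-way handshake as the server would passively record it."""
    return [
        Packet(t0, True, "S", ttl, window, wscale, isn),          # host -> server (SYN)
        Packet(t0, False, "SA", 64, 65535, 7, 0x10000000),       # server -> host (SYN-ACK)
        Packet(t0 + rtt, True, "A", ttl, window, None, isn + 1),  # host -> server (ACK)
    ]


def extract_features(session: List[Packet]) -> Dict[str, float]:
    """Observation data of claims 3-7: SYN->ACK receipt gap, header fields, time per hop."""
    syn = next(p for p in session if p.from_host and p.flags == "S")
    ack = next(p for p in session if p.from_host and p.flags == "A" and p.t > syn.t)
    delta_ms = (ack.t - syn.t) * 1000.0
    hops = estimate_hops(syn.ttl)
    return {
        "delta_ms": delta_ms,
        "ttl": syn.ttl,
        "window": syn.window,
        "wscale": syn.wscale if syn.wscale is not None else -1,
        "isn": syn.seq,
        "hops": hops,
        # Guard against a zero-hop (directly attached) peer dividing by zero.
        "time_per_hop_ms": delta_ms / max(hops, 1),
    }


# Features the stand-in classifier compares; the rest stay in the record for cross-checks.
FEATURE_KEYS = ("delta_ms", "time_per_hop_ms", "window", "wscale")

# Constructed, labelled training sessions (claim 1); labels are illustrative only.
TRAINING = [
    ("physical",  make_session(10.0, 0.040, 115, 64240, 8, 0x11111111)),
    ("vm",        make_session(20.0, 0.012, 56,  29200, 7, 0x22222222)),
    ("container", make_session(30.0, 0.003, 61,  29200, 7, 0x33333333)),
]


def classify(features: Dict[str, float], training=TRAINING) -> str:
    """1-nearest-neighbour on min-max scaled features (stand-in for the random forest)."""
    rows = [(label, extract_features(s)) for label, s in training]
    span = {}
    for k in FEATURE_KEYS:
        vals = [f[k] for _, f in rows]
        span[k] = (max(vals) - min(vals)) or 1.0  # avoid zero range on constant features

    def dist(f: Dict[str, float]) -> float:
        return sum(((f[k] - features[k]) / span[k]) ** 2 for k in FEATURE_KEYS)

    return min(rows, key=lambda r: dist(r[1]))[0]


# Claim 8: stored identifier -> previously determined classification (constructed id).
KNOWN_HOSTS = {"host-constructed-42": "physical"}


def cross_check(host_id: str, label: str, known=KNOWN_HOSTS) -> str:
    """Compare the fresh characterization with the stored one for this identifier."""
    if host_id not in known:
        return "unknown"
    return "match" if known[host_id] == label else "mismatch"


def transaction_decision(label: str, txn_id: str) -> Optional[Dict[str, str]]:
    """Claims 9/20: notify the payment processor when the host is a VM or container."""
    if label in ("vm", "container"):
        return {"transaction": txn_id, "notification": "malicious_transaction", "host_type": label}
    return None


if __name__ == "__main__":
    observed = make_session(100.0, 0.0035, 61, 29200, 7, 0x44444444)  # constructed session
    feats = extract_features(observed)
    verdict = classify(feats)
    print(feats)
    print(verdict, cross_check("host-constructed-42", verdict),
          transaction_decision(verdict, "txn-constructed-1"))
```

A `mismatch` from `cross_check` is the interesting signal in claim 8: a host whose stored classification was "physical" but which now looks like a container warrants a closer look before the transaction is approved, and the feature record keeps the raw TTL, window and ISN so an analyst can see what drove the verdict.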
Qualifying participants for shopping transactions (payment transaction verification G06Q20/401) · CPC title
Certifying business or products · CPC title
using kernel methods, e.g. support vector machines [SVM] · CPC title
Ensemble learning · CPC title
related to network traffic · CPC title