An Effective TCP/IP Fingerprinting Technique Based on Strange Attractors Classification

Medeiros, Jorge L.; Brito, Agostinho M.; Pires, Paulo F.

doi:10.1007/978-3-642-11207-2_16

“…Over the last 20 years, these observations have led to a variety of methods [2], [3], [4], [6], [8], [16], [22], [25], [41], [42], [43], [45], [46], [50], [52], [53], [54] that perform classification using application-layer traffic, TCP/IP/UDP headers, ICMP packets, or some combination thereof. These algorithms are useful not only in network security (i.e., detection of outdated/unpatched hosts), but also market analysis [28] and Internet characterization [17], [23], [29], [31], [45].…”

Section: Introductionmentioning

confidence: 99%

Hershel: Single-Packet OS Fingerprinting

Shamsi

¹

,

Nandwani²,

Leonard

³

et al. 2016

IEEE/ACM Trans. Networking

View full text Add to dashboard Cite

Traditional TCP/IP fingerprinting tools (e.g., nmap) are poorly suited for Internet-wide use due to the large amount of traffic and intrusive nature of the probes. This can be overcome by approaches that rely on a single SYN packet to elicit a vector of features from the remote server; however, these methods face difficult classification problems due to the high volatility of the features and severely limited amounts of information contained therein. Since these techniques have not been studied before, we first pioneer stochastic theory of single-packet OS fingerprinting, build a database of 116 OSes, design a classifier based on our models, evaluate its accuracy in simulations, and then perform OS classification of 37.8M hosts from an Internet-wide scan.

show abstract

“…The second aspect is the amount of outbound traffic required by the classifier, which ranges from a single SYN probe [3], [50] to lengthy multi-packet exchanges [25], [29], [42], [46], [52]. Ideally, fingerprinting should be performed with no extra overhead to scan traffic, which rules out techniques [29], [52] that expect to reach the target on multiple open ports, using different protocols (e.g., ICMP, TCP, UDP), and elicit responses on closed ports.…”

Section: Methodology and Objectivesmentioning

confidence: 99%

“…Additional work includes fuzzy matching [52], automatic generation of OS features that aid fingerprinting [8], [38], application of formal testing methods to the detection problem [16], and classification using lengthy observations (up to 100K packets) of Initial Sequence Numbers (ISNs) from the TCP header [25].…”

Section: Multiple Packetsmentioning

confidence: 99%

“…Over the last 20 years, these observations have led to a variety of methods [2], [3], [4], [6], [8], [16], [22], [25], [41], [42], [43], [45], [46], [50], [52], [53], [54] that perform classification using application-layer traffic, TCP/IP/UDP headers, ICMP packets, or some combination thereof. These algorithms are useful not only in network security (i.e., detection of outdated/unpatched hosts), but also market analysis [28] and Internet characterization [17], [23], [29], [31], [45].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Hershel

Shamsi

¹

,

Nandwani

²

,

Leonard

³

et al. 2014

The 2014 ACM International Conference on Measurement and Modeling of Computer Systems

19

0

View full text Add to dashboard Cite

Traditional TCP/IP fingerprinting tools (e.g., nmap) are poorly suited for Internet-wide use due to the large amount of traffic and intrusive nature of the probes. This can be overcome by approaches that rely on a single SYN packet to elicit a vector of features from the remote server; however, these methods face difficult classification problems due to the high volatility of the features and severely limited amounts of information contained therein. Since these techniques have not been studied before, we first pioneer stochastic theory of single-packet OS fingerprinting, build a database of 116 OSes, design a classifier based on our models, evaluate its accuracy in simulations, and then perform OS classification of 37.8M hosts from an Internet-wide scan.

show abstract

“…2 With hundreds of transmitted probes, several protocols that must pass remote firewalls, and complaints from network administrators during fingerprinting of their networks, Nmap is not generally considered suitable for Internet-scale use. Additional classifiers in this category include p0f [34], Xprobe [33], and several others [2], [18], [28]. They have a smaller presence and significantly fewer signatures, but most of their ideas have been ported to Nmap. The second direction in Fig.…”

Section: A Remote Os Classificationmentioning

confidence: 99%

Unsupervised Clustering Under Temporal Feature Volatility in Network Stack Fingerprinting

Shamsi

¹

,

Loguinov

²

2017

IEEE/ACM Trans. Networking

1

0

View full text Add to dashboard Cite

Maintaining and updating signature databases are tedious tasks that normally require a large amount of user effort. The problem becomes harder when features can be distorted by observation noise, which we call volatility. To address this issue, we propose algorithms and models to automatically generate signatures in the presence of noise, with a focus on single-probe stack fingerprinting, which is a research area that aims to discover the operating system of remote hosts using their response to a TCP SYN packet. Armed with this framework, we construct a database with 420 network stacks, label the signatures, develop a robust classifier for this database, and fingerprint 66M visible webservers on the Internet. We compare the obtained results against Nmap and discover interesting limitations of its classification process that prevent correct operation when its auxiliary probes (e.g., TCP rainbow, TCP ACK, and UDP to a closed port) are blocked by firewalls.Index Terms-OS fingerprinting, internet measurement.

show abstract

An Effective TCP/IP Fingerprinting Technique Based on Strange Attractors Classification

Cited by 15 publications

References 6 publications

Hershel: Single-Packet OS Fingerprinting

Hershel: Single-Packet OS Fingerprinting

Hershel

Unsupervised Clustering Under Temporal Feature Volatility in Network Stack Fingerprinting

Contact Info

Product

Resources

About