IpMorph: fingerprinting spoofing unification

Prigent, Guillaume; Vichot, Florian; Harrouet, Fabrice

doi:10.1007/s11416-009-0134-4

Cited by 23 publications

(11 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…where 1 is an indicator variable and Using WolframAlpha's integral solver [32] yields (22). Replacing Hershel's p(δ|δ , X ) with (22) and keeping the rest of the method unchanged gives rise to a technique we call Hershel+.…”

Section: B Hershel+mentioning

confidence: 99%

“…Replacing Hershel's p(δ|δ , X ) with (22) and keeping the rest of the method unchanged gives rise to a technique we call Hershel+. Our next step is to verify that its accuracy is no worse than that of Hershel even when the assumed Erlang model for T , which uses ν = 4 in all computation below, does not match the true distribution.…”

Section: B Hershel+mentioning

confidence: 99%

“…Assuming a is a measurement from some IP, (21)- (22) can be used to obtain similarity score p(a|A j , X ) for each OS j, the highest of which is selected as the match after normaliza- tion. Fig.…”

Section: B Os Popularity and Confidencementioning

confidence: 99%

See 2 more Smart Citations

Unsupervised Clustering Under Temporal Feature Volatility in Network Stack Fingerprinting

Shamsi

Loguinov

2017

IEEE/ACM Trans. Networking

View full text Add to dashboard Cite

Maintaining and updating signature databases are tedious tasks that normally require a large amount of user effort. The problem becomes harder when features can be distorted by observation noise, which we call volatility. To address this issue, we propose algorithms and models to automatically generate signatures in the presence of noise, with a focus on single-probe stack fingerprinting, which is a research area that aims to discover the operating system of remote hosts using their response to a TCP SYN packet. Armed with this framework, we construct a database with 420 network stacks, label the signatures, develop a robust classifier for this database, and fingerprint 66M visible webservers on the Internet. We compare the obtained results against Nmap and discover interesting limitations of its classification process that prevent correct operation when its auxiliary probes (e.g., TCP rainbow, TCP ACK, and UDP to a closed port) are blocked by firewalls.Index Terms-OS fingerprinting, internet measurement.

show abstract

Section: B Hershel+mentioning

confidence: 99%

Section: B Hershel+mentioning

confidence: 99%

See 1 more Smart Citation

Unsupervised Clustering Under Temporal Feature Volatility in Network Stack Fingerprinting

Shamsi

Loguinov

2017

IEEE/ACM Trans. Networking

View full text Add to dashboard Cite

show abstract

“…A similar direction is to deploy network honeypots [35], [49] or standalone systems [51] that spoof arbitrary operating systems and their services. Placing obfuscation into the network gives rise to intermediate devices known as fingerprint scrubbers [34], [43].…”

Section: Common Defensesmentioning

confidence: 99%

“…Besides user interference, vector uj may be modified by intermediate devices along the path (e.g., NAT, IDS, fingerprint scrubbers [10], [34], [40], [43], [51]), whose actions can be clumped under the same umbrella of (16). Since buffering packets for periods of time comparable to RTO (i.e., 3 − 6 seconds) and per-flow state are expensive, it is often safe to assume that these devices do not alter the RTO pattern in significant ways and thus leave enough features by which the OS can still be identified.…”

Section: User Featuresmentioning

confidence: 99%

Hershel

Shamsi

Nandwani

Leonard

et al. 2014

The 2014 ACM International Conference on Measurement and Modeling of Computer Systems

View full text Add to dashboard Cite

Traditional TCP/IP fingerprinting tools (e.g., nmap) are poorly suited for Internet-wide use due to the large amount of traffic and intrusive nature of the probes. This can be overcome by approaches that rely on a single SYN packet to elicit a vector of features from the remote server; however, these methods face difficult classification problems due to the high volatility of the features and severely limited amounts of information contained therein. Since these techniques have not been studied before, we first pioneer stochastic theory of single-packet OS fingerprinting, build a database of 116 OSes, design a classifier based on our models, evaluate its accuracy in simulations, and then perform OS classification of 37.8M hosts from an Internet-wide scan.

show abstract

ShoVAT: Shodan‐based vulnerability assessment tool for Internet‐facing services

Genge

Enăchescu

2015

Security Comm Networks

View full text Add to dashboard Cite

Shodan has been acknowledged as one of the most popular search engines available today, designed to crawl the Internet and to index discovered services. This paper expands the features exposed by Shodan with advanced vulnerability assessment capabilities embedded into a novel tool called Shodan‐based vulnerability assessment tool (ShoVAT). ShoVAT takes the output of traditional Shodan queries and performs an in‐depth analysis of service‐specific data, that is, service banners. It embodies specially crafted algorithms which rely on novel in‐memory data structures to automatically reconstruct Common Platform Enumeration names and to proficiently extract vulnerabilities from National Vulnerability Database. Compared with the state of the art, ShoVAT brings several novel and significant contributions because it encompasses automated vulnerability identification techniques, it can return highly accurate results with customized and even purposefully modified service banners, and it supports historical service vulnerability analysis without the need to deploy additional monitoring infrastructures. The experiments performed on 1501 services in 12 different institutions across different sectors revealed high accuracy of results and a total of 3922 known vulnerabilities. Copyright © 2015 John Wiley & Sons, Ltd.

show abstract

IpMorph: fingerprinting spoofing unification

Cited by 23 publications

References 0 publications

Unsupervised Clustering Under Temporal Feature Volatility in Network Stack Fingerprinting

Unsupervised Clustering Under Temporal Feature Volatility in Network Stack Fingerprinting

Hershel

ShoVAT: Shodan‐based vulnerability assessment tool for Internet‐facing services

Contact Info

Product

Resources

About