A Robust Classifier for Passive TCP/IP Fingerprinting
Author
Abstract
Using probabilistic learning, we develop a naive Bayesian classifier to passively infer a host’s operating system from packet headers. We analyze traffic captured from an Internet exchange point and compare our classifier to rule-based inference tools. While the host operating system distribution is heavily skewed, we find that operating systems constituting a small fraction of the host count contribute a majority of total traffic. Finally, as an application of our classifier, we count the number of hosts masquerading behind NAT devices and evaluate our results against prior techniques. We find a host count inflation factor due to NAT of approximately 9% in our traces.
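The classifier described in the abstract can be illustrated with a small categorical naive Bayes model over SYN header fields. The following is an added example and not the paper's code: the feature set (initial TTL, TCP window, DF flag, TCP option order), the training rows and the sample SYNs are constructed to resemble common stacks and are not a measured signature database, and the NAT-counting function implements only an assumed, simplified lower bound (distinct predicted OS classes seen from one source address) rather than the paper's exact method.

```python
"""Passive OS fingerprinting with a categorical naive Bayes classifier.

Added example, not the paper's code. Training rows, feature choice and the
sample SYNs below are constructed/illustrative (assumed values).
"""
import math
from collections import Counter, defaultdict

# Header fields used as features; every value is treated as categorical.
FEATURES = ("ittl", "win", "df", "opts")

# Constructed training set: (SYN header features, OS label). Values assumed.
TRAIN = [
    ({"ittl": 64,  "win": 29200, "df": 1, "opts": "MSTNW"},   "linux"),
    ({"ittl": 64,  "win": 14600, "df": 1, "opts": "MSTNW"},   "linux"),
    ({"ittl": 64,  "win": 5840,  "df": 1, "opts": "MSTNW"},   "linux"),
    ({"ittl": 128, "win": 8192,  "df": 1, "opts": "MNWNNS"},  "windows"),
    ({"ittl": 128, "win": 65535, "df": 1, "opts": "MNWNNS"},  "windows"),
    ({"ittl": 128, "win": 8192,  "df": 1, "opts": "MNWS"},    "windows"),
    ({"ittl": 64,  "win": 65535, "df": 1, "opts": "MNWNNTS"}, "macos"),
    ({"ittl": 64,  "win": 65535, "df": 1, "opts": "MNWNNT"},  "macos"),
]


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the stack's likely initial value.
    The decrement is path length, not an OS property, so we classify on
    the initial TTL (common defaults: 32, 64, 128, 255)."""
    for init in (32, 64, 128, 255):
        if observed_ttl <= init:
            return init
    return 255


def features_from_syn(ttl, window, df, opts):
    """Turn raw SYN header fields into the categorical feature vector."""
    return {"ittl": initial_ttl(ttl), "win": window, "df": df, "opts": opts}


class NaiveBayesOS:
    """P(os | features) proportional to P(os) * prod_f P(feature_f | os)."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha                       # Laplace smoothing weight
        self.class_counts = Counter()            # label -> number of samples
        self.value_counts = defaultdict(Counter) # (label, feature) -> value counts
        self.vocab = defaultdict(set)            # feature -> values seen in training

    def fit(self, samples):
        for feats, label in samples:
            self.class_counts[label] += 1
            for f in FEATURES:
                self.value_counts[(label, f)][feats[f]] += 1
                self.vocab[f].add(feats[f])
        return self

    def log_posterior(self, feats):
        """Unnormalised log posterior per class, computed in log space to
        avoid underflow when many likelihoods are small."""
        total = sum(self.class_counts.values())
        scores = {}
        for label, n in self.class_counts.items():
            lp = math.log(n / total)  # log prior
            for f in FEATURES:
                num = self.value_counts[(label, f)][feats[f]] + self.alpha
                # +1 reserves one smoothed slot for a value never seen in training,
                # so an unknown window size or option order does not zero the class.
                den = n + self.alpha * (len(self.vocab[f]) + 1)
                lp += math.log(num / den)
            scores[label] = lp
        return scores

    def predict_proba(self, feats):
        scores = self.log_posterior(feats)
        m = max(scores.values())
        z = sum(math.exp(s - m) for s in scores.values())
        return {label: math.exp(s - m) / z for label, s in scores.items()}

    def predict(self, feats):
        proba = self.predict_proba(feats)
        return max(proba, key=proba.get)


# Constructed SYNs: (source IP, (observed TTL, window, DF, option order)).
SAMPLE_SYNS = [
    ("192.0.2.1", (60, 29200, 1, "MSTNW")),    # looks like linux
    ("192.0.2.1", (122, 8192, 1, "MNWNNS")),   # same IP, looks like windows
    ("192.0.2.2", (58, 14600, 1, "MSTNW")),
    ("192.0.2.3", (52, 65535, 1, "MNWNNT")),
]


def count_hosts_behind_nat(clf, syns):
    """Assumed, simplified NAT-counting application: two different OS classes
    cannot come from one host, so the number of distinct predicted classes per
    source address is a lower bound on hosts behind it. Returns (ips, hosts)."""
    per_ip = defaultdict(set)
    for src, (ttl, win, df, opts) in syns:
        per_ip[src].add(clf.predict(features_from_syn(ttl, win, df, opts)))
    return len(per_ip), sum(len(classes) for classes in per_ip.values())


def nat_inflation(clf, syns):
    """Host count inflation relative to the address count, e.g. 0.09 for 9%."""
    ips, hosts = count_hosts_behind_nat(clf, syns)
    return hosts / ips - 1.0


if __name__ == "__main__":
    clf = NaiveBayesOS().fit(TRAIN)
    for src, raw in SAMPLE_SYNS:
        print(src, clf.predict(features_from_syn(*raw)))
    print("NAT inflation factor:", nat_inflation(clf, SAMPLE_SYNS))
```

Two caveats a practitioner would add: the lower-bound NAT count misses multiple hosts of the same OS behind one address, and a NAT or middlebox that rewrites TTL or normalises TCP options will shift the features the classifier depends on, so the posterior should be read as evidence, not identification.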
Similar references
Using Machine Learning Techniques for Advanced Passive Operating System Fingerprinting
TCP/IP fingerprinting is the active or passive collection of information usually extracted from a remote computer’s network stack. The combination of such information can be then used to infer the remote operating system (OS fingerprinting). OS fingerprinting is traditionally based on a database of “signatures”. A signature comprises several features (i.e., pairs attribute/value) extracted from...
SYNSCAN: Towards Complete TCP/IP Fingerprinting
A tool for TCP stack testing and TCP/IP fingerprinting (a.k.a. OS detection) is introduced. While tools presently exist to do either OS detection [1, 2] or TCP stack testing [3, 4], the methods they employ are limited by the techniques and analysis performed, sometimes resulting in incorrect results or no results at all. We introduce synscan, a tool whose objective is to fingerprint every aspect ...
Blackhat fingerprinting of the wired and wireless honeynet
TCP/IP fingerprinting is a common technique used to detect unique network stack characteristics of an Operating System (OS). Its usage for network compromise is renowned for performing host discovery and in aiding the blackhat to determine a tailored exploit of detected OSs. The honeyd honeynet is able to countermeasure blackhats utilising TCP/IP fingerprinting via host device emulation on a vi...
OS fingerprint classification using a support vector machine
An evaluation of using a support vector machine (SVM) to classify operating system fingerprints in the Nmap security scanner. In solving a simplified version of operating system classification, the SVM got marginally more accurate results than Nmap’s built-in classifier.
Ambiguity Resolution via Passive OS Fingerprinting
With more widespread use of tools (such as fragrouter and fragroute [11]) that exploit differences in common operating systems to evade IDS detection, it has become more important for IDS sensors to accurately represent the variety of end hosts’ network stacks. The approach described in this paper uses the passively detected OS fingerprint of the end host in an attempt to correctly resolve ambig...