Bartosz Bielski, Przemysław Klęsk
Szczecin University of Technology,
Faculty of Computer Science and Information Technology
Abstract:
One of the most difficult tasks for people managing a big- or even medium-size computer network is determining the accurate number of hosts that are protected. This information is really helpful for accurately configuring network-based devices such as intrusion detection systems. Exact knowledge of the operating systems (residing in hosts) can be useful for excluding many alerts that cannot apply to the remote operating system that is being examined. In this context, we consider a classification problem (we try to recognize the class of operating system) when some of the characteristics of the system are modified by its user or any other program (e.g. for Internet connection tuning). We use neural networks (MLP, RBF) and rule induction techniques. It should be stressed that existing fingerprinting tools get high accuracy results when tested on the “clean” versions of operating systems, but they fail to detect systems with modified TCP/IP parameters.
Keywords:
passive OS fingerprinting, TCP/IP fingerprinting, operating systems recognition, neural networks, induction of decision rules
Accurate operating system fingerprinting by passive analysis of network traffic can be used for maintaining a security access policy. Such a policy may list the types of hosts that are allowed and disallowed (for example, an administrator can disallow really old versions of operating systems which may have serious bugs).
Remote operating system fingerprinting is the way of determining the operating system of a remote host. It is based on the fact that the TCP/IP protocol specification does not clearly describe how to use all fields in the TCP and IP headers. Due to this fact, developers of operating systems implement the TCP/IP stack differently, which can be used for identification. Even versions and patches can be identified, because programmers use, e.g., other security features in the systems.
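The header-field differences described above, as an added Python example that is not part of the paper: a constructed IPv4/TCP SYN is parsed into the fields passive fingerprinters compare (initial TTL, DF bit, window size, TCP option order), and an exact-match signature table is contrasted with a weighted match that still classifies a host whose window size was tuned by its user. The signature entries (OS-A, OS-B, OS-C) and the option layouts are constructed placeholders, not real OS values.

```python
import struct

# Constructed signature table (placeholder classes, not real OS values): the header
# fields a passive fingerprinter compares against each observed SYN.
SIGNATURES = {
    "OS-A": {"ttl": 64, "df": True, "win": 65535, "opts": "MNWNNS"},
    "OS-B": {"ttl": 128, "df": True, "win": 8192, "opts": "MNWNNTS"},
    "OS-C": {"ttl": 255, "df": False, "win": 16384, "opts": "MNNS"},
}
OPTS_A = b"\x02\x04\x05\xb4\x01\x03\x03\x07\x01\x01\x04\x02"  # MSS, NOP, WS, NOP, NOP, SACK-ok

def build_syn(ttl, df, window, opts):
    """Build a minimal IPv4+TCP SYN as constructed test input (checksums left zero)."""
    tcp_len = 20 + len(opts)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000 if df else 0,
                     ttl, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + opts

def extract_features(pkt):
    """Pull the fingerprint fields out of a raw IPv4+TCP SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    # observed TTL was decremented once per hop; map it back to the stack's initial value
    init_ttl = next(t for t in (32, 64, 128, 255) if pkt[8] <= t)
    tcp = pkt[ihl:]
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, order, i = tcp[20:(tcp[12] >> 4) * 4], [], 0
    kinds = {2: "M", 3: "W", 4: "S", 8: "T"}                # MSS, window scale, SACK-ok, timestamp
    while i < len(opts) and opts[i] != 0:                   # kind 0 ends the option list
        order.append("N" if opts[i] == 1 else kinds.get(opts[i], "?"))
        i += 1 if opts[i] == 1 else opts[i + 1]             # NOP carries no length byte
    return {"ttl": init_ttl, "df": df, "win": window, "opts": "".join(order)}

def classify_strict(f):
    """Exact match on every field, as a plain signature table does."""
    return next((n for n, s in SIGNATURES.items() if all(f[k] == v for k, v in s.items())), None)

def classify_tolerant(f, min_score=6):
    """Weighted match: the window size is the field users tune most, so it counts least."""
    weights = {"ttl": 3, "df": 2, "opts": 3, "win": 1}
    score = {n: sum(w for k, w in weights.items() if f[k] == s[k]) for n, s in SIGNATURES.items()}
    best = max(score, key=score.get)
    return best if score[best] >= min_score else None

if __name__ == "__main__":
    clean = extract_features(build_syn(60, True, 65535, OPTS_A))
    tuned = extract_features(build_syn(60, True, 32120, OPTS_A))  # user tuned the window size
    print(classify_strict(clean), classify_tolerant(clean))      # OS-A OS-A
    print(classify_strict(tuned), classify_tolerant(tuned))      # None OS-A
```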
Remote operating systems can be identified by three approaches: “just looking”, active and passive fingerprinting. The “just looking” method is really not accurate and may give inadequate results, because of the easy way to modify the presented information; active scanning provides detailed information by actively sending packets, and passive analysis provides real-time (but usually less detailed) information. Nevertheless, scanning consumes host resources and network bandwidth and it requires more time on