16 Bartosz Bielski, Przemysław Klęsk
broad networks. Moreover, it can cause some network devices to stop servicing. Passive fingerprinting has none of the flaws mentioned above.
[Figure 1: diagram of the OSI and TCP/IP stack; layers shown: Application, Transport, Network Interface, Physical; protocols placed in the layers: HTTP, FTP, Sockets, TCP, UDP, ICMP, IP, ARP]
Figure 1. OSI and TCP/IP stack
(source: http://tutorials.beginners.co.uk/introducing-tcp-ip.htm?p=2)
Passive fingerprinting is a method of recognizing operating systems based only on packet traffic that is already being transmitted. There is no need to send extra packets to the remote host, because all observed packets may be used to identify an attacker or any person who is performing a security audit.
The main goal of this research is to determine how accurately remote operating systems can be detected using passive fingerprinting by means of neural networks and induction of decision rules. Another goal is to evaluate the fingerprinting on some user-modified TCP/IP stacks on which current recognition tools fail to work, and to determine how well neural networks can identify operating systems that were not in the training set.
Based on our observations, which were confirmed by some earlier research [3], we can say that currently existing fingerprinting tools are mostly either rule based (with very simple rules) or nearest-neighbour implementations (usually 1-NN). With such an approach there is no way to accurately fingerprint operating systems that have any modifications not included in the fingerprinting database of known systems. On the other hand, there is no way to include all such information in the database, because of the variety of possible modifications.
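The limitation described above, shown as an added example that is not part of the paper: a minimal 1-NN passive fingerprinter over a constructed database of TCP/IP header features (the feature set, the signature values and the `distance`, `nearest_neighbour` and `classify` helpers are all assumptions for illustration). Plain 1-NN always returns the closest known label, so a user-modified stack is confidently mislabelled; a rejection threshold at least turns that into an "unknown" verdict.

```python
# Added example (not from the paper): 1-NN lookup against a fixed fingerprint
# database, illustrating why it cannot handle user-modified TCP/IP stacks.
# Feature vector and database values are constructed assumptions, not real signatures.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Fingerprint:
    ttl: int      # initial IP time-to-live observed in the SYN
    window: int   # TCP window size
    df: int       # IP don't-fragment flag (0 or 1)
    mss: int      # TCP maximum segment size option


# Constructed fingerprint database (illustrative values only).
DATABASE: Dict[str, Fingerprint] = {
    "os_a": Fingerprint(ttl=64, window=5840, df=1, mss=1460),
    "os_b": Fingerprint(ttl=128, window=65535, df=1, mss=1460),
    "os_c": Fingerprint(ttl=255, window=16384, df=0, mss=1460),
}


def distance(a: Fingerprint, b: Fingerprint) -> float:
    """L1 distance with each field scaled to its range so none dominates."""
    return (abs(a.ttl - b.ttl) / 255
            + abs(a.window - b.window) / 65535
            + abs(a.df - b.df)
            + abs(a.mss - b.mss) / 1460)


def nearest_neighbour(sample: Fingerprint) -> Tuple[str, float]:
    """Plain 1-NN: always returns some label, however poor the match is."""
    return min(((name, distance(sample, fp)) for name, fp in DATABASE.items()),
               key=lambda pair: pair[1])


def classify(sample: Fingerprint, threshold: float = 0.5) -> str:
    """1-NN with rejection: a sample far from every database entry is reported
    as 'unknown' instead of being forced onto the nearest known system."""
    label, dist = nearest_neighbour(sample)
    return label if dist <= threshold else "unknown"


# Constructed sample: a host whose stack was tuned (TTL and window changed).
MODIFIED = Fingerprint(ttl=200, window=32000, df=1, mss=1460)
```

For `MODIFIED`, `nearest_neighbour` still answers `os_b`, while `classify` rejects it as `unknown`; an unmodified `os_a` sample is matched either way.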