Passive operating system fingerprinting using neural networks
We apply neural networks (MLP and RBF) to this problem, motivated by their successful use in pattern-recognition tasks such as handwriting recognition, vehicle identification and medical diagnosis.
The operating-system database was taken from the open-source tool ettercap [13], which at present contains the largest publicly available set of OS fingerprints: 1765 examples.
The structure of the values included in the ettercap set of operating systems is presented in Figure 2. Each record is a colon-separated line in the order WWWW:MSS:TTL:WS:S:N:D:T:F:LEN:OS, with the fields defined as follows:
WWWW : 4 digit hex field indicating the TCP Window Size
MSS  : 4 digit hex field indicating the TCP Option Maximum Segment Size;
       if omitted in the packet or unknown it is "_MSS"
TTL  : 2 digit hex field indicating the IP Time To Live
WS   : 2 digit hex field indicating the TCP Option Window Scale;
       if omitted in the packet or unknown it is "WS"
S    : 1 digit field indicating if the TCP Option SACK permitted is true
N    : 1 digit field indicating if the TCP Options contain a NOP
D    : 1 digit field indicating if the IP Don't Fragment flag is set
T    : 1 digit field indicating if the TCP Timestamp is present
F    : 1 digit ascii field indicating the flag of the packet (S = SYN, A = SYN + ACK)
LEN  : 2 digit hex field indicating the length of the packet;
       if irrelevant or unknown it is "LT"
OS   : an ascii string representing the OS
First of all, the many detailed OS versions were grouped into larger classes, so that the ratio of the number of examples to the number of classes stays sensible (see Table 1). Experiments that tried to identify the exact OS version were conducted later.
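To make the record layout and the class grouping concrete, here is an added example (not code from the paper or from ettercap) that parses records in the ettercap layout described above, turns each one into a numeric input vector for an MLP/RBF classifier, and maps the free-text OS name onto a coarse class. The sample records are constructed for illustration and are not copied from etter.finger.os; the keyword rules in CLASS_RULES are an assumption standing in for the paper's own Table 1 grouping. Wildcard fields ("_MSS", "WS", "LT") are encoded as a value of 0 plus an explicit "present" flag, so that a missing option is itself a usable feature rather than a hole in the vector.

```python
"""Parse ettercap-style passive OS fingerprint records and encode them as
numeric feature vectors for a neural-network classifier.

Added example: layout follows the WWWW:MSS:TTL:WS:S:N:D:T:F:LEN:OS format
quoted in the paper; sample records are constructed; the class-grouping
keyword rules are an assumption, not the paper's Table 1.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Fingerprint:
    window: int
    mss: Optional[int]       # None when the record carries the "_MSS" wildcard
    ttl: int
    wscale: Optional[int]    # None when the record carries the "WS" wildcard
    sack: bool
    nop: bool
    df: bool
    timestamp: bool
    flag: str                # "S" for SYN, "A" for SYN+ACK
    length: Optional[int]    # None when the record carries the "LT" wildcard
    os: str


def parse_record(line: str) -> Fingerprint:
    """Parse one colon-separated record; the OS string is the 11th field and
    may itself contain colons, so split at most 10 times."""
    parts = line.strip().split(":", 10)
    if len(parts) != 11:
        raise ValueError(f"expected 11 fields, got {len(parts)}: {line!r}")
    w, mss, ttl, ws, s, n, d, t, f, ln, os_name = parts
    if f not in ("S", "A"):
        raise ValueError(f"flag field must be S or A, got {f!r}")
    for bit in (s, n, d, t):
        if bit not in ("0", "1"):
            raise ValueError(f"boolean field must be 0 or 1, got {bit!r}")
    return Fingerprint(
        window=int(w, 16),
        mss=None if mss == "_MSS" else int(mss, 16),
        ttl=int(ttl, 16),
        wscale=None if ws == "WS" else int(ws, 16),
        sack=s == "1", nop=n == "1", df=d == "1", timestamp=t == "1",
        flag=f,
        length=None if ln == "LT" else int(ln, 16),
        os=os_name,
    )


def to_features(fp: Fingerprint) -> List[float]:
    """13-element input vector: scaled numeric fields, the four option bits,
    the packet direction, and (value, present) pairs for the optional fields."""
    def opt(value: Optional[int], scale: int) -> List[float]:
        return [0.0, 0.0] if value is None else [value / scale, 1.0]

    return ([fp.window / 0xFFFF, fp.ttl / 0xFF, 1.0 if fp.flag == "S" else 0.0,
             float(fp.sack), float(fp.nop), float(fp.df), float(fp.timestamp)]
            + opt(fp.mss, 0xFFFF) + opt(fp.wscale, 0xFF) + opt(fp.length, 0xFF))


# Assumed keyword rules for collapsing detailed OS versions into classes.
CLASS_RULES = [
    ("windows", "Windows"), ("linux", "Linux"),
    ("freebsd", "BSD"), ("openbsd", "BSD"), ("netbsd", "BSD"),
    ("solaris", "Solaris"), ("sunos", "Solaris"), ("cisco", "Cisco"),
]


def os_class(os_name: str) -> str:
    lower = os_name.lower()
    for keyword, cls in CLASS_RULES:
        if keyword in lower:
            return cls
    return "Other"


# Constructed sample records in the ettercap layout (not real database entries).
SAMPLE_DB = """\
# window:mss:ttl:ws:S:N:D:T:F:len:os
FFFF:05B4:80:00:1:1:1:0:S:LT:Windows XP (constructed)
16D0:05B4:40:02:1:1:1:1:S:3C:Linux 2.6 (constructed)
FFFF:_MSS:40:WS:0:0:1:0:A:LT:FreeBSD 5.x (constructed)
2000:05B4:FF:00:0:1:1:0:A:LT:Solaris 8 (constructed)
"""


def load_dataset(text: str) -> Tuple[List[List[float]], List[str]]:
    """Skip blank and comment lines, returning (feature vectors, class labels)."""
    xs, ys = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = parse_record(line)
        xs.append(to_features(fp))
        ys.append(os_class(fp.os))
    return xs, ys


if __name__ == "__main__":
    for x, y in zip(*load_dataset(SAMPLE_DB)):
        print(y, [round(v, 3) for v in x])
```

The (value, present) encoding matters more than it looks: a SYN+ACK captured from a stack that never sends an MSS option is a genuinely different signature from one where the option happened to be 1460, and collapsing both to 0 would throw that distinction away before the network ever sees it.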
As seen in Figure 3, in the state of full knowledge about the operating systems and full trust in the observed traffic, the researched neural network identifies systems with close to 100% accuracy, just like current rule-based tools. However, situations in which we can trust computers and systems we do not own are now very rare.