Article title

Passive operating system fingerprinting using neural networks and induction of decision rules

Authors
Identifiers
Title variants
Publication languages
EN
Abstracts
EN
One of the most difficult tasks for people managing a big or even medium-size computer network is determining the accurate number of hosts that are protected. This information is really helpful for accurately configuring network-based devices such as intrusion detection systems. Exact knowledge of the operating systems residing on the hosts can be useful for excluding many alerts that cannot apply to the remote operating system being examined. In this context, we consider a classification problem (we try to recognize the class of operating system) in which some of the characteristics of the system have been modified by its user or by another program (e.g. for internet connection tuning). We use neural networks (MLP, RBF) and rule induction techniques. It should be stressed that existing fingerprinting tools achieve high accuracy when tested on “clean” versions of operating systems, but they fail to detect systems with modified TCP/IP parameters.
Year
Pages
15--25
Physical description
Bibliography: 13 items, figures.
Contributors
author
  • Szczecin University of Technology, Faculty of Computer Science and Information Technology
author
  • Szczecin University of Technology, Faculty of Computer Science and Information Technology
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-7dfc1661-fc42-4fde-953e-a530e98ecc64