OS fingerprinting: New techniques and a study of information gain and obfuscation

Passive operating system fingerprinting reveals valuable information to the defenders of heterogeneous private networks; at the same time, attackers can use fingerprinting to reconnoiter networks, so defenders need obfuscation techniques to foil them. We present an effective approach to passive fingerprinting that uses data features from TLS as well as the TCP/IP and HTTP protocols in a multi-session model, which is applicable whenever several sessions can be observed within a time window. In experiments on a real-world private network, our approach identified operating system major and minor versions with accuracies of 99.4% and 97.5%, respectively, and provided significant information gain. By studying how obfuscation affects our fingerprinting system, we also show that obfuscation strategies can often be defeated, because it is difficult to manipulate the data features of all protocols at once, especially those of TLS. Because devices running unpatched operating systems on private networks create significant vulnerabilities, detecting them is critical; our approach achieved over 98% accuracy at this important goal.
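The following is an added worked example, not code from the paper, that illustrates the three ideas in the abstract: extracting discrete features from TCP/IP headers, the TLS ClientHello and the HTTP User-Agent; aggregating them over all sessions in a window (the multi-session model); and checking which obfuscation strategies change the verdict. The OS profiles, session values and the choice of a multinomial naive Bayes classifier are all my assumptions for illustration; none of the numbers are real operating-system fingerprints, and the paper's own classifier and feature set are not described in the abstract.

```python
"""Toy multi-session passive OS fingerprinter over TCP/IP, TLS and HTTP features.
Added example, not the paper's code: every profile and session below is
constructed for illustration and is NOT a real operating-system fingerprint."""
import math
from collections import Counter

# Constructed per-OS profiles (hypothetical values). os_a_1.0 and os_a_1.1 share
# their TCP/IP stack defaults and differ only in their TLS client and HTTP client.
PROFILES = {
    "os_a_1.0": dict(ttl=64, win=29200, opts="M,S,T,N,W",
                     ciphers=(0xc02b, 0xc02f, 0x009c, 0x002f), exts=(0, 10, 11, 13, 35),
                     groups=(23, 24), sigalgs=(0x0401, 0x0501), alpn=("http/1.1",),
                     ua="AppA/1.0"),
    "os_a_1.1": dict(ttl=64, win=29200, opts="M,S,T,N,W",
                     ciphers=(0x1301, 0x1302, 0xc02b, 0xc02f), exts=(0, 10, 11, 13, 43, 51),
                     groups=(29, 23, 24), sigalgs=(0x0403, 0x0804, 0x0401), alpn=("h2", "http/1.1"),
                     ua="AppA/1.1"),
    "os_b_2.0": dict(ttl=128, win=64240, opts="M,N,W,N,N,S",
                     ciphers=(0xc02c, 0xc02b, 0xc030, 0x009d), exts=(0, 10, 11, 13, 23, 65281),
                     groups=(29, 23), sigalgs=(0x0804, 0x0401), alpn=("h2",),
                     ua="AppB/2.0"),
}
TLS_FIELDS = ("ciphers", "exts", "groups", "sigalgs", "alpn")  # ClientHello fields we key on

def make_session(profile, hops, tls=True, http=True):
    """One observed TCP session from a host running `profile`, seen `hops` routers
    away (TTL decremented). A session may carry only TLS (HTTPS) or only a
    cleartext User-Agent, or neither (a bare TCP connection)."""
    s = {"ttl": profile["ttl"] - hops, "win": profile["win"], "opts": profile["opts"]}
    if tls:
        s.update({k: profile[k] for k in TLS_FIELDS})
    if http:
        s["ua"] = profile["ua"]
    return s

def session_features(s):
    """Discrete (protocol, field, value) features of a single session."""
    feats = []
    if "ttl" in s:  # recover the initial TTL: smallest common default >= observed value
        feats.append(("ip", "init_ttl", next(t for t in (32, 64, 128, 255) if s["ttl"] <= t)))
    for k in ("win", "opts"):
        if k in s:
            feats.append(("tcp", k, s[k]))
    for k in TLS_FIELDS:
        if k in s:
            feats.append(("tls", k, tuple(s[k])))
    if "ua" in s:
        feats.append(("http", "ua", s["ua"]))
    return feats

class MultiSessionClassifier:
    """Multinomial naive Bayes over the bag of features of ALL sessions in a window."""
    def __init__(self, alpha=0.5):
        self.alpha, self.counts, self.totals, self.vocab = alpha, {}, {}, set()

    def fit(self, labelled_sessions):
        for label, sessions in labelled_sessions.items():
            c = Counter(f for s in sessions for f in session_features(s))
            self.counts[label], self.totals[label] = c, sum(c.values())
            self.vocab.update(c)

    def scores(self, window):
        agg = Counter(f for s in window for f in session_features(s))  # multi-session aggregation
        out = {}
        for label, c in self.counts.items():
            denom = self.totals[label] + self.alpha * len(self.vocab)  # additive smoothing
            out[label] = sum(n * math.log((c[f] + self.alpha) / denom) for f, n in agg.items())
        return out

    def predict(self, window):
        sc = self.scores(window)
        return max(sc, key=sc.get)

def major(label):
    """Major-version label, e.g. 'os_a_1.1' -> 'os_a'."""
    return label.rsplit("_", 1)[0]

def train():
    # Three constructed training sessions per OS: full, HTTPS-only, cleartext-HTTP-only.
    data = {lab: [make_session(p, 3), make_session(p, 5, http=False), make_session(p, 2, tls=False)]
            for lab, p in PROFILES.items()}
    clf = MultiSessionClassifier()
    clf.fit(data)
    return clf

def spoof(session, decoy, fields):
    """Rewrite only the named fields that the session actually carries to the decoy
    profile's values: what a TTL/window sysctl tweak (TCP/IP) or a faked User-Agent
    (HTTP) can achieve without touching the TLS library's ClientHello."""
    s = dict(session)
    for k in fields:
        if k in s:
            s[k] = decoy["ttl"] - 3 if k == "ttl" else decoy[k]
    return s

def multi_session_gain():
    """A bare TCP session from os_a_1.1 is a perfect tie between the two os_a
    versions; adding one HTTPS session from the same window resolves it."""
    clf, p = train(), PROFILES["os_a_1.1"]
    bare = make_session(p, 3, tls=False, http=False)
    single = clf.scores([bare])
    tie = math.isclose(single["os_a_1.0"], single["os_a_1.1"])
    return tie, clf.predict([bare, make_session(p, 6, http=False)])

def obfuscation_study():
    """Which layers an os_a_1.1 host must fake to be classified as os_b_2.0."""
    clf, decoy = train(), PROFILES["os_b_2.0"]
    window = [make_session(PROFILES["os_a_1.1"], 3), make_session(PROFILES["os_a_1.1"], 4, http=False)]
    tcpip = ("ttl", "win", "opts")
    return {
        "none": clf.predict(window),
        "tcpip": clf.predict([spoof(s, decoy, tcpip) for s in window]),
        "tcpip+http": clf.predict([spoof(s, decoy, tcpip + ("ua",)) for s in window]),
        "all": clf.predict([spoof(s, decoy, tcpip + ("ua",) + TLS_FIELDS) for s in window]),
    }

if __name__ == "__main__":
    print(multi_session_gain(), obfuscation_study())
```

With these constructed profiles, faking the TCP/IP headers, or the headers plus the User-Agent, leaves the verdict at os_a_1.1 because the five ClientHello features still match only that OS; only replacing the TLS stack's ClientHello as well flips it to the decoy. The weighting that produces this outcome comes from the feature counts alone (a ClientHello contributes several independent features per session), not from any hand-tuned preference for TLS.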
