Packet Inspection for Unauthorized OS Detection in Enterprises

Many recent malware implementations employ virtual machines to carry out their malicious activities. These are hard to detect because their state cannot be accessed by antivirus software running in the native OS. An approach for OS fingerprinting using TCP SYN packets in an enterprise environment can detect the presence of unauthorized OSs.
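The detection idea in the abstract, passive OS fingerprinting of TCP SYN packets and comparing the guessed OS against what each host is authorized to run, as an added illustration that is not code from the paper: it parses a raw IPv4/TCP SYN, extracts the fields that differ between TCP stacks (TTL, DF bit, window, MSS, option order), matches them against a small signature table, and flags hosts whose guessed OS is not on their allow list. The two signatures, the host allow list and the packets are constructed sample data, not values from the paper; a real deployment would derive signatures from its own captures.

```python
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SynFingerprint:
    src: str
    ttl: int
    window: int
    df: bool
    mss: Optional[int]
    options: tuple  # TCP option kinds in the order the stack emitted them

def parse_syn(packet: bytes) -> Optional[SynFingerprint]:
    """Return the fingerprint of an IPv4/TCP SYN (SYN set, ACK clear), else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    flags_frag, = struct.unpack("!H", packet[6:8])
    ttl, proto = packet[8], packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    if proto != 6:
        return None
    tcp = packet[ihl:]
    if len(tcp) < 20:
        return None
    data_off = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02:          # SYN must be set, ACK must be clear
        return None
    window, = struct.unpack("!H", tcp[14:16])
    opts, kinds, mss, i = tcp[20:data_off], [], None, 0
    while i < len(opts):                # walk TCP options, tolerating truncation
        kind = opts[i]
        if kind == 0:                   # End of Option List
            break
        if kind == 1:                   # NOP has no length byte
            kinds.append(1); i += 1; continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break
        if kind == 2 and length == 4:   # Maximum Segment Size
            mss, = struct.unpack("!H", opts[i + 2:i + 4])
        kinds.append(kind)
        i += length
    return SynFingerprint(src, ttl, window, bool(flags_frag & 0x4000), mss, tuple(kinds))

def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value (hop count unknown)."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255

# Illustrative signatures (initial TTL, DF set, option order); constructed for this example.
SIGNATURES = {
    "linux-like": (64, True, (2, 4, 8, 1, 3)),
    "windows-like": (128, True, (2, 1, 3, 1, 1, 4)),
}

def classify(fp: SynFingerprint) -> str:
    for name, (ttl, df, kinds) in SIGNATURES.items():
        if initial_ttl(fp.ttl) == ttl and fp.df == df and fp.options == kinds:
            return name
    return "unknown"

def audit(packets, authorized: dict) -> list:
    """Return (src, guessed_os) for SYNs whose guessed OS is not authorized for that host."""
    findings = []
    for pkt in packets:
        fp = parse_syn(pkt)
        if fp is None:
            continue
        guess = classify(fp)
        if guess not in authorized.get(fp.src, set()):
            findings.append((fp.src, guess))
    return findings

def build_syn(src: bytes, ttl: int, df: bool, window: int, options: bytes, flags: int = 0x02) -> bytes:
    """Construct a sample IPv4/TCP segment (checksums zero; test data, not a real capture)."""
    tcp_len = 20 + len(options)
    assert tcp_len % 4 == 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0, src, bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4, flags, window, 0, 0)
    return ip + tcp + options

# Constructed option blobs matching the two signatures above.
LINUX_OPTS = bytes([2, 4, 0x05, 0xB4, 4, 2, 8, 10]) + b"\x00" * 8 + bytes([1, 3, 3, 7])
WINDOWS_OPTS = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 8, 1, 1, 4, 2])

if __name__ == "__main__":
    allowed = {"10.0.0.5": {"windows-like"}}   # constructed inventory: host 10.0.0.5 should run Windows
    seen = [build_syn(bytes([10, 0, 0, 5]), 63, True, 29200, LINUX_OPTS)]
    print(audit(seen, allowed))              # a Linux-like stack on a Windows-only host is reported
```

The TTL rounding assumes the sender is fewer than 32 hops away; a guest VM with bridged or NAT networking presents its own stack, which is exactly why the SYN looks different from the authorized host OS. Window size is parsed but deliberately not matched, since it varies with interface MTU and kernel tuning.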
