Passive OS fingerprinting methods in the jungle of wireless networks

Operating system fingerprinting methods are well known in the domain of static networks and managed environments. Yet few studies have tackled this challenge in real networks, where users can bring and connect any device. We evaluate the performance of three OS fingerprinting methods on a large dataset collected from a university wireless network. Our results show that the method based on HTTP User-Agent headers is the most accurate but can label only a small fraction of the traffic. The method based on TCP/IP parameters proved to be the opposite: high coverage but low accuracy. We also implemented a new method based on detecting communication with OS-specific domains. Its performance is comparable to the two established methods. Next, we discuss the impact of traffic encryption and of the adoption of new protocols such as IPv6 and HTTP/2 on OS fingerprinting. Our findings suggest that OS identification based on detecting OS-specific domains is viable and matches the current direction of network traffic evolution, while methods based on TCP/IP parameters and User-Agent headers will become ineffective in the future.
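The three methods compared in the abstract, and the coverage-versus-accuracy trade-off between them, as an added example that is not the paper's code or dataset. It assumes a per-flow record with a small field set (source address, observed IP TTL, TCP SYN window, plaintext HTTP User-Agent, DNS query name); the signature tables (p0f-style TTL/window pairs, User-Agent tokens, update and connectivity-check hostnames) and the five labelled hosts are constructed for illustration, not taken from the paper.

```python
"""Three passive OS fingerprinting methods over constructed flow records.

Added example, not the paper's code. Signature tables are illustrative
assumptions (TCP/IP values in the style of p0f, update/telemetry hostnames
as OS-specific domains), not the paper's fingerprint database.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Flow:
    """One exported flow record (assumed field set; a real source is IPFIX or pcap)."""
    src: str
    ttl: Optional[int] = None          # IP TTL as observed at the probe
    win: Optional[int] = None          # TCP window from the client's SYN (TCP flows only)
    user_agent: Optional[str] = None   # HTTP/1.x User-Agent, visible only in plaintext HTTP
    dns_qname: Optional[str] = None    # DNS query name (DNS flows only)


# Method 1: HTTP User-Agent tokens. Order matters: Android UAs also contain
# "Linux" and iPhone UAs also contain "Mac OS X".
UA_TOKENS = (("Windows NT", "Windows"), ("iPhone", "iOS"), ("Android", "Android"),
             ("Mac OS X", "macOS"), ("Linux", "Linux"))


def by_user_agent(f: Flow) -> Optional[str]:
    if not f.user_agent:
        return None
    for token, os_name in UA_TOKENS:
        if token in f.user_agent:
            return os_name
    return None


# Method 2: TCP/IP parameters (initial TTL + SYN window).
def initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common initial value (each hop decrements it)."""
    for init in (32, 64, 128, 255):
        if observed <= init:
            return init
    return 255


TCPIP_SIGS: dict[tuple[int, int], str] = {   # (initial TTL, SYN window) -> OS; assumed values
    (128, 8192): "Windows",
    (128, 65535): "Windows",
    (64, 65535): "macOS",      # iOS and many Android stacks collide with this entry
    (64, 29200): "Linux",
    (64, 14600): "Linux",
}


def by_tcpip(f: Flow) -> Optional[str]:
    if f.ttl is None or f.win is None:
        return None
    return TCPIP_SIGS.get((initial_ttl(f.ttl), f.win))


# Method 3: OS-specific domains (suffix match on the DNS query name).
DOMAIN_SIGS = (
    ("windowsupdate.com", "Windows"), ("msftconnecttest.com", "Windows"),
    ("mesu.apple.com", "iOS"), ("swscan.apple.com", "macOS"),
    ("android.clients.google.com", "Android"), ("connectivitycheck.gstatic.com", "Android"),
)


def by_domain(f: Flow) -> Optional[str]:
    if not f.dns_qname:
        return None
    q = f.dns_qname.rstrip(".").lower()
    for suffix, os_name in DOMAIN_SIGS:
        if q == suffix or q.endswith("." + suffix):
            return os_name
    return None


def evaluate(method: Callable[[Flow], Optional[str]], flows: list[Flow],
             truth: dict[str, str]) -> tuple[float, float]:
    """Coverage: share of records the method labels. Accuracy: share of those labels that are right."""
    decided = [(p, truth[f.src]) for f in flows if (p := method(f)) is not None]
    coverage = len(decided) / len(flows)
    accuracy = sum(p == t for p, t in decided) / len(decided) if decided else 0.0
    return coverage, accuracy


# Constructed records for five hosts; the ground truth is part of the demo, not measured.
TRUTH = {"10.0.0.1": "Windows", "10.0.0.2": "iOS", "10.0.0.3": "Android",
         "10.0.0.4": "Linux", "10.0.0.5": "macOS"}
FLOWS = [
    Flow("10.0.0.1", ttl=127, win=8192),
    Flow("10.0.0.1", ttl=127, win=8192, user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"),
    Flow("10.0.0.1", ttl=127, dns_qname="ctldl.windowsupdate.com"),
    Flow("10.0.0.2", ttl=63, win=65535),                       # iPhone: all HTTP runs over TLS
    Flow("10.0.0.2", ttl=63, dns_qname="mesu.apple.com"),
    Flow("10.0.0.3", ttl=61, win=65535, user_agent="Mozilla/5.0 (Linux; Android 11; Pixel 5) Chrome/114.0 Mobile Safari/537.36"),
    Flow("10.0.0.3", ttl=61, dns_qname="connectivitycheck.gstatic.com"),
    Flow("10.0.0.4", ttl=64, win=29200),
    Flow("10.0.0.4", ttl=64, dns_qname="example.org"),         # generic domain, no OS signal
    Flow("10.0.0.5", ttl=60, win=65535, user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"),
    Flow("10.0.0.5", ttl=60, dns_qname="swscan.apple.com"),
]

if __name__ == "__main__":
    for name, method in (("User-Agent", by_user_agent), ("TCP/IP", by_tcpip), ("Domains", by_domain)):
        cov, acc = evaluate(method, FLOWS, TRUTH)
        print(f"{name:11s} coverage={cov:.2f} accuracy={acc:.2f}")
```

On these constructed records the User-Agent method labels 3 of 11 records, all correctly; the TCP/IP method labels 6 of 11 but gets only 4 right, because the iPhone and the Android device share the `(64, 65535)` signature with macOS; the domain method labels 4 of 11, all correctly, and misses the host that only queried a generic domain. The same dependencies the abstract discusses show up as field availability: the User-Agent is absent as soon as HTTP moves to TLS or HTTP/2, the SYN window disappears for QUIC (UDP) traffic, and the domain method only works while the query name is observable, which encrypted DNS would remove.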
