论文信息 - Ambiguity Resolution via Passive OS Fingerprinting

Ambiguity Resolution via Passive OS Fingerprinting

With more widespread use of tools (such as fragrouter and fragroute [11]) that exploit differences in common operating systems to evade IDS detection, it has become more important for IDS sensors to accurately represent the variety of end hosts’ network stacks. The approach described in this paper uses the passively detected OS fingerprint of the end host in an attempt to correctly resolve ambiguities between different network stack implementations. Additionally, a new technique is described to increase the confidence level of a fingerprint match by looking more extensively at TCP connection negotiations.

Greg Taleck | Greg Taleck

[1] Douglas Comer,et al. Probing TCP Implementations , 1994, USENIX Summer.

[2] Vern Paxson,et al. Automated packet trace analysis of TCP implementations , 1997, SIGCOMM '97.

[3] Vern Paxson,et al. Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[4] Thomas Henry Ptacek,et al. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection , 1998 .

[5] John Linwood Griffin,et al. Testing Protocol Implementation Robustness , 1999 .

[6] Sally Floyd,et al. Identifying the tcp behavior of web servers , 2000, SIGCOMM 2000.

[7] Farnam Jahanian,et al. Defeating TCP/IP Stack Fingerprinting , 2000, USENIX Security Symposium.

[8] Mark Handley,et al. Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics , 2001, USENIX Security Symposium.

[9] Franck Veysset,et al. New Tool And Technique For Remote Operating System Fingerprinting , 2002 .

[10] Vern Paxson,et al. Active mapping: resisting NIDS evasion without altering traffic , 2003, 2003 Symposium on Security and Privacy, 2003..