A hybrid approach to operating system discovery based on diagnosis theory

Motivated by the growing need to know which operating systems are running on a given network, we evaluated existing operating system discovery (OSD) tools. The results indicated a serious lack of accuracy in current OSD tools. This thesis proposes a new approach to OS discovery that addresses the limitations of existing tools and leads to a more flexible, less intrusive, and much more accurate tool. Moreover, unlike existing OSD tools, which are entirely ad hoc, our approach is formal and follows the principles of diagnosis problem solving. This formalism allows us to: (a) characterize the complexity of OSD; (b) use well-tested algorithms; and (c) benefit from numerous possible extensions. To fully address the needs of OSD, we generalize the theory of diagnosis with a query-based extension. This extension leads to a spectrum of test-selection algorithms for solving each kind of query.
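The following is an added illustration of the idea the abstract describes, not code from the thesis: OS discovery treated as consistency-based diagnosis (candidate operating systems are hypotheses, probes are tests, and a candidate survives only while its signature agrees with every observation), with probe selection driven by the query being asked. The candidate names (`os_a` .. `os_e`), probe names (`ttl`, `win`, `df`, `ts`), their values, and the two queries are all constructed for the example and are not real TCP/IP fingerprints; the greedy worst-case selection rule is one simple member of the family of test-selection strategies, chosen here for clarity rather than taken from the thesis.

```python
"""Operating-system discovery (OSD) cast as consistency-based diagnosis with
query-driven test selection.  Illustrative model only: the candidate OS names,
probe names and observed values below are constructed for this example and are
not real TCP/IP stack fingerprints or the thesis's own algorithm."""

# Constructed toy fingerprint table: candidate OS -> {probe: expected observation}.
CANDIDATES = {
    "os_a": {"ttl": 64,  "win": 5840,  "df": 1, "ts": 1},
    "os_b": {"ttl": 64,  "win": 29200, "df": 1, "ts": 1},
    "os_c": {"ttl": 128, "win": 8192,  "df": 1, "ts": 0},
    "os_d": {"ttl": 128, "win": 65535, "df": 0, "ts": 0},
    "os_e": {"ttl": 255, "win": 65535, "df": 0, "ts": 1},
}

# Two queries over the same hypothesis space (constructed): the exact OS, and
# only its family.  A query maps each candidate to the answer it would yield.
EXACT_QUERY = {os_name: os_name for os_name in CANDIDATES}
FAMILY_QUERY = {"os_a": "fam1", "os_b": "fam1", "os_c": "fam2",
                "os_d": "fam2", "os_e": "fam3"}


def diagnose(observations, candidates=CANDIDATES):
    """Consistency-based diagnosis: the candidates whose signature agrees with
    every observation made so far.  An empty result means no known OS fits."""
    return {os_name for os_name, sig in candidates.items()
            if all(sig[probe] == value for probe, value in observations.items())}


def answers(consistent, query):
    """Answers to the query still possible given the consistent candidates."""
    return {query[os_name] for os_name in consistent}


def select_probe(consistent, query, probes_left):
    """Greedy test selection for a query: choose the probe whose worst-case
    outcome leaves the fewest distinct query answers.  Tie-break on the number
    of distinct outcomes, then on the name, so selection is deterministic."""
    def score(probe):
        by_outcome = {}
        for os_name in consistent:
            by_outcome.setdefault(CANDIDATES[os_name][probe], set()).add(os_name)
        worst = max(len(answers(group, query)) for group in by_outcome.values())
        return (worst, -len(by_outcome), probe)
    return min(probes_left, key=score)


def discover(observe, query, probes=("ttl", "win", "df", "ts")):
    """Send probes to a target until the query is answered (one possible answer
    left), the target is inconsistent with every candidate, or probes run out.
    `observe(probe)` returns the target's response to that probe.
    Returns (answer or None, list of probes actually sent)."""
    observations, sent = {}, []
    probes_left = set(probes)
    while True:
        consistent = diagnose(observations)
        possible = answers(consistent, query)
        if len(possible) <= 1 or not probes_left:
            return (possible.pop() if len(possible) == 1 else None, sent)
        probe = select_probe(consistent, query, probes_left)
        probes_left.remove(probe)
        observations[probe] = observe(probe)
        sent.append(probe)


def simulated_target(os_name, table=CANDIDATES):
    """Constructed stand-in for sending packets: answers probes as os_name would."""
    return lambda probe: table[os_name][probe]


if __name__ == "__main__":
    print(discover(simulated_target("os_d"), EXACT_QUERY))   # exact OS needs two probes
    print(discover(simulated_target("os_d"), FAMILY_QUERY))  # family query needs one
    print(discover(lambda probe: 32, EXACT_QUERY))           # unknown stack: no diagnosis
```

The point of the two queries is the one the abstract makes: the same hypothesis space and the same probes support different questions, and a coarser query ("which family?") can be settled with fewer, less intrusive probes than an exact identification, while a target that matches no candidate yields an empty diagnosis instead of a forced guess.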
