Towards Identification of Operating Systems from the Internet Traffic - IPFIX Monitoring with Fingerprinting and Clustering

Petr Matoušek, Ondřej Ryšavý, Matěj Grégr, Martin Vymlátil

2014

Abstract

This paper deals with identification of operating systems (OSs) from Internet traffic. Every packet injected onto the network carries specific information in its packet headers that reflects the initial settings of the host's operating system. The set of such features forms a fingerprint. An OS fingerprint usually includes the initial TTL value, the initial TCP window size, a set of specific TCP options, and other values obtained from the IP and TCP headers. Identification of OSs can be useful for monitoring traffic on a local network and also for security purposes. In this paper we focus on passive fingerprinting using TCP SYN packets, incorporated into an IPFIX probe. Our tool enhances standard IPFIX records with additional information about OSs and then sends the records to an IPFIX collector, where network statistics are stored and presented to the network administrator. If identification is not successful, a further HTTP header check is employed and the fingerprinting database in the probe is updated. Our fingerprinting technique can be extended using cluster analysis, as presented in this paper. As we show, clustering adds flexibility and dynamics to the fingerprinting. We also discuss the impact of the IPv6 protocol on passive fingerprinting.
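As an added illustration of the passive SYN fingerprinting the abstract describes (example code written for this page, not the authors' IPFIX probe): it parses a raw IPv4/TCP SYN, rounds the observed TTL up to an assumed initial TTL, reads the window size and the TCP option layout, looks the resulting triple up in a small hypothetical fingerprint table, and falls back to the HTTP User-Agent header when the triple is unknown, recording the newly learned signature the way the abstract says the probe's database is updated. The packets, the fingerprint entries, the option-letter notation and the User-Agent hints are all constructed for this example; the clustering extension is not shown.

```python
import struct

# Constructed fingerprint database: (initial TTL, TCP window, option layout)
# -> OS label. The entries are hypothetical illustrations, not the paper's
# database. Option letters: M=MSS, N=NOP, W=window scale, S=SACK-permitted,
# T=timestamps, E=end-of-list.
FINGERPRINTS = {
    (64, 29200, "M,S,T,N,W"): "example-linux-like",
    (128, 8192, "M,N,W,N,N,S"): "example-windows-like",
    (64, 65535, "M,N,W,N,N,T,S,E"): "example-bsd-like",
}
OPTION_LETTERS = {0: "E", 1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}

# User-Agent substrings used by the fallback check when the SYN signature is
# unknown (an assumption of this example, not the paper's rule set).
UA_HINTS = (("Windows", "example-windows-like"),
            ("Linux", "example-linux-like"),
            ("Mac OS X", "example-bsd-like"))


def initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial value."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255


def parse_syn(packet):
    """Extract (initial TTL, window, option layout) from an IPv4/TCP SYN.

    Returns None for anything that is not a pure SYN (SYN set, ACK clear)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 20:
        return None
    tcp = packet[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02 or len(tcp) < data_offset:
        return None
    window = struct.unpack("!H", tcp[14:16])[0]
    opts = tcp[20:data_offset]
    layout, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            layout.append("E")
            break
        if kind == 1:                      # NOP carries no length byte
            layout.append("N")
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                          # malformed option: stop parsing
        layout.append(OPTION_LETTERS.get(kind, str(kind)))
        i += opts[i + 1]
    return initial_ttl(packet[8]), window, ",".join(layout)


def identify(packet, http_headers=None):
    """Return an OS label for a SYN; fall back to HTTP headers when the
    signature is unknown and learn the signature if the fallback succeeds."""
    sig = parse_syn(packet)
    if sig is None:
        return None
    label = FINGERPRINTS.get(sig)
    if label is None and http_headers:
        ua = http_headers.get("User-Agent", "")
        for token, hinted in UA_HINTS:
            if token in ua:
                FINGERPRINTS[sig] = hinted  # database update, as in the probe
                return hinted
    return label


def build_syn(ttl, window, options):
    """Build a minimal IPv4/TCP SYN (constructed test input, checksums zero)."""
    assert len(options) % 4 == 0
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      ((20 + len(options)) // 4) << 4, 0x02, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(options), 0, 0x4000,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + options


MSS, SACK, NOP, WS, EOL = b"\x02\x04\x05\xb4", b"\x04\x02", b"\x01", b"\x03\x03\x07", b"\x00"
TS = b"\x08\x0a" + b"\x00" * 8
LINUX_OPTS = MSS + SACK + TS + NOP + WS                            # 20 bytes
WINDOWS_OPTS = MSS + NOP + WS + NOP + NOP + SACK                   # 12 bytes
BSD_OPTS = MSS + NOP + WS + NOP + NOP + TS + SACK + EOL + b"\x00"  # 24 bytes

if __name__ == "__main__":
    print(identify(build_syn(62, 29200, LINUX_OPTS)))   # example-linux-like
    unknown = build_syn(50, 5840, LINUX_OPTS)
    print(identify(unknown))                            # None: window not in table
    print(identify(unknown, {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}))
    print(identify(unknown))                            # example-linux-like: learned
```

The TTL rounding is the usual practitioner shortcut (hosts ship with 32, 64, 128 or 255 and each router hop decrements by one), and the option layout matters as much as the values because stacks differ in where they place NOP padding. A real probe would also key on IPv6 hop limit and would not trust User-Agent blindly, since it is trivially spoofed.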



Paper Citation


in Harvard Style

Matoušek P., Ryšavý O., Grégr M. and Vymlátil M. (2014). Towards Identification of Operating Systems from the Internet Traffic - IPFIX Monitoring with Fingerprinting and Clustering. In Proceedings of the 5th International Conference on Data Communication Networking - Volume 1: DCNET, (ICETE 2014) ISBN 978-989-758-042-0, pages 21-27. DOI: 10.5220/0005099500210027


in Bibtex Style

@conference{dcnet14,
author={Petr Matoušek and Ondřej Ryšavý and Matěj Grégr and Martin Vymlátil},
title={Towards Identification of Operating Systems from the Internet Traffic - IPFIX Monitoring with Fingerprinting and Clustering},
booktitle={Proceedings of the 5th International Conference on Data Communication Networking - Volume 1: DCNET, (ICETE 2014)},
year={2014},
pages={21-27},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005099500210027},
isbn={978-989-758-042-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 5th International Conference on Data Communication Networking - Volume 1: DCNET, (ICETE 2014)
TI - Towards Identification of Operating Systems from the Internet Traffic - IPFIX Monitoring with Fingerprinting and Clustering
SN - 978-989-758-042-0
AU - Matoušek P.
AU - Ryšavý O.
AU - Grégr M.
AU - Vymlátil M.
PY - 2014
SP - 21
EP - 27
DO - 10.5220/0005099500210027