A Multi-Packet Signature Approach to Passive Operating System Detection
Abstract
Remote operating system discovery can provide valuable contextual information about the computers connected to a network. In particular, it can help identify potentially vulnerable computers and can help prioritize alarms and responses during an attack. The Network Security Research Group at the Communications Research Centre (CRC) has developed novel techniques for passive operating system discovery. The methodology derives a signature from a set of packets. The tests are conducted passively on regular traffic: they are non-intrusive and do not rely on access to application or user data, and because they are passive they consume no bandwidth and do not disrupt network assets. Over a dozen tests have been developed to analyse the headers of packets seen on a network; they examine the headers of several protocols: ARP, IP, ICMP, UDP and TCP. This document describes the tests in detail. They have been implemented in a prototype written in Java, which includes a database containing the "fingerprints" of almost 200 operating system versions. The prototype was used to collect these signatures from our testbed and was also run on real user traffic for a preliminary evaluation of the tests' performance.
Document Details
- Document Type: Technical Report
- Publication Date: Jan 01, 2005
- Accession Number: ADA436420
Entities
People
- Annie De Montigny-Leboeuf
Organizations
- Defence Research and Development Canada