A Multi-Packet Signature Approach to Passive Operating System Detection

Authors
De Montigny-Leboeuf, A.
Corporate Authors
Defence R&D Canada - Ottawa, Ottawa ONT (CAN);Communications Research Centre, Ottawa ONT (CAN)
Abstract
Remote operating system discovery can provide valuable contextual information regarding the computers connected to the network. In particular, operating system discovery can help identify potentially vulnerable computers and may help prioritize alarms and responses in times of attack. The Network Security Research Group at the Communications Research Centre (CRC) has developed novel techniques for passive operating system discovery. The methodology developed allows derivation of a signature from a set of packets. The tests are conducted passively on regular traffic. They are non-intrusive and do not rely on access to application or user data. Because they are passive, the techniques do not consume bandwidth and do not disrupt network assets. Over a dozen tests have been developed to analyse headers of packets seen on a network. The tests are conducted on headers of various types of protocols: ARP, IP, ICMP, UDP and TCP. This document describes the tests in detail. They have been implemented in a prototype written in Java, which includes a database containing the “fingerprints” of almost 200 versions of operating systems. The prototype was used to collect these signatures from our testbed and was also used on real user traffic for preliminary evaluation of the tests’ performance.

A summary in French is also available.

Keywords
passive network traffic monitoring;operating system fingerprinting;multi-packet signatures
Report Number
DRDC-OTTAWA-TM-2005-018;CRC-TN-2005-001 — Technical Memorandum; Technical Note
Date of publication
01 Jan 2005
Number of Pages
182
DSTKIM No
CA025684
CANDIS No
523389
Format(s):
CD ROM
