Computational Intelligence in Digital Forensics: Forensic Investigation and Applications, pp. 253-283
Learning Remote Computer Fingerprinting
Abstract
Remote characterization and identification of computers has many applications in network security and forensics. In network forensics, it can be combined with intrusion detection systems to characterize the suspicious machines of remote attackers. The characterization of a remote computer is based on the analysis of network data that originates from it. The classical approach is to exploit peculiar characteristics of different implementations of network protocols at each layer of the protocol stack: link, network, transport and application. Recent work shows that computational intelligence techniques can improve identification performance over classical classification algorithms and tools. This chapter presents some advances in this area and surveys the use of computational intelligence for the remote identification of computers and its applications to network forensics.
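The abstract contrasts classical signature matching with more tolerant, learned classifiers. The following example, added here and not part of the chapter, makes that contrast concrete at the transport layer: it extracts the usual passive-fingerprinting features from a raw IPv4/TCP SYN (initial TTL, window size, DF bit, MSS, window scale, SACK and timestamp options, option order), then classifies them once by exact lookup and once by a weighted nearest-neighbour distance. The signature table and the SYN packets are constructed for illustration; the values are not taken from any real operating system or fingerprint database, and nearest-neighbour matching stands in for the neural and other learned classifiers the chapter surveys.

```python
"""Passive TCP SYN fingerprinting: exact-match lookup versus a tolerant
nearest-neighbour classifier over a small constructed signature table."""
import struct

# Constructed signatures: (name, initial_ttl, window, df, mss, wscale, sack, ts, option_order).
# Illustrative values only; NOT taken from any real OS or fingerprint database.
SIGNATURES = [
    ("os_alpha", 64, 65535, 1, 1460, 7, 1, 1, "MSS,SACK,TS,NOP,WS"),
    ("os_beta", 128, 8192, 1, 1460, 8, 1, 0, "MSS,NOP,WS,NOP,NOP,SACK"),
    ("os_gamma", 255, 16384, 0, 1460, 0, 0, 1, "MSS,NOP,TS"),
]

# TCP options matching os_alpha: MSS 1460, SACK-permitted, timestamps, NOP, window scale 7.
OS_ALPHA_OPTS = [2, 4, 0x05, 0xB4, 4, 2, 8, 10] + [0] * 8 + [1, 3, 3, 7]


def build_syn(ttl, window, df, options):
    """Constructed IPv4+TCP SYN with no link layer; checksums left zero, which is
    enough for feature extraction (a real capture would have them filled in)."""
    opts = bytes(options)
    opts += b"\x00" * (-len(opts) % 4)          # pad options to a 32-bit boundary
    doff = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return ip + tcp


def parse_ipv4_tcp_syn(pkt):
    """Extract the fingerprint features from a raw IPv4+TCP header."""
    ihl = (pkt[0] & 0x0F) * 4
    df = (struct.unpack("!H", pkt[6:8])[0] >> 14) & 1   # DF is bit 14 of flags/fragment
    ttl = pkt[8]
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    opts = tcp[20:doff]
    mss = wscale = sack = ts = 0
    order, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # EOL: stop
            order.append("EOL"); break
        if kind == 1:                       # NOP: single byte, no length field
            order.append("NOP"); i += 1; continue
        length = opts[i + 1]
        if length < 2:                      # malformed option: refuse to loop forever
            break
        if kind == 2:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]; order.append("MSS")
        elif kind == 3:
            wscale = opts[i + 2]; order.append("WS")
        elif kind == 4:
            sack = 1; order.append("SACK")
        elif kind == 8:
            ts = 1; order.append("TS")
        else:
            order.append("OPT%d" % kind)
        i += length
    return {"ttl": ttl, "window": window, "df": df, "mss": mss,
            "wscale": wscale, "sack": sack, "ts": ts, "opts": ",".join(order)}


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value (32/64/128/255),
    undoing the decrement applied by each router on the path."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255


def exact_match(f):
    """Classical approach: every field must equal a stored signature."""
    key = (f["ttl"], f["window"], f["df"], f["mss"], f["wscale"], f["sack"], f["ts"], f["opts"])
    for name, *sig in SIGNATURES:
        if key == tuple(sig):
            return name
    return None


def nearest_match(f):
    """Tolerant approach: weighted distance with TTL normalised to its initial value
    and the window compared by relative deviation. Returns (name, distance)."""
    best = (None, float("inf"))
    for name, ttl, win, df, mss, ws, sack, ts, opts in SIGNATURES:
        d = 0.0 if initial_ttl(f["ttl"]) == ttl else 3.0
        d += min(abs(f["window"] - win) / win, 1.0)
        d += (f["df"] != df) + (f["mss"] != mss) + (f["wscale"] != ws)
        d += (f["sack"] != sack) + (f["ts"] != ts)
        d += 0.0 if f["opts"] == opts else 2.0
        if d < best[1]:
            best = (name, d)
    return best


if __name__ == "__main__":
    local = parse_ipv4_tcp_syn(build_syn(64, 65535, 1, OS_ALPHA_OPTS))
    remote = parse_ipv4_tcp_syn(build_syn(51, 65535, 1, OS_ALPHA_OPTS))  # 13 hops away
    print("local :", exact_match(local), nearest_match(local))
    print("remote:", exact_match(remote), nearest_match(remote))
```

The second packet is the same stack seen after 13 hops: the TTL has dropped to 51, so exact lookup fails, while the tolerant classifier still returns os_alpha at distance 0. That gap, between brittle exact signatures and classifiers that generalize over hop count, middlebox window rewriting and minor stack tuning, is what the abstract refers to when it says computational intelligence improves on classical matching.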
Keywords
Network stack fingerprinting; Intelligent detection system; Remote computer fingerprinting