An Effective TCP/IP Fingerprinting Technique Based on Strange Attractors Classification

  • João Paulo S. Medeiros
  • Agostinho M. Brito Jr.
  • Paulo S. Motta Pires
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5939)

Abstract

We propose a new technique to perform TCP/IP (Transmission Control Protocol/Internet Protocol) stack fingerprinting. Our technique relies on chaotic dynamics theory and artificial neural networks applied to TCP ISN (Initial Sequence Number) samples, making it possible to associate strange attractors with operating systems. We show that it is possible to recognize operating systems using only an open TCP port on the target machine. We also present results showing that our technique cannot be fooled by Honeyd or affected by PAT (Port Address Translation) environments.
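The abstract describes turning a series of TCP ISN samples into a "strange attractor" representation and then classifying that representation. The block below is an added example, not code from the paper: it builds the delayed-coordinate embedding popularised by Zalewski's 2001 TCP sequence number analysis (points of successive ISN differences) and measures how much of the 32-bit space the resulting cloud occupies. The spread metric, the classification threshold and the three ISN generators are constructed assumptions for illustration; the paper's own feature extraction and neural-network classifier are not on this page. From a defender's side the same construction is what you would run against your own hosts to check whether an ISN generator is so regular that its attractor alone gives the stack away (the weakness RFC 1948 and CERT CA-2001-09 address).

```python
"""Delayed-coordinate (attractor) view of TCP ISN samples.

Added example, not the paper's code.  From consecutive ISNs s[n] we take
signed first differences d[n] = s[n] - s[n-1] (wrapping at 2**32) and form
points (d[n-2], d[n-1], d[n]).  A predictable generator yields a compact,
low-dimensional cloud; a well-randomised generator fills the space.  The
spread metric and threshold below are illustrative assumptions.
"""
import random
from typing import List, Tuple

MOD = 2 ** 32
Point = Tuple[int, int, int]


def signed_delta(a: int, b: int) -> int:
    """Difference b - a of two 32-bit ISNs, mapped to the signed range."""
    d = (b - a) % MOD
    return d - MOD if d >= MOD // 2 else d


def attractor_points(isns: List[int]) -> List[Point]:
    """Delayed-coordinate embedding of an ISN series (Zalewski-style)."""
    deltas = [signed_delta(a, b) for a, b in zip(isns, isns[1:])]
    return [(deltas[i - 2], deltas[i - 1], deltas[i])
            for i in range(2, len(deltas))]


def attractor_spread(points: List[Point]) -> float:
    """Mean per-axis extent of the point cloud, normalised to 0..1
    against the full 32-bit range (assumed feature, not the paper's)."""
    if not points:
        return 0.0
    extents = [max(p[k] for p in points) - min(p[k] for p in points)
               for k in range(3)]
    return sum(extents) / (3 * MOD)


def classify_generator(isns: List[int], threshold: float = 0.05) -> str:
    """Toy verdict on an ISN series; threshold is an assumption."""
    spread = attractor_spread(attractor_points(isns))
    return "predictable" if spread < threshold else "unpredictable"


# --- constructed ISN generators (not captured from real hosts) -------------

def constant_increment_isns(n: int, start: int = 12345,
                            step: int = 64000) -> List[int]:
    """Fixed increment per connection: every delta identical."""
    return [(start + i * step) % MOD for i in range(n)]


def jittered_increment_isns(n: int, seed: int, start: int = 12345,
                            step: int = 64000, jitter: int = 256) -> List[int]:
    """Fixed increment plus a little noise: a tight, still-structured cloud."""
    rng = random.Random(seed)
    isns, cur = [], start
    for _ in range(n):
        isns.append(cur % MOD)
        cur += step + rng.randint(-jitter, jitter)
    return isns


def random_isns(n: int, seed: int) -> List[int]:
    """Uniformly random 32-bit ISNs: the cloud fills the whole space."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    for name, series in [("constant", constant_increment_isns(200)),
                         ("jittered", jittered_increment_isns(200, seed=3)),
                         ("random", random_isns(200, seed=7))]:
        pts = attractor_points(series)
        print(f"{name:9s} spread={attractor_spread(pts):.6f} "
              f"-> {classify_generator(series)}")
```

Running the block prints one line per constructed generator; the two increment-based series collapse to a spread near zero and are flagged "predictable", while the random series spreads across most of the range. On real traffic you would feed `attractor_points` the ISNs from a capture of repeated connections to the same port, which is all the abstract says the technique needs.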

Keywords

Transmission Control Protocol, Strange Attractor, Fingerprinting Technique, Attractor Representation, Target Machine

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • João Paulo S. Medeiros (1)
  • Agostinho M. Brito Jr. (1)
  • Paulo S. Motta Pires (1)

  1. LabSIN - Security Information Laboratory, Department of Computer Engineering and Automation (DCA), Federal University of Rio Grande do Norte (UFRN), Natal, Brazil