Learning Remote Computer Fingerprinting

  • João P. Souza Medeiros
  • João B. Borges Neto
  • Agostinho M. Brito Júnior
  • Paulo S. Motta Pires
Part of the Studies in Computational Intelligence book series (SCI, volume 555)

Abstract

The process of remotely characterizing and identifying computers has many applications in network security and forensics. In network forensics, this process can be used together with intrusion detection systems to characterize the suspicious machines of remote attackers. The characterization of a remote computer is based on the analysis of network data originating from that machine. The classical approach is to exploit peculiar characteristics of the different implementations of network protocols at each layer of the protocol stack, i.e. the link, network, transport and application layers. Recent works show that the use of computational intelligence techniques can improve identification performance when compared to classical classification algorithms and tools. This chapter presents some advances in this area and surveys the use of computational intelligence for the remote identification of computers and its applications to network forensics.
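As an added illustration of the contrast the abstract draws between classical signature matching and more tolerant, learned classification (example code written for this page, not taken from the chapter): a passive fingerprinter parses one TCP SYN, extracts the stack-specific fields that differ between protocol implementations, and compares exact matching against a distance-based match that still classifies the host when a field such as the window size drifts. The packet bytes, the signature table and the placeholder labels os-A/os-B/os-C are all constructed for the example.

```python
import struct

# Constructed sample: IPv4 header + TCP SYN with options. The values are
# fabricated for illustration, not captured from a real host.
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
TCP_OPTS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + bytes(8)
            + b"\x01" + b"\x03\x03\x07")          # MSS, SACK-ok, TS, NOP, WS=7
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 0xA0, 0x02, 29200, 0, 0)
SAMPLE_SYN = IP_HDR + TCP_HDR + TCP_OPTS

# Hypothetical signature table keyed by placeholder labels (not real OS data).
SIGNATURES = {
    "os-A": dict(ittl=64, df=True, window=29200, mss=1460, wscale=7, layout="MSTNW"),
    "os-B": dict(ittl=128, df=True, window=8192, mss=1460, wscale=8, layout="MNWNNS"),
    "os-C": dict(ittl=64, df=False, window=65535, mss=1460, wscale=None, layout="MNNSNW"),
}

def extract_features(pkt: bytes) -> dict:
    """Pull the implementation-specific fields a passive fingerprinter looks at."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl, df = pkt[8], bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, i, layout, mss, wscale = tcp[20:doff], 0, "", None, None
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP carries no length byte
            layout, i = layout + "N", i + 1
            continue
        length = opts[i + 1]
        if kind == 2:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3:
            wscale = opts[i + 2]
        layout += {2: "M", 3: "W", 4: "S", 8: "T"}.get(kind, "?")
        i += length
    # The observed TTL is the initial TTL minus hops; round up to a common initial value.
    ittl = next(v for v in (32, 64, 128, 255) if v >= ttl)
    return dict(ittl=ittl, df=df, window=window, mss=mss, wscale=wscale, layout=layout)

def exact_match(features: dict):
    """Classical approach: the observed fingerprint must equal a stored signature."""
    return next((name for name, sig in SIGNATURES.items() if sig == features), None)

def nearest_match(features: dict):
    """Distance-based approach: tolerates fields that drift (e.g. window size)."""
    def dist(sig):
        d = 4 * (sig["ittl"] != features["ittl"]) + 2 * (sig["df"] != features["df"])
        d += 3 * (sig["layout"] != features["layout"]) + (sig["wscale"] != features["wscale"])
        d += (sig["mss"] != features["mss"]) + abs(sig["window"] - features["window"]) / 65535
        return d
    name = min(SIGNATURES, key=lambda n: dist(SIGNATURES[n]))
    return name, round(dist(SIGNATURES[name]), 3)
```

A host that rewrites its window size, or sits several hops away, breaks the exact match but is still placed next to its closest signature by the distance function.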

Keywords

Network Stack Fingerprinting, Intelligent Detection System, Remote Computer Fingerprinting

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • João P. Souza Medeiros (1)
  • João B. Borges Neto (1)
  • Agostinho M. Brito Júnior (2)
  • Paulo S. Motta Pires (2)

  1. Elements of Information Processing Laboratory (LabEPI), Department of Exact and Applied Sciences (DCEA), Federal University of Rio Grande do Norte (UFRN), Caicó, Brazil
  2. Security Information Laboratory (LabSIN), Department of Computer Engineering and Automation (DCA), Federal University of Rio Grande do Norte (UFRN), Natal, Brazil