Advanced Passive Operating System Fingerprinting Using Machine Learning and Deep Learning

D. Hagos, Martin Løland, A. Yazidi, Ø. Kure, P. Engelstad
DOI: 10.1109/ICCCN49398.2020.9209694 (https://doi.org/10.1109/ICCCN49398.2020.9209694)
Venue: 2020 29th International Conference on Computer Communications and Networks (ICCCN)
Published: 2020-08-01
Citations: 3

Abstract

Securing and managing large, complex enterprise network infrastructure requires capturing and analyzing network traffic traces in real time. Accurate passive Operating System (OS) fingerprinting plays a critical role in effective network management and cybersecurity protection. Passive fingerprinting doesn't send probes that introduce extra load to the network and hence has a clear advantage over active fingerprinting, since it also reduces the risk of triggering false alarms. This paper proposes and evaluates an advanced classification approach to passive OS fingerprinting by leveraging state-of-the-art classical machine learning and deep learning techniques. Our controlled experiments on benchmark data, emulated and realistic traffic are performed using two approaches. Through an Oracle-based machine learning approach, we found that the underlying TCP variant is an important feature for predicting the remote OS. Based on this observation, we develop a sophisticated tool for OS fingerprinting that first predicts the TCP flavor using passive traffic traces and then uses this prediction as an input feature for another machine learning algorithm for predicting the remote OS from passive measurements. This paper takes the passive fingerprinting problem one step further by introducing the underlying predicted TCP variant as a distinguishing feature. In terms of accuracy, we empirically demonstrate that accurately predicting the TCP variant has the potential to boost the evaluation performance from 84% to 94% on average across all our validation scenarios and across different types of traffic sources. We also demonstrate a practical example of this potential, by increasing the performance to 91.3% on average using a tool for TCP variant prediction in an emulated setting. To the best of our knowledge, this is the first study that explores the potential for using the knowledge of the TCP variant to significantly boost the accuracy of passive OS fingerprinting.
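The two-stage shape the abstract describes, as an added example that is not the paper's code: p0f-style passive feature extraction from a raw TCP SYN, then a stage-1 classifier that predicts the TCP flavor and a stage-2 classifier that predicts the OS with that prediction appended as a feature. Everything here is an assumption for illustration: the packets, option layouts, training rows and OS labels are constructed, the stage-1 "flow dynamics" features (cwnd_shape, beta) are a caricature of congestion-control behaviour rather than the authors' predictor, and the classifier is a toy 1-nearest-neighbour on a mismatch count, not their ML/DL models. The point it shows is the one the abstract makes: two images with identical SYN signatures are indistinguishable on header features alone, and the predicted TCP variant breaks the tie.

```python
"""Added example, not code from the paper: p0f-style SYN feature extraction
plus a two-stage stacked classifier (stage 1 predicts the TCP flavour,
stage 2 consumes it as a feature). All packets, rows and labels are
constructed for illustration; the 1-NN is a toy, not the authors' models."""
import struct

# Constructed option layouts in the style of common stacks. Illustrative
# training material only, not a validated signature database.
LINUX_OPTS = (b"\x02\x04\x05\xb4"              # MSS 1460
              + b"\x04\x02"                    # SACK permitted
              + b"\x08\x0a" + b"\x00" * 8      # timestamps (values irrelevant here)
              + b"\x01"                        # NOP
              + b"\x03\x03\x07")               # window scale 7
WINDOWS_OPTS = (b"\x02\x04\x05\xb4"            # MSS 1460
                + b"\x01" + b"\x03\x03\x08"    # NOP, window scale 8
                + b"\x01\x01" + b"\x04\x02")   # NOP, NOP, SACK permitted


def build_syn(ttl: int, win: int, opts: bytes, df: bool = True) -> bytes:
    """Construct a minimal IPv4+TCP SYN (no link layer) for the demo."""
    opts = opts + b"\x00" * (-len(opts) % 4)          # pad options to 32-bit words
    doff = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (doff << 12) | 0x02, win, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


def initial_ttl(ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    return next(t for t in (32, 64, 128, 255) if ttl <= t)


def syn_features(pkt: bytes) -> dict:
    """Passive p0f-style features from a raw IPv4+TCP SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    off_flags, win = struct.unpack("!HH", pkt[ihl + 12:ihl + 16])
    if not (off_flags & 0x02) or off_flags & 0x10:
        raise ValueError("not a pure SYN")
    opts = pkt[ihl + 20:ihl + (off_flags >> 12) * 4]
    f = {"ittl": initial_ttl(pkt[8]), "df": bool(pkt[6] & 0x40), "win": win,
         "mss": 0, "wscale": 0, "sack": 0, "ts": 0}
    names, layout, i = {2: "mss", 3: "ws", 4: "sok", 8: "ts"}, [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                   # EOL: the rest is padding
            break
        if kind == 1:                                   # NOP carries no length byte
            layout.append("nop")
            i += 1
            continue
        ln = opts[i + 1] if i + 1 < len(opts) else 0
        if ln < 2 or i + ln > len(opts):                # truncated or hostile option: refuse
            raise ValueError("malformed TCP option")
        body = opts[i + 2:i + ln]
        if kind == 2 and len(body) == 2:
            f["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and body:
            f["wscale"] = body[0]
        elif kind == 4:
            f["sack"] = 1
        elif kind == 8:
            f["ts"] = 1
        layout.append(names.get(kind, f"?{kind}"))
        i += ln
    f["olayout"] = ",".join(layout)
    f["win_mss"] = round(win / f["mss"], 2) if f["mss"] else 0   # window as an MSS multiple
    return f


HEADER_COLS = ("ittl", "df", "win_mss", "wscale", "sack", "ts", "olayout")


def hamming_nn(rows: list, x: dict, cols: tuple) -> str:
    """Toy 1-NN on a mismatch count. Reports 'ambiguous' when the closest
    rows carry different labels instead of silently picking one."""
    scored = sorted((sum(r[c] != x[c] for c in cols), r["label"]) for r in rows)
    best = {lab for d, lab in scored if d == scored[0][0]}
    return best.pop() if len(best) == 1 else "ambiguous"


def fingerprint(syn: bytes, flow: dict, tcp_rows: list, os_rows: list, stacked: bool = True):
    """Stage 1: TCP variant from (constructed) flow-dynamics features.
    Stage 2: OS from SYN header features, plus the stage-1 label if stacked."""
    x = syn_features(syn)
    x["tcp"] = hamming_nn(tcp_rows, flow, ("cwnd_shape", "beta"))
    cols = HEADER_COLS + (("tcp",) if stacked else ())
    return hamming_nn(os_rows, x, cols), x["tcp"]


# Constructed stage-1 rows: caricatured congestion-control behaviour.
TCP_ROWS = [{"cwnd_shape": "cubic", "beta": 0.7, "label": "cubic"},
            {"cwnd_shape": "linear", "beta": 0.5, "label": "newreno"}]
# Constructed stage-2 rows: two images with the same SYN signature but a
# different default TCP variant, plus one with a different signature.
_LIN = syn_features(build_syn(64, 29200, LINUX_OPTS))
OS_ROWS = [dict(_LIN, tcp="cubic", label="linux-cubic"),
           dict(_LIN, tcp="newreno", label="linux-newreno"),
           dict(syn_features(build_syn(128, 65535, WINDOWS_OPTS)), tcp="cubic", label="windows")]

if __name__ == "__main__":
    seen = build_syn(52, 29200, LINUX_OPTS)             # TTL 52: twelve hops from an initial 64
    flow = {"cwnd_shape": "cubic", "beta": 0.7}
    print("header only :", fingerprint(seen, flow, TCP_ROWS, OS_ROWS, stacked=False))
    print("with variant:", fingerprint(seen, flow, TCP_ROWS, OS_ROWS))
```

Two design choices matter for a real deployment. The option parser refuses truncated or oversized option lengths rather than reading past the header, since a passive sensor sees whatever a hostile peer sends. And the nearest-neighbour step reports a tie as "ambiguous" instead of picking the first candidate, which is exactly where a second signal such as the predicted TCP variant earns its place.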