Towards identification of operating systems from the internet traffic: IPFIX monitoring with fingerprinting and clustering

P. Matoušek, O. Ryšavý, M. Grégr, Martin Vymlátil
DOI: 10.5220/0005099500210027 (https://doi.org/10.5220/0005099500210027)
Venue: 2014 5th International Conference on Data Communication Networking (DCNET)
Publication date: 2014-08-28
Citation count: 17

Abstract

This paper deals with the identification of operating systems (OSs) from Internet traffic. Every packet injected into the network carries specific information in its packet header that reflects the initial settings of the host's operating system. The set of such features forms a fingerprint. The OS fingerprint usually includes the initial TTL, the TCP initial window, a set of specific TCP options, and other values obtained from the IP and TCP headers. Identification of OSs can be useful for monitoring traffic on a local network and also for security purposes. In this paper we focus on passive fingerprinting using TCP SYN packets, incorporated into an IPFIX probe. Our tool enhances standard IPFIX records with additional information about OSs. It then sends the records to an IPFIX collector, where network statistics are stored and presented to the network administrator. If identification is not successful, a further HTTP header check is employed and the fingerprinting database in the probe is updated. Our fingerprinting technique can be extended using cluster analysis, as presented in this paper. As we show, clustering adds flexibility and dynamics to the fingerprinting. We also discuss the impact of the IPv6 protocol on passive fingerprinting.
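The abstract describes a passive fingerprint as the initial TTL, the TCP initial window and the option set of a TCP SYN, matched against a database held in the probe. The Python below is an added illustration written for this page; it is not the authors' IPFIX probe code. It parses those features out of a raw IPv4/TCP SYN, recovers the likely initial TTL from the observed (per-hop decremented) value, and looks the fingerprint up in a small constructed database. The OS labels, database entries and sample packets are constructed assumptions; an unmatched SYN yields None, which is the point where the abstract's HTTP header fallback and database update would take over.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Initial TTLs commonly set by operating systems. The TTL seen on the wire has
# been decremented once per hop, so the original is the next candidate at or
# above the observed value (a hop count of 0..31 is assumed).
INITIAL_TTLS = (32, 64, 128, 255)

# TCP option kinds that matter for the fingerprint (RFC 793/1323/2018 numbers).
OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}


@dataclass(frozen=True)
class SynFingerprint:
    initial_ttl: int
    window: int
    options: Tuple[str, ...]   # option kinds in wire order
    mss: Optional[int]
    wscale: Optional[int]
    df: bool                   # IP "don't fragment" bit


# Constructed fingerprint database. Labels and values are hypothetical
# illustrations, NOT the paper's database.
FINGERPRINT_DB = {
    "linux-like": SynFingerprint(64, 29200, ("MSS", "SACK", "TS", "NOP", "WS"), 1460, 7, True),
    "windows-like": SynFingerprint(128, 8192, ("MSS", "NOP", "WS", "NOP", "NOP", "SACK"), 1460, 8, True),
}


def guess_initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common initial value."""
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    return 255


def parse_syn(packet: bytes) -> Optional[SynFingerprint]:
    """Extract fingerprint features from a raw IPv4+TCP frame; None unless it is a pure SYN."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    df = bool(flags_frag & 0x4000)
    ttl, proto = packet[8], packet[9]
    if proto != 6 or len(packet) < ihl + 20:
        return None
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if (tcp[13] & 0x12) != 0x02:        # SYN set and ACK clear
        return None
    window = struct.unpack("!H", tcp[14:16])[0]
    opts = tcp[20:data_off]
    kinds, mss, wscale, i = [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # EOL padding ends the option list
            kinds.append("EOL")
            break
        if kind == 1:                    # NOP has no length byte
            kinds.append("NOP")
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                        # malformed option: stop rather than over-read
        body = opts[i + 2:i + length]
        kinds.append(OPTION_NAMES.get(kind, f"OPT{kind}"))
        if kind == 2 and len(body) == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            wscale = body[0]
        i += length
    return SynFingerprint(guess_initial_ttl(ttl), window, tuple(kinds), mss, wscale, df)


def identify_os(fp: Optional[SynFingerprint]) -> Optional[str]:
    """Exact-match lookup; None means the probe would fall back to the HTTP header check."""
    if fp is None:
        return None
    for label, ref in FINGERPRINT_DB.items():
        if fp == ref:
            return label
    return None


def build_syn(ttl: int, window: int, options: bytes, df: bool = True, flags: int = 0x02) -> bytes:
    """Construct a minimal IPv4+TCP packet for testing (checksums left zero)."""
    opts = options + b"\x00" * (-len(options) % 4)
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_off << 4, flags, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


# Constructed sample packets: MSS 1460, SACK, TS, NOP, WS 7 seen 7 hops away, etc.
LINUX_SYN = build_syn(57, 29200, b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07")
WINDOWS_SYN = build_syn(117, 8192, b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02")
UNKNOWN_SYN = build_syn(64, 65535, b"\x02\x04\x05\xb4")
SYN_ACK = build_syn(64, 29200, b"\x02\x04\x05\xb4", flags=0x12)

if __name__ == "__main__":
    for name, pkt in [("linux", LINUX_SYN), ("windows", WINDOWS_SYN), ("unknown", UNKNOWN_SYN)]:
        print(name, parse_syn(pkt), "->", identify_os(parse_syn(pkt)))
```

The exact-match lookup is deliberately strict: any change in option order or window size produces a miss, which is the rigidity the abstract's clustering extension is meant to relax by grouping nearby fingerprints instead of requiring equality.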