DOI: 10.1145/2591971.2591972
Research article

Hershel: Single-Packet OS Fingerprinting

Published: 16 June 2014

Abstract

Traditional TCP/IP fingerprinting tools (e.g., nmap) are poorly suited for Internet-wide use due to the large amount of traffic they generate and the intrusive nature of their probes. This can be overcome by approaches that rely on a single SYN packet to elicit a vector of features from the remote server; however, these methods face difficult classification problems due to the high volatility of the features and the severely limited amount of information contained therein. Since these techniques have not been studied before, we first pioneer a stochastic theory of single-packet OS fingerprinting, build a database of 116 OSes, design a classifier based on our models, evaluate its accuracy in simulations, and then perform OS classification of 37.8M hosts from an Internet-wide scan.




Published In

SIGMETRICS '14: The 2014 ACM International Conference on Measurement and Modeling of Computer Systems
June 2014
614 pages
ISBN: 9781450327893
DOI: 10.1145/2591971

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. internet measurement
      2. os classification
      3. os fingerprinting

Qualifiers

• Research article

Conference

SIGMETRICS '14

Acceptance Rates

SIGMETRICS '14 paper acceptance rate: 40 of 237 submissions (17%)
Overall acceptance rate: 459 of 2,691 submissions (17%)

Article Metrics

• Downloads (last 12 months): 44
• Downloads (last 6 weeks): 4
Reflects downloads up to 25 Nov 2024

Cited By

• (2024) Fingerprinting of Cellular Infrastructure Based on Broadcast Information. Computer Security – ESORICS 2023, pp. 81-101. DOI: 10.1007/978-3-031-51476-0_5. Online publication date: 11 Jan 2024.
• (2023) Toward Automatically Connecting IoT Devices with Vulnerabilities in the Wild. ACM Transactions on Sensor Networks, vol. 20, no. 1, pp. 1-26. DOI: 10.1145/3608951. Online publication date: 17 Jul 2023.
• (2021) Exploitation and Sanitization of Hidden Data in PDF Files: Do Security Agencies Sanitize Their PDF Files? Proceedings of the 2021 ACM Workshop on Information Hiding and Multimedia Security, pp. 35-44. DOI: 10.1145/3437880.3460405. Online publication date: 17 Jun 2021.
• (2021) Faulds: A Non-Parametric Iterative Classifier for Internet-Wide OS Fingerprinting. IEEE/ACM Transactions on Networking, vol. 29, no. 5, pp. 2339-2352. DOI: 10.1109/TNET.2021.3088333. Online publication date: Oct 2021.
• (2021) Cost-Aware Feature Selection for IoT Device Classification. IEEE Internet of Things Journal, vol. 8, no. 14, pp. 11052-11064. DOI: 10.1109/JIOT.2021.3051480. Online publication date: 15 Jul 2021.
• (2021) Research on Detection and Identification Technology of Intelligent Devices in Cyberspace: A Survey. 2021 4th International Conference on Artificial Intelligence and Big Data (ICAIBD), pp. 409-418. DOI: 10.1109/ICAIBD51990.2021.9459092. Online publication date: 28 May 2021.
• (2021) Intelligent Device Identification Method Based on Network Packet Fingerprint. 2021 IEEE Sixth International Conference on Data Science in Cyberspace (DSC), pp. 648-653. DOI: 10.1109/DSC53577.2021.00103. Online publication date: Oct 2021.
• (2019) All things considered. Proceedings of the 28th USENIX Conference on Security Symposium, pp. 1169-1185. DOI: 10.5555/3361338.3361419. Online publication date: 14 Aug 2019.
• (2018) Characterizing the Internet Host Population Using Deep Learning. Proceedings of the Internet Measurement Conference 2018, pp. 133-146. DOI: 10.1145/3278532.3278545. Online publication date: 31 Oct 2018.
• (2017) Investigation of the 2016 Linux TCP Stack Vulnerability at Scale. ACM SIGMETRICS Performance Evaluation Review, vol. 45, no. 1, pp. 8-8. DOI: 10.1145/3143314.3078510. Online publication date: 5 Jun 2017.
