  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

Generic Encrypted Traffic Identification using Network Grammar : A Case Study in Passive OS Fingerprinting / Generisk Krypterad Trafikidentifiering med Nätverksgrammatik : En fallstudie i passiv osfingeravtryck

Rajala, Lukas; Scott, Kevin. January 2022
The increase in cybercrime and cyber-warfare has spurred the cat-and-mouse game of finding and attacking vulnerable devices on government or private company networks. The devices attacked are often forgotten computers that run operating systems with known exploits. Finding these devices is crucial for both an attacker and defender since they may be the only weak link on the network. Device discovery on a network using probing or active fingerprinting methods results in extra traffic on the network, which may strain fragile networks and generates suspect traffic that may get flagged as intrusive. Using passive OS fingerprinting allows an actor to listen in and classify active devices on a network. This thesis shows the features that can be exploited for OS fingerprinting and discusses the importance of TLS payload and time-based features. We also present a data collection strategy that could be utilized for simulating multiple OSs and collecting new datasets. We found that the TLS attributes such as cipher suites play an important role in distinguishing between OS versions.
2

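Remote identification of operating systems using analysis of random processes and artificial neural networks / Identificação remota de sistemas operacionais utilizando análise de processos aleatórios e redes neurais artificiais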

Medeiros, João Paulo de Souza. 19 June 2009
Made available in DSpace on 2014-12-17T14:55:36Z (GMT). No. of bitstreams: 1. JoaoPSM.pdf: 2736653 bytes, checksum: 0b1bd7853a47877b24c5f2042e0a5d8e (MD5). Previous issue date: 2009-06-19 / Petróleo Brasileiro SA - PETROBRAS

A new method to perform TCP/IP fingerprinting is proposed. TCP/IP fingerprinting is the process of identifying a remote machine through a TCP/IP based computer network. This method has many applications related to network security. Both intrusion and defence procedures may use this process to achieve their objectives. There are many known methods that perform this process in favorable conditions. However, nowadays there are many adversities that reduce the identification performance. This work aims at the creation of a new OS fingerprinting tool that bypasses these actual problems. The proposed method is based on the use of attractor reconstruction and neural networks to characterize and classify pseudo-random number generators.

A new method is proposed for the remote identification of operating systems running on TCP/IP networks. This method has several applications related to computer network security and is commonly adopted in both attack and defense activities. The proposed method is able to succeed in situations where several current solutions fail, including when dealing with devices possibly vulnerable to the identification process. The new method analyzes the random number generators used in TCP/IP stacks and, through the use of artificial neural networks, creates maps that represent the behavior of these generators. These maps are used for comparison with labeled maps that represent already known systems, completing the identification process.
