Abstract
Using probabilistic learning, we develop a naive Bayesian classifier to passively infer a host’s operating system from packet headers. We analyze traffic captured from an Internet exchange point and compare our classifier to rule-based inference tools. While the host operating system distribution is heavily skewed, we find that operating systems that constitute a small fraction of the host count contribute a majority of total traffic. Finally, as an application of our classifier, we count the number of hosts masquerading behind NAT devices and evaluate our results against prior techniques. We find a host count inflation factor due to NAT of approximately 9% in our traces.
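A small naive Bayesian classifier over SYN header fields, given as an added example and not as the paper's code. The feature set (initial TTL, window size, DF bit, SYN length), the training records and the OS labels are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed training SYNs: (initial TTL, window, DF bit, SYN length) -> label.
# The feature choice and every value here are assumptions, not data from the paper.
TRAIN = [
    ((128, 65535, 1, 48), "windows"), ((128, 64240, 1, 48), "windows"),
    ((128, 65535, 1, 52), "windows"), ((64, 5840, 1, 60), "linux"),
    ((64, 5840, 1, 60), "linux"), ((64, 5792, 1, 60), "linux"),
    ((64, 65535, 1, 64), "bsd"), ((64, 65535, 1, 60), "bsd"),
]

def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value."""
    return next(t for t in (32, 64, 128, 255) if observed <= t)

class NaiveBayes:
    def fit(self, samples):
        self.classes = Counter(label for _, label in samples)
        self.total = len(samples)
        # counts[label][feature index][value]; values[i] = values seen for feature i
        self.counts = defaultdict(lambda: defaultdict(Counter))
        self.values = defaultdict(set)
        for feats, label in samples:
            for i, v in enumerate(feats):
                self.counts[label][i][v] += 1
                self.values[i].add(v)
        return self

    def log_posteriors(self, feats):
        scores = {}
        for c, n in self.classes.items():
            s = math.log(n / self.total)  # class prior
            for i, v in enumerate(feats):
                # Laplace smoothing: a value never seen with this class still
                # gets a small non-zero likelihood instead of vetoing the class.
                k = len(self.values[i]) + 1
                s += math.log((self.counts[c][i][v] + 1) / (n + k))
            scores[c] = s
        return scores

    def classify(self, ttl, window, df, syn_len):
        scores = self.log_posteriors((initial_ttl(ttl), window, df, syn_len))
        return max(scores, key=scores.get)

MODEL = NaiveBayes().fit(TRAIN)
```

A SYN such as `MODEL.classify(57, 5840, 1, 64)` matches no training record exactly, which is where an exact-match signature table returns nothing and the probabilistic classifier still ranks the candidates.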
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Beverly, R. (2004). A Robust Classifier for Passive TCP/IP Fingerprinting. In: Barakat, C., Pratt, I. (eds) Passive and Active Network Measurement. PAM 2004. Lecture Notes in Computer Science, vol 3015. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24668-8_16
DOI: https://doi.org/10.1007/978-3-540-24668-8_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-21492-2
Online ISBN: 978-3-540-24668-8
eBook Packages: Springer Book Archive