
Abstract

The process of remotely characterizing and identifying computers has many applications in network security and forensics. In network forensics, it can be combined with intrusion detection systems to characterize the suspicious machines of remote attackers. The characterization of a remote computer is based on analysis of the network data that originates from that machine. The classical approach exploits the peculiar characteristics of different implementations of the network protocols at each layer of the protocol stack, i.e. the link, network, transport and application layers. Recent work shows that computational intelligence techniques can improve identification performance compared to classical classification algorithms and tools. This chapter presents some advances in this area and surveys the use of computational intelligence for remote identification of computers and its applications to network forensics.
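A minimal illustration of the classical transport-layer approach the abstract refers to, added here as an example rather than code from the chapter: it extracts the TCP/IP features commonly used for passive fingerprinting (initial TTL, window size, DF flag, MSS, window scale, TCP option layout) from a captured SYN and matches them against a small signature table, the kind of feature vector a classifier in an IDS or forensic tool would consume. The signature table, the stack labels and the `make_syn` test-packet builder are constructed assumptions, not a real fingerprint database.

```python
import struct

# Constructed signature table (illustrative, NOT a real fingerprint database). Option layout
# letters: M=MSS, S=SACK-OK, T=timestamp, N=NOP, W=window scale, E=end-of-options.
SIGNATURES = {
    "stack-A": dict(ttl=64, win=65535, df=1, mss=1460, wscale=7, opts="M,S,T,N,W"),
    "stack-B": dict(ttl=128, win=8192, df=1, mss=1460, wscale=8, opts="M,N,W,N,N,S"),
    "stack-C": dict(ttl=255, win=5840, df=0, mss=1460, wscale=None, opts="M"),
}

def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value; the hop count is unknown."""
    return next((t for t in (32, 64, 128, 255) if ttl <= t), ttl)

def parse_syn(pkt):
    """Extract fingerprint features from a raw IPv4 + TCP SYN (no link-layer header)."""
    ihl = (pkt[0] & 0x0F) * 4
    df = (struct.unpack("!H", pkt[6:8])[0] >> 14) & 1
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    feat = dict(ttl=initial_ttl(pkt[8]), win=struct.unpack("!H", tcp[14:16])[0],
                df=df, mss=None, wscale=None)
    opts, layout, i = tcp[20:doff], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # end of option list
            layout.append("E"); break
        if kind == 1:                        # NOP carries no length byte
            layout.append("N"); i += 1; continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:   # malformed length: stop, keep what we have
            break
        length = opts[i + 1]
        if kind == 2:
            feat["mss"] = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3:
            feat["wscale"] = opts[i + 2]
        layout.append({2: "M", 3: "W", 4: "S", 8: "T"}.get(kind, str(kind)))
        i += length
    feat["opts"] = ",".join(layout)
    return feat

def classify(feat):
    """Nearest signature by number of matching features; returns (label, score)."""
    scores = {name: sum(sig[k] == feat[k] for k in sig) for name, sig in SIGNATURES.items()}
    best = max(scores, key=scores.get)
    return best, scores[best]

def make_syn(ttl, win, df, options):
    """Build a constructed IPv4 + TCP SYN test packet carrying the given TCP options."""
    opts = options + b"\x00" * (-len(options) % 4)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, ((20 + len(opts)) // 4) << 4,
                      0x02, win, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp

# Constructed capture: SYN with MSS 1460, SACK-OK, timestamps, NOP, window scale 7, TTL 57.
SAMPLE = make_syn(57, 65535, 1, b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07")
```

The feature dictionary returned by `parse_syn` is exactly the input a neural network or other classifier would be trained on in place of the simple match count in `classify`.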




Corresponding author

Correspondence to João P. Souza Medeiros .


Copyright information

© 2014 Springer International Publishing Switzerland


Cite this chapter

Medeiros, J.P.S., Neto, J.B.B., Júnior, A.M.B., Pires, P.S.M. (2014). Learning Remote Computer Fingerprinting. In: Muda, A., Choo, YH., Abraham, A., N. Srihari, S. (eds) Computational Intelligence in Digital Forensics: Forensic Investigation and Applications. Studies in Computational Intelligence, vol 555. Springer, Cham. https://doi.org/10.1007/978-3-319-05885-6_12


  • DOI: https://doi.org/10.1007/978-3-319-05885-6_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-05884-9

  • Online ISBN: 978-3-319-05885-6
