PTF: Passive Temporal Fingerprinting

International audienceWe describe in this paper a tool named PTF (Passive and Temporal Fingerprinting) for fingerprinting network devices. The objective of device fingerprinting is to uniquely identify device types by looking at captured traffic from devices imple- menting that protocol. The main novelty of our approach consists in leveraging both temporal and behavioral features for this purpose. The key contribution is a fingerprinting scheme, where individual fingerprints are represented by tree-based temporal finite state machines. We have developed a fingerprinting scheme that leverages supervised learning approaches based on support vector machines for this purpose

Snap: Robust Tool for Internet-wide Operating System Fingerprinting

Different approaches have been developed for TCP/IP fingerprinting, but none of these approaches is suited for Internet-wide fingerprinting. In this work, we develop approaches that rigorously tackle the issue of noise and packet loss while carrying out Internet-wide fingerprinting. We then carry out an Internet-wide scan to determine the distribution of different operating systems on the Internet. The results of our scan indicate that there are approximately 8.9 million publicly accessible web-servers on the Internet running Linux, while there are nearly 9.6 million web-servers with different embedded operating systems

Application Protocols Identification

Digitálna forenzná analýza aplikuje metodické sady techník a procedúr potrebných na získanie dôkazov z počítačových zariadení a prezentuje v zmysluplnom formáte. Táto práca sa zaoberá problematikou identifikácie aplikačných protokolov za pomoci metód strojového učenia a štatistických metód. V práci je obsiahnuté testovania aktuálnej implementácie agenta Netfox Detective, ktorý využíva tieto dve metódy. Následne som sa snažil zlepšiť detekčné schopnosti pomocou procesu zvaného Feature Engineering, ktorého úlohou je vytvárať sadu príznakov, ktoré nám môžu pomôcť  charakterizovať sieťovú komunikáciu. Práca porovnáva tieto dve metódy detekcie a rozširuje ich implementáciu s úsilím vylepšiť detekčné schopností agenta Netfox Detective.Digital forensic analysis applies methodical series of techniques  and procedures used to gather evidence, from computer device and present it in meaningful format. This thesis is dealing with identification of application protocols with help of machine learning and statistical methods. Further thesis explain attempts to improve detection skills with help of process called Feature Engineering. Feature Engineering is process of creating set of features that will help us to characterise network traffic. Paper contains testing of actual implementation of agent Netfox Detective which uses those two methods Paper is comparing those two methods and extends the implementation with effort to improve detection skills of a Netfox Detective agent. 

A framework for malicious host fingerprinting using distributed network sensors

Numerous software agents exist and are responsible for increasing volumes of malicious traffic that is observed on the Internet today. From a technical perspective the existing techniques for monitoring malicious agents and traffic were not developed to allow for the interrogation of the source of malicious traffic. This interrogation or reconnaissance would be considered active analysis as opposed to existing, mostly passive analysis. Unlike passive analysis, the active techniques are time-sensitive and their results become increasingly inaccurate as time delta between observation and interrogation increases. In addition to this, some studies had shown that the geographic separation of hosts on the Internet have resulted in pockets of different malicious agents and traffic targeting victims. As such it would be important to perform any kind of data collection over various source and in distributed IP address space. The data gathering and exposure capabilities of sensors such as honeypots and network telescopes were extended through the development of near-realtime Distributed Sensor Network modules that allowed for the near-realtime analysis of malicious traffic from distributed, heterogeneous monitoring sensors. In order to utilise the data exposed by the near-realtime Distributed Sensor Network modules an Automated Reconnaissance Framework was created, this framework was tasked with active and passive information collection and analysis of data in near-realtime and was designed from an adapted Multi Sensor Data Fusion model. The hypothesis was made that if sufficiently different characteristics of a host could be identified; combined they could act as a unique fingerprint for that host, potentially allowing for the re-identification of that host, even if its IP address had changed. To this end the concept of Latency Based Multilateration was introduced, acting as an additional metric for remote host fingerprinting. The vast amount of information gathered by the AR-Framework required the development of visualisation tools which could illustrate this data in near-realtime and also provided various degrees of interaction to accommodate human interpretation of such data. Ultimately the data collected through the application of the near-realtime Distributed Sensor Network and AR-Framework provided a unique perspective of a malicious host demographic. Allowing for new correlations to be drawn between attributes such as common open ports and operating systems, location, and inferred intent of these malicious hosts. The result of which expands our current understanding of malicious hosts on the Internet and enables further research in the area

Network Protocol System Fingerprinting – A Formal Approach

Abstract — Network protocol system fingerprinting has been recognized as an important issue and a major threat to network security. Prevalent works rely largely on human experiences and insight of the protocol system specifications and implementations. Such ad-hoc approaches are inadequate in dealing with large complex protocol systems. In this paper we propose a formal approach for automated protocol system fingerprinting analysis and experiment. Parameterized Extended Finite State Machine is used to model protocol systems, and four categories of fingerprinting problems are formally defined. We propose and analyze algorithms for both active and passive fingerprinting and present our experimental results on Internet protocols. Furthermore, we investigate protection techniques against malicious fingerprinting and discuss the feasibility of two defense schemes, based on the protocol and application scenarios

Network Protocol System Fingerprinting- A Formal Approach

Abstract — Network protocol system fingerprinting has been recognized as an important issue and a major threat to network security. Prevalent works rely largely on human experiences and insight of the protocol system specifications and implementations. Such ad-hoc approaches are inadequate in dealing with large complex protocol systems. In this paper we propose a formal approach for automated protocol system fingerprinting analysis and experiment. Parameterized Extended Finite State Machine is used to model protocol systems, and four categories of fingerprinting problems are formally defined. We propose and analyze algorithms for both active and passive fingerprinting and present our experimental results on Internet protocols. Furthermore, we investigate protection techniques against malicious fingerprinting and discuss the feasibility of two defense schemes, based on the protocol and application scenarios