Abstract
Using probabilistic learning, we develop a naive Bayesian classifier to passively infer a host's operating system from packet headers. We analyze traffic captured from an Internet exchange point and compare our classifier to rule-based inference tools. While the host operating system distribution is heavily skewed, we find that operating systems constituting a small fraction of the host count contribute a majority of total traffic. Finally, as an application of our classifier, we count the number of hosts masquerading behind NAT devices and evaluate our results against prior techniques. We find a host count inflation factor due to NAT of approximately 9% in our traces.
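A minimal sketch of the approach the abstract describes, as an added example that is not the paper's code: a categorical naive Bayes classifier over a handful of TCP SYN header fields, with Laplace smoothing so that a field value never seen for a class does not zero that class out, and on top of it a NAT host-count estimate. The feature set (initial-TTL bucket, window size, DF flag, MSS), the labelled training signatures, the packet trace and the "distinct OS labels per source IP" counting rule are all assumptions constructed for illustration; the paper's exact features and NAT procedure are not given on this page.

```python
"""Passive OS fingerprinting with naive Bayes over TCP SYN header fields,
plus a NAT host-count estimate built on the classifier.

Added example, not the paper's own code. Feature set, training signatures
and the trace below are constructed for illustration.
"""
from collections import Counter, defaultdict
from math import log

FEATURES = ("ttl", "window", "df", "mss")   # assumed feature set


def bucket_ttl(ttl):
    """Map an observed TTL to the nearest common initial TTL at or above it.
    Routers decrement TTL per hop, so a SYN arriving with TTL 52 most likely
    left a stack whose default is 64, not 128."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial
    return 255


def featurize(pkt):
    """Reduce a SYN packet (dict of header fields) to categorical features."""
    return {"ttl": bucket_ttl(pkt["ttl"]), "window": pkt["window"],
            "df": pkt["df"], "mss": pkt["mss"]}


class NaiveBayesOS:
    """Categorical naive Bayes with add-alpha (Laplace) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_counts = Counter()                # label -> #samples
        self.feature_counts = defaultdict(Counter)   # (label, feature) -> Counter(value)
        self.values = defaultdict(set)               # feature -> values seen in training

    def train(self, samples):
        for pkt, label in samples:
            f = featurize(pkt)
            self.class_counts[label] += 1
            for name in FEATURES:
                self.feature_counts[(label, name)][f[name]] += 1
                self.values[name].add(f[name])

    def log_posterior(self, pkt):
        """log P(label) + sum_i log P(feature_i | label), up to a constant."""
        f = featurize(pkt)
        total = sum(self.class_counts.values())
        scores = {}
        for label, n in self.class_counts.items():
            lp = log(n / total)
            for name in FEATURES:
                counts = self.feature_counts[(label, name)]
                k = len(self.values[name]) + 1       # +1 slot for unseen values
                lp += log((counts[f[name]] + self.alpha) / (n + self.alpha * k))
            scores[label] = lp
        return scores

    def classify(self, pkt):
        scores = self.log_posterior(pkt)
        return max(scores, key=scores.get)


# Constructed training signatures; TTLs are as observed after a few hops,
# so the classifier has to bucket them itself.
TRAINING = [
    ({"ttl": 64,  "window": 5840,  "df": 1, "mss": 1460}, "Linux"),
    ({"ttl": 57,  "window": 5840,  "df": 1, "mss": 1460}, "Linux"),
    ({"ttl": 128, "window": 65535, "df": 1, "mss": 1460}, "Windows"),
    ({"ttl": 117, "window": 65535, "df": 1, "mss": 1460}, "Windows"),
    ({"ttl": 64,  "window": 65535, "df": 1, "mss": 1460}, "FreeBSD"),
    ({"ttl": 59,  "window": 65535, "df": 1, "mss": 1460}, "FreeBSD"),
]

# Constructed trace: 192.0.2.1 emits SYNs with two different OS signatures,
# the tell-tale of more than one host behind a single address.
TRACE = [
    {"src": "192.0.2.1", "ttl": 52,  "window": 5840,  "df": 1, "mss": 1460},
    {"src": "192.0.2.1", "ttl": 115, "window": 65535, "df": 1, "mss": 1460},
    {"src": "192.0.2.2", "ttl": 60,  "window": 65535, "df": 1, "mss": 1460},
]


def build_model():
    model = NaiveBayesOS()
    model.train(TRAINING)
    return model


def hosts_per_ip(model, trace):
    """Lower bound on hosts behind each source IP: the number of distinct OS
    labels observed from it. Assumed counting rule for this example; the
    paper's exact NAT procedure is not reproduced here."""
    labels = defaultdict(set)
    for pkt in trace:
        labels[pkt["src"]].add(model.classify(pkt))
    return {ip: len(seen) for ip, seen in labels.items()}


def inflation_factor(counts):
    """Estimated hosts per observed address, minus one (0.0 = no NAT seen)."""
    return sum(counts.values()) / len(counts) - 1.0
```

Running `hosts_per_ip(build_model(), TRACE)` attributes two hosts to 192.0.2.1 and one to 192.0.2.2, an inflation factor of 0.5 on this toy trace. Note the limits a practitioner should keep in mind: two hosts running the same OS behind one NAT are invisible to this rule, so it is a lower bound, and a NAT that rewrites TTL or TCP options (or a single host that changes its stack tuning) can distort the count in either direction.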
Keywords
- Network Address Translator
- Internet Engineering Task Force
- Remote Host
- Operating System Distribution
- Border Router
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Beverly, R. (2004). A Robust Classifier for Passive TCP/IP Fingerprinting. In: Barakat, C., Pratt, I. (eds) Passive and Active Network Measurement. PAM 2004. Lecture Notes in Computer Science, vol 3015. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24668-8_16
DOI: https://doi.org/10.1007/978-3-540-24668-8_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-21492-2
Online ISBN: 978-3-540-24668-8