Professional Documents
Culture Documents
US 8,352,393 B2
Jan. 8, 2013
OTHER PUBLICATIONS
Ark
III,
O? F
1, yo OI BIOC
d Y
hki
Il,3.l'l
dM d
e er
K d
yra rev.-
1.
Th P
e resen
(75)
System Fingerprinting [Online] Downloaded Jul. 19, 2010. Jul. 2003 P~ 135*
Fedor V. Yarochkin et al., Xprobe2++: Low Volume Remote Net
(73)
(*)
Work Information Gathering Tool, IEEE/IFIP International Confer ence on Dependable Systems&NetWorks, Jun. 29, 2009-Jul. 2, 2009,
pp. 205-210.
* _
cued by examlner
P rtmar . y Exammer . * B en Rik. 1 1n
(22) Filed:
(65)
Aug. 3, 2007
Prior Publication Data
Us 2009/0037353 A1
(51) Int Cl
Fell 5, 2009
'
(58)
(56)
References Cited
U_S_ PATENT DOCUMENTS
6,101,275 A * 8/2000 Coppersmrth et a1. ...... .. 382/226
these methods to an example signature database for Nmap. Other assumptions or a priori information (e.g., normal dis
tributions over ranges) can also be accommodated. The infor
mation ain measure rovided can be a
. g P PP
2002/0129140 A1*
2004/0015728 A1 * 2007/0297349 A1 *
Coleetal.
..
22 Packets
( Probe )
Signature Database
44\
Known < ------- -.
Tests
.
4/
Flngerprmt System
36
US. Patent
Jan. 8, 2013
Sheet 1 of5
US 8,352,393 B2
24\
_ TCP/IP """"""""" "*> "
28,rOperating
System <, _________________ _, I
26T2esponse Packets
Tests
36\ L
(Fingerprint/ Signature) Fingerprint System
Results
20\
Probe ) 22 ( Packets
Packets
50\
26 Response
44\
Egggt
38\ Signature
/
Database
36
82%;;_________________,jingerpriming Tests
34 Fingerprint
System FIG. 2
US. Patent
Jan. 8, 2013
Sheet 3 of5
US 8,352,393 B2
@230
0mm oom cm? 09. How
.OE <w
E C C EC CQ EIECftZ
A~>vz_>
. SN
Er! C OEZ
.GE mm
U.S. Patent
250 200
Jan. 8, 2013
Sheet 5 0f 5
US 8,352,393 B2
ISN (SP)
150
FIG. 9A
250
200 -
TTL(T7)
150
100
50
none
FF
3C
100
1
E
20 F8 41 3F 7F 96 81 FA 45 101
her
FIG. 98
250 200
1 50
T8 (SEQ)
50
US 8,352,393 B2
1
METHOD AND SYSTEM FOR EVALUATING TESTS USED IN OPERATING SYSTEM FINGERPRINTING FIELD OF THE INVENTION
2
ever, each probe 22 and test 34 incurs a cost, e.g., time spent
sending the probe and waiting for the response, and process
ing time for executing the test. These costs motivate the need to select only those probes and tests that contribute enough to
The transmission control protocol/Intemet protocol suite (TCP/IP) is a commonly used communications protocol suite
for the exchange of packet data in computer or other commu nication networks. Because of its widespread use, TCP/IP can
An embodiment of the present invention relates to a system and method for evaluating a classi?cation system, e.g., for evaluating software tools such as an operating system (OS) ?ngerprinting tool. The classi?cation system includes a sig nature database for use in classifying target systems. By tar
get system, it is meant a system with one or more unknown
mining the operating system of a target system (e. g., a system whose operating system is unknown) based on inferring prop erties of its TCP/IP protocol stack from observed packets.
Due to ambiguities in TCP/IP speci?cations, there are many
25
variations in TCP/IP implementations. Ambiguous speci?ca tions permit some degree of ?exibility in optimizing protocol
implementations, setting initial parameters, or including or excluding certain options. In addition to subtle implementa tion differences, TCP/IP implementations may have bugs or fail to correctly capture a speci?cation. Additionally, operat ing system designers may choose from a number of compat
ible but varying versions of TCP, such as Reno or Tahoe. Implementation variations, errors, and version choices can be
30
using the classi?cation tests, to classify a target system. In the case of evaluating OS ?ngerprinting tools, the evalu
35
used to ?ngerprint operating systems, that is, to identify or otherwise classify an unknown operating system from its
TCP/IP characteristics.
There are many reasons to ?ngerprint an operating system.
ation system of the present invention uses information gain as a metric to evaluate the quality of the tools ?ngerprinting
ment tool. Other reasons include tailoring offensive exploits, detecting unauthorized devices in a network, and gathering
tests.) In other systems where information gain is utilized, information gain is computed from collections of training samples of tests from known systems. However, ?ngerprint ing tools store information about known systems in digested
signature databases rather than as raw training samples. This
removes and obscures distribution information that is present
45
in representative training samples. Here, the evaluation sys tem computes information gain using signature databases, including the information gain of signatures/data represented
by ranges of test values (rather than a single value), missing or null values, and disjunctive values. As indicated above, a
signature database can be viewed as a collection of rules for
50
recorded packets 26 to help classify the software 28, 30 that produced the packets 26. To classify the operating system 28
of a target system 24, the results 36 of the classi?cation tests 34 are compared to results from known systems. The results from known systems are stored in signature databases 38.
55
Typically, the information gain pro?le of an OS ?nger printing tool will include a plurality of information gain val
ues, with one or more information gain values for each of the
Tools for active ?ngerprinting include Nmap, synscan, and Xprobe2. Tools forpassive ?ngerprinting include pOf
and SinFP. Fingerprinting tools 20 offer a variety of probes and tests
60
OS ?ngerprinting tools classi?cation tests. Once the infor mation gain values are determined, the OS ?ngerprinting tool is evaluated, in one embodiment of the present invention, by ranking the information gain values of the classi?cation tests. For example, the information gain values can be ranked in
valuable for use in identifying target operating systems. The ranking may also be a function of a particular operating system or family of operating systems, such as grouping the
classi?cation tests as a function of their discriminative value
US 8,352,393 B2
3
in identifying between different operating systems and fami lies/groups of operating systems. Once the OS ?ngerprinting
tool is evaluated in this manner, classi?cation tests With
4
example, the information gain values may be ranked in
numerical order, and/or as a function of a particular operating
higher information gain values may be carried out for identi fying a target system, While those With loWer information gain
values may be omitted. Classi?cation tests may also be car ried out in an order based on a decision tree analysis.
ner, the classi?cation tests With higher information gain val ues may be carried out for identifying a target system 24, While those With loWer information gain values may be omit
ted. Classi?cation tests may also be carried out in an order
based on a decision tree analysis. The information gain pro?le may be used for other evaluation purposes, such as building
?ngerprinting tools/systems 20 and their associated classi? cation tests 43, e.g., tests 34 and probe packets 22. Informa
20
present invention;
FIG. 4 is a table shoWing a collection of pre-classi?ed
tion gain is generally computed from collections of training samples of tests from knoWn systems. HoWever, ?ngerprint
ing tools store information about knoWn systems in digested signature databases rather than as raW training samples. This
removes and obscures distribution information that is present
training samples;
FIG. 5 is a table shoWing an example signature database; FIGS. 6A and 6B are graphs illustrating a relationship
betWeen tests and signature database entries; FIG. 7 is a table shoWing an information gain pro?le for
25
in representative training samples. Despite this, the system 40 is con?gured to compute information gain using signature databases, including taking into consideration signature data represented by ranges of test values, disjunctive values, and missing values.
Turning noW to a more detailed discussion of OS ?nger
30
encompasses many of the techniques used in these tools, including probes and tests based on TCP, UDP, and ICMP packets and tests on IP headers. As such, operation of the
evaluation system 40 is described herein With respect to use
ating a classi?cation system 42, e.g., for evaluating softWare tools such as an operating system (OS) ?ngerprinting tool 20. The classi?cation system 42 includes a signature database 38 for use in classifying target systems 24. As noted above, by
target system, it is meant a system With one or more
With Nmap, as a pertinent example. Nmap sends a total of sixteen probes 22 to a target system 24 and applies a series of tests 34 to the probe responses 26.
40
The test values are combined into a ?ngerprint 3 6, also knoWn as a signature. The ?ngerprint 36 of a target system is com
45
pared against reference ?ngerprints in a signature database 38 in order to ?nd matches to help classify the operating system 28 of the target system 24. Tests are organiZed into categories Within a ?ngerprint. Nmap ?rst sends six TCP SYN packets in
distinct time intervals to an open port on the target machine.
These probes vary only in TCP options and TCP WindoW ?elds. The test values computed from the response packets are organiZed into the categories SEQ, OPS, WIN, and T1. The remaining ten probes include three more TCP packets to
more knoWn systems 44 (see FIG. 2), that is, systems With knoWn characteristics of interest. In operation, the evaluation system 40 determines an information gain pro?le 46 of the classi?cation systems signature database 38. The classi?ca
tion system 42 is then evaluated based on the information gain pro?le 46. By information gain pro?le, it is meant one or more information gain characteristics (e. g., calculated infor mation gain values 48) of the classi?cation system, e. g., that quantify the value or bene?t in using the classi?cation sys tems various classi?cation tests 43 for classifying a target
55
Well as the three ICMP responses. Within the SEQ category are tests on the initial sequence
system 24. The information gain pro?le 46 of an OS ?ngerprinting tool 20 includes a plurality of information gain values 48,
With one or more information gain values for each of the OS ?ngerprinting tool s classi?cation tests 43. Once the informa
65
US 8,352,393 B2
5
ISN generation algorithm, it is vulnerable to malicious activ ity such as TCP connection hijacking. The timing betWeen consecutive probes of the ?rst six TCP SYN probes is also used to test the TCP timestamp generation option (TS). Addi
tionally, these six probes are used to test the IP header ID
6
gain. In operating system ?ngerprinting, this Would corre spond to having a collection of samples of target systems that include the operating system label of the target system and the values of all ?ngerprinting tests applied to that target system. The collection of samples Would be representative of target
systems both in terms of the distribution of labels in the collection and the distribution of test values for each operat
One aspect of applying information gain as a metric in evaluating ?ngerprinting tests is generating such a collection of training samples. With reference to FIG. 2, it is observed
that open source ?ngerprinting tools 20 such as Nmap take advantage of their large communities of users to solicit train
implementation and in response to TCP options settings. Similarly, each returned TCP packet is tested for the value of
its TCP options. Tests on the responses to the ?rst six probes are grouped into the OPS category, and the remaining tests are
20
printing. Some TCP/IP stack implementations do not imple ment any of the options in the SYN packet. Other operating
systems Will respond With some or all of the options that Were sent originally, or they may even include additional options
25
knoWn systems (e.g., knoWn operating systems) and the cor responding knoWn test values for these systems, generated as combination of training data 36 and expert knoWledge/ data 50. Expert knowledge 50 is employed to tailor a database
entry to capture the possible variations in test values for an
such as padding (NOP). Nmap calculates the target systems initial time-to-live
(TTL) value based on an ICMP port unreachable packet
returned in response to a UDP packet sent to a closed port. The TTL ?eld is set to a value that represents the maximum
30
time the packet is alloWed to traverse the Internet before being dropped, and is decremented at each router. The returned ICMP packet includes both a decremented TTL value in its IP header and a decremented TTL of the sent IP packet Within the ICMP response. This information is used to calculate the
35
target systems initial TTL value. If the ICMP packet gets blocked, Nmap can guess the target systems initial TTL
value from a decremented TTL in other packets. The different values used for the initial TTL ?eld are useful in ?ngerprint ing.
Turning noW to a more detailed discussion of hoW infor
40
mation gain is used as a metric for evaluating ?ngerprinting tests 43, the evaluation system 40, in a general sense, com
pares hoW accurately the classi?cation system 42 in question could classify a target system 24 before and after performing
the test 43 in question. The difference is called the informa
45
In the evaluation system 40, a signature database 38 is treated as the source of data for calculating information gain 46. Since a signature database is once removed from the training samples used to create the database, calculations are
tion gain. The test 43 With the highest information gain pro vides the most discriminative poWer in ?ngerprinting the target system 24. Information gain is built on the mathemati cal principles of information theory, and is an important tool in building decision tree classi?ers. Information gain is used
to select the next test at each step in groWing a decision tree. Information gain is not a perfect measure of test quality.
In machine learning problems, the existence of a test With no corresponding value for a training sample might indicate
One Well-knoWn Weakness is that information gain tends to overestimate the quality of tests that have many possible
should have a value for that test, draWn from the domain of
values for that test. HoWever, in the system 40, the absence of
a value for a test in a signature database is assumed to be
other Weaknesses, include gain ratio and minimum descrip tion length.
intentional. It indicates that the entry should not match any of the values that the test produces, for example, the value OS
60
that depicted in the table in FIG. 4. These training samples are assumed to be representative of domain objects, both in dis
tribution of class labels and in distribution of test values for each test across objects. These assumptions are used to derive the probability distributions needed to calculate information
disjunctive lists and ranges of values. Let X be a random variable that describes the classi?cation of the operating sys
tem of a target system. Let X take on n possible values, each
US 8,352,393 B2
7
with an a prior probability p(xj), lj n. The entropy in X is the amount of uncertainty there is in classifying an unknown
system. This can also be referred to as the information content
8
P06] | 1651M) = A
W -> * pom-k Ix -)
H(X) = Z poplogzmxp
Fl
These equations allow for the calculation of information gain as long as the distribution over classi?cations p(xj) and distributions over test values, given a known classi?cation p(testl-k|xj), are known. There is not enough information in a
Let Testl- be a random variable that describes the result of applying test i to the probe responses of a target system. Let
Testl. take on nl. values, each with probability p(testl.k), lkni. Knowing the value of Testl- may convey something
about the value of X. This can be captured in the conditional
account: (1) tests that match a single discrete value; (2) tests that match one of a disjunctive set of values; (3) tests that
match one of a range of values; and (4) tests that match a
H(X | Tam) :
A measure of the amount of information gained about X if the value Testl- is known is called the mutual information, or information gain, of X and Testi. This can be expressed as:
H(X;Testi):H(X)H(Xl Testi)
25
system classi?cations, p(xj), over all possible classi?cations. After performing a ?ngerprinting test, the operating system
can be guessed based on the a posteriori distribution of oper
for tests with a single discrete value per operating system, the tests partition the database into mutually exclusive sets.
The ?ngerprinting test that conveys the most about the oper
ating system classi?cation of a target system is the one that removes the most uncertainty about the classi?cation, namely the test with the highest information gain. To calculate information gain, the following are utiliZed:
p(xj|testl-k) can then be computed by just considering the set in which xj falls. FIG. 6B shows that, when considering tests
with disjunctions or ranges of values, the resulting sets are not mutually exclusive. Each classi?cation may contribute to the
35
probability of more than one test value per test. Each set that a classi?cation can be in is considered (i.e., each value it takes
to derive p(xj|testik).
Firstly considered is the case in which a test has one dis
40
crete value, testik, per classi?cation, xj. In this case, p(testl-k|xj):l for that value and p(testl-k|xl-):0 for all others. This case is represented by Test 1 in FIGS. 5 and 6A. The remaining three cases require information about dis
tributions over test values given a classi?cation. If this infor
45
mation is indicated in the signature database, it can be used here. Without that information, it is assumed that each test
modated as well.
Let siZel-j the number of values that Testl- can take on in classi?cation entry xj. If Testl- is disjunctive, this is the sum of
discrete values. If Testl- is a range, this is the siZe of the range. If Testl. is a combination of disjunctive values and ranges, this is the sum of siZes of each disjunct. If it is assumed that each
Through a combination of marginalization and the product rule, the following is obtained:
55
Thus, the probability of each test value is calculated by sum ming, over all classi?cations (entries in the signature data
xj includes testik
following ratio:
US 8,352,393 B2
10
probability of the value Within the classi?cation. Note that this subsumes the ?rst case, Where l/sizelfl for each test value testl-k that occurs in the classi?cation entry for classi?
cation xj and Zero for all other test values. This results in
p(xj|testik):0 for each value testikthat is not included in x], and 5 that all possible values of a test for a given classi?cation (e. g., from disjunctions or ranges) are also equally likely. Despite for each value testl-k that is included in xj: the fact that these assumptions are Weak, interesting insight is
sizej
xj includes testik
database to convey anything directly about p(xj). If it is assumed that all classi?cations xj are equally likely, this results in p(xj|testik):0 for each value testl-k that is not included
in x], and for each value testik that is included in xj:
sizej
xj includes testik
20 designers should pay the mo st attention to in order to increase their cost of application. Fingerprinting tests With loW infor mation gain leave a lot of uncertainty about the target system and are only WorthWhile if higher quality tests are too costly. Even so, they are unlikely to be useful independently. Finger 25 printing tests can be used in sequence in order to gain increas ingly more information about a target system. This is the basis for building decision trees for classi?cation, Which is touched
sizeil.
xj includes testik
As an example of ranking classi?cation tests by informa tion gain, the results of applying an information gain calcu lation to Nmap version 4.2lALPHA4 second generation ?n
35
gerprinting tests are provided in the table in FIG. 7. The left-most column captures information gain calculated over
all the entries in the signature database. The remaining three columns capture information gain for subsets of entries in the
H(X | Tam) : n
sumszzeik
_ fl
_llog2 sumszzeQ
size;l
size;l
40
purpose computers running versions of Microsoft WindoWs, general-purpose computers running versions of Linux, and
embedded devices identi?ed as routers, ?reWalls, or sWitches.
Each column indicates the total entropy of the collection of entries prior to applying any tests and the list of the top 20
50
Given the calculation for 1nformat1on ga1n denved above, the quality of classi?cation tests (e. g., ?ngerprinting tests and associated probes) can be evaluated for any ?ngerprinting
tool that includes a signature database. As a demonstration of the use of this measure, the tests and probes of the Nmap
55
Microsoft WindoWs, 84 entries corresponding to Linux, and 105 entries corresponding to routers, ?reWalls, and sWitches. Nmap tests the same TCP/IP feature multiple times using slightly different probes. For example, Nmap looks at the options ?eld of the TCP header returned from 13 of its probes. In the table in FIG. 7, only the maximum information gain of each type of test is recorded, along With specifying the probe Which solicited the maximum information gain. This confers an understanding of the best possible quality of each type of test. Discussed beloW is the variety of responses for each type
of test across probes. FIG. 7 labels tests based on hoW much uncertainty they remove. Tests are labeled as either removing at least 50%, 25%, 10%, or less than 10% of the uncertainty.
From FIG. 7 it can be seen that the tests on TCP options and
TCP initial WindoW siZe coming from the second sequence generation probe remove the mo st uncertainty from the oper
These are the only tWo tests that remove at least 50% of the
uncertainty. FIGS. 8A and 8B further explore these highly discriminative ?ngerprinting tests by depicting the distribu
US 8,352,393 B2
11
tion of values for each test over all signature database entries. The TCP options test elicits 1 15 different values, of Which 85
narrow doWn the selection to one or tWo operating systems
12
classi?cation. In one scenario, the possible classi?cations have been narroWed doWn to a family of operating systems (using ?ngerprinting tests or based on other knoWledge), and it is desirable to determine the version of the operating system Within this family. For example, it may be knoWn that the target system is a Linux system, but not Which version of Linux.
(these are grouped in the rightmost values to more compactly depict the tail of the distribution). The TCP initial WindoW
siZe test elicits 80 different values, of Which 55 narroW doWn
the selection to one or tWo operating systems. These are the
most discriminative ?ngerprinting tests. The second tier of discriminative tests include TCP initial
the remaining 300 values, after Which more testing Will be required to reduce uncertainty beyond 25% and guess an operating system classi?cation With con?dence. The TTL test
has about 28 of Which 15 narroW doWn the selection to one or 25
achieved by reducing the Nmap signature database to a sub set of entries identi?ed as belonging to a speci?c family of sys tems. It is interesting to note that the highly discriminative tests OPS and WIN are still the top tWo tests in differentiating systems Within a family. HoWever, there are interesting dif ferences. While OPS is the top overall test and the top test in differentiating Linux versions, WIN is the top test in differ entiating WindoW versions and the version of embedded sys tems. If it is already knoWn that a target system is in the Microsoft WindoWs family, OPS is no longer a highly dis criminative test. Similarly, if it is already knoWn that a target system is in the Linux family, WIN is no longer a highly
discriminative test.
While ISN, TTL and TS remain among the most discrimi native tests in each family, their quality varies across families.
systems. In both the TTL and TS tests the most likely test value leaves much more testing to narroW doWn the operating
overall or Within the family of embedded systems. ISN is not very discriminative among Linux versions. Also note that the
probe that achieves the highest information gain for each type
of test varies across families. For example, the T3 probe is more useful in differentiating Linux versions than it is in general. This is discussed further beloW. It is important to recall that the results in FIG. 7 make no assumptions about the distribution of versions Within a family of systems. If avail able, this information can be used to better re?ne the infor mation gain measure. Regarding the variability of tests across probes, in FIG. 7
of the 417 signature database entries. As mentioned above, information gain tends to overesti
mate the quality of tests that have many possible values. When studying ?ngerprinting tests With a similar number of values this is not an issue. HoWever, the ?ngerprinting tests in Nmap range from having tWo values to having tens or hun dreds of values. FIGS. 8A, 8B, and 9A-9C look more closely at the distribution of values for highly discriminative and discriminative tests. The number of values and their distribu tion vary greatly for each of these tests. While OPS and WIN have a large number of values, their distributions make it clear
that these are very valuable tests in terms of narroWing doWn
35
40
only the maximum information gain of each type of test is recorded. Here, the variability over information gain for the
same test over differing probes is noW discussed. Over all signature entries, the WIN and OPS tests on responses to the
the operating system classi?cation of a target system. Based on the number of values alone, ISN Would be the highest quality test, but it is clear that the information gain calculation herein is not mislead into ranking ISN above OPS and WIN. Similarly, although TTL and TS have feWer values than OPS
and WIN, they shoW distributions that are skeWed toWard a feW uninformative test values. Note that the ISN test is based
50
ever, the tests are still highly discriminative (removing greater than 50% of the uncertainty) When applied to any of the SEQ probes, the ECN probe, or the T3 probes. On the other hand, the OPS test provides no information gain When applied to probe responses T2 and T4-T7, While the WIN test is less discriminative (removing greater than 10% of the uncer tainty) When applied to probe responses T4 and T2, and not discriminative When applied to probe responses T5-T7. The TTL test is discriminative (removing greater than 25% of the
ing systems.
While these results indicate that information gain is a valu
able measurement in evaluating ?ngerprinting tests, the exist ence of bias should temper relying too heavily, on speci?c
values of information gain. The qualitative grouping of tests into 50%, 25%, and 10% groups of highly discriminative, discriminative, and less discriminative tests captures the qual ity of the tests. Regarding ranking tests by information gain Within fami lies of systems, as mentioned above, operating system ?nger
printing may require a sequence of tests in order to su?i
60
native, While the GCD test is less discriminative. Looking at a different type of test, the test of the dont fragment bit (DF) is less discriminative over all probes, except the UDP probe for Which it is not discriminative. Over signature entries for Microsoft WindoWs systems, the WIN test is highly discriminative over all the SEQ probes as
Well as the ECN and T3 probes. The WIN test is not discrimi
native over T2 or T4-T7. The OPS test is discriminative over
65
all the SEQ probes as Well as the ECN and T3 probes. The OPS test provides no information gain When applied to probe responses T2 and T4-T7. The TTL test is less discriminative over all probes except T3, for Which it is not discriminative.
US 8,352,393 B2
13
The ISN tests SP and ISR are both discriminative, While the GCD test is not discriminative. The DF test only provides discrimination over probes T1 and T4.
14
normalizing TCP tra?ic to remove ambiguities for use in
netWork intrusion detection. NormaliZing TCP options Would render the options ?ngerprinting test much less useful. HoW
ever, it has been empirically demonstrated that defensive devices like the PF netWork ?lter, despite having traf?c nor maliZing features, are not commonly con?gured to defeat
Over signature entries for Linux systems, the OPS test is highly discriminative over all SEQ tests except probe 6, as Well as the T3 and ECN probes. SEQ probe 6 is discrimina tive, While probes T2 and T4-T7 provide no information gain.
The WIN test is discriminative over all the SEQ probes as Well as the ECN and T3 probes. The WIN test is not discriminative
over T2 and T4-T7. The TTL test is less discriminative over
intrusion detection systems. While normaliZing TCP options can be implemented Without affecting performance, the ben
probe is discriminative, While the test over the T2, T4, and T6-T7 probes are less discriminative and the T5 probe is not discriminative. The OPS test is highly discriminative (or
close) for all the SEQ probes except probe 6, and discrimina
tive for the ECN, T3 probes and probe 6. The OPS test is not discriminative over probes T2, and T4-T7. The TTL and ISN
tests are discriminative over all probes. The DF test is less
tion includes a set of tunable parameters called Match Points that alloW the user to heuristically Weigh tests that are more effective and reliable in practice.
Since certain changes may be made in the above-described method and system for evaluating ?ngerprinting tests used in
These results can be summariZed by observing that SEQ probes and the ECN and T3 probes provide the mo st discrimi
native tests over all families. The selection of Which probes to
in the accompanying draWings shall be interpreted merely as examples illustrating the inventive concept herein and shall
not be construed as limiting the invention.
30
We claim:
method comprising:
determining an information gain pro?le of a signature data base, the signature database being associated With the classi?cation system; and evaluating the classi?cation system based on the informa
probes.
Regarding OS ?ngerprinting in practice, ?ngerprinting
tests have been ranked herein in terms of their information
50
the classi?cation system is evaluated by ranking the at least one information gain value of the plurality of classi?ca tion tests; and the method further comprises: executing a ?rst subset of the plurality of classi?cation
tests for classifying at least one of the target systems; and
60
practice.
Others have studied the problem of defeating TCP/IP ?n gerprinting and found that certain probes and responses used
in ?ngerprinting tests could be modi?ed or blocked Without
65
US 8,352,393 B2
15
known systems, based at least in part on the at least one
16
12. A method of evaluating a classi?cation system, the
method comprising:
determining at least one information gain value for each of a plurality of classi?cation tests, the plurality of classi ?cation tests being associated with the classi?cation
system; and
evaluating the classi?cation system based on the at least one information gain value for each of the plurality of classi?cation tests; wherein the at least one information gain value quanti?es the bene?t of using the plurality of classi?cation tests to
5. The method of claim 3 further comprising: ranking the at least one information gain value of the plu rality of classi?cation tests with respect to (i) all known
systems of the signature database and (ii) known sys tems of the signature database within selected family groupings of the known systems.
6. The method of claim 2 wherein: a ?rst subset of the plurality of classi?cation tests each have
null data values, disjunctive data values, and/or ranges of data values associated therewith in the signature data
base; and
the at least one information gain value for the plurality of classi?cation tests in the ?rst subset are generated in part based on the null data values, disjunctive data values, and/or ranges of data values. 7. The method of claim 1 wherein: the classi?cation system is a software tool con?gured for
20
25
30
the target system; the classi?cation system is evaluated by ranking the at least one information gain value of the plurality of classi?ca tion tests; and the method further comprises: executing a ?rst subset of the plurality of classi?cation tests for classifying the target system; and omitting a second, remaining subset of the plurality of classi?cation test, wherein the distribution of the plu
rality of classi?cation tests between the ?rst and sec ond subsets is based on the ranking. 14. The method of claim 13 wherein the plurality of clas
the OS ?ngerprinting tool includes the plurality of classi ?cation tests for classifying the unknown operating sys tem; the signature database comprises data associated with the
application of the plurality of classi?cation tests to a
35
si?cation tests in the ?rst sub set are executed in an order based
on a decision tree analysis of the plurality of classi?cation tests and/or the at least one information gain value thereof. 15. The method of claim 12 wherein: a ?rst subset of the plurality of classi?cation tests each have
40
null data values, disjunctive data values, and/ or ranges of data values associated therewith in the signature data
base; and
45
the OS ?ngerprinting tool is evaluated by ranking the at least one information gain value of the plurality of clas si?cation tests; and the method further comprises: executing a ?rst subset of the plurality of classi?cation
tests for classifying at least one of the unknown oper
the at least one information gain value for the plurality of classi?cation tests in the ?rst subset are generated in part based on the null data values, disjunctive data values, and/or ranges of data values. 16. The method of claim 12 wherein:
50
the classi?cation system is an operating system (OS) ?n gerprinting tool con?gured for use in identifying unknown operating systems; and the known systems are known operating systems.
17. The method of claim 16 wherein:
11. The method of claim 9 wherein: a ?rst subset of the plurality of classi?cation tests each have
null data values, disjunctive data values, and/or ranges of data values associated therewith in the signature data
base; and
the at least one information gain value for the plurality of classi?cation tests in the ?rst subset are generated in part based on the null data values, disjunctive data values, and/or ranges of data values.
65
US 8,352,393 B2
17
18. The method of claim 16 wherein: a ?rst subset of the plurality of classi?cation tests each have
18
Wherein the at least one information gain value quanti?es the bene?t of using at least one of the plurality of clas
null data values, disjunctive data values, and/or ranges of data values associated thereWith in the signature data
base; and
the at least one information gain value for the plurality of classi?cation tests in the ?rst subset are generated at least in part based on the null data values, disjunctive data values, and/or ranges of data values.
the data in the signature database includes null data values, disjunctive data values, and/or ranges of data values; and
15
the at least one information gain value is generated at least in part based on the null data values, disjunctive data values, and/ or ranges of data values.
* * * * *