Abstract
The process of remote characterization and identification of computers has many applications in network security and forensics. In network forensics, this process can be used together with intrusion detection systems to characterize the suspicious machines of remote attackers. The characterization of a remote computer is based on the analysis of network data originating from that machine. The classical approach is to exploit peculiar characteristics of different implementations of network protocols at each layer of the protocol stack, i.e. the link, network, transport and application layers. Recent works show that the use of computational intelligence techniques can improve identification performance when compared to classical classification algorithms and tools. This chapter presents some advances in this area and surveys the use of computational intelligence for remote identification of computers and its applications to network forensics.
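The following is an added example, not code from the chapter or its authors, illustrating the classical approach the abstract describes at the network and transport layers: a passive, p0f-style fingerprinter that parses a raw IPv4+TCP SYN, extracts the implementation-dependent fields (initial TTL guess, IP DF flag, TCP window, option ordering, MSS, window scale) and matches them against a signature table. The packet bytes, the signature table and the labels `stack-A`/`stack-B` are constructed for illustration and are not real operating-system signatures; checksums are deliberately left at zero.

```python
"""Passive TCP/IP stack fingerprinting, p0f-style (added example, not the
chapter's code).  Packets and signatures below are constructed; the labels
are hypothetical, not real operating-system data."""
import struct

OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACKOK", 8: "TS"}

# Constructed signature table (hypothetical labels).
SIGNATURES = [
    {"label": "stack-A (constructed)", "ittl": 64, "df": True,
     "window": 29200, "options": "MSS,SACKOK,TS,NOP,WS"},
    {"label": "stack-B (constructed)", "ittl": 128, "df": True,
     "window": 8192, "options": "MSS,NOP,WS,NOP,NOP,SACKOK"},
]


def guess_initial_ttl(ttl: int) -> int:
    """The observed TTL is the initial TTL minus the hop count; round it up
    to the nearest common default (32, 64, 128, 255)."""
    for candidate in (32, 64, 128, 255):
        if ttl <= candidate:
            return candidate
    raise ValueError("TTL out of range")


def parse_tcp_options(opts: bytes):
    """Return (option order, MSS, window scale); reject malformed lengths."""
    order, mss, wscale, i = [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # EOL: padding follows
            order.append("EOL")
            break
        if kind == 1:                      # NOP has no length byte
            order.append("NOP")
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option length")
        body = opts[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            wscale = body[0]
        order.append(OPTION_NAMES.get(kind, f"OPT{kind}"))
        i += length
    return order, mss, wscale


def fingerprint(pkt: bytes) -> dict:
    """Extract the fingerprint fields from a raw IPv4 packet carrying a pure SYN."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP")
    frag_field = struct.unpack("!H", pkt[6:8])[0]
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    doff = (tcp[12] >> 4) * 4
    flags = tcp[13]
    if not (flags & 0x02) or (flags & 0x10):   # SYN set, ACK clear
        raise ValueError("not a pure SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    order, mss, wscale = parse_tcp_options(tcp[20:doff])
    return {"ittl": guess_initial_ttl(pkt[8]), "df": bool(frag_field & 0x4000),
            "window": window, "options": ",".join(order),
            "mss": mss, "wscale": wscale}


def classify(pkt: bytes):
    """Return the label of the first matching signature, or None."""
    fp = fingerprint(pkt)
    for sig in SIGNATURES:
        if all(fp[k] == sig[k] for k in ("ittl", "df", "window", "options")):
            return sig["label"]
    return None


def build_syn(ttl: int, df: bool, window: int, options: bytes) -> bytes:
    """Construct an IPv4+TCP SYN for testing (checksums left zero on purpose)."""
    options += b"\x00" * ((-len(options)) % 4)
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0x11223344, 0,
                      doff << 4, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + tcp


# Constructed option blobs: MSS=1460,SACKOK,TS,NOP,WS=7  and  MSS,NOP,WS=8,NOP,NOP,SACKOK
OPTS_A = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x07"
OPTS_B = b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02"

if __name__ == "__main__":
    # A SYN that crossed 13 hops from a stack whose initial TTL is 64.
    print(classify(build_syn(51, True, 29200, OPTS_A)))   # stack-A (constructed)
    print(classify(build_syn(117, True, 8192, OPTS_B)))   # stack-B (constructed)
    print(classify(build_syn(60, False, 5840, OPTS_A)))   # None
```

In a forensic deployment the signature table would be populated from known stacks, and the fingerprint would be attached to IDS alerts for the source address; note that the initial-TTL rounding and the exact-match on window size are the points where packet scrubbing or NAT along the path can make the result unreliable.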
© 2014 Springer International Publishing Switzerland
Medeiros, J.P.S., Neto, J.B.B., Júnior, A.M.B., Pires, P.S.M. (2014). Learning Remote Computer Fingerprinting. In: Muda, A., Choo, YH., Abraham, A., N. Srihari, S. (eds) Computational Intelligence in Digital Forensics: Forensic Investigation and Applications. Studies in Computational Intelligence, vol 555. Springer, Cham. https://doi.org/10.1007/978-3-319-05885-6_12
DOI: https://doi.org/10.1007/978-3-319-05885-6_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-05884-9
Online ISBN: 978-3-319-05885-6
eBook Packages: Engineering, Engineering (R0)