Faulds: A Non-Parametric Iterative Classifier for Internet-Wide OS Fingerprinting

Transcription

1 Faulds: A Non-Parametric Iterative Classifier for Internet-Wide OS Fingerprinting Zain Shamsi,, Daren B.H. Cline, and Dmitri Loguinov Internet Research Lab Department of Computer Science and Engineering Texas A&M University Nov 1, / 28

2 Agenda Introduction OS Fingerprinting Techniques Iterative Classification with Faulds Internet Scan Conclusion 2 / 28

3 Introduction The Internet is exploding with different types of devices (e.g., phones, printers, cyberphysical, medical devices) Builds unique attack vectors for hackers Provides for interesting measurements for researchers One technique used for discovering these devices is OS fingerprinting Determines the OS of a remote host Can fingerprint specific firmware, which can reveal devices such as printers and webcams 3 / 28

4 Introduction OS fingerprinting is used widely in network security Used by attackers as part of their reconnaissance/discovery Used by administrators to survey their networks Used by IDS/IPS to build better protections Used by researchers/market analysts to measure networks Our focus in this work is improving the results of largescale OS fingerprinting We want to extract all the information we can We do not want to increase our measurement footprint 4 / 28

5 Agenda Introduction Background: OS Fingerprinting Iterative Classification Internet Scan Conclusion 5 / 28

6 Background: Fingerprinting Methods For our purposes, we focus on active fingerprinting Active Methods Passive methods (e.g., p0f) require access to existing traffic Active methods send crafted probes to elicit responses Banner Grabbing Multi-probe Single-probe Protocol must be known Defeated by generic software and can be easily scrubbed Nmap Xprobe Clock skew RING Snacktime Noisy, generate complaints Send malformed packets Too slow for millions of targets Packets easily blocked Hershel Hershel+ Our focus 6 / 28

7 Background: Single-Probe Fingerprinting Single-probe techniques use TCP probes and rely on two types of features for classification Network features: Can be modified by network effects User features: Can be modified by the end-user User Features M = MSS, S = SACK, T = Timestamp, W = Window Scale, N = NOP Network Features 7 / 28

8 Background: Network Features Network features are SYN/ACK retransmission timeouts (RTOs) Can be affected drastically by network delays and packet loss SYN SYN-ACK SYN-ACK SYN-ACK SYN-ACK R 1 R 1 R 2 R 1 R 2 R 3 With delays 1 packet lost 2 packets lost 3 packets lost (2.8,6.4,12.1) (9.2, 12.1) (2.8, 18.5) (2.8, 6.4) (6.4, 12.1) (21.3) (6.4) (18.5) (9.2) (12.1) (2.8) empty server client Not just many possibilities, but also drastically different values! 8 / 28

9 Background: User Features User features can typically be modified in OS settings Modification results in arbitrary value fluctuations E.g., Receiver Window more likely to go from 8192 to than to 8193 Treating all features as volatile, an observed sample can have multiple OS matches: 9 / 28

10 Background: Hershel+ Review 10 / 28 Computer Science, Texas A&M University

11 Background: Hershel+ Review 11 / 28 Computer Science, Texas A&M University

12 Background: Hershel+ Review 12 / 28 Computer Science, Texas A&M University

13 Agenda Introduction Background: OS Fingerprinting Iterative Classification Internet Scan Conclusion 13 / 28

14 14 / 28 Computer Science, Texas A&M University Iterative Classification

15 Iterative Classification with Faulds Conditioned on the previous estimates 15 / 28

16 Iterative Classification with Faulds 16 / 28

17 Iterative Classification with Faulds 17 / 28

18 Iterative Classification with Faulds We first focus on simulating different network conditions 18 / 28

19 Iterative Classification with Faulds We now switch to modifications to user features Please see paper for more scenarios 19 / 28

20 Iterative Classification with Faulds Iteration 0 actual estimated seconds Iteration 1 actual estimated seconds Iteration 10 actual estimated seconds Iteration 100 actual estimated seconds 20 / 28

21 Agenda Introduction Background Iterative Classification Internet Scan Conclusion 21 / 28

22 22 / 28 Computer Science, Texas A&M University Internet Scan

23 Internet Scan During classification, Faulds consolidates several signatures by learning how much they are tweaked Top 10 classified OSes: 23 / 28

24 Internet Scan Faulds outputs interesting details about end-user behavior in modifying each device in the database 10 0 Ubuntu (31.4%) 17898(4.0%) 26847(1.1%) WindowSize 28960(61.5%) 24 / 28

25 Internet Scan Faulds outputs interesting details about end-user behavior in modifying each device in the database Mac OSX 25 / 28

26 Internet Scan Faulds outputs interesting details about end-user behavior in modifying each device in the database Dell Printers 26 / 28

27 Internet Scan Faulds found several industrial and enterprise devices reachable from the Internet We also see large numbers of old OSes that are no longer supported still online 27 / 28

28 Conclusion We introduced an iterative EM-based classifier called Faulds to improve single-probe fingerprinting Outperforms previous best classifier Hershel+ Builds much more detailed output without increasing measurement cost Using an Internet scan, we use Faulds to produce world-wide OS measurements with exhaustive results THANK YOU! 28 / 28