Identifying Operating System Using Flow-based Traffic Fingerprinting

Transcription

1 Identifying Operating System Using Flow-based Traffic Fingerprinting Tomáš Jirsík, Pavel Čeleda {jirsik Institute of Computer Science, Masaryk University EUNICE 2014 September, 1. 5., Rennes, France

2 Motivation Increasing number of devices Management of devices Security issues VPN Wireless Access Point Home/Business Networks Datacenters Tomáš Jirsík, Pavel Čeleda Identifying Operating System Using Flow-based Traffic Fingerprinting 3rd September / 10

3 State of the Art Active Approach Higher precision of detection Inserts other traffic Needs to scan each host Passive Approach Lower detection precision Transparency Large-scale network detection Tomáš Jirsík, Pavel Čeleda Identifying Operating System Using Flow-based Traffic Fingerprinting 3rd September / 10

4 Detection Methods L3 - L4: Network and Transport Layer OS TTL SYN packet size TCP window size Windows XP Windows Ubuntu Mac OS X L7: Application Layer OS Browser User-Agent Windows 7 Chrome Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/ Ubuntu Firefox Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:29.0) Gecko/ Firefox/29.0 Mac OS X Safari Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/ (KHTML, like Gecko) Version/6.1.1 Safari/ Tomáš Jirsík, Pavel Čeleda Identifying Operating System Using Flow-based Traffic Fingerprinting 3rd September / 10

5 Network Flows Probe SRC and DST IP addr SRC and DST port Protocol number TCP flags Lifetime Sum of bytes Others IPFIX Collector Data analysis Fl ow start Durati on Proto Src I P Addr: Port Dst I P Addr: Port Fl ags Packets Bytes 09: 41: TCP : > : 80. AP. SF : 41: TCP : 80 - > : AP. SF Tomáš Jirsík, Pavel Čeleda Identifying Operating System Using Flow-based Traffic Fingerprinting 3rd September / 10

6 Architecture Design Packet Tomáš Jirsík, Pavel Čeleda Identifying Operating System Using Flow-based Traffic Fingerprinting 3rd September / 10

7 Architecture Design Packet Metering Process Packet observation Tomáš Jirsík, Pavel Čeleda Identifying Operating System Using Flow-based Traffic Fingerprinting 3rd September / 10

8 Architecture Design Packet Metering Process Packet observation Data extraction Tomáš Jirsík, Pavel Čeleda Identifying Operating System Using Flow-based Traffic Fingerprinting 3rd September / 10

9 Architecture Design Packet Metering Process Packet observation Data extraction F = (IPsrc,IPdst,Psrc,Pdst,Proto, Tomáš Jirsík, Pavel Čeleda Identifying Operating System Using Flow-based Traffic Fingerprinting 3rd September / 10

10 Architecture Design Packet Metering Process Packet observation Data extraction F = (IPsrc,IPdst,Psrc,Pdst,Proto,TTL,Size SYN,Size WIN,UA) Tomáš Jirsík, Pavel Čeleda Identifying Operating System Using Flow-based Traffic Fingerprinting 3rd September / 10

11 Architecture Design Packet Metering Process Packet observation Data extraction Information aggregation Flow Cache F = (IPsrc,IPdst,Psrc,Pdst,Proto,TTL,Size SYN,Size WIN,UA) Tomáš Jirsík, Pavel Čeleda Identifying Operating System Using Flow-based Traffic Fingerprinting 3rd September / 10

12 Architecture Design Packet Metering Process Packet observation Data extraction Information aggregation Flow Cache Flow OS Detection F = (IPsrc,IPdst,Psrc,Pdst,Proto,TTL,Size SYN,Size WIN,UA) Tomáš Jirsík, Pavel Čeleda Identifying Operating System Using Flow-based Traffic Fingerprinting 3rd September / 10

13 Architecture Design Packet Metering Process Packet observation Data extraction Exporting Process Flow export OS included Flow export Information aggregation Flow Cache Flow OS Detection F = (IPsrc,IPdst,Psrc,Pdst,Proto,TTL,Size SYN,Size WIN,UA) Tomáš Jirsík, Pavel Čeleda Identifying Operating System Using Flow-based Traffic Fingerprinting 3rd September / 10

14 Architecture Design Packet Metering Process Packet observation Data extraction Exporting Process Flow export OS included Flow export Information aggregation Flow Cache Flow OS Detection F = (IPsrc,IPdst,Psrc,Pdst,Proto,TTL,Size SYN,Size WIN,UA) Tomáš Jirsík, Pavel Čeleda Identifying Operating System Using Flow-based Traffic Fingerprinting 3rd September / 10

15 Benchmark Sample 1 No modules HTTP module All modules Random network traffic Sample 2 No modules HTTP module All modules UDP:HTTPreq:SYN packets = 1:1: Sample 3 No modules HTTP module All modules UDP:HTTPreq:SYN packets = 2:1: Packets per second Tomáš Jirsík, Pavel Čeleda Identifying Operating System Using Flow-based Traffic Fingerprinting 3rd September / 10

16 Deployment Data set: 2 hours of traffic, M flows, hosts # of unique OS # of IP in A % of all A # of IP in B % of all B > Total % % Number of unique OS detected at one IP: A - whole network, B - dynamically addressed subnets removed Tomáš Jirsík, Pavel Čeleda Identifying Operating System Using Flow-based Traffic Fingerprinting 3rd September / 10

17 Summary Large scale detection Flow based OS detection framework High performance Future Work Deep analysis of User-Agents Fingerprint correlation Fingerprint database improvement Tomáš Jirsík, Pavel Čeleda Identifying Operating System Using Flow-based Traffic Fingerprinting 3rd September / 10

18 Thank you for your attention! Tomáš Jirsík, Pavel Čeleda {jirsik