CR, Jun 24, 2017

OS Fingerprinting: New Techniques and a Study of Information Gain and Obfuscation

arXiv:1706.08003v1, 44 citations
Originality: Incremental advance
AI Analysis

This work addresses the need for accurate OS detection to identify vulnerabilities in private networks, with potential applications for both defenders and attackers, though it is incremental in improving existing fingerprinting methods.

The paper tackled the problem of passive operating system fingerprinting for network security by developing a multi-session model using TLS, TCP/IP, and HTTP data features, achieving accuracies of 99.4% for major versions and 97.5% for minor versions in real-world experiments, and also studied how obfuscation techniques can be defeated.

Passive operating system fingerprinting reveals valuable information to the defenders of heterogeneous private networks; at the same time, attackers can use fingerprinting to reconnoiter networks, so defenders need obfuscation techniques to foil them. We present an effective approach for passive fingerprinting that uses data features from TLS as well as the TCP/IP and HTTP protocols in a multi-session model, which is applicable whenever several sessions can be observed within a time window. In experiments on a real-world private network, our approach identified operating system major and minor versions with accuracies of 99.4% and 97.5%, respectively, and provided significant information gain. We also show that obfuscation strategies can often be defeated due to the difficulty of manipulating data features from all protocols, especially TLS, by studying how obfuscation affects our fingerprinting system. Because devices running unpatched operating systems on private networks create significant vulnerabilities, their detection is critical; our approach achieved over 98% accuracy at this important goal.
