Operating System Detection

Morgon Kanter

Milestone

1. Abstract

Given a stream of TCP packets from a server, can it be determined what operating system the server is running? I have been attempting to answer this question, and have come up with a method of doing so.

2. Implementation

Thus far, I have implemented the traffic generator and one of the tests (each test is a member of the feature vector). The test simulates packet loss: it connects to an arbitrary server that sends a banner on connection, such as an SMTP or HTTP server, and pretends not to have received the banner by never acknowledging it, so the server retransmits. It waits for two retransmissions, compares the time between them, and then terminates the connection with the normal four-way FIN/ACK teardown.

I have also implemented the Bayesian network. It is modeled after the QMR-DT medical diagnostic system, which places diseases in a layer of hidden nodes densely connected to an observed layer of symptoms. In my case each operating system is a node in the hidden layer, and that layer is densely connected to the observed layer of test responses.
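The following Python is an added illustration of the two pieces just described, not code from this project: the packet-loss test reduced to feature values (the gaps between the server's banner retransmissions), and a two-layer noisy-OR network in the QMR-DT style that turns those features into a posterior over candidate operating systems. The OS names, prior probabilities, per-test "fires" probabilities, leak terms, the backoff threshold band and the sample arrival times are all constructed placeholders, not measured values.

```python
"""Added illustration (not the report's code): the packet-loss test's feature
extraction feeding a two-layer noisy-OR network in the style of QMR-DT.

Hidden layer  : one binary node per candidate operating system.
Observed layer: one binary node per test outcome, densely connected to every
                hidden node with a noisy-OR conditional distribution:
  P(test_j = 1 | hidden) = 1 - (1 - leak_j) * prod_{i : OS_i = 1} (1 - q_ij)
Posterior marginals come from exact enumeration of the hidden layer, which is
fine for a handful of candidate systems.  All numbers are constructed.
"""
from itertools import product

# Candidate operating systems and independent priors (QMR-DT treats each
# hidden cause as an independent binary node).  Constructed values.
OSES = ["linux", "windows", "bsd"]
PRIOR = {"linux": 0.5, "windows": 0.4, "bsd": 0.3}

# Observed test nodes.  Q[test][os] = P(test fires | only that OS active);
# LEAK[test] = P(test fires | no OS active), absorbing noise and unknowns.
TESTS = ["rto_backoff_exponential", "rto_first_gt_1s"]
Q = {
    "rto_backoff_exponential": {"linux": 0.9, "windows": 0.2, "bsd": 0.8},
    "rto_first_gt_1s":         {"linux": 0.1, "windows": 0.8, "bsd": 0.3},
}
LEAK = {"rto_backoff_exponential": 0.05, "rto_first_gt_1s": 0.05}


def retransmission_features(arrivals):
    """Turn the packet-loss test's raw observation into test outcomes.

    `arrivals` are client-side arrival times (seconds) of the server's banner
    and its retransmissions, as seen by a client that never ACKs the banner.
    The gaps between them are the server's retransmission timeouts; their
    ratios expose the backoff policy.
    """
    if len(arrivals) < 3:
        raise ValueError("need the banner plus at least two retransmissions")
    gaps = [b - a for a, b in zip(arrivals, arrivals[1:])]
    ratios = [later / earlier for earlier, later in zip(gaps, gaps[1:])]
    return {
        # roughly doubling each time; the band is a constructed threshold
        "rto_backoff_exponential": all(1.5 <= r <= 2.5 for r in ratios),
        "rto_first_gt_1s": gaps[0] > 1.0,
    }


def p_test_fires(test, hidden):
    """Noisy-OR: P(test = 1 | hidden), with hidden = {os_name: 0 or 1}."""
    p_silent = 1.0 - LEAK[test]
    for os_name, active in hidden.items():
        if active:
            p_silent *= 1.0 - Q[test][os_name]
    return 1.0 - p_silent


def posterior(evidence):
    """P(OS_i = 1 | evidence) for every OS, by exact enumeration.

    `evidence` maps test name -> observed bool.  Tests absent from it are
    unobserved and simply contribute no factor (they marginalise out).
    """
    joint = {}
    for bits in product((0, 1), repeat=len(OSES)):
        hidden = dict(zip(OSES, bits))
        p = 1.0
        for os_name, active in hidden.items():
            p *= PRIOR[os_name] if active else 1.0 - PRIOR[os_name]
        for test, seen in evidence.items():
            pf = p_test_fires(test, hidden)
            p *= pf if seen else 1.0 - pf
        joint[bits] = p
    z = sum(joint.values())
    return {
        os_name: sum(pj for bits, pj in joint.items() if bits[i]) / z
        for i, os_name in enumerate(OSES)
    }


# Constructed sample: banner at t=0, retransmitted after 0.21 s, 0.42 s, 0.84 s.
SAMPLE_ARRIVALS = [0.0, 0.21, 0.63, 1.47]

if __name__ == "__main__":
    ev = retransmission_features(SAMPLE_ARRIVALS)
    for os_name, p in sorted(posterior(ev).items(), key=lambda kv: -kv[1]):
        print(f"{os_name:8s} {p:.3f}")
```

One design point worth noting: QMR-DT treats its hidden causes as independent binary variables because a patient can have several diseases at once, whereas a host runs exactly one operating system. The block follows the report's QMR-DT structure as stated, so the marginals it returns are per-OS probabilities that need not sum to one; a single multi-valued hidden node (naive Bayes over the tests) is the alternative if mutual exclusion should be enforced.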

3. Todo

I have three main tasks ahead of me:

4. Comment on Status

Thus far, I am not where I wanted to be at the milestone. The traffic generator, which required understanding all the nuances of TCP, and the data generation itself have proven to be very time-consuming tasks. The data generation was originally assumed to be one of the easier parts, but it has become one of the most difficult. In addition, I have been having a difficult time juggling the class and research demands, an ongoing issue.

Despite the setbacks, I expect to complete the project.

5. References