Identifying Operating System Using Flow-based Traffic Fingerprinting
Tomáš Jirsík, Pavel Čeleda {jirsik|celeda}@ics.muni.cz
Institute of Computer Science, Masaryk University
EUNICE 2014, September 1.–5., Rennes, France

Motivation
— Increasing number of devices
— Management of devices
— Security issues
[Figure: device environments in scope: Wireless Access Point, VPN, Home/Business Networks, Datacenters]
Tomáš Jirsík, Pavel Čeleda · Identifying Operating System Using Flow-based Traffic Fingerprinting · 3rd September 2014 · 2 / 10

State of the Art
Active Approach
— Higher precision of detection
— Inserts other traffic
— Needs to scan each host
Passive Approach
— Lower detection precision
— Transparency
— Large-scale network detection

Detection Methods
L3 - L4: Network and Transport Layer
OS         | TTL | SYN packet size | TCP window size
Windows XP | 128 | 48              | 65535
Windows 7  | 128 | 52              | 8192
Ubuntu     | 64  | 60              | 29200
Mac OS X   | 64  | 64              | 65535

L7: Application Layer
OS        | Browser | User-Agent
Windows 7 | Chrome  | Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36
Ubuntu    | Firefox | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0
Mac OS X  | Safari  | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.73.11 (KHTML, like Gecko) Version/6.1.1 Safari/537.73.11

Network Flows
[Figure: Probe -> (IPFIX) -> Collector -> Data analysis]
Flow record fields: SRC and DST IP addr, SRC and DST port, Protocol number, Lifetime, Sum of bytes, TCP flags, Others
Example flow records:
Flow start   | Duration | Proto | Src IP Addr:Port    |    | Dst IP Addr:Port    | Flags  | Packets | Bytes
09:41:21.763 | 0.101    | TCP   | 172.16.96.48:15094  | -> | 209.85.135.147:80   | .AP.SF | 4       | 715
09:41:21.893 | 0.031    | TCP   | 209.85.135.147:80   | -> | 172.16.96.48:15094  | .AP.SF | 4       | 1594

Architecture Design
Packet -> Packet observation -> Data extraction -> Flow Cache (Information aggregation) -> OS Detection -> Flow export (OS included)
Metering Process: Packet observation, Data extraction, Flow Cache / Information aggregation, OS Detection
Exporting Process: Flow export, OS included Flow export
Record extracted from each packet:
F = (IPsrc, IPdst, Psrc, Pdst, Proto, TTL, SizeSYN, SizeWIN, UA)

Benchmark
[Figure: throughput in packets per second for three traffic samples, each measured with no modules, the HTTP module only, and all modules enabled]
Sample 1: random network traffic
Sample 2: UDP : HTTP request : SYN packets = 1:1:1
Sample 3: UDP : HTTP request : SYN packets = 2:1:2
Packets-per-second values shown on the chart (assignment to individual bars is not recoverable from the extraction): 10158307, 10727241, 19124959, 8497515, 9087334, 18327719, 9139628, 10217365, 20404334

Deployment
Data set: 2 hours of traffic, 10.221 M flows, 12 897 hosts
# of unique OS | # of IP in A | % of all A | # of IP in B | % of all B
1              | 7898         | 87.059     | 3996         | 95.989
2              | 1071         | 11.806     | 159          | 3.819
3              | 80           | 0.882      | 7            | 0.168
> 3            | 23           | 0.253      | 1            | 0.024
Total          | 9072         | 100 %      | 4163         | 100 %
Number of unique OS detected at one IP: A - whole network, B - dynamically addressed subnets removed

Summary
— Large scale detection
— Flow based OS detection framework
— High performance
Future Work
— Deep analysis of User-Agents
— Fingerprint correlation
— Fingerprint database improvement

Thank you for your attention!
Tomáš Jirsík, Pavel Čeleda {jirsik|celeda}@ics.muni.cz
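The following Python program is an added illustration of two slides above, the Detection Methods fingerprint tables and the Deployment table of unique OS per IP; it is not code from the paper or from the authors' framework. It takes the extracted record F = (IPsrc, IPdst, Psrc, Pdst, Proto, TTL, SizeSYN, SizeWIN, UA), matches the L3/L4 tuple against the slides' table and the User-Agent against patterns derived from the slides' L7 table, then counts how many distinct OS each source IP was seen with, once over the whole address space (variant A) and once with dynamically addressed subnets removed (variant B). Assumptions not on the slides: the User-Agent regexes, preferring User-Agent evidence over the L3/L4 tuple when both are present, rounding the observed TTL up to the nearest common initial value (a passive probe sees the TTL after every hop decremented it, so a Windows host twelve hops away shows 116, not 128), the sample flows and the DHCP subnet, which are all constructed here.

```python
"""Flow-based OS fingerprinting: L3/L4 tuple and User-Agent matching, then per-IP aggregation."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set
import ipaddress
import re

# L3/L4 fingerprints, copied from the slides' table: (initial TTL, SYN packet size, TCP window size) -> OS
L34_FINGERPRINTS = {
    (128, 48, 65535): "Windows XP",
    (128, 52, 8192): "Windows 7",
    (64, 60, 29200): "Ubuntu",
    (64, 64, 65535): "Mac OS X",
}

# User-Agent patterns derived from the slides' L7 examples (the regexes are an assumption, not the paper's rules)
UA_PATTERNS = [
    (re.compile(r"Windows NT 6\.1"), "Windows 7"),
    (re.compile(r"X11; Ubuntu"), "Ubuntu"),
    (re.compile(r"Mac OS X"), "Mac OS X"),
]

INITIAL_TTLS = (64, 128, 255)  # common initial TTL values (assumption: no stack uses another)


def initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value, since each hop decremented it."""
    for ttl in INITIAL_TTLS:
        if observed_ttl <= ttl:
            return ttl
    return observed_ttl


@dataclass(frozen=True)
class Flow:
    """The record F = (IPsrc, IPdst, Psrc, Pdst, Proto, TTL, SizeSYN, SizeWIN, UA) from the architecture slide."""
    ip_src: str
    ip_dst: str
    p_src: int
    p_dst: int
    proto: int
    ttl: int
    size_syn: int
    size_win: int
    ua: Optional[str] = None  # only present when the flow carried an HTTP request


def detect_os(flow: Flow) -> str:
    """Classify one flow. Assumption: a matching User-Agent wins, the L3/L4 tuple is the fallback."""
    if flow.ua:
        for pattern, os_name in UA_PATTERNS:
            if pattern.search(flow.ua):
                return os_name
    key = (initial_ttl(flow.ttl), flow.size_syn, flow.size_win)
    return L34_FINGERPRINTS.get(key, "unknown")


def unique_os_per_ip(flows: Iterable[Flow], exclude_subnets: Iterable[str] = ()) -> Dict[str, Set[str]]:
    """Map each source IP to the set of distinct OS names detected in its flows.
    Flows from exclude_subnets (e.g. DHCP pools) are dropped, which is the slides' variant B.
    Flows whose fingerprint is unknown contribute nothing, so such IPs do not appear at all."""
    excluded = [ipaddress.ip_network(net) for net in exclude_subnets]
    seen: Dict[str, Set[str]] = defaultdict(set)
    for flow in flows:
        addr = ipaddress.ip_address(flow.ip_src)
        if any(addr in net for net in excluded):
            continue
        os_name = detect_os(flow)
        if os_name != "unknown":
            seen[flow.ip_src].add(os_name)
    return dict(seen)


def histogram(per_ip: Dict[str, Set[str]]) -> Dict[str, int]:
    """Count IPs by number of unique OS detected, bucketed like the Deployment table (1, 2, 3, > 3)."""
    buckets = {"1": 0, "2": 0, "3": 0, ">3": 0}
    for os_set in per_ip.values():
        n = len(os_set)
        buckets[str(n) if n <= 3 else ">3"] += 1
    return buckets


CHROME_WIN7 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36"
FIREFOX_UBUNTU = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0"
SAFARI_MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.73.11 (KHTML, like Gecko) Version/6.1.1 Safari/537.73.11"

DHCP_SUBNETS = ("10.0.200.0/24",)  # constructed: the dynamically addressed range removed in variant B

# Constructed sample records; TTLs are the values a probe several hops away would observe.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "198.51.100.7", 49152, 443, 6, 118, 52, 8192),                 # Windows 7 by L3/L4
    Flow("10.0.1.10", "198.51.100.8", 49153, 80, 6, 118, 52, 8192, CHROME_WIN7),     # same host, confirmed by UA
    Flow("10.0.1.11", "198.51.100.8", 40000, 80, 6, 58, 60, 29200, FIREFOX_UBUNTU),  # Ubuntu
    Flow("10.0.1.12", "198.51.100.8", 50000, 80, 6, 62, 64, 65535, SAFARI_MAC),      # Mac OS X
    Flow("10.0.1.13", "198.51.100.9", 1025, 443, 6, 120, 48, 65535),                 # Windows XP behind one IP ...
    Flow("10.0.1.13", "198.51.100.9", 33000, 443, 6, 58, 60, 29200),                 # ... and Ubuntu behind the same IP
    Flow("10.0.200.5", "198.51.100.9", 49200, 443, 6, 126, 52, 8192),                # DHCP pool: Windows 7 ...
    Flow("10.0.200.5", "198.51.100.8", 50001, 80, 6, 62, 64, 65535, SAFARI_MAC),     # ... later leased to a Mac
    Flow("10.0.1.14", "198.51.100.9", 2000, 443, 6, 250, 44, 5840),                  # no matching fingerprint
]

if __name__ == "__main__":
    for label, subnets in (("A - whole network", ()), ("B - dynamic subnets removed", DHCP_SUBNETS)):
        per_ip = unique_os_per_ip(SAMPLE_FLOWS, subnets)
        counts = histogram(per_ip)
        total = sum(counts.values())
        print(label)
        for bucket, n in counts.items():
            print(f"  {bucket:>3} unique OS: {n:3d} IPs ({100.0 * n / total:6.3f} %)")
```

The TTL rounding is the step most often skipped in ad-hoc passive fingerprinting; without it every flow from a host more than zero hops away misses the table. The histogram reproduces the shape of the Deployment table, where an IP with more than one OS is either NAT, a dual-boot machine, or an address reassigned by DHCP during the two-hour window, which is why variant B removes the dynamic ranges before counting.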