Passive operating system identification from TCP/IP packet headers
November 19, 2003
Conference Paper
Author:
Published in:
ICDM Workshop on Data Mining for Computer Security, DMSEC, 19 November 2003.
R&D Area:
R&D Group:
Passive operating system identification from TCP/IP packet headers
Summary
Accurate operating system (OS) identification by passive network traffic analysis can continuously update less-frequent active network scans and help interpret alerts from intrusion detection systems. The most recent open-source passive OS identification tool (ettercap) rejects 70% of all packets and has a high 75-class error rate of 30% for non-rejected packets on unseen test data. New classifiers were developed using machine-learning approaches including cross-validation testing, grouping OS names into fewer classes, and evaluating alternate classifier types. Nearest neighbor and binary tree classifiers provide a low 9-class OS identification error rate of roughly 10% on unseen data without rejecting packets. This error rate drops to nearly zero when 10% of the packets are rejected.