LNCS 2820 - Ambiguity Resolution via Passive OS Fingerprinting
LNCS 2820 - Ambiguity Resolution via Passive OS Fingerprinting
LNCS 2820 - Ambiguity Resolution via Passive OS Fingerprinting
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
202 G. Taleck<br />
that failed (either the SYN table or one of the 16 SYNACK sub-tables) and<br />
tally a score for each field. Once all fingerprint scores have been calculated, the<br />
highest score wins.<br />
6 Resource Consumption<br />
With ever-increasing network speeds, it is important for the network analysis of<br />
packets by an IDS to be as fast as possible. To this end, a number of optimizations<br />
have been made to satisfy the constraints placed on the IDS sensor.<br />
6.1 On-demand <strong>Resolution</strong><br />
Since detecting the <strong>OS</strong> type can be an O(n) operation, the SYN and SYNACK<br />
data from an IP are cached in a tree based upon the IP address of the host. To<br />
prevent dubious SYN/SYNACK entries from flooding the cache, the insertion<br />
is only done once the three-way handshake is complete and we understand a<br />
complete connection has been made. There is little sense in occupying resources<br />
for some port scan or even a flood.<br />
When an ambiguity arises in future traffic received by the IDS, a lookup is<br />
performed on the IP address of the host receiving the ambiguous packets, and<br />
a decision is made as to how to resolve the ambiguity. With this approach, only<br />
costly operations are performed when necessitated by the network traffic.<br />
6.2 Fingerprint Caching<br />
As described in the previous section, when an ambiguity arises, a lookup is<br />
made into the IP SYN/SYNACK cache. If an entry is found that matches the<br />
destination IP address of the packet(s) containing the ambiguity, the values of<br />
the SYN/SYNACK entry are used to look up the <strong>OS</strong> type in a fingerprint cache.<br />
Since the IDS does not perform any computationally intensive operations<br />
until an ambiguity arises, the average runtime cost is merely the cost of caching<br />
SYN and SYNACK information. The resulting computational overhead is negligible.<br />
At cold start, this cache is initialized to contain all the fingerprints of the<br />
database, built as described in Section 4. During runtime, if the lookup of the<br />
<strong>OS</strong> type in the fingerprint cache fails, the best-match algorithm is invoked to<br />
make a best guess. This resulting value is then inserted as a new entry into the<br />
fingerprint cache, such that any following lookup will result in a cache hit.<br />
6.3 Memory Utilization<br />
The two caches used for the SYN/SYNACK lookup tree and the <strong>OS</strong> fingerprint<br />
tree can grow to very large sizes. Even though the amount of memory per entry<br />
may be small, an IDS monitoring a large network can quickly expand the size of<br />
these caches. Our implementation does not limit the size of these caches; rather,