Passive OS Fingerprinting Methods in the Jungle of Wireless Networks

Warning

This publication doesn't include Faculty of Economics and Administration. It includes Institute of Computer Science. Official publication website can be found on muni.cz.
Authors

LAŠTOVIČKA Martin JIRSÍK Tomáš ČELEDA Pavel ŠPAČEK Stanislav FILAKOVSKÝ Daniel

Year of publication 2018
Type Article in Proceedings
Conference NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium
MU Faculty or unit

Institute of Computer Science

Citation
Web https://ieeexplore.ieee.org/document/8406262
Doi http://dx.doi.org/10.1109/NOMS.2018.8406262
Field Informatics
Keywords OS fingerprinting;passive monitoring;IPFIX
Attached files
Description Operating system fingerprinting methods are well-known in the domain of static networks and managed environments. Yet few studies tackled this challenge in real networks, where users can bring and connect any device. We evaluate the performance of three OS fingerprinting methods on a large dataset collected from university wireless network. Our results show that method based on HTTP User-agents is the most accurate but can identify only low portion of the traffic. TCP/IP parameters method proved to be the opposite with high identification rate but low accuracy. We also implemented a new method based on detection of communication to OS-specific domains and its performance is comparable to the two established ones. After that, we discuss the impacts of traffic encryption and embracing new protocols such as IPv6 or HTTP/2.0 on OS fingerprinting. Our findings suggest that OS identification based on specific domain detection is viable and corresponds to the current directions of network traffic evolution, while methods based on TCP/IP parameters and User-agents will become ineffective in the future.
Related projects:

You are running an old browser version. We recommend updating your browser to its latest version.