1. Field of Invention
This invention relates in general to network security. More specifically, the invention relates to methods and systems for preventing the detection of an operating system installed in a host on a network.
2. Description of the Background Art
Intruders generally attack the operating systems installed on hosts in a network. An intruder can be a host operating in another network, or a software program running on such a host. Intruders, who have no authorized access to the host, attack it by sending viruses, worms, corrupted files, etc. Generally, intruders try to gain access to a host in the computer network system by first detecting the type of operating system installed on the host and then exploiting that operating system's weaknesses. There are several conventional methods of detecting the type of operating system a host runs. One such method is sending seemingly innocuous network probes to operating systems in a computer network system. Examples of network probes commonly used for detecting operating systems include the FIN probe, the BOGUS/Reserved flag probe, the Transmission Control Protocol (TCP) FTP proxy probe, the TCP SYN probe, etc. Different operating systems generate different responses to the same network probe, and these differences allow an intruder to identify the type of operating system. The responses to the network probes reveal information about the operating system such as TCP timestamp values, the TCP window size, acknowledgement values, initial sequence numbers (ISN), etc. The intruders use this information to attack the operating system. Thus, network probes are precursors to a network attack tailored to the specific operating system.
There are several ways of preventing the detection of operating systems. Some network probes can be stopped by traditional firewalls. However, other network probes cannot be stopped by traditional firewalls, since these probes are identical to valid network traffic. Intrusion protection systems (IPS) detect the network probes and then block future network probes transmitted from the same source IP address. However, the way probes are blocked can itself indicate the type of IPS used on the network. In addition, some probes may succeed before the IPS can block or drop them.
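The two preceding paragraphs describe the probes by name and note that some of them look exactly like legitimate traffic while others can be blocked, though blocking per source address reveals the IPS. The following is an added example, not part of the patent text, of a small defender-side classifier for those probes: it parses constructed one-line packet summaries (the line format, the `TcpPacket` record and the sample addresses are all assumptions made here), names the FIN and BOGUS/Reserved flag probes, deliberately returns no verdict for a plain SYN because it is indistinguishable from a normal connection attempt, and groups findings by source address so that an operator can decide separately whether to block.

```python
# Added example (not from the patent text): a defender-side classifier for the
# TCP fingerprinting probes named in the background section.  The one-line
# packet summary format, the TcpPacket record and the sample lines below are
# constructed for illustration only.
from collections import defaultdict
from dataclasses import dataclass

# Map of single-letter flag codes used in the constructed summary lines.
FLAG_CHARS = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}


@dataclass(frozen=True)
class TcpPacket:
    src: str            # source IP address of the segment
    dport: int          # destination port on the protected host
    flags: frozenset    # TCP flags set in the segment, e.g. {"SYN"} or {"FIN", "ACK"}
    reserved: int = 0   # value of the reserved header bits; a conforming stack sends 0


def parse_line(line: str) -> TcpPacket:
    """Parse a constructed summary such as '198.51.100.7 > 22 flags=F res=0'."""
    src, _, rest = line.partition(" > ")
    port_str, *kv = rest.split()
    fields = dict(item.split("=", 1) for item in kv)
    flags = frozenset(FLAG_CHARS[c] for c in fields.get("flags", ""))
    return TcpPacket(src.strip(), int(port_str), flags, int(fields.get("res", "0")))


def classify_probe(pkt: TcpPacket):
    """Return the name of the fingerprinting probe a segment resembles, or None
    when it is indistinguishable from ordinary traffic (a plain SYN, for one)."""
    f = pkt.flags
    if pkt.reserved != 0 and "SYN" in f:
        # BOGUS/Reserved flag probe: a SYN carrying reserved bits.  Stacks differ
        # in whether they clear, echo or reject such bits, which is what a
        # fingerprinter is looking for.
        return "BOGUS/Reserved flag probe"
    if f == {"FIN"}:
        # FIN probe: a FIN with no ACK cannot belong to an established
        # connection; whether the host answers with RST or stays silent
        # depends on the stack.
        return "FIN probe"
    return None


def probe_report(lines, threshold=2):
    """Group classified probes by source address and return only the sources
    that sent at least `threshold` probes, with the probe names observed.
    Blocking is left to the caller: the text above notes that blocking on its
    own discloses the kind of IPS in use."""
    per_source = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        name = classify_probe(pkt)
        if name is not None:
            per_source[pkt.src].append(name)
    return {src: names for src, names in per_source.items() if len(names) >= threshold}


# Constructed sample traffic: one source mixes two probes with a normal SYN,
# the other only opens and closes a connection normally.
SAMPLE_LINES = [
    "198.51.100.7 > 22 flags=F res=0",    # bare FIN to an ssh port: FIN probe
    "198.51.100.7 > 80 flags=S res=5",    # SYN with reserved bits set: BOGUS probe
    "198.51.100.7 > 80 flags=S res=0",    # plain SYN: looks like any client
    "203.0.113.4 > 443 flags=S res=0",    # normal connection attempt
    "203.0.113.4 > 443 flags=FA res=0",   # normal close (FIN+ACK)
]

if __name__ == "__main__":
    for src, names in probe_report(SAMPLE_LINES).items():
        print(src, names)
```

Run stand-alone, the script lists only `198.51.100.7` with its two probe names; the plain SYN from the same source and all of `203.0.113.4`'s traffic produce no verdict, which is precisely the limitation the text attributes to firewalls.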
Another method of preventing operating system detection is the use of ‘honeypots’. A honeypot is an information system resource whose value lies in the unauthorized or illicit use of that resource. Hence, any interaction with a honeypot indicates unauthorized or malicious activity. However, honeypots can only track and capture network probes that interact directly with them.