The transmission control protocol/Internet protocol suite (TCP/IP) is a commonly used communications protocol suite for the exchange of packet data in computer or other communication networks. Because of its widespread use, TCP/IP can form the basis for testing or evaluating disparate software systems, that is, it provides a common metric across different software systems that utilize TCP/IP for packet data communications. For example, operating system fingerprinting, also known as TCP/IP stack fingerprinting, is the process of determining the operating system of a target system (e.g., a system whose operating system is unknown) based on inferring properties of its TCP/IP protocol stack from observed packets. Due to ambiguities in TCP/IP specifications, there are many variations in TCP/IP implementations. Ambiguous specifications permit some degree of flexibility in optimizing protocol implementations, setting initial parameters, or including or excluding certain options. In addition to subtle implementation differences, TCP/IP implementations may have bugs or fail to correctly capture a specification. Additionally, operating system designers may choose from a number of compatible but varying versions of TCP, such as “Reno” or “Tahoe.” Implementation variations, errors, and version choices can be used to fingerprint operating systems, that is, to identify or otherwise classify an unknown operating system from its TCP/IP characteristics.
There are many reasons to fingerprint an operating system. For example, fingerprinting may be used defensively as an internal auditing tool or as an external vulnerability assessment tool. Other reasons include tailoring offensive exploits, detecting unauthorized devices in a network, and gathering statistics for tracking operating system deployment trends.
Fingerprinting can be active or passive. As shown in FIG. 1, for active fingerprinting, an operating system (OS) fingerprinting tool or system 20 sends specifically crafted network packets (“probes”) 22 to a target system 24 and records the packets 26 that are returned in response, if any. As indicated, the target system 24 includes an unknown operating system 28 with a TCP/IP protocol stack 30, and communications are carried out across a network 32. Passive fingerprinting listens for packets generated by a host based on communications with other sources and records these packets. In either case, fingerprinting tests 34 are applied to the content of the recorded packets 26 to help classify the software 28, 30 that produced the packets 26. To classify the operating system 28 of a target system 24, the results 36 of the classification tests 34 are compared to results from known systems. The results from known systems are stored in signature databases 38. Tools for active fingerprinting include “Nmap,” “synscan,” and “Xprobe2.” Tools for passive fingerprinting include “p0f” and “SinFP.”
Fingerprinting tools 20 offer a variety of probes and tests 22, 34. The default approach to classifying the operating system 28 of a target system 24 using these tools is to send all the probes 22, perform all the tests 34 on the response packets 26, and record the results 36 for use in classification. However, each probe 22 and test 34 incurs a cost, e.g., time spent sending the probe and waiting for the response, and processing time for executing the test. These costs motivate the need to select only those probes and tests that contribute enough to classifying the unknown operating system 28 to justify the cost.
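The two preceding paragraphs describe, first, applying tests to recorded packets and comparing the results against a signature database, and second, selecting only those tests whose contribution to classification justifies their cost. The following added example (not part of the original text, and not code from any of the tools it names) demonstrates both steps in one script. The signature database, the per-test costs, and the recorded packet are all constructed placeholders with hypothetical labels "OS-A" through "OS-D"; they are not measurements of any real operating system. Test selection is done greedily by information gain per unit cost over the signature database, which is one reasonable way to operationalize "contributes enough to justify the cost"; the patent text does not prescribe this particular criterion.

```python
"""Constructed example: classify a recorded packet against a signature
database, and choose fingerprinting tests by information gain per cost.
All signature values, costs and packet fields are hypothetical."""
import math
from collections import Counter

# Constructed signature database: hypothetical OS label -> expected test results.
# (Values are placeholders, not real operating-system fingerprints.)
SIGNATURES = {
    "OS-A": {"ttl": 64,  "window": 5840,  "df": True,  "sack_ok": True},
    "OS-B": {"ttl": 128, "window": 8192,  "df": True,  "sack_ok": False},
    "OS-C": {"ttl": 255, "window": 4128,  "df": False, "sack_ok": False},
    "OS-D": {"ttl": 64,  "window": 65535, "df": True,  "sack_ok": False},
}

# Constructed cost of each test (e.g., relative processing/wait time).
TEST_COST = {"ttl": 1.0, "window": 2.0, "df": 1.0, "sack_ok": 3.0}

# Fingerprinting tests applied to a recorded packet's decoded header fields.
TESTS = {
    # Observed TTL is decremented per hop; round up to the nearest common initial TTL.
    "ttl": lambda p: next(v for v in (32, 64, 128, 255) if p["ttl"] <= v),
    # Advertised TCP receive window as sent.
    "window": lambda p: p["window"],
    # IP "Don't Fragment" bit lives at 0x4000 of the flags/fragment-offset field.
    "df": lambda p: bool(p["ip_flags"] & 0x4000),
    # Whether the SACK-permitted option was present in the TCP options list.
    "sack_ok": lambda p: "sack_ok" in p["options"],
}

# Constructed recorded packet (already decoded into fields), e.g. from passive capture.
RECORDED_PACKET = {
    "ttl": 61,                 # a few hops away from an initial TTL of 64
    "window": 65535,
    "ip_flags": 0x4000,        # DF set
    "options": ("mss", "nop", "wscale"),  # no sack_ok option
}


def classify(packet, tests):
    """Run the chosen tests on one packet and score each signature by the
    number of matching results. Returns (best_label, matches, tests_run)."""
    results = {t: TESTS[t](packet) for t in tests}
    scores = {
        label: sum(results[t] == sig[t] for t in tests)
        for label, sig in SIGNATURES.items()
    }
    best = max(scores, key=scores.get)
    return best, scores[best], len(tests)


def partition_entropy(tests):
    """Entropy (bits) of the partition the given tests induce over the
    signature database, assuming a uniform prior over known systems.
    Higher entropy means the tests separate more systems from each other."""
    buckets = Counter(
        tuple(sig[t] for t in tests) for sig in SIGNATURES.values()
    )
    n = sum(buckets.values())
    return -sum(c / n * math.log2(c / n) for c in buckets.values())


def select_tests(budget):
    """Greedily pick tests with the best information gain per unit cost
    until the budget is exhausted or no remaining test adds information."""
    chosen, remaining = [], budget
    while True:
        best, best_score = None, 0.0
        base = partition_entropy(chosen)
        for t in TESTS:
            if t in chosen or TEST_COST[t] > remaining:
                continue
            gain = partition_entropy(chosen + [t]) - base
            score = gain / TEST_COST[t]
            if score > best_score + 1e-12:
                best, best_score = t, score
        if best is None:
            return chosen
        chosen.append(best)
        remaining -= TEST_COST[best]


if __name__ == "__main__":
    for budget in (2.0, 3.0, 7.0):
        tests = select_tests(budget)
        print(f"budget {budget}: tests {tests} -> {classify(RECORDED_PACKET, tests)}")
```

With this constructed database the "ttl" test alone splits the four signatures into three groups, so it is chosen first; "window" then separates the remaining pair for a cost of 2, while "df" adds nothing once "ttl" is known and is never selected. Lowering the budget below 3 leaves only the "ttl" test, and the classifier then cannot distinguish "OS-A" from "OS-D" for the recorded packet, which is exactly the trade-off the paragraph above describes.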