There are the research results of using machine learning to solve the problem of the remote host operating system detection in the article. The analysis of existing methods and means of detection of the remote host operating system are carried out, the main advantages and disadvantages of their using are defined. Modeling of machine learning methods is carried out. The software architecture is designed and experimental application is developed. It uses a trained machine learning model that allows detecting the type and version of operating system with high accuracy.
Today, the number of devices in computer networks is growing every day. The list of devices includes routers, printers, IP phones, smart things, personal computers, laptops, smartphones, etc.
However, not all the network devices have the latest version of the operating system (OS) and
updates related to its security. The reasons for this may be: lack of necessary funding or lack of
required hardware for the new version of the operating system to work properly; unwillingness of
device users to master the new interface or capabilities; lack of support for the software used in the
new version of the operating system. The need for constant OS updating is an ever-increasing number
of identified vulnerabilities [
Penetration testing specialists and ethical hackers need to gather as much information about the
object as possible to conduct authorized attacks in the initial stages. It is necessary to form the most
effective vector of attack to identify potential vulnerabilities in the protection system of the researched
infrastructure [
Currently, there are a significant number of software tools for the operating system detection, which allow some probability to determine its family, not to mention the ability to determine the type and version of the OS.
Therefore, it is very important to research and develop methods and tools that will determine detailed information about the remote host operating system with high reliability, which will increase the efficiency of identifying vulnerabilities and, consequently, increase the level of cyber security in general.
There are two main methods for detecting a remote host operating system: active and passive.
The active methods are based on sending a specially built service packets to the target machine [
The advantages of this method are: speed – since the packets are sent to the target node, you can get a response faster, without having to wait for the necessary packets in the network; simplicity – usually you only need to compare the received answers with the database of signatures, without analyzing the parameters or their combination; flexibility – due to the packages are formed manually, it is possible to adjust the packages contents, adding new ones as needed.
However, there are also disadvantages: visibility – using this method, packets are sent over the network, so one can detect them and apply appropriate actions; signature database usage – record absence in the database, causes wrong detection or no answer at all; necessity of the node response receiving – if the response from the target node is not received, it is impossible to detect the operating system.
The passive methods of the operating system detection are based on network traffic listening,
transmitted packets collecting, and then, their contents analyzing to form a conclusion about the
remote host OS [
The advantages of this method are: invisibility – because of continuous listening, there is no activity on the listening network device, or this activity is so low that it can be perceived as normal traffic during the business day; no need to receive the target node response – traffic analysis from the target node to other devices is allowed.
The disadvantages of this method are: speed – it is necessary to wait for the appearance of certain packets in order to form a conclusion, that takes a long time in the case of the network activity absence; implementing complexity – since it is not possible to send self-generated packets, you need to use the information from intercepted packets.
In conclusion, the appropriate approach should be chosen depending on whether you want to perform the scan imperceptibly or you want to get the result quickly.
Existing tools of the remote node operating system detection also is considered. Currently, a small number of software products perform the task of scanning the remote node operating system. Often this task is not their main function, but only one of the menu options.
The most common tools that use the active detection method are Nmap, NetScanTools Pro and Xprobe.
Nmap is a free, open source software designed for network scanning and security auditing. The
program also allows you to detect the available nodes in the network, active network services, types
of firewalls, etc. [
Nmap uses an active method to detect the operating system. To do this, the tool creates a
"fingerprint", sending TCP, UDP and ICMP packets to known potentially open and closed ports.
Nmap analyzes the responses to these packets. As a result, a conclusion is formed, which indicates the
type of node operating system and the reliability of this conclusion. If there are no complete matches
with the signature, the score is performed (each parameter has a corresponding weight in points). The
tool does not have the ability to detect the operating system by passive method, so the tool is designed
specifically for active analysis [
NetScanTools Pro uses responses to ICMP packets to detect the operating system. This is the main
disadvantage of the tool – using only ICMP packets do not allow obtaining a reliable answer [
Xprobe is a software tool that relies on fuzzy signature matching, probabilistic assumptions,
analysis of multiple matches simultaneously in the signature database [
You can also use Wireshark for passive detection [
There are also tools that can work using both active and passive operating system detection
methods, for example are SinFP [
In research [
18-04-2016 02-09-2020 27-07-2005 04-05-2021 23-09-2020
TCP 19-09-2020 (app), 16-02-2010 (DB signature) 06-01-2021
made on OS’s, that support multitasking. Research results show that detection accuracy is around 70% when analyzing traffic for 30 seconds, around 90% accuracy while analyzing traffic for 5 minutes, and 100% accuracy when using combined traffic for 30 seconds period.
In research [
SVM was used as a machine learning method in [
In research [
In [
Methods and instruments analysis of the operating system type detection show that all of
approaches are based on the signatures database. However, this imposes limitations if the signature of
an OS is missing from the database, which can lead to low credibility. Herewith it is possible to form
a huge base for all possible types of OS but it can lead to considerable time expenses on finding the
corresponding signature. An alternative solution of the remote host OS type detection is use of the
machine learning methods [
If focusing on the real software development the signature database should be formed manually. This is necessary for understanding the signature forming principles so in the future it would be possible to use the tool for actual tasks rather than leaving everything on the stage of developed model. In addition, this approach will allow system scaling, namely to gradually increase the detected OS number. For making the OS type detection software more convenient, both active and passive mode should be implemented.
In addition, it is important not only detect the type of OS, but also its version, what can have significant influence on the user’s decision-making. Since the task of OS type detection is a classification task, the criteria of qualitative model obtaining is maximizing its accuracy and precision. In addition, an important metric of the tool grade evaluation is the response time. Most of the time is spent on the trial packet sending and receiving responses so it is a network delay. Herewith, the attempts amount can also have great influence on the response receiving time. The complexity of the machine learning model can also significantly affect the system efficiency so upon reaching sufficient accuracy it should be as simple as possible. The volume of the studied test packages parameters and their pre-processing affect the time delays as well. Therefore, it will be advisable to select relevant protocol headers.
Thereby, it is possible to determine the main goals and criteria to develop the OS detection software based on the machine learning methods: precision maximization; response time minimization; self-dependent signature forming; scalability; cross-platforming; universality of use.
Solving the object classification problem, namely the problem of detection the OS type, involves
the usage of algorithms for learning with the teacher (supervised learning) [
A ready-made data set can be used to solve the set tasks [
The main idea of detecting the family / type of remote node OS is based on the analysis of
network protocol headers of the OSI model application, transport and network layers. Despite the
standards of network protocols (RFC, IEEE) in different operating systems of even one family, some
header fields can differ significantly, such as TTL, DF, ToS IP [
The essence of the experiment of a training data set formation is to generate certain traffic,
capture and analyze it. The analysis consists in parsing packets, redacting to one data format and
relevant parameters (features) selecting. The creation of a dataset was performed under laboratory
conditions. The following OS versions were studied: Linux (version 5.4.0), Mac OS (version 10.12.4
and 11.4), Windows 10 (Corporate 20h2, Home 20h2), Windows 7 (Professional), Windows XP
(Professional SP3). At the same time, Windows XP and Linux 5.4 were studied using virtualization
technology using VirtualBox software [
The experiment steps of dataset creation are shown in Figure 1.
Feature selection 5
Traffic generation
1
Viewing different web pages from the studied OS;
Downloading images from the web to the studied OS.
Step 2. Traffic capture. The most popular Wireshark traffic analyzer was used to capture packets
from the network, which allows recording an interception session to a file for further processing
without having to be connected to the network [
Step 3. Traffic parsing. Packets were selected from all captured traffic, in which the IP address of the source corresponds to the IP address of the PC with the studied OS. After that, it is necessary to disassemble structure of a packet on headers fields of the main protocols: IP, ICMP, TCP, DNS and HTTP. As a result of parsing, the following field’s values were obtained: 1. IP – version, hdr_len, dsfield, dsfield_dscp, dsfield_ecn, len, id, flags, flags_rb, flags_df, flags_mf, frag_offset, ttl, proto, checksum, checksum_status. 2. ICMP – type, code, checksum, checksum_status, ident, seq, seq_le, data, data_data, data_len. 3. TCP – hdr_len, flags, flags_res, flags_ns, flags_cwr, flags_ecn, flags_urg, flags_ack, flags_push, flags_reset, flags_syn, flags_fin, flags_str, window_size_value, window_size, window_size_scalefactor, checksum, checksum_status. 4. DNS – id, flags, flags_response, flags_opcode, flags_truncated, flags_recdesired, flags_z, flags_checkdisable, count_queries, count_answers, count_auth_rr, count_add_rr, qry_name_len, count_labels, qry_type, qry_class. 5. HTTP – user_agent.
Parsing is performed using the Python 3.8 and the PyShark library, which allows working effectively with pcap-files. The parsing results of each packet are saved in a csv-file for further analysis. In addition to the field values, each entry in the csv file also has an OS version. As a result, a dataset containing 42,318 records was formed. It can be used as a database of signatures, which can give a certain result the search for.
Step 4. Preprocessing. Almost all classifiers do not work directly with text data. They received
features as well as numbers or booleans (which translate into numbers 0/1) that some feature is there
or not. Therefore, it is necessary to convert all categorical (text) features (IP: dsfield, flags; TCP:
flags, flags_str; DNS: flags, qry_class) into numbers. The following methods were used for this
purpose [
The Processing module from the Scikit-learn (Python) library was used as a tool. An example of the converted data is shown in Table 2, 3.
The id, checksum, and data fields of the TCP / IP protocols were not used during the
transformation and were removed from the feature list due to lack of clear differences between OS
families. Also for the study of some classifiers data normalization was performed, i.e. reduction of all
values of each parameter with a mean of 0 to the standard deviation of 1 by expression [
Step 5. Feature selection/importance. Since the size of the dataset has slightly increased from 54 to
156 after the some features transformation, it will be advisable to reduce the dimension and select the
most relevant features. This is necessary to increase the learning speed of the model, computation
time when using the trained model, avoid overfitting and increase the generalizing ability of the
model. Among the significant number of methods for selecting features by importance, the Recursive
Feature Elimination method was used. The essence of this method is to build a model (which includes
all factors), which excludes the least significant factor (feature) from the point of view of the model.
After that, a new model is built, which contains all the factors except those excluded in the previous
stage, and so on [
513 131328 256
When solving the problem of classification by machine learning methods, the question of choosing a classifier model arises. At present, a significant number of classifiers are known and implemented, (1) which differ in approaches to the construction of the decision rule, as well as hyperparameters. Correct adjustment of hyperparameters is one of the key points; it allows receiving desirable results. In some models of machine learning, the number of hyperparameters can reach more than 10, and each hyperparameter can take different values. Finding the optimal combination is not an easy task. One of the options for solving this problem is to build a model for each possible combination for all given domains of hyperparameters.
As a result of preliminary data processing, a dataset was obtained, the structure of which is shown in Table 5.
For each model, the desired metric is calculated, the best result of which determines the best
model. This approach is implemented in the GridSearch package of the Scikit-learn library [
Using GridSearch technology, the best parameters for the most used classifier models were automatically selected: 1. Decision Tree (DT) (criterion='entropy', max_depth=6); 2. Multilayer Perceptron (MLP) (alpha=0.05, hidden_layer_sizes=(50, 50, 50)); 3. Gaussian Naive Bayes (GNB) (var_smoothing=1e-9); 4. K-Nearest Neighbors (KNN) (leaf_size=5, n_neighbors=1); 5. Support Vector Machine (SVM) (C=1000, gamma=0.0001); 6. Logistic Regression (LR) (C=5, max_iter=500, solver='newton-cg'); 7. Random Forest (RF) (criterion='entropy', max_features='sqrt', min_samples_leaf=4, n_estimators=1900).
Since the use of GridSearch is quite time consuming even with a large number of models, it was decided to use a small dataset (table 5). It is representative enough to obtain adequate results.
The following metrics were used to assess the quality of classifiers [
After obtaining the optimal parameters of the classifiers based on the maximizing "accuracy" criterion, they were trained on a full dataset. Naive Bayes trained the fastest in time, and Logistic Regression the longest: DT - 0.194 s, GNB - 0.0409 s, KNN - 0.742, LR - 482.51 s, RF - 88.369 s, SVM - 5.08 s, MLP - 39.43. Training of models was performed on a PC with AMD A8-4500M APU, 1.9 GHz (4 cores, 4 threads) and 8 Gb RAM. Dataset is divided into training and test in the amount of 70% and 30%, respectively. The test results of the classifiers are presented in Table 6.
As can be seen from Table 6, the Decision Tree models and its ensemble modification Random Forest have best results without any errors. The worst classifier is Gaussian Naive Bayes, which showed the highest number of erroneous predictions, but in general, all classifiers have high metrics. These results are confirmed by 5-Fold cross validation. Compared with the known research results, our metrics are better. However, for a more adequate comparison it is necessary to carry it out at least for identical families / types / versions of OS.
According to the simulation results, confusion matrixes is obtained, which are shown in Appendix A. They contain the results of model prediction, namely the following indicators: True Positive, True Negative and FP, FN.
Analyzing the matrix of classifier errors (Figs.A.1 – A.6), we can note that most classifiers have errors within the OS family: Multilayer Perceptron: incorrect definition of Windows 10 Home (defined as Windows 10 Corporate) and Windows 7 Professional (defined as Windows XP Professional); Gaussian Naive Bayes: incorrect definition of Linux (defined as Windows 10 Home and Corporate), MacOS (defined as Linux), Windows 10 Corporate (defined as Linux), Windows 10 Home (defined as Windows 10 Corporate and Linux); K-Nearest Neighbors: incorrect definition of Windows 10 Corporate (defined as MacOS 11.4 and Windows 10 Home), Windows 10 Home (defined as Windows 10 Corporate); Support Vector Machine: incorrect definition of Windows 10 Home (defined as Windows 10 Corporate) and Windows XP (defined as Windows 10 Home); Logistic Regression: incorrect definition of MacOS 11.4 (defined as MacOS 10.12.4) and incorrect definition of Windows 10 Corporate (defined as Windows 10 Home and Linux).
Because the Decision Tree model is architecturally simpler than Random Forest, it is therefore more appropriate to use it in software. The tree consists of five levels and has 13 leaves. Due to the bulkiness of the tree, its image is not given in this article.
A software is developed for application use of trained classifier model. The software architecture is shown in Figure 2.
It consists of four modules: visualization module, scanning module, preprocessing module and intelligent analysis module. System has its own database also.
Visualization module is the first one to start. It initializes graphical components of program: icons, buttons, windows etc. It is also responsible for providing dialogue windows for user interaction, providing detection results for user.
Scanning module has two purposes: sniffing network traffic to capture packets from the host, which OS needs to be detected; sending probes (specific packets) to the host, which OS needs to be detected, in order to receive responses and conduct OS detection.
Preprocessing module is responsible for gathering fields from captured packets that are needed in order to create OS signature and creating OS signature. Signature is a string, where all fields needed from received packets are written, each field is separated by comma.
User
...
Intelligent analysis module uses trained machine learning classification algorithm to conduct OS detection on provided signature. Classification results are sent to visualization module in order to show them to user. Application database is used for storing previous OS detection results for using later. It can be used for signature storing and pcap-files also.
Based on proposed architecture a software is developed using Python 3.8 programming language with PyQt5 library. SQLite is used as a database. Software has two modes: online and offline.
In offline mode, user has an opportunity to upload pcap-file from external or internal resources. It can be useful when you already have captured traffic and need to detect type/version of OS after some time. Pcap-file should contain information about one specific host. Otherwise it can be filtered by ipaddress and then resaved. Online mode is available for both active and passive scanning. Passive scanning takes more time, since, as stated before, all needed packets are required for analysis. Software is in waiting mode until all needed packets are not captured. However, it can be sped up by, for example, visiting it if detected host is a webserver and is available through http or ftp. In addition, software provides a way to detect OS by analyzing User Agent from HTTP packets.
Active mode is more appropriate since it does not require waiting, because software send probes: four ICMP requests along with up to 10 TCP SYN requests. The procedure will be repeated up to 5 times if no response is received. After preprocessing module receives packets it sends formed signature to intelligent analysis module. Classifier predicts OS family/type/version of the target host and prediction probability. Next, an experiment is conducted by checking how software works and compare results with Nmap. First a scan for Windows 10 Corporate was conducted, it’s IP address in local network is 192.168.1.170. Results of the active scan mode are shown in Appendix B.
Results are stating that Nmap couldn’t detect exactly installed operating system. Also in results we can see a wide specter of possible operating systems (Windows 10, 7, Windows Phone, Windows Server, FreeBSD), and probability is equal to 0.92 compared to 0.955 of developed software (Fig. B.1, 2). By executing similar actions for host, that has IP address 192.168.43.60 developed software correctly detected Windows 10 Home 20h2 with probability of 0.937 (Fig. B.3). Nmap do not provide a result and states that host has too many signature matches (Fig. B.4). Also rented host with white IP address was used in experiments. It has OS Linux 5.4 installed beforehand. Developed software detected it with probability of 0.987 (Fig. B.5). Nmap gave a result of it having Windows 7 installed (Fig. B.6).
The analysis of existing methods and means of detection of the remote node operating system shows the main advantages and disadvantages of their using. Two main approaches, active and passive, of the remote node OS detection are considered. The combination of these approaches can make the process detection more flexible and accurate. The existing method of remote host OS detection is mostly based on signature model of decision making, but in such way they have a lot of errors because of undecidability in case of properly signature absence. That is why the machine learning methods are carried out. To form dataset for model learning the five-stage process is realized: traffic generating and gathering, parsing, preprocessing and feature selection.
As a result of the research, a classifier based on the Decision Tree model was trained. At the same time, other classifiers also showed high metrics with low rate errors within the OS family. The high accuracy of detection the type of OS indicates well-chosen features, as well as a sufficient size of input data set. This helped to avoid the effect of overfitting.
The trained model can detect seven OS versions within several families with absolute accuracy. The system architecture is proposed to remote OS detection. It realized in crosspaltform application based on trained model. This software tool allows scanning hosts in both offline and online modes. At the same time, both active and passive scanning are implemented online. This adds a means of versatility compared to analogues. The developed tool can be used by an ethical hacker for intrusion testing, network administrator for auditing, checking the network for new unknown devices. You can also use the tool to test the effectiveness of server protection tools against detecting their OS.
As a result of the experiment, the developed software was more effective compared to Nmap. However, Nmap allows to define many more types of OS. Therefore, further research will be associated with scaling the model, as well as expanding the functionality of application. One such future function will be to implement the ability to provide a list of ranked vulnerabilities inherent in a particular OS. It provides faster vector attack creation or decision making for network protection.
10. Appendix Appendix A. Confusion matrixes Figure A.2: K-Nearest Neighbors