Using machine learning techniques for advanced passive operating system fingerprinting

TCP/IP fingerprinting is the active or passive collection of information usually extracted from a remote computer’s network stack. The combination of such information can be then used to infer the remote operating system (OS fingerprinting). OS fingerprinting is traditionally based on a database of “signatures”. A signature comprises several features (i.e., pairs attribute/value) extracted from network packets generated by a known operating system. Signatures are manually generated (and updated) by ob- serving several operating systems. There are two types of fingerprinting: active and passive. In this work, we focus on automating the generation and updating of the signatures for passive fingerprinting. By using classification algorithms we deal with fingerprints which do not have an exact match with an already known signature.