王轶骏,薛质,李建华

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.18.003

2004-01-01

Abstract:Remote OS detection is an important technique in information network system security, because it closed links with security holes. This paper presents the remote OS detection based on TCP/IP stack fingerprinting, and gives emphasis on describing and analyzing two newl implemening techniques: fingerprinting via RTO sampling and fingerprinting via ICMP responses.

Zhaohui Hu,Qi Chen,Ruizhao Yu

DOI: https://doi.org/10.3321/j.issn:1002-8331.2001.10.020

2001-01-01

Abstract:This article introduces the implementation of TCP Protocol and the technique of Port Scanning based on the characteristic of TCP Protocol,at the same time,the several implementations of Port Scanning are also described. We also analyze the potential external attacks that can be made because of the weakness of operation system and the ways to avoid suck kinds of attack are also put up.

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1145/3536423

2022-01-01

ACM Transactions on Sensor Networks

Abstract:The broadcast nature of wireless media makes WLANs easily attacked by rogue Access Points (APs) . Rogue AP attacks can potentially cause severe privacy leakage and financial loss. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP but also depend on the client, significantly limiting their application scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint . These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model, and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication in typical indoor environments. We have also proposed a threshold-improved authentication scheme to improve the robustness of our system in dynamic environments. Our schemes can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 18 million WiFi packets. Results show that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate. Moreover, the threshold-improved authentication scheme can further reduce the false alarm rate by 13.0%-44.8% for dynamic environments.

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1109/percom45495.2020.9127375

2020-01-01

Abstract:The broadcast nature of wireless medium makes WLANs easily be attacked by rogue Access Points (APs). Rogue AP attacks can potentially cause severe privacy leakage and financial lost. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs, since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP, but also depend on the client, significantly limiting their applicable scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint. These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication. Our scheme can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 12 million WiFi packets. Results shows that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate.

Yi-Chao Chen,Yong Liao,Mario Baldi,Sung-Ju Lee,Lili Qiu

DOI: https://doi.org/10.1145/2663716.2663745

2014-01-01

Abstract:Fingerprinting the Operating System(OS) running on a device based on its traffic has several applications, such as NAT detection, policy enforcement in enterprise networks, and billing for shared access in mobile networks. In this paper, we propose to utilize several features in TCP/IP headers for OS identification, and use real traffic traces to evaluate the accuracy of fingerprinting. Our trace-driven study shows that several techniques that successfully fingerprint desktop OSes are not effective for fingerprinting mobile devices. Therefore, we propose new features for fingerprinting OSes on mobile devices. We also consider NAT/tethering detection, an important application of OS fingerprinting. We use the presence of multiple OSes from the same IP address along with TCP times-tamp, clock frequency, and boot time to detect tethering. Evaluation shows that our approach effectively detects tethering and outperforms existing schemes.

LIU Ying,XUE Zhi,WANG Yi-jun

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.11.032

2007-01-01

Abstract:One of the biggest challenges to protect network from being attacked is whether the vulnerabilities can be found promptly.While most vulnerabilities are closely bound up with OS information,the accurate identification of OS is one of the key technologies for ensuring the network security.This paper proposes the remote OS identification based on TCP options,and analyzes an implementation technology for identifying remote OS information.

WEI Wei,DONG Ya-bo,LU Dong-ming,JIN Guang

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.05.007

2008-01-01

Abstract:Low rate TCP-targeted denial of service(DoS) attack makes use of time-out and retransmission mechanism in transmission control protocol(TCP) and could severely decrease the throughput of legitimate TCP traffic.With its attacking traffic pattern,obvious difference was found between the power spectrum density(PSD) of legitimate and attack traffic samples.The statistical characteristic of this difference in history data was analyzed,and a detection method using the summation of low frequency was proposed.Meanwhile,based on the methods of leak bucket and the increasing of routing buffer,a response method was provided,which uses leak bucket periodically for smoothing the flow and uses buffer for holding extra traffic to send in next period,and its reasonable resource requirement was proved.Simulations show that for more general attack scenarios than the existing methods,the detection method has very low positive and negative false ratio,and the response method can depress attack flows more effectively than the previous methods and maintain the legitimate throughput in a normal level while the previous methods failed.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin,Honglan Lao

DOI: https://doi.org/10.1007/11760146_23

2006-01-01

Abstract:Low-rate TCP-targeted Denial-of-Service (DoS) attack (shrew) is a new kind of DoS attack which is based on TCP’s Retransmission Timeout (RTO) mechanism and can severely reduce the throughput of TCP traffic on victim. The paper proposes a novel mechanism which consists of effective detection and response methods. Through analyzing sampled attack traffic, we find that there is a stable difference between attack and legitimate traffic in frequency field, especially in low frequency. We use Sum of Low Frequency Power spectrum (SLFP) for detection. In our algorithm the destination IP address is used as flow label and SLFP is applied to every flow traversing edge router. If shrew is found, all flows to the destination are processed by Aggregated Flows Balance (AFB) at a proper upstream router. Simulation shows that attack traffics are restrained and TCP traffics can obtain enough bandwidth. The result indicates that our mechanism is effective and deployable.

QIU Qin-long,WU Chun-ming,PING Ling-di,LV Hong-bing

DOI: https://doi.org/10.3785/j.issn.1008-973x.2011.09.001

2011-01-01

Abstract:To avoid unnecessary data packet retransmission caused by the lost of the acknowledgement packet in the transmission control protocol(TCP) mechanism,a retransmission timeout(RTO) timer was added to retransmit the lost acknowledgement packet.The small initial RTO value and the fixed RTO duration were used to make sure that the RTO timer of the acknowledgement packet in the receiver expired earlier than that of the data packet in the sender.To verify the mechanism of the acknowledgement packet retransmission,a long term evolution network model was built with network simulation tool NS 2.Simulation showed that the system performance was improved significantly: average delay decreased by 16%,average jitter decreased by 14%,average packet loss rate decreased by 10%,and total throughput increased by 17% with 150 active users.

Yongle Chen,Jun Pan,Dan Yu,Yao Ma,Yuli Yang

DOI: https://doi.org/10.1109/tvt.2022.3169090

IF: 6.8

2022-01-01

IEEE Transactions on Vehicular Technology

Abstract:Due to the deployment of 5G technology, the number of IoV (Internet of Vehicle) devices connected to the Internet will explosively grow. However, as a kind of edge network device, IoV devices also face some problems including weak password authentication, lack of security protection, and lagged firmware updating, which largely threaten the security and legitimacy of these devices. IoV device identification is important in discovering, monitoring, and protecting these devices. Although existing proactive identification methods based on device fingerprints can be used to identify the large-scale Internet-connected IoV devices, they can not meet the fine-grained requirements for security risk assessment. Due to the increase in the types and brands of IoV devices, the fingerprint granularity will be insufficient. In this paper, we proposed a retransmission-based TCP fingerprints for large-scale fine-grained proactive device identification. Firstly, a probing scheme was designed to obtain TCP retransmission packet and increase the granularity space of traditional TCP fingerprint by selecting the multi-group features of TCP retransmission messages. Then, according to the bagging strategy of ensemble learning, a combined classifier with five predominant machine learning algorithms was generated. The experimental results showed that the identification accuracy and recall of IoV devices respectively reached 96.7% and 95.2%.

telecommunications,engineering, electrical & electronic,transportation science & technology

Deliang Chang,Qianli Zhang,Xing Li

2015-01-01

Abstract:OS fingerprinting and NAT detection are considered important in various researches like network troubleshooting, deployment of services. Previous passive approaches usually require raw network traffic, which is often difficult to deploy. In this paper, a novel method is designed to fingerprint the OS and classify the NAT only using DNS log. Features of the Windows, MacOS/iOs, Android and Linux operating systems can be automatically extracted from labelled DNS log. With these features a simple classifier can fingerprint the OS types of these devices accurately. We apply this algorithm on data set from a large scale network. Analysis also reveals that nowadays the Windows operating systems are widely used in tethering or NAT, which is contrary to our previous knowledge.

Tingyuan Nie,Jie Sun,Aiguo Ji,Zhe-Ming Lu

DOI: https://doi.org/10.1587/elex.10.20130138

2013-01-01

IEICE Electronics Express

Abstract:The continuously widening design productivity gap in the past few decades gives high incentives to counterfeiting ICs. Existing intellectual property (IP) protection schemes demand high overheads, and some techniques like watermarking do not facilitate tracing of illegal users. In this letter, we propose a novel fingerprinting method based on post-processing on circuit partitions. We evaluate our method on the ISPD98 benchmark suite. The experimental results demonstrate the effectiveness of the proposal. The fingerprinting design is distinct because the Hamming distance between fingerprinted IP designs is large enough to resist a collusion attack.

WANG Bin,CHEN Hongmei,ZHANG Baoping

DOI: https://doi.org/10.3724/sp.j.1087.2013.00943

2013-01-01

Journal of Computer Applications

Abstract:Aiming at terminal performance bottleneck among current data transfer process,a UDP-based terminal adaptive protocol was proposed.After the analysis and the comparison of many factors which affected terminal performance,this protocol viewed both the previous packet loss ratio and the current one as congestion detection parameters.It employed various rate adaption methods such as finite loop counter and process scheduling function in order to balance performance differences in real-time and ensured reliable and fast data transfer.Compared with traditional idle Automatic Repeat reQuest(ARQ) method,the average delay is reduced by more than 25%.The experimental results show that the proposed algorithm has the features of strong real-time,quick response,and it is compatible with large amount of data transmission,especially suitable for small amount of data transmission in engineering applications.

Zun-ying QIN,Guo-dong LI,Wei LI,Xu-chang HUANG

2013-01-01

Abstract:A universal and multi-mode OSPF vulnerability detection system was designed based on analysis and research of OSPF vulnerability.The system implements denial of service attack model with the method of forging entity router and man-in-middle attack model with zero-copy technology.The method combining SNMP and bypass monitoring was adopted to achieve real-time monitoring of test results.Finally,the system proves the vulnerability of different types of routing equipments in the test environment and the vulnerability hazards were analyzed quantitatively.

Akira Tanaka,Chansu Han,Takeshi Takahashi

DOI: https://doi.org/10.1109/access.2023.3249474

IF: 3.9

2023-01-01

IEEE Access

Abstract:Adversaries perform port scanning to discover accessible and vulnerable hosts as a prelude to cyber havoc. A darknet is a cyberattack observation network to capture these scanning activities through reachable yet unused IP addresses. However, the enormous amount of packets and superposition of diverse scanning strategies prevent extracting significant insights from the aggregate traffic. Some coordinated scanners disperse probe packets whose TCP/IP header follows a unique pattern to determine whether the received packets are valid responses to their probes or are part of other background traffic. We call such a pattern a fingerprint. For example, a probe packet from a Mirai-infected host satisfies a pattern whereby the destination IP address equals the sequence number. A fingerprint indicates that the source host has been involved in a particular scanning campaign. Although some fingerprints have been discovered and known to the public, there are and will be more undiscovered ones. We intend to unveil these fingerprints. Our preliminary work automatically identified flexible fingerprints but overlooked low-rate and coordinated scanners. In this work, we improved the fingerprint identifier, enabling it to detect these stealth scans. Moreover, we revealed the scans’ objectives by investigating destination port sets. We associated fingerprints with threat intelligence and verified their reliability. Our approach identified all well-known and eight unknown fingerprints on one month’s worth of darknet data collected from about three-hundred thousand unused IP addresses. We disclosed the fingerprints of the Mozi botnet and destination port sets that were previously unreported.

computer science, information systems,telecommunications,engineering, electrical & electronic

CHI Xiu-wei,TANG Shuo-fei,JI Zhen-zhou,LI Xin

DOI: https://doi.org/10.3969/j.issn.1007-130X.2006.10.009

2006-01-01

Abstract:State detection is the main stream of the current firewall technologies. This paper introduces the principle of state detection firewall.The flowchart of state detection and the model of state transition for the TCP packets are presented.A method of sequence number scope check and dynamic timeout management ensures the system security.A hash algorithm is adopted to manage the state table,and the design is implemented on FPGA.The experiment shows that the design can work well in a Gigabit network environment.

Yong-Hao Zou,Jia-Ju Bai,Jielong Zhou,Jiangfeng Tan,Chenggang Qin,Shi-Min Hu

2021-01-01

Abstract:TCP stacks provide reliable data transmission in network, and thus they should be correctly implemented and well tested to ensure reliability and security. However, testing TCP stacks is difficult. First, a TCP stack accepts packets and system calls that have dependencies between each other, and thus generating effective test cases is challenging. Second, a TCP stack has various complex state transitions, but existing testing approaches target covering states instead of covering state transitions, and thus their testing coverage is limited. Finally, our study of TCP stack commits shows that 87% of bug-fixing commits are related to semantic bugs (such as RFC violations), but existing bug sanitizers can detect only memory bugs not semantic bugs. In this paper, we design a novel fuzzing framework named TCP-Fuzz, to effectively test TCP stacks and detect bugs. TCP-Fuzz consists of three key techniques: (1) a dependencybased strategy that considers dependencies between packets and system calls, to generate effective test cases; (2) a transition-guided fuzzing approach that uses a new coverage metric named branch transition as program feedback, to improve the coverage of state transitions; (3) a differential checker that compares the outputs of multiple TCP stacks for the same inputs, to detect semantic bugs. We have evaluated TCP-Fuzz on five widely-used TCP stacks (TLDK, F-Stack, mTCP, FreeBSD TCP and Linux TCP), and find 56 real bugs (including 8 memory bugs and 48 semantic bugs). 40 of these bugs have been confirmed by related developers.

HONG Jingfeng,DUAN Haixin,YAO Shuzhen

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.08.066

2006-01-01

Abstract:A new approach to tracing sources of DDoS attacks based on passive sniffing overlay network(PSON) is proposed,which can span multiple autonomy systems to trace back to multiple attack sources of a large scale DDoS attack.Based on this solution,it designs and implements an IP traceback system: SnifferTrack.The architecture and composition of the system are described,as well as the tracing process and algorithms.Several limitations of the system and future work are also proposed.

Dehu Li,Haixin Duan,Jian Jiang

DOI: https://doi.org/10.1109/bcgin.2013.253

2013-01-01

Abstract:Research on evasion attack of intrusion detection plays an important role in anti-evasion research and the testing of Intrusion Detection Systems. However, the widely used "fragroute" evasion tool has some significant defects such as: the evasion techniques are quite simple and the semantics of attack can probably be disrupted in evasion test. This paper proposed a signature based overlapping segmentation evasion technique and implemented it. The new technique has the following advantages: the semantics of attack won't be disrupted during evasion test, and the TCP (Transmission Control Protocol) data gram can be segmented accurately at the location of signatures, the segment reassembly policy can also be customized according to the reassembly policy of the target OS (Operating System). At the end of this paper, the popular Snort IDS were used to test the new technique. Our test with Snort shows that the new technique can evade Snort effectively. We also found that Snort's Stream5 preprocessor which aims to reassemble overlapped segments cannot work properly in most situations.

Xuewei Feng,Chuanpu Fu,Qi Li,Kun Sun,Ke Xu

DOI: https://doi.org/10.1145/3372297.3417884

2020-08-29

Abstract:In this paper, we uncover a new off-path TCP hijacking attack that can be used to terminate victim TCP connections or inject forged data into victim TCP connections by manipulating the new mixed IPID assignment method, which is widely used in Linux kernel version 4.18 and beyond to help defend against TCP hijacking attacks. The attack has three steps. First, an off-path attacker can downgrade the IPID assignment for TCP packets from the more secure per-socket-based policy to the less secure hash-based policy, building a shared IPID counter that forms a side channel on the victim. Second, the attacker detects the presence of TCP connections by observing the shared IPID counter on the victim. Third, the attacker infers the sequence number and the acknowledgment number of the detected connection by observing the side channel of the shared IPID counter. Consequently, the attacker can completely hijack the connection, i.e., resetting the connection or poisoning the data stream. We evaluate the impacts of this off-path TCP attack in the real world. Our case studies of SSH DoS, manipulating web traffic, and poisoning BGP routing tables show its threat on a wide range of applications. Our experimental results show that our off-path TCP attack can be constructed within 215 seconds and the success rate is over 88%. Finally, we analyze the root cause of the exploit and develop a new IPID assignment method to defeat this attack. We prototype our defense in Linux 4.18 and confirm its effectiveness through extensive evaluation over real applications on the Internet.

Cryptography and Security