Prevention of operating system identification through fingerprinting techniques

US 7,231,665 B1
Filed: 07/05/2001
Issued: 06/12/2007
Est. Priority Date: 07/05/2001
Status: Active Grant

First Claim

Patent Images

1. A computerized method to prevent identification of an operating system executing on a computer connected to a network comprising:

intercepting a portion of outgoing network data characteristic of the operating system; and

conditionally masking the portion of outgoing network data to impersonate a different operating system in accordance with a security policy if the network is an untrusted network;

wherein masking the portion comprises;

replacing the portion of outgoing network data with data characteristic of the different operating system to prevent identification of the operating system by impersonating the different operating system, for misleading attackers into attempting attacks that are unworkable on the operating system.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Outgoing data units, such as packets, from a computer system that contain data characteristic of an operating system executing on the computer system are intercepted before they are transmitted on a network and masked to impersonate a different operating system if the network is untrusted. The masking may be to re-fingerprint the data units by replacing the data characteristic of the actual operating system with data characteristic of the different operating system. Alternatively, the masking may require discarding the data unit and not transmitting it.

Citations

36 Claims

1. A computerized method to prevent identification of an operating system executing on a computer connected to a network comprising:
- intercepting a portion of outgoing network data characteristic of the operating system; and
  
  conditionally masking the portion of outgoing network data to impersonate a different operating system in accordance with a security policy if the network is an untrusted network;
  
  wherein masking the portion comprises;
  
  replacing the portion of outgoing network data with data characteristic of the different operating system to prevent identification of the operating system by impersonating the different operating system, for misleading attackers into attempting attacks that are unworkable on the operating system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computerized method of claim 1, wherein the security policy identifies the portion of outgoing network data and specifies an action to take to mask the portion of outgoing network data.
  - 3. The computerized method of claim 1, wherein the security policy further specifies replacement data for the portion of outgoing network data, the replacement data characteristic of the different operating system.
  - 4. The computerized method of claim 1, wherein the security policy further defines the network as untrusted.
  - 5. The computerized method of claim 1 further comprising:
    - receiving the security policy through the network.
  - 6. The computerized method of claim 1 further comprising:
    - modifying the security policy based on user input.
  - 7. The computerized method of claim 1 further comprising:
    - transmitting the portion of outgoing network data unchanged if the network is a trusted network.
  - 8. The computerized method of claim 1 further comprising:
    - intercepting a portion of incoming network data; and
      
      sending a false response to the portion of incoming network data to impersonate the different operating system in accordance with the security policy if the network is an untrusted network.
  - 9. The computerized method of claim 8, wherein the security policy identifies the portion of incoming network data and the false response.
  - 10. The computerized method of claim 8, wherein the false response is sent if the operating system would normally not respond to the incoming network data.
  - 11. The computerized method of claim 1, wherein the method is integrated into a firewall that protects the computer.
  - 12. The computerized method of claim 1, wherein the security policy contains data on a plurality of different operating systems for allowing the portion of outgoing network data to impersonate any one of the plurality of different operating systems.
  - 13. The computerized method of claim 12, wherein each of the different operating systems included in the plurality of different operating systems is assigned a specific untrusted network for masking the portion of outgoing data according to the untrusted network.

14. A computer-readable medium having executable instructions to cause a computer to perform a method comprising:
- intercepting a portion of outgoing network data characteristic of an operating system executing on the computer when the computer is connected to a network; and
  
  conditionally masking the portion to impersonate a different operating system in accordance with a security policy if the network is an untrusted network;
  
  wherein masking the portion comprises;
  
  replacing the portion with data characteristic of the different operating system to prevent identification of the operating system by impersonating the different operating system, for misleading attackers into attempting attacks that are unworkable on the operating system.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The computer-readable medium of claim 14, wherein the security policy identifies the portion and specifies an action to take to mask the portion.
  - 16. The computer-readable medium of claim 14, wherein the security policy further specifies replacement data for the portion, the replacement data characteristic of the different operating system.
  - 17. The computer-readable medium of claim 14, wherein the security policy further defines the network as untrusted.
  - 18. The computer-readable medium of claim 14, wherein the method further comprises:
    - receiving the security policy through the network.
  - 19. The computer-readable medium of claim 14, wherein the method further comprises:
    - modifying the security policy based on user input.
  - 20. The computer-readable medium of claim 14, wherein the method further comprises:
    - transmitting the portion unchanged if the network is a trusted network.
  - 21. The computer-readable medium of claim 14, wherein the method further comprises:
    - intercepting a portion of incoming network data; and
      
      sending a false response to the portion of incoming network data to impersonate the different operating system in accordance with the security policy if the network is an untrusted network.
  - 22. The computer-readable medium of claim 21, wherein the security policy identifies the portion of incoming network data and the false response.
  - 23. The computer-readable medium of claim 14, wherein the instructions are operable for integration into a firewall.

24. A computerized system comprising:
- a processing unit;
  
  a memory coupled to the processing unit through a bus;
  
  a network interface coupled to the processing unit through the bus and further operable for coupling to a network;
  
  an operating system executed from the memory by the processing unit; and
  
  a fingerprint masking process executed from the memory by the processing unit to cause the processing unit to intercept a portion of network data characteristic of the operating system when the network interface is coupled to the network, and to conditionally mask the portion to impersonate a different operating system in accordance with a security policy if the network is an untrusted network;
  
  wherein the fingerprint masking process further causes the processing unit to mask the portion by replacing the portion with data characteristic of the different operating system to prevent identification of the operating system by impersonating the different operating system, for misleading attackers into attempting attacks that are unworkable on the operating system.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The computerized system of claim 24, wherein the fingerprint masking process further causes the processing unit to transmit the portion unchanged if the network is a trusted network.
  - 26. The computerized system of claim 24, wherein the fingerprint masking process further causes the processing unit to receive the security policy through the network interface.
  - 27. The computerized system of claim 24 further comprising a user input device coupled to the processing unit through the bus and wherein the fingerprint masking process further causes the processing unit to receive input through the user input device and to modify the security policy based on the input.
  - 28. The computerized system of claim 24, wherein the fingerprint masking process further causes the processing unit to intercept a portion of incoming network data when the network interface is coupled to the network, and to send a false response to the portion of incoming network data to impersonate the different operating system in accordance with the security policy if the network is an untrusted network.
  - 29. The computerized system of claim 24, wherein the fingerprint masking process is integrated into a firewall process that is executed by the processing unit.
  - 30. The computerized system of claim 24, wherein the computerized system is a firewall and the fingerprint masking process masks an operating system on a computer coupled to the firewall.

31. A computer-readable medium having stored thereon an OS fingerprint policy data structure comprising:
- a data unit type field containing data representative of an identifier for a type of data unit, wherein information associated with the data unit is characteristic of an operating system; and
  
  an action field containing data representative of an action to be taken to mask the information associated with the data unit identified by the data unit type field;
  
  wherein masking the information comprises;
  
  replacing the information with information characteristic of a different operating system to prevent identification of the operating system by impersonating the different operating system, for misleading attackers into attempting attacks that are unworkable on the operating system.
- View Dependent Claims (32, 33, 34, 35, 36)
- - 32. The computer-readable medium of claim 31 further comprising:
    - a re-fingerprint field containing data representative of an identifier for a field type within the data unit type identified by the data unit type field, and further containing re-fingerprint data that identifies replacement data for the field identified by the field type.
  - 33. The computer-readable medium of claim 32, wherein the re-fingerprint data is selected from the group consisting of the replacement data and a location for the replacement data.
  - 34. The computer-readable medium of claim 31 further comprising:
    - a re-fingerprint field containing data representative of an identifier for a field type within a false response to the data unit type identified by the data unit type field, and further containing re-fingerprint data that identifies false data for the field identified by the field type.
  - 35. The computer-readable medium of claim 34, wherein the re-fingerprint data is selected from the group consisting of the false data and a location for the false data.
  - 36. The computer-readable medium of claim 31 further comprising:
    - a network identifier field containing data representative of an identifier for a network that is untrusted when transmitting the type of data unit identified by the data unit type field.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
McArdle, Mark J., Johnston, Brent A.
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
Moorthy; Aravind K

Application Number

US09/900,001
Time in Patent Office

2,168 Days
Field of Search

713/200, 713/201
US Class Current

726/22
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 21/6254   by anonymising data, e.g. d...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1441   Countermeasures against mal...

Prevention of operating system identification through fingerprinting techniques

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Prevention of operating system identification through fingerprinting techniques

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links