System and method of operating system identification

US 7,519,954 B1
Filed: 04/08/2004
Issued: 04/14/2009
Est. Priority Date: 04/08/2004
Status: Active Grant

First Claim

Patent Images

1. An operating system identification system including a node capable of executing computer code comprising:

an identification module configured to execute a plurality of operating system identification tests, each operating system identification test configured to make an identification of an operating system being executed by a network node;

a plurality of identification rules configured to define a procedure by which the identification module makes an overall identification of the operating system, wherein the overall identification is based at least in part on at least one of the identifications made by the plurality of operating system identification tests; and

a conflict resolution module configured to detect at least one of a plurality of cases defined by a plurality of conflict resolution definitions in which at least some of the plurality of operating system identification tests disagree in their identification of the operating system, and configured to, upon detecting such a case, to make an identification of the operating system and to cause the identification module to modify the overall identification based at least on the identification made by the conflict resolution module;

wherein a confidence level is assigned to the identification of the operating system based on a predetermined confidence level stored in association with at least one of a plurality of identification fingerprints used to identify the operating system;

wherein the identification of the operating system by one of the operating system identification tests is dependent on the identification of the operating system by another one of the operating system identification tests.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An automated system performs multiple tests for identifying an operating system executed by a network node. A combination of multiple tests may be calibrated to generate an acceptably accurate operating system identification. An identification module makes an overall identification based on identifications of the tests. A plurality of identification rules may determine which of the individual tests is likely to be most accurate. The system also may include a conflict resolution module that resolves conflicts among the multiple tests. The conflict resolution module may employ a plurality of conflict resolution definitions that define special cases in which the general identification rules may be overridden to make an identification without regard to the general identification rules. Alternatively, the conflict resolution module may be configured to work in combination with the general identification rules to make an operating system identification.

186 Citations

43 Claims

1. An operating system identification system including a node capable of executing computer code comprising:
- an identification module configured to execute a plurality of operating system identification tests, each operating system identification test configured to make an identification of an operating system being executed by a network node;
  
  a plurality of identification rules configured to define a procedure by which the identification module makes an overall identification of the operating system, wherein the overall identification is based at least in part on at least one of the identifications made by the plurality of operating system identification tests; and
  
  a conflict resolution module configured to detect at least one of a plurality of cases defined by a plurality of conflict resolution definitions in which at least some of the plurality of operating system identification tests disagree in their identification of the operating system, and configured to, upon detecting such a case, to make an identification of the operating system and to cause the identification module to modify the overall identification based at least on the identification made by the conflict resolution module;
  
  wherein a confidence level is assigned to the identification of the operating system based on a predetermined confidence level stored in association with at least one of a plurality of identification fingerprints used to identify the operating system;
  
  wherein the identification of the operating system by one of the operating system identification tests is dependent on the identification of the operating system by another one of the operating system identification tests.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The operating system identification system of claim 1, wherein the plurality of operating system identification tests includes a Transmission Control Protocol identification test;
    - wherein a list of open ports on the network node is generated and, based on the list of open ports, another identification of which operating system is executed by the network node and another confidence level indicating a degree to which the other identification is deemed accurate are generated, wherein making the overall identification of the operating system is further based on the other identification and the other confidence level; and
      
      wherein generating the list of open ports comprises retrieving a previously constructed list of open ports.
  - 3. The operating system identification system of claim 2, wherein the plurality of operating system identification tests further includes an Internet Control Message Protocol identification test.
  - 4. The operating system identification system of claim 3, wherein the plurality of operating system identification tests further includes a banner matching test.
  - 5. The operating system identification system of claim 4, wherein the plurality of operating system identification tests further includes an open port signature test.
  - 6. The operating system identification system of claim 5, wherein the plurality of operating system identification tests further includes a NULL session enumeration test.
  - 7. The operating system identification system of claim 4, wherein each identification fingerprint is configured to associate an operating system with responses expected to be generated by the associated operating system in response to execution of one of the identification tests, wherein the identification made by each identification test is based, at least in part, on comparisons between the identification fingerprints and actual responses generated by a tested operating system in response to execution of one of the identification tests.
  - 8. The operating system identification system of claim 7, further comprising a logic engine, wherein the logic engine performs the comparisons between the identification fingerprints and actual responses.
  - 9. The operating system identification system of claim 8, wherein at least one of the comparisons performed by the logic engine is a fuzzy logic comparison.
  - 10. The operating system identification system of claim 4, wherein each identification of the operating system made by one of the identification tests is associated with the confidence level indicating a degree to which the identification is deemed to be accurate, and wherein the overall identification is further based on the confidence level associated with the at least one identification relied upon to make the overall identification.
  - 11. The operating system identification system of claim 10, wherein each associated confidence level represents a probability that the identification is accurate.
  - 12. The operating system identification system of claim 1, wherein each operating system identification test executed by the identification module causes a first plurality of packets to be transmitted to the network node and a plurality of response packets to be received by each operating system identification test.
  - 13. The operating system identification system of claim 12, wherein the plurality of response packets are reformatted for use in identifying the operating system being executed by the network node.
  - 14. The operating system identification system of claim 1, further comprising resolving conflicts among the at least one of the identifications made by the plurality of operating system identification tests only if none of the at least one of the identifications is associated with the confidence level greater than the predetermined confidence level.
  - 15. The operating system identification system of claim 14, wherein the resolving conflicts is based at least in part on comparing aggregated results from at least two of the plurality of operating system identification tests with a plurality of conflict resolution definitions.

16. An operating system identification system including a node capable of executing computer code comprising:
- an identification module configured to execute a plurality of operating system identification tests including at least a Transmission Control Protocol identification test, an Internet Control Message Protocol identification test, and a banner matching test, each operating system identification test configured to make an identification of an operating system being executed by a network node; and
  
  a plurality of identification rules configured to define a procedure by which the identification module makes an overall identification of the operating system, wherein the overall identification is based at least on at least one of the identifications made by the plurality of operating system identification tests;
  
  wherein a confidence level is assigned to the identification of the operating system based on a predetermined confidence level stored in association with at least one of a plurality of identification fingerprints used to identify the operating system;
  
  wherein the identification of the operating system by one of the operating system identification tests is dependent on the identification of the operating system by another one of the operating system identification tests;
  
  wherein a list of open ports on the network node is generated and, based on the list of open ports, another identification of which operating system is executed by the network node and another confidence level indicating a degree to which the other identification is deemed accurate are generated, wherein making the overall identification of the operating system is further based on the other identification and the other confidence level; and
  
  wherein generating the list of open ports comprises retrieving a previously constructed list of open ports.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The operating system identification system of claim 16, wherein the plurality of operating system identification tests further includes an open port signature test.
  - 18. The operating system identification system of claim 17, wherein the plurality of operating system identification tests further includes a NULL session enumeration test.
  - 19. The operating system identification system of claim 16, wherein each identification fingerprint is configured to associate an operating system with responses expected to be generated by the associated operating system in response to execution of one of the identification tests, wherein the identification made by each identification test is based, at least in part, on comparisons between the identification fingerprints and actual responses generated by a tested operating system in response to execution of one of the identification tests.
  - 20. The operating system identification system of claim 19, further comprising a logic engine, wherein the logic engine performs the comparisons between the identification fingerprints and the actual responses.
  - 21. The operating system identification system of claim 20, wherein at least one of the comparisons performed by the logic engine is a fuzzy logic comparison.
  - 22. The operating system identification system of claim 16, wherein each identification of the operating system made by one of the identification tests is associated with the confidence level indicating a degree to which the identification is deemed accurate, and wherein the overall identification is further based on the confidence level associated with the at least one identification relied upon to make the overall identification.
  - 23. The operating system identification system of claim 22, wherein each associated confidence level represents a probability that the identification is accurate.

24. A method of identifying an operating system executed by a network node, comprising:
- transmitting a first plurality of Transmission Control Protocol packets to a network node on a computer network, receiving in response a second plurality of Transmission Control Protocol packets, and generating, based on characteristics of the second plurality of Transmission Control Protocol packets, a first identification of which operating system is executed by the network node and a first confidence level indicating a degree to which the first identification is deemed accurate;
  
  transmitting at least a first plurality of Internet Control Message Protocol packets to the network node, receiving in response at least a second plurality of Internet Control Message Protocol packets, and generating, based at least on characteristics of the second plurality of Internet Control Message Protocol packets, a second identification of which operating system is executed by the network node and a second confidence level indicating a degree to which the second identification is deemed accurate;
  
  connecting to at least one open port on the network node, transmitting to the at least one open port data configured to cause the at least one open port to return at least one banner, and generating, based on the at least one banner, a third identification of which operating system is executed by the network node and a third confidence level indicating a degree to which the third identification is deemed accurate; and
  
  generating an overall identification, based on at least the first identification, the first confidence level, the second identification, the second confidence level, the third identification, and the third confidence level, of the operating system executed by the network node;
  
  wherein the first confidence level is assigned to the first identification of the operating system the second confidence level is assigned to the second identification of the operating system, and the third confidence level is assigned to the third identification of the operating system based on a predetermined confidence level stored in association with at least one of a plurality of identification fingerprints used to identify the operating system;
  
  wherein the first identification of the operating system, the second identification of the operating system, and the third identification of the operating system by one of a plurality of operating system identification tests are dependent on the identification of the operating system by another one of the operating system identification tests;
  
  wherein a list of open ports on the network node is generated and, based on the list of open ports, fourth identification of which operating system is executed by the network node and fourth confidence level indicating a degree to which the other identification is deemed accurate are generated, wherein making the overall identification of the operating system is further based on the fourth identification and the fourth confidence level; and
  
  wherein generating the list of open ports comprises retrieving a previously constructed list of open ports.
- View Dependent Claims (25, 26, 27, 28, 29)
- - 25. The method of claim 24, wherein the network node is one of a computer, a router, and a printer.
  - 26. The method of claim 24, wherein transmitting at least a first plurality of Internet Control Message Protocol packets further includes transmitting at least a first User Datagram Protocol packet to the network node and receiving in response at least a second User Datagram Protocol packet, and wherein the generated second identification and the second confidence level are based, in addition to the second plurality of Internet Control Message Protocol packets, on at least the second User Datagram Protocol packet.
  - 27. The method of claim 24, further comprising determining whether NULL session access is available on at least one port configured to run at least one of a Server Message Block service and a NETBIOS service, and if such NULL session access is available, using such NULL session access to determine at least a major version and a minor version of the operating system executed by the network node, and generating, based on the major version and the minor version, a fifth identification of which operating system is executed by the network node and a fifth confidence level indicating a degree to which the fifth identification is deemed accurate, wherein generating the overall identification of the operating system is further based on the fifth identification and the fifth confidence level.
  - 28. The method of claim 24, wherein generating overall identification of an operating system includes selecting as the overall identified operating system the operating system identified by one of the first identification, the second identification, the third identification, and the fourth identification.
  - 29. The method of claim 24, wherein the first plurality of Transmission Control Protocol packets are compliant with a specification of Transmission Control Protocol packets defined by DARPA Request for Comments 793.

30. A method of identifying an operating system executed by a network node, comprising:
- executing a plurality of tests for identifying which operating system is executed by a network node, such that each test returns an identification of an operating system executed by the network node;
  
  assessing, based at least on one characteristic of each identification of the operating system returned by the plurality of tests, which of the tests to select for determining an overall identification of the operating system; and
  
  generating an overall identification of the operating system executed by the network node as the operating system that is identified by the selected test;
  
  wherein a confidence level is assigned to the identification of the operating system based on a predetermined confidence level stored in association with at least one of a plurality of identification fingerprints used to identify the operating system;
  
  wherein the identification of the operating system by one of the plurality of tests is dependent on the identification of the operating system by another one of the plurality of tests;
  
  wherein a list of open ports on the network node is generated and, based on the list of open ports, another identification of which operating system is executed by the network node and another confidence level indicating a degree to which the other identification is deemed accurate are generated, wherein making the overall identification of the operating system is further based on the other identification and the other confidence level; and
  
  wherein generating the list of open ports comprises retrieving a previously constructed list of open ports.
- View Dependent Claims (31, 32, 33, 34, 35, 36)
- - 31. The method of claim 30, further comprising resolving conflicts among identifications made by the plurality of tests, wherein the resolving conflicts is based at least in part on comparing aggregated results from at least two of the plurality of tests with a plurality of conflict resolution definitions.
  - 32. The method of claim 30, wherein each of the tests returns an identification of an operating system that is not influenced by the identification returned by any of the other tests.
  - 33. The method of claim 30, wherein the plurality of tests includes at least a first test in which the returned identification of an operating system is generated based on at least connecting to at least one open port on the network node and transmitting to the open port data configured to cause the open port to return at least one banner.
  - 34. The method of claim 33, wherein the plurality of tests further includes at least a second test in which the returned identification of an operating system is generated based on at least generating a list of open ports on the network node.
  - 35. The method of claim 34, wherein at least one characteristic of each operating system identification on which the assessing of a test to rely upon is based is the confidence level that each operating system identification is correct.
  - 36. The method of claim 35, wherein at least one confidence level concerning whether an operating system identification is correct is determined using a fitness calculation.

37. A method of identifying an operating system executed by a network node, comprising:
- executing a plurality of tests for identifying which operating system is executed by a network node, each test producing actual test results indicative of at least an identification of an operating system executed by the network node;
  
  determining that at least one of the plurality of tests have actual test results that disagree about which operating system is executed by the network node;
  
  deriving, from the plurality of actual test results, a group of aggregate actual test results that includes at least a portion of at least two of the plurality of actual test results;
  
  comparing the group of aggregate actual test results with a plurality of conflict resolution definitions and finding a closest match between the group of aggregate actual test results and the conflict resolution definitions, wherein each conflict resolution definition is associated with an operating system that is deemed to be the operating system being executed by the network node; and
  
  making an overall identification of the operating system executed by the network node, wherein the overall identified operating system is deemed to be the operating system associated with the closest matched conflict resolution definition;
  
  wherein a confidence level is assigned to the identification of the operating system, based on a predetermined confidence level stored in association with at least one of the plurality of tests used to identify the operating system;
  
  wherein the identification of the operating system by of the plurality of tests is dependent on the identification of the operating system by another one of the plurality of tests;
  
  wherein a list of open ports on the network node is generated and, based on the list of open ports, another identification of which operating system is executed by the network node and another confidence level indicating a degree to which the other identification is deemed accurate are generated, wherein making the overall identification of the operating system is further based on the other identification and the other confidence level; and
  
  wherein generating the list of open ports comprises retrieving a previously constructed list of open ports.
- View Dependent Claims (38, 39, 40, 41, 42, 43)
- - 38. The method of claim 37, wherein the actual test results are further indicative of the confidence level indicating a degree to which the identification of an operating system executed by the network node is accurate.
  - 39. The method of claim 37, wherein the plurality of tests includes a first test comprising transmitting a first plurality of Transmission Control Protocol packets to a network node on a computer network, receiving in response a second plurality of Transmission Control Protocol packets, and generating, based on characteristics of the second plurality of Transmission Control Protocol packets, a first identification of which operating system is executed by the network node.
  - 40. The method of claim 39, wherein the plurality of tests further includes a second test comprising transmitting at least a first plurality of Internet Control Message Protocol packets to the network node, receiving in response at least a second plurality of Internet Control Message Protocol packets, and generating, based at least on characteristics of the second plurality of Internet Control Message Protocol packets, a second determination of which operating system is executed by the network node.
  - 41. The method of claim 40, wherein the plurality of tests further includes a third test comprising connecting to at least one open port on the network node, transmitting to the open port data configured to cause the open port to return at least one banner, and generating, based on the at least one banner, a third determination of which operating system is executed by the network node.
  - 42. The method of claim 41, wherein the plurality of tests further includes a fourth test comprising generating the list of open ports on the network node and generating, based on the list of open ports, a fourth determination of which operating system is executed by the network node.
  - 43. The method of claim 42, wherein the plurality of tests further includes a fifth test comprising determining whether NULL session access is available on at least one port configured to run at least one of a Server Message Block service and a NETBIOS service, and if such NULL session access is available, using such NULL session access to determine at least a major version and a minor version of the operating system executed by the network node, and generating, based on the major version and the minor version, a fifth determination of which operating system is executed by the network node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Beddoe, Marshall, Keir, Robin
Primary Examiner(s)
Dam; Tuan Q
Assistant Examiner(s)
RUTTEN, JAMES D

Application Number

US10/821,046
Time in Patent Office

1,832 Days
Field of Search

717/124, 709/224, 726/26
US Class Current

717/124
CPC Class Codes

H04L 63/1433 Vulnerability analysis

System and method of operating system identification

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

186 Citations

43 Claims

Specification

Use Cases

Quick Links

Others

System and method of operating system identification

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

186 Citations

43 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others