System and method of operating system identification
Abstract
An automated system performs multiple tests for identifying an operating system executed by a network node. A combination of multiple tests may be calibrated to generate an acceptably accurate operating system identification. An identification module makes an overall identification based on identifications of the tests. A plurality of identification rules may determine which of the individual tests is likely to be most accurate. The system also may include a conflict resolution module that resolves conflicts among the multiple tests. The conflict resolution module may employ a plurality of conflict resolution definitions that define special cases in which the general identification rules may be overridden to make an identification without regard to the general identification rules. Alternatively, the conflict resolution module may be configured to work in combination with the general identification rules to make an operating system identification.
43 Claims
1. An operating system identification system including a node capable of executing computer code comprising:
an identification module configured to execute a plurality of operating system identification tests, each operating system identification test configured to make an identification of an operating system being executed by a network node;
a plurality of identification rules configured to define a procedure by which the identification module makes an overall identification of the operating system, wherein the overall identification is based at least in part on at least one of the identifications made by the plurality of operating system identification tests; and
a conflict resolution module configured to detect at least one of a plurality of cases defined by a plurality of conflict resolution definitions in which at least some of the plurality of operating system identification tests disagree in their identification of the operating system, and configured, upon detecting such a case, to make an identification of the operating system and to cause the identification module to modify the overall identification based at least on the identification made by the conflict resolution module;
wherein a confidence level is assigned to the identification of the operating system based on a predetermined confidence level stored in association with at least one of a plurality of identification fingerprints used to identify the operating system;
wherein the identification of the operating system by one of the operating system identification tests is dependent on the identification of the operating system by another one of the operating system identification tests.
Dependent claims: 2-15.
16. An operating system identification system including a node capable of executing computer code comprising:
an identification module configured to execute a plurality of operating system identification tests including at least a Transmission Control Protocol identification test, an Internet Control Message Protocol identification test, and a banner matching test, each operating system identification test configured to make an identification of an operating system being executed by a network node; and
a plurality of identification rules configured to define a procedure by which the identification module makes an overall identification of the operating system, wherein the overall identification is based at least on at least one of the identifications made by the plurality of operating system identification tests;
wherein a confidence level is assigned to the identification of the operating system based on a predetermined confidence level stored in association with at least one of a plurality of identification fingerprints used to identify the operating system;
wherein the identification of the operating system by one of the operating system identification tests is dependent on the identification of the operating system by another one of the operating system identification tests;
wherein a list of open ports on the network node is generated and, based on the list of open ports, another identification of which operating system is executed by the network node and another confidence level indicating a degree to which the other identification is deemed accurate are generated, wherein making the overall identification of the operating system is further based on the other identification and the other confidence level; and
wherein generating the list of open ports comprises retrieving a previously constructed list of open ports.
Dependent claims: 17-23.
24. A method of identifying an operating system executed by a network node, comprising:
transmitting a first plurality of Transmission Control Protocol packets to a network node on a computer network, receiving in response a second plurality of Transmission Control Protocol packets, and generating, based on characteristics of the second plurality of Transmission Control Protocol packets, a first identification of which operating system is executed by the network node and a first confidence level indicating a degree to which the first identification is deemed accurate;
transmitting at least a first plurality of Internet Control Message Protocol packets to the network node, receiving in response at least a second plurality of Internet Control Message Protocol packets, and generating, based at least on characteristics of the second plurality of Internet Control Message Protocol packets, a second identification of which operating system is executed by the network node and a second confidence level indicating a degree to which the second identification is deemed accurate;
connecting to at least one open port on the network node, transmitting to the at least one open port data configured to cause the at least one open port to return at least one banner, and generating, based on the at least one banner, a third identification of which operating system is executed by the network node and a third confidence level indicating a degree to which the third identification is deemed accurate; and
generating an overall identification, based on at least the first identification, the first confidence level, the second identification, the second confidence level, the third identification, and the third confidence level, of the operating system executed by the network node;
wherein the first confidence level is assigned to the first identification of the operating system, the second confidence level is assigned to the second identification of the operating system, and the third confidence level is assigned to the third identification of the operating system based on a predetermined confidence level stored in association with at least one of a plurality of identification fingerprints used to identify the operating system;
wherein the first identification of the operating system, the second identification of the operating system, and the third identification of the operating system by one of a plurality of operating system identification tests are dependent on the identification of the operating system by another one of the operating system identification tests;
wherein a list of open ports on the network node is generated and, based on the list of open ports, a fourth identification of which operating system is executed by the network node and a fourth confidence level indicating a degree to which the other identification is deemed accurate are generated, wherein making the overall identification of the operating system is further based on the fourth identification and the fourth confidence level; and
wherein generating the list of open ports comprises retrieving a previously constructed list of open ports.
Dependent claims: 25-29.
30. A method of identifying an operating system executed by a network node, comprising:
executing a plurality of tests for identifying which operating system is executed by a network node, such that each test returns an identification of an operating system executed by the network node;
assessing, based at least on one characteristic of each identification of the operating system returned by the plurality of tests, which of the tests to select for determining an overall identification of the operating system; and
generating an overall identification of the operating system executed by the network node as the operating system that is identified by the selected test;
wherein a confidence level is assigned to the identification of the operating system based on a predetermined confidence level stored in association with at least one of a plurality of identification fingerprints used to identify the operating system;
wherein the identification of the operating system by one of the plurality of tests is dependent on the identification of the operating system by another one of the plurality of tests;
wherein a list of open ports on the network node is generated and, based on the list of open ports, another identification of which operating system is executed by the network node and another confidence level indicating a degree to which the other identification is deemed accurate are generated, wherein making the overall identification of the operating system is further based on the other identification and the other confidence level; and
wherein generating the list of open ports comprises retrieving a previously constructed list of open ports.
Dependent claims: 31-36.
37. A method of identifying an operating system executed by a network node, comprising:
executing a plurality of tests for identifying which operating system is executed by a network node, each test producing actual test results indicative of at least an identification of an operating system executed by the network node;
determining that at least one of the plurality of tests have actual test results that disagree about which operating system is executed by the network node;
deriving, from the plurality of actual test results, a group of aggregate actual test results that includes at least a portion of at least two of the plurality of actual test results;
comparing the group of aggregate actual test results with a plurality of conflict resolution definitions and finding a closest match between the group of aggregate actual test results and the conflict resolution definitions, wherein each conflict resolution definition is associated with an operating system that is deemed to be the operating system being executed by the network node; and
making an overall identification of the operating system executed by the network node, wherein the overall identified operating system is deemed to be the operating system associated with the closest matched conflict resolution definition;
wherein a confidence level is assigned to the identification of the operating system, based on a predetermined confidence level stored in association with at least one of the plurality of tests used to identify the operating system;
wherein the identification of the operating system by one of the plurality of tests is dependent on the identification of the operating system by another one of the plurality of tests;
wherein a list of open ports on the network node is generated and, based on the list of open ports, another identification of which operating system is executed by the network node and another confidence level indicating a degree to which the other identification is deemed accurate are generated, wherein making the overall identification of the operating system is further based on the other identification and the other confidence level; and
wherein generating the list of open ports comprises retrieving a previously constructed list of open ports.
Dependent claims: 38-43.
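The combination procedure the claims describe (per-test identifications carrying a confidence stored with the matching fingerprint, a general rule that selects the most confident test, conflict resolution definitions matched against the aggregate results, and the open-port list as one more test) as an added Python example; this is not the patent's own code, and every signature, confidence value, OS name and definition in it is constructed.

```python
# Added example, not the patent's own code: combines per-test identifications,
# fingerprint confidences and conflict resolution definitions as the claims describe.
# Every signature, confidence value, OS name and definition below is constructed.

# Fingerprint table: (test, observed signature) -> (OS, predetermined confidence).
# "ports" stands in for the previously constructed list of open ports.
FINGERPRINTS = {
    ("tcp", "win=65535,ttl=128,df=1"): ("windows", 0.8),
    ("tcp", "win=29200,ttl=64,df=1"): ("linux", 0.7),
    ("icmp", "ttl=128,echo_id=0"): ("windows", 0.5),
    ("icmp", "ttl=64,echo_id=random"): ("linux", 0.6),
    ("banner", "Microsoft-IIS"): ("windows", 0.9),
    ("banner", "OpenSSH"): ("linux", 0.4),   # weak: OpenSSH runs on many systems
    ("ports", "135,139,445"): ("windows", 0.6),
}

# Conflict resolution definitions: a pattern of per-test identifications and the
# OS deemed correct when the aggregate results match it (overrides the general rule).
CONFLICT_DEFS = [
    ({"tcp": "linux", "banner": "windows"}, "linux"),    # IIS banner behind a Linux proxy
    ({"tcp": "windows", "icmp": "linux"}, "windows"),
]

def run_tests(observations):
    """Map each test's raw observation to (OS, confidence); unknown -> (None, 0.0)."""
    return {t: FINGERPRINTS.get((t, sig), (None, 0.0)) for t, sig in observations.items()}

def resolve_conflict(results):
    """Closest-match step: pick the definition sharing most (test, OS) pairs with the
    aggregate results; it only applies when every pair in that definition matches."""
    agg = {t: os for t, (os, _) in results.items() if os}
    score = lambda d: sum(agg.get(t) == os for t, os in d[0].items())
    best = max(CONFLICT_DEFS, key=score)
    return best[1] if score(best) == len(best[0]) else None

def identify(observations):
    """Overall identification: conflict definitions first, then highest confidence."""
    named = {t: r for t, r in run_tests(observations).items() if r[0]}
    if not named:
        return None, 0.0
    if len({os for os, _ in named.values()}) > 1:       # tests disagree
        override = resolve_conflict(named)
        if override:
            conf = max((c for os, c in named.values() if os == override), default=0.0)
            return override, conf
    # General identification rule: select the test with the highest stored confidence.
    return max(named.values(), key=lambda r: r[1])
```

With a Linux TCP stack and an IIS banner, the general rule alone would pick the 0.9 banner result, while the matching conflict definition overrides it to Linux; when no definition fully matches, the general rule decides.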