Operating system fingerprinting
First Claim
1. A method of determining operating system data, including:
- receiving at a processor a message associated with a network protocol;
- extracting a set of features from the message; and
- determining operating system data at least in part by checking to determine if there are matches between features of the message and features of a fingerprint associated with an operating system at a plurality of levels of granularity, including:
  - traversing an ordered tree that is organized according to levels of granularity of operating system hierarchy, wherein each child node in the ordered tree corresponds to a more specific version of an operating system, wherein the ordered tree has at least two levels corresponding to at least two levels of granularity of operating system hierarchy;
  - obtaining features of a fingerprint associated with each node of the ordered tree organized according to levels of granularity of operating system hierarchy from a fingerprint database, wherein the fingerprint database comprises features of a fingerprint associated with each node of the ordered tree and unique to the node corresponding to a level of granularity of the operating system hierarchy, wherein a feature of a fingerprint comprises a set of one or more fields, order of fields, field values, or order of field values for each known operating system;
  - checking the features of the message with the features of a fingerprint associated with a node of the ordered tree that is currently traversed, wherein a match between the features of the message and the features of the fingerprint associated with the node determines operating system data with a level of granularity represented by the node, and wherein a match of the features at every level of granularity is not required to determine operating system data.
Abstract
Determining operating system data is disclosed, including receiving a message associated with a network protocol, extracting a set of one or more features from the message, and determining operating system data at least in part by matching one or more features of the message with one or more features of a fingerprint associated with an operating system. An exact match of the features is not required to determine operating system data.
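An added example, not taken from the patent or from any product: a minimal passive classifier illustrating the ordered-tree matching recited in claim 1, assuming the message is a raw IPv4/TCP SYN and that "a match at every level is not required" means the deepest matching node is reported. The tree contents, OS labels and the names `extract_features`, `classify` and `sample_syn` are constructed for illustration.

```python
import struct

# Constructed fingerprint tree (labels and values are illustrative, not a real database).
# Node = (label, features unique to this level of granularity, ordered children).
TREE = ("unknown", {}, [
    ("Linux", {"ttl": 64}, [
        ("Linux 3.x+", {"opts": ("mss", "sack", "ts", "nop", "ws")}, [
            ("Linux 3.11+", {"window": 29200}, [])])]),
    ("Windows", {"ttl": 128}, [
        ("Windows 7+", {"opts": ("mss", "nop", "ws", "nop", "nop", "sack")}, [
            ("Windows 10", {"window": 64240}, [])])]),
])
OPT_NAMES = {2: "mss", 3: "ws", 4: "sack", 8: "ts"}

def extract_features(pkt: bytes) -> dict:
    """Extract initial-TTL guess, TCP window and TCP option order from raw IPv4/TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 20:
        raise ValueError("truncated IPv4/TCP packet")
    ttl = next(t for t in (32, 64, 128, 255) if pkt[8] <= t)  # undo hop decrements
    tcp = pkt[ihl:]
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, raw, i = [], tcp[20:(tcp[12] >> 4) * 4], 0
    while i < len(raw) and raw[i] != 0:            # kind 0 ends the option list
        if raw[i] == 1:                            # kind 1 is a one-byte NOP
            opts.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:    # malformed length: stop parsing
            break
        opts.append(OPT_NAMES.get(raw[i], f"opt{raw[i]}"))
        i += raw[i + 1]
    return {"ttl": ttl, "window": window, "opts": tuple(opts)}

def classify(features: dict, node=TREE) -> str:
    """Descend into the first child whose features all match; return the deepest match."""
    label, _, children = node
    for child in children:
        if all(features.get(k) == v for k, v in child[1].items()):
            return classify(features, child)
    return label

def sample_syn(ttl: int, window: int, options: bytes) -> bytes:
    """Build a constructed IPv4+TCP SYN (zeroed addresses/ports, no checksums)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(options), 0, 0, ttl, 6, 0,
                     bytes(4), bytes(4))
    tcp = struct.pack("!HHIIBBHHH", 0, 0, 0, 0, ((20 + len(options)) // 4) << 4, 2, window, 0, 0)
    return ip + tcp + options
```

A SYN whose TTL and option order match but whose window does not is still reported at the coarser "Linux 3.x+" level, which is the partial-match behaviour the claim describes.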
23 Claims
20. A system for determining operating system data, including:
a processor configured to:
- receive a message associated with a network protocol;
- extract a set of features from the message; and
- determine operating system data at least in part by checking to determine if there are matches between features of the message and features of a fingerprint associated with an operating system at a plurality of levels of granularity, including:
  - traversing an ordered tree that is organized according to levels of granularity of operating system hierarchy, wherein each child node in the ordered tree corresponds to a more specific version of an operating system, wherein the ordered tree has at least two levels corresponding to at least two levels of granularity of operating system hierarchy;
  - obtaining features of a fingerprint associated with each node of the ordered tree organized according to levels of granularity of operating system hierarchy from a fingerprint database, wherein the fingerprint database comprises features of a fingerprint associated with each node of the ordered tree and unique to the node corresponding to a level of granularity of the operating system hierarchy, wherein a feature of a fingerprint comprises a set of one or more fields, order of fields, field values, or order of field values for each known operating system;
  - checking the features of the message with the features of a fingerprint associated with a node of the ordered tree that is currently traversed, wherein a match between the features of the message and the features of the fingerprint associated with the node determines operating system data with a level of granularity represented by the node, and wherein a match of the features at every level of granularity is not required to determine operating system data; and

a memory coupled with the processor, wherein the memory provides the processor with instructions.
22. A non-transitory computer readable storage medium and comprising computer instructions for:
- receiving a message associated with a network protocol;
- extracting a set of one or more features from the message; and
- determining operating system data at least in part by checking to determine if there are matches between one or more features of the message and one or more features of a fingerprint associated with an operating system at a plurality of levels of granularity, including by:
  - traversing an ordered tree that is organized according to levels of granularity of operating system hierarchy, wherein each child node in the ordered tree corresponds to a more specific version of an operating system, wherein the ordered tree has at least two levels corresponding to at least two levels of granularity of operating system hierarchy;
  - obtaining features of a fingerprint associated with each node of the ordered tree organized according to levels of granularity of operating system hierarchy from a fingerprint database, wherein the fingerprint database comprises features of a fingerprint associated with each node of the ordered tree and unique to the node corresponding to a level of granularity of the operating system hierarchy, wherein a feature of a fingerprint comprises a set of one or more fields, order of fields, field values, or order of field values for each known operating system;
  - checking the features of the message with the features of a fingerprint associated with a node of the ordered tree that is currently traversed, wherein a match between the features of the message and the features of the fingerprint associated with the node determines operating system data with a level of granularity represented by the node, and wherein a match of the features at every level of granularity is not required to determine operating system data.