
Research Of Positive Approach To Operating Systems Identification Based On Decision Tree

Posted on: 2016-04-12
Degree: Master
Type: Thesis
Country: China
Candidate: Z X Zhu
GTID: 2348330488973355
Subject: Engineering

Abstract/Summary:
With the rapid spread of networks, network security has received unprecedented attention from countries, companies and individuals alike, and operating system identification, as part of network security assessment, is being studied by more and more people. Most current approaches to operating system identification are active: they work by sending probe packets, so they are easily detected by intrusion detection systems. In addition, most current approaches cannot identify a fingerprint that is not in the fingerprint database. An approach that is passive and can still identify such fingerprints therefore has practical significance, and this thesis takes that as its starting point. The main contents are as follows:

1. We introduce several approaches to operating system identification and compare their characteristics. Finally we combine two of them, one based on the TCP/IP stack fingerprint and one based on application-layer marks, into our passive approach. It sends no probe packets to the target host, so detection by an intrusion detection system is not a concern.

2. To identify fingerprints that are not in the fingerprint database, this thesis uses a classification algorithm to build a classification model. After comparing the performance of several classification algorithms, we chose the C4.5 decision tree algorithm. We also use a feature selection algorithm to streamline the fingerprint, removing redundant items so that they do not interfere with classification.

3. Using Visual Studio 2008 and the WinPcap development kit, the passive approach to operating system identification based on decision trees is implemented in software. The software is divided into four modules: the pre-processing module, the identification module based on the TCP/IP fingerprint, the identification module based on the UA, and the result-combining module. Finally we build an experimental environment to test the software and analyze the results of the experiment.

The results show that the software achieves the expected goal and has practical value. Two of the tested fingerprints are not present in the existing fingerprint database, which shows that the method can be used to identify unknown fingerprints.
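As an added illustration of the pipeline the abstract describes, the block below is example code written for this page, not the thesis's software: it builds a simplified C4.5 decision tree (gain-ratio splits on categorical fields, no pruning) over a small passive TCP/IP fingerprint database, drops features that carry no information gain, classifies a fingerprint whose exact field combination is not in the database, and combines that result with an application-layer mark. Every fingerprint value, the UA mark table and the combining policy are constructed assumptions, and "UA" is taken here to mean the HTTP User-Agent header.

```python
import math
from collections import Counter

# Constructed fingerprint database (hypothetical values, NOT the thesis's data).
# Each record holds fields observed passively in a host's TCP SYN / IP header plus
# the OS label; "df" and "tos" are deliberately constant so that feature selection
# has redundant items to remove.
FEATURES = ["ttl", "win", "df", "mss", "wscale", "tos"]
DB = [
    ({"ttl": 64,  "win": 29200, "df": 1, "mss": 1460, "wscale": 7, "tos": 0}, "Linux"),
    ({"ttl": 64,  "win": 5840,  "df": 1, "mss": 1460, "wscale": 2, "tos": 0}, "Linux"),
    ({"ttl": 64,  "win": 14600, "df": 1, "mss": 1460, "wscale": 7, "tos": 0}, "Linux"),
    ({"ttl": 128, "win": 8192,  "df": 1, "mss": 1460, "wscale": 8, "tos": 0}, "Windows"),
    ({"ttl": 128, "win": 65535, "df": 1, "mss": 1460, "wscale": 2, "tos": 0}, "Windows"),
    ({"ttl": 128, "win": 64240, "df": 1, "mss": 1460, "wscale": 8, "tos": 0}, "Windows"),
    ({"ttl": 64,  "win": 65535, "df": 1, "mss": 1460, "wscale": 6, "tos": 0}, "FreeBSD"),
    ({"ttl": 64,  "win": 65535, "df": 1, "mss": 1440, "wscale": 6, "tos": 0}, "FreeBSD"),
]

# Application-layer marks: User-Agent substrings mapped to an OS family (constructed).
UA_MARKS = [("Windows NT", "Windows"), ("X11; Linux", "Linux"),
            ("FreeBSD", "FreeBSD"), ("Macintosh", "macOS")]


def entropy(values):
    """Shannon entropy in bits of a list of categorical values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def gain_ratio(rows, attr):
    """Return (gain_ratio, information_gain) for splitting rows on attr (C4.5 criterion)."""
    labels = [lab for _, lab in rows]
    groups = {}
    for feat, lab in rows:
        groups.setdefault(feat[attr], []).append(lab)
    n = len(rows)
    gain = entropy(labels) - sum(len(g) / n * entropy(g) for g in groups.values())
    split_info = entropy([feat[attr] for feat, _ in rows])
    return (gain / split_info if split_info > 0 else 0.0), gain


def select_features(rows, attrs, min_gain=1e-9):
    """Feature selection: keep only attributes that carry information about the label."""
    return [a for a in attrs if gain_ratio(rows, a)[1] > min_gain]


def build_tree(rows, attrs):
    """Simplified C4.5: categorical splits chosen by gain ratio, no pruning."""
    labels = [lab for _, lab in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not attrs:
        return majority
    scored = {a: gain_ratio(rows, a) for a in attrs}
    best = max(attrs, key=lambda a: scored[a][0])
    if scored[best][1] <= 0:
        return majority
    node = {"attr": best, "default": majority, "children": {}}
    rest = [a for a in attrs if a != best]
    for value in sorted({feat[best] for feat, _ in rows}):
        subset = [(f, l) for f, l in rows if f[best] == value]
        node["children"][value] = build_tree(subset, rest)
    return node


def classify(tree, feat):
    """Walk the tree. A field value never seen in the database falls back to the
    majority label at that node, which is how an unknown fingerprint still gets a class."""
    while isinstance(tree, dict):
        child = tree["children"].get(feat[tree["attr"]])
        if child is None:
            return tree["default"]
        tree = child
    return tree


def identify_by_ua(ua):
    """Application-layer module: first matching mark wins, None when nothing matches."""
    for mark, os_name in UA_MARKS:
        if mark in ua:
            return os_name
    return None


def identify(tree, feat, ua=None):
    """Combining module (policy is this example's assumption, not the thesis's):
    agreement or a missing UA yields the stack result; a disagreement is reported
    as a conflict worth reviewing, since proxies and spoofed UAs commonly cause it."""
    stack_guess = classify(tree, feat)
    ua_guess = identify_by_ua(ua) if ua else None
    if ua_guess is None:
        return stack_guess, "stack-only"
    if ua_guess == stack_guess:
        return stack_guess, "agree"
    return ua_guess, "conflict: stack=%s ua=%s" % (stack_guess, ua_guess)


if __name__ == "__main__":
    selected = select_features(DB, FEATURES)   # drops the constant df and tos
    tree = build_tree(DB, selected)
    # A SYN whose exact field combination is NOT in DB (win 64240 together with ttl 64).
    unknown = {"ttl": 64, "win": 64240, "df": 1, "mss": 1460, "wscale": 7, "tos": 0}
    print("selected features:", selected)
    print("unknown fingerprint ->", identify(tree, unknown, "Mozilla/5.0 (X11; Linux x86_64)"))
```

On this constructed database the root split lands on `ttl` and the `ttl=64` branch splits on `wscale`, so `win` and `mss` never need to be consulted; a SYN with an unseen `win` value is still classified, and an unseen `wscale` value falls back to the node's majority label. The conflict report in `identify` is the part a defender cares about most, because a stack fingerprint that disagrees with the claimed User-Agent is a cheap signal for asset-inventory drift or a proxied client.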
Keywords/Search Tags: Passive, Operating Systems Identification, Decision Trees, Feature Selection