Re: GSoC Candidate Intro and Project Discussion

[David Fifield <david () bamsoftware com>]

On Sun, Mar 27, 2011 at 04:46:14PM -0500, Dautenhahn, Nathan Daniel wrote:
> Hey All-
>
> My name is Nathan Dautenhahn. I am a second year PhD student at the
> University of Illinois at Urbana-Champaign and am interested in
> working with the Nmap project for GSoC 2011. With this message I would
> like to get to know some of the devs, as well as outline my initial
> thoughts for the project.
>
> I would like to participate in the enhancement of Nmap's IPv6
> capabilities. As I'm a researcher, I'm inclined to tackle more complex
> problems such as OS detection. I have previous experience in using
> statistical packet analysis to perform classification of encrypted
> traffic.
>
> At this point I still need to specify in greater detail my ideas and
> scope for the project, but figured it would be good to start here to
> make sure that I'm getting the right feedback throughout the process.
> I will say I don't know how current IPv4 host detection occurs, and
> assume that I should start there. The following lists an initial
> approach I would take in order to develop host detection:

Hello Nathan. You're using the term "host detection," which is a little
confusing because it puts me in mind of "host discovery," which is a
topic separate from OS detection (see chapter 3 of the Nmap book or
http://nmap.org/book/man-host-discovery.html). The reference for OS
detection is http://nmap.org/book/osdetect.html.

Host discovery (ping scanning) on IPv6 networks is another open research
area.

>  *   Review IPv4 host recognition techniques and other literature on the subject
>  *   Review IPv6 RFC Specification
>  *   It seems as though host detection is very specific to the OS and
>  other implementation specific issues, and as such profiling the
>  different systems seems like a good first step. I would manually
>  review packet traces from each OS in order to find any unique state
>  produced by the system.
>  *   Review other state output visible to the network. This task would
>  be focused on exposing any unexpected state that could be used for
>  host detection.

Can you give examples of state output? I don't know what you mean.

>  *   After manually analyzing these traces and other output from the
>  hosts I would start to develop some type of classification of
>  different types of data we find valuable in performing host
>  recognition.
>  *   Would need to analyze and define what type of
>  pattern/classification technique we will use.

This is an interesting topic. Nmap's IPv4 matching algorithm just uses a
weighted sum of passing tests. A few months ago I did a small research
project into using a support vector machine for classification, with
some success. This is the paper, which also has some useful references:
http://seclists.org/nmap-dev/2011/q1/156.

>  *   The next thing would be to build some type of initial prototype
>  and see how it does.

This is a good point. We don't have to settle for testing in a lab when
there are so many Nmap users. A good project plan will include ideas to
enable testing by interested users.

>  *   Then make modifications and recurse over testing and modification
>  until the application performs as desired.
>
> Like I said this is a very raw initial approach. Please provide any
> feedback to point the project in a direction that would better serve
> Nmap.
>
> I have a few questions:
>
>  *   What is the potential for publication coming from this work?
>  Would Nmap be okay if attempted this, and would there be interest
>  from Nmap to participate in this?

I don't have a feel for what kind of work is publishable. But I can say
that this not a project to be done and then forgotten about--it has to
be usable and maintainable for years to come.

>  *   Is this too advantageous of a project, or would I also need to
>  add in some other work?

I think OS detection is a big enough project on its own.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/