Nmap Development mailing list archives
Re: Nmap OS Database and Artificial Neural Networks
From: "João Medeiros" <ignotus21 () gmail com>
Date: Tue, 19 Feb 2008 07:28:53 -0300
Hi Diman,

First, thanks for the reply ;)

On Feb 19, 2008 5:03 AM, Diman Todorov <diman.todorov () univie ac at> wrote:
> In your paper I cannot find benchmarks of the accuracy of your method. It would be interesting to compare it with the accuracy of the fingerprinting already built into Nmap. The performance of your neural network on real data is crucial to its application in practice.
The NN solution in this work is to show how one operating system is relatively similar to the others. The Kohonen approach used works fine for this purpose, but it is not the most efficient for pattern classification. Our aim in the paper was not a classification method using NN, because this is already done, and for research this isn't good [0]. Since the paper's focus was not pure classification, we did not include this kind of information, but we can talk about this now.
> If it performs reasonably well it could be used to give information about operating systems the engine has not seen yet. The thing that I don't like about neural networks is that when your system makes a guess about a new OS it doesn't tell us an error probability. Its guess is also not tractable; we cannot say why a neural network has classified an OS as it has classified it.
I agree with you. In my current work I'm only using the Euclidean distance, because, like you, I see no big advantage in the use of a NN for this. Using distance-based methods (like Nmap does) we can have a "proximity factor". I think that the focus on this is on what kind of distance is better for the data we have. When I made the initial conversion of the Nmap database, the size of the vector was around 400. With PCA techniques this can be reduced a lot. Performance is not a problem. If we have a database with E entries and the vector has size n, the complexity is O(E n^2). In experiments I took some fingerprints that Nmap says are not recognizable, used them as real vectors with Euclidean distance, and we guessed the OS correctly. I don't remember now which, but in some examples from SinFP [1] where it says Nmap is not able to find an OS match, we got the same fingerprint and, using our approach, we can guess correctly too. In other words, the Nmap database is wonderful :)
> Running security tests based on the result of the NN is theoretically possible in Nmap but not very interesting because Nmap doesn't have many security tests. And of the security tests coming with Nmap even fewer are OS specific. But again, the security tests in Nmap have access to the OS detection engine built into Nmap.
When I wrote this I was not thinking of using NSE to do this task, because the number of exploits to write is very big. Instead, we get the neighborhood of the most similar entry in the map and search for security problems for these OSs in a database like NVD [2]. But I'm now thinking of doing fuzzing with NSE, and this looks like a good idea to me.
> There are only two reasons why someone would want to use a NN:
> 1. if its guessing is better than the one in Nmap
> 2. if someone deals a lot with operating systems which have not been entered into the Nmap OS database.
As I said, the distance approach brings better results for me. The NN was not used to do this; the map created is nice, but I don't actually know what more we can use it for, which is why I'm telling you this. In my experiments I've tested some devices that have a really small number of open ports, like no open TCP port (Nmap OS detection doesn't like this). I think that we can do more with the Nmap OS database.

Att,
João Medeiros.

[0] - http://pacsec.jp/psj05/psj05-burroni-en.ppt
[1] - http://www.gomor.org/cgi-bin/sinfp.pl
[2] - http://nvd.nist.gov/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
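The Euclidean-distance matching with a "proximity factor" and a neighbourhood of nearest entries that the reply above describes, as an added Python example that is not part of the original thread or of Nmap itself. The OS names, the five-element feature vectors and the probe are constructed and simplified stand-ins (the mail says the real vectors have around 400 elements); the min-max scaling per feature is an assumption of this example, not something the mail specifies.

```python
import math
from typing import Dict, List, Tuple

# Constructed, simplified fingerprint vectors (NOT real Nmap data). Features:
# [initial TTL, TCP window size, DF bit, ICMP echo code, TCP option count]
OS_DB: Dict[str, List[float]] = {
    "Linux 2.6 (hypothetical)":  [64.0, 5840.0, 1.0, 0.0, 5.0],
    "Windows XP (hypothetical)": [128.0, 65535.0, 1.0, 0.0, 4.0],
    "FreeBSD 6 (hypothetical)":  [64.0, 65535.0, 1.0, 0.0, 5.0],
    "Cisco IOS (hypothetical)":  [255.0, 4128.0, 0.0, 0.0, 1.0],
}


def feature_ranges(db: Dict[str, List[float]]) -> List[float]:
    """Per-feature range over the database, used for min-max scaling so a
    wide field (window size) cannot dominate a 0/1 flag. A constant feature
    gets range 1.0 so it neither divides by zero nor contributes distance."""
    vectors = list(db.values())
    n = len(vectors[0])
    return [(max(v[i] for v in vectors) - min(v[i] for v in vectors)) or 1.0
            for i in range(n)]


def scaled_distance(a: List[float], b: List[float], ranges: List[float]) -> float:
    """Euclidean distance after dividing each feature difference by its range."""
    return math.sqrt(sum(((x - y) / r) ** 2 for x, y, r in zip(a, b, ranges)))


def rank_matches(probe: List[float], db: Dict[str, List[float]] = OS_DB,
                 k: int = 3) -> List[Tuple[str, float, float]]:
    """Return the k nearest database entries as (name, distance, proximity).

    Each scaled feature difference lies in [0, 1], so the distance is at most
    sqrt(n); proximity = 1 - d/sqrt(n) gives 1.0 for an exact match and 0.0 for
    a maximally distant one. The returned neighbourhood is what the mail
    proposes looking up in a vulnerability database such as NVD."""
    ranges = feature_ranges(db)
    n = len(ranges)
    ranked = []
    for name, vec in db.items():
        d = scaled_distance(probe, vec, ranges)
        ranked.append((name, d, max(0.0, 1.0 - d / math.sqrt(n))))
    ranked.sort(key=lambda t: t[1])
    return ranked[:k]


if __name__ == "__main__":
    # Constructed probe: close to the Linux entry but not an exact match
    unknown = [64.0, 5792.0, 1.0, 0.0, 5.0]
    for name, d, p in rank_matches(unknown):
        print(f"{name:28s} distance={d:.4f} proximity={p:.4f}")
```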
Current thread:
- Nmap OS Database and Artificial Neural Networks João Medeiros (Feb 18)
- RE: Nmap OS Database and Artificial Neural Networks Dario Ciccarone (dciccaro) (Feb 18)
- Re: Nmap OS Database and Artificial Neural Networks Diman Todorov (Feb 19)
- Re: Nmap OS Database and Artificial Neural Networks João Medeiros (Feb 19)
- Re: Nmap OS Database and Artificial Neural Networks João Medeiros (Feb 19)
- Re: Nmap OS Database and Artificial Neural Networks Diman Todorov (Feb 19)
- Re: Nmap OS Database and Artificial Neural Networks João Medeiros (Feb 19)