Nmap Development mailing list archives

Re: Nmap OS Database and Artificial Neural Networks


From: "João Medeiros" <ignotus21 () gmail com>
Date: Tue, 19 Feb 2008 07:28:53 -0300

Hi Diman,

First, thanks for the reply ;)

On Feb 19, 2008 5:03 AM, Diman Todorov <diman.todorov () univie ac at> wrote:
> In your paper I cannot find benchmarks of the accuracy of your method.
> It would be interesting to compare it with the accuracy of the
> fingerprinting already built into Nmap. The performance of your neural
> network on real data is crucial to its application in practice.

The NN solution in this work is to show how one operating system is
relatively similar to the others. The Kohonen approach used works
fine for this purpose, but is not the most efficient for pattern
classification. Our aim in the paper was not a classification method using
NN, because this is already done, and for research this isn't good [0].
Since the paper's focus was not pure classification we did not include
this kind of information, but we can talk about this now.

> If it performs reasonably well it could be used to give information
> about operating systems the engine has not seen yet. The thing that I
> don't like about neural networks is that when your system makes a
> guess about a new OS it doesn't tell us an error probability. Its
> guess is also not tractable; we cannot say why a neural network has
> classified an OS as it has classified it.

I agree with you. In my current work I'm only using the Euclidean
distance, because, like you, I see no big advantage in the use of a NN
for this. Using distance-based methods (like Nmap does) we can have a
"proximity factor". I think that the focus on this is in what kind of
distance is better for the data we have. When I made the initial
conversion of the Nmap database the size of the vector was around 400. With
PCA techniques this can be reduced a lot. Performance is not a
problem. If we have a database with 'E' entries and the
vector has size 'n', the complexity is O(E n^2). In experiments I took
some fingerprints Nmap says are not recognizable, used them as real
vectors with Euclidean distance, and we guessed the OS correctly.

I don't remember now which, but in some examples of SinFP [1] where
it says Nmap is not able to find an OS match, we got the same
fingerprint and using our approach we can guess correctly too. In other
words the Nmap database is wonderful :)

> Running security tests based on the result of the NN is theoretically
> possible in Nmap but not very interesting because Nmap doesn't have
> many security tests. And of the security tests coming with Nmap even
> fewer are OS specific. But again, the security tests in Nmap have
> access to the OS detection engine built into Nmap.

When I wrote this I was not thinking of using NSE to do this task, because
the number of exploits to write is very big. Instead, we get the
neighborhood of the most similar entry in the map and search for
security problems for these OSs in a database like NVD [2]. But I'm
thinking now of doing fuzzing with NSE, and this looks like a good idea
to me.

> There are only two reasons why someone would want to use a NN: 1. if
> its guessing is better than the one in Nmap 2. if someone deals a lot
> with operating systems which have not been entered into the Nmap OS
> database.

As I said, the distance approach brings better results for me. The NN was
not used to do this; the map created is nice, but I don't actually
know what more we can use it for, as I tell you. In my
experiments I've tested some devices that have a really small number
of open ports, like no open TCP port (Nmap OS detection doesn't like
this). I think that we can do more with the Nmap OS database.

Regards, João Medeiros.

[0] - http://pacsec.jp/psj05/psj05-burroni-en.ppt
[1] - http://www.gomor.org/cgi-bin/sinfp.pl
[2] - http://nvd.nist.gov/
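The distance-based matching João describes above (encode each fingerprint as a numeric vector, rank the database by Euclidean distance, report a "proximity factor", and still get a nearest neighbour for a device Nmap would call unrecognizable) as an added, self-contained example. This is not code from Nmap, from the paper, or from anyone in the thread: the four fingerprint fields, the one-hot categories, the three database entries (OS-A/B/C) and the 0.5 proximity threshold are all constructed for illustration; real Nmap fingerprints carry far more tests and the vector is correspondingly longer.

```python
"""Toy distance-based OS fingerprint matcher (added example, not Nmap code).

Encodes a fingerprint as a fixed-length vector, ranks a small constructed
database by Euclidean distance, and turns the best distance into a 0..1
"proximity factor" so an unknown device still yields its nearest neighbour.
"""
import math

# Constructed: categorical TCP-option layouts are one-hot encoded so that every
# fingerprint becomes a vector of the same length (3 scalars + 3 one-hot slots).
TCP_OPTS_VALUES = ["MSS", "MSS,SACK", "MSS,NOP,WS,SACK"]

# Upper bound on the distance for this encoding: the three scaled scalars differ
# by at most 1 each, and two one-hot vectors differ by at most sqrt(2) in total.
MAX_DISTANCE = math.sqrt(3 + 2)


def encode(fp):
    """Map a fingerprint dict to a numeric vector.

    Numeric fields are scaled into [0, 1] so the 16-bit window size cannot
    dominate the 8-bit TTL or the DF flag in the Euclidean distance.
    """
    vec = [fp["ttl"] / 255.0, fp["win"] / 65535.0, 1.0 if fp["df"] else 0.0]
    for opt in TCP_OPTS_VALUES:
        vec.append(1.0 if fp["tcp_opts"] == opt else 0.0)
    return vec


def euclidean(a, b):
    """Plain Euclidean distance between two equal-length vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


# Constructed reference database; names are placeholders, not real Nmap entries.
DATABASE = {
    "OS-A (constructed)": {"ttl": 64, "win": 5840, "df": True, "tcp_opts": "MSS,NOP,WS,SACK"},
    "OS-B (constructed)": {"ttl": 128, "win": 65535, "df": True, "tcp_opts": "MSS,SACK"},
    "OS-C (constructed)": {"ttl": 255, "win": 4128, "df": False, "tcp_opts": "MSS"},
}


def rank(probe, database=DATABASE):
    """Return (name, distance) pairs sorted by increasing distance.

    One distance per database entry: the cost grows linearly with the number
    of entries E and with the vector length n.
    """
    pv = encode(probe)
    scored = [(name, euclidean(pv, encode(fp))) for name, fp in database.items()]
    return sorted(scored, key=lambda t: t[1])


def proximity(distance):
    """Proximity factor in [0, 1]: 1.0 means an identical fingerprint."""
    return max(0.0, 1.0 - distance / MAX_DISTANCE)


def best_guess(probe, database=DATABASE, threshold=0.5):
    """Nearest entry and its proximity; name is None below the threshold.

    The threshold (assumed, 0.5) plays the role of a 'no match' decision, but
    unlike a hard classifier the nearest neighbour and its proximity are still
    returned, which is the neighbourhood information the thread is after.
    """
    name, dist = rank(probe, database)[0]
    prox = proximity(dist)
    return (name if prox >= threshold else None, prox)


if __name__ == "__main__":
    # Constructed probes: an exact hit, a one-hop-away variant, and an unknown box.
    exact = {"ttl": 64, "win": 5840, "df": True, "tcp_opts": "MSS,NOP,WS,SACK"}
    near = dict(exact, ttl=63)
    unknown = {"ttl": 32, "win": 1024, "df": False, "tcp_opts": "TS"}
    for label, probe in (("exact", exact), ("near", near), ("unknown", unknown)):
        print(label, best_guess(probe), rank(probe)[0])
```

For the `unknown` probe the guess is `None`, yet `rank()` still names OS-C as the closest entry with a proximity of about 0.41; that neighbourhood is what the reply proposes feeding into a vulnerability database lookup rather than a hard OS label.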

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

