CN105554009B - A method for obtaining device operating system information from network data - Google Patents
- Publication number: CN105554009B
- Application number: CN201511003623.5A
- Authority: CN (China)
- Prior art keywords: data, data packets, dhcp, network, system information
- Legal status: Active (the legal status is an assumption and is not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
Abstract
The invention discloses a method for obtaining device operating system information from network data. Packets generated in the network are passively monitored, the feature data in them are extracted and compared with the corresponding feature data preset in a feature database, and the operating system of the host that sent the packets is thereby inferred. The packets include one or more of IP packets, TCP SYN packets and DHCP packets. A data listening module extracts from the network the IP packets, TCP SYN packets and/or DHCP packets sent by the hosts of interest, extracts the feature data in those packets, and passes it to a data analysis module. By making creative use of existing network protocol data, the invention provides an accurate, efficient and widely applicable method that can infer the operating system information of every host device in the current network.
Description
Technical field
The present invention relates to technical fields such as information security and data mining, and specifically to a method for obtaining device operating system information from network data.
Background
With the rapid development of mobile communication technology, daily life and work increasingly depend on mobile terminal devices that connect quickly to networks such as 3G/4G/WiFi. While these devices are convenient, they also introduce many information security risks. Because mobile devices join and leave networks quickly, they put serious pressure on network security management. For security reasons, network administrators need to define different network access policies for different types of connecting device. How to identify device-related information efficiently and accurately has become an urgent problem.
Of the device-related information to be identified, the most important is the device's operating system type and related details (such as the version number). Just as every person has a unique fingerprint, every operating system has its own distinctive characteristics, and these show up in the way a terminal device communicates with the outside world.
In theory, the communication layer of every terminal device is designed to the network protocol specifications, so communication characteristics should be independent of the operating system. In practice, because these network standards are defined, read and understood from different angles, and because developers handle particular abnormal or special cases differently, operating systems do behave somewhat differently in their network protocol implementations. By observing and analysing these specific characteristics, the operating system information can be identified. There are currently two ways to perform this identification: active and passive.
Active identification: a certain number of specially crafted packets are actively sent to the device being identified, and its operating system type, version number and so on are determined from its responses. This technique is common in the network security field: when a hacker or security expert needs to penetrate a remote system, this identification step is usually the opening move. Because active identification sends data into the network, it affects the network as a whole; the identified party may detect the identification activity and take precautions, or even mislead it (packet spoofing, etc.). It is therefore unsuitable for some application environments.
Passive identification: passive techniques fingerprint a device without sending any data. Such a mechanism can collect more detailed information without affecting the network, for use in network management and security management. Because passive fingerprinting sends no probes and works by passively listening to packets, it adapts to a wider range of application environments.
Summary of the invention
The purpose of the present invention is to provide a method for obtaining device operating system information from network data. By making creative use of existing network protocol data, it provides an accurate, efficient and widely applicable method that can infer the operating system information of every host device in the current network.
The present invention is achieved through the following technical solution: a method for obtaining device operating system information from network data, in which the packets generated in the network are passively monitored, the feature data in the packets are extracted and compared with the corresponding feature data preset in a feature database, and the operating system information of the host that sent the packets is thereby inferred.
To better implement the present invention, the following arrangement is used: the packets include one or more of IP packets, TCP SYN packets and DHCP packets.
To better implement the present invention, the following arrangement is used: the specific steps of the method for obtaining device operating system information from network data are:
1) The data listening module extracts from the network the IP packets, TCP SYN packets and/or DHCP packets sent by the hosts of interest, then extracts the feature data in those packets and passes it to the data analysis module;
2) After step 1), the data analysis module compares the feature data extracted from the IP packets, TCP SYN packets and/or DHCP packets with the corresponding feature data preset in the feature database, singly or in combination, and, working from fast to slow and from coarse to fine according to the features, infers the operating system information of the host that sent the IP packets, TCP SYN packets and/or DHCP packets.
To better implement the present invention, the following arrangement is used: step 2) comprises the following specific steps, used singly or in combination:
2-1) Obtain the default TTL feature value from the IP packet and compare it with the corresponding preset feature data, to judge the operating system information of the host that sent the IP packet;
2-2) Obtain the initial TCP window value from the TCP SYN packet and compare it with the corresponding preset feature data, to further judge the operating system information of the host that sent the TCP SYN packet;
2-3) Obtain the DHCP parameter permutation-and-combination information from the DHCP packet and compare it with the corresponding preset feature data, to judge the operating system information of the host that sent the DHCP packet.
To better implement the present invention, the following arrangement is used: the DHCP parameter permutation-and-combination information is specifically DHCP Option 55.
To better implement the present invention, the following arrangement is used: the preset feature data include the default TTL feature value of IP packets and the operating system information corresponding to that default TTL feature value.
To better implement the present invention, the following arrangement is used: the preset feature data further include the initial TCP window value of TCP SYN packets and the operating system information corresponding to that initial TCP window value.
To better implement the present invention, the following arrangement is used: the preset feature data further include the DHCP Option 55 of DHCP packets and the operating system information corresponding to that DHCP Option 55.
Compared with the prior art, the present invention has the following advantages and beneficial effects:
(1) The present invention is a method that sends no data to the network. It only monitors the various information transmitted in the network and analyses it comprehensively, to infer the operating system type and related data of the host devices running in the network.
By making creative use of existing network protocol data, the present invention provides an accurate, efficient and widely applicable method that can infer the operating system information of every host device in the current network.
Detailed description
The present invention involves computer networking, information security and data mining technology, and is a combined application of computer technology in these fields. Implementing the invention involves the use of several software function modules. The applicant believes that, after carefully reading the application documents and accurately understanding the implementation principle and purpose of the invention, a person skilled in the art can, in combination with existing known technology, implement the invention using the software programming skills they already have.
The present invention is described in further detail below with reference to embodiments, but embodiments of the invention are not limited to these.
IP: IP (Internet Protocol) is the protocol for interconnection between networks, designed so that computer networks can connect to and communicate with each other. On the Internet, it is the set of rules that lets all connected computer networks communicate with one another, and it specifies the rules that computers must follow when communicating on the Internet. Computer systems from any manufacturer can interconnect with the Internet as long as they comply with the IP protocol.
TCP SYN: SYN (synchronize) is the handshake signal used when TCP/IP establishes a connection. When a normal TCP connection is established between a client and a server, the client first sends a SYN message, the server replies with SYN+ACK to indicate that it received the message, and the client finally responds with an ACK message. Only then is a reliable TCP connection established between client and server, and only then can data be transferred between them.
DHCP: DHCP (Dynamic Host Configuration Protocol) is a LAN network protocol that works over UDP. It has two main purposes: automatically assigning IP addresses for an internal network or Internet service provider, and giving users or internal network administrators a means of centrally managing all computers. It is described in detail in RFC 2131.
TTL: TTL is short for Time To Live. This field specifies the maximum number of network segments an IP packet is allowed to pass through before it is discarded by a router.
Option: an optional variable-length option field in DHCP messages, containing configuration information such as the message type, the valid lease period, the IP addresses of DNS servers and the IP addresses of WINS servers.
Embodiment 1:
The present invention proposes a method for obtaining device operating system information from network data, in which the packets generated in the network are passively monitored, the feature data in the packets are extracted and compared with the corresponding feature data preset in a feature database, and the operating system information of the host that sent the packets is thereby inferred.
Embodiment 2:
This embodiment is a further optimization of the above embodiment. To better implement the present invention, the following arrangement is used: the packets include one or more of IP packets, TCP SYN packets and DHCP packets.
Embodiment 3:
This embodiment is a further optimization of the above embodiments. To better implement the present invention, the following arrangement is used: the specific steps of the method for obtaining device operating system information from network data are:
1) The data listening module extracts from the network the IP packets, TCP SYN packets and/or DHCP packets sent by the hosts of interest, then extracts the feature data in those packets and passes it to the data analysis module;
2) After step 1), the data analysis module compares the feature data extracted from the IP packets, TCP SYN packets and/or DHCP packets with the corresponding feature data preset in the feature database, singly or in combination, and, working from fast to slow and from coarse to fine according to the features, infers the operating system information of the host that sent the IP packets, TCP SYN packets and/or DHCP packets.
Embodiment 4:
This embodiment is a further optimization of the above embodiments. To better implement the present invention, the following arrangement is used: step 2) comprises the following specific steps, used singly or in combination:
2-1) Obtain the default TTL feature value from the IP packet and compare it with the corresponding preset feature data, to judge the operating system information of the host that sent the IP packet;
2-2) Obtain the initial TCP window value from the TCP SYN packet and compare it with the corresponding preset feature data, to further judge the operating system information of the host that sent the TCP SYN packet;
2-3) Obtain the DHCP parameter permutation-and-combination information from the DHCP packet and compare it with the corresponding preset feature data, to judge the operating system information of the host that sent the DHCP packet.
Embodiment 5:
This embodiment is a further optimization of the above embodiments. To better implement the present invention, the following arrangement is used: the DHCP parameter permutation-and-combination information is specifically DHCP Option 55.
Embodiment 6:
This embodiment is a further optimization of any of the above embodiments. To better implement the present invention, the following arrangement is used: the preset feature data include the default TTL feature value of IP packets and the operating system information corresponding to that default TTL feature value.
Embodiment 7:
This embodiment is a further optimization of any of the above embodiments. To better implement the present invention, the following arrangement is used: the preset feature data further include the initial TCP window value of TCP SYN packets and the operating system information corresponding to that initial TCP window value.
Embodiment 8:
This embodiment is a further optimization of any of the above embodiments. To better implement the present invention, the following arrangement is used: the preset feature data further include the DHCP Option 55 of DHCP packets and the operating system information corresponding to that DHCP Option 55.
Embodiment 9:
This embodiment is a further optimization of any of the above embodiments: a method for obtaining device operating system information from network data, in which the IP packets, TCP SYN packets and DHCP packets generated in the network are passively monitored, the feature data in the IP packets, TCP SYN packets and DHCP packets are extracted and compared with the corresponding feature data preset in a feature database, and the operating system information of the host that sent the IP packets, TCP SYN packets and DHCP packets is thereby inferred.
The specific steps of the method for obtaining device operating system information from network data are:
1) The data listening module extracts from the network the IP packets, TCP SYN packets and DHCP packets sent by the hosts of interest, then extracts the feature data in those packets and passes it to the data analysis module;
2) After step 1), the data analysis module compares the feature data extracted from the IP packets, TCP SYN packets and DHCP packets with the corresponding feature data preset in the feature database, singly or in combination, and, working from fast to slow and from coarse to fine according to the features, infers the operating system information of the host that sent the IP packets, TCP SYN packets and DHCP packets.
The method specifically applies three parts: default TTL value feature analysis, initial TCP window size (initial TCP window value) feature analysis, and DHCP feature field (DHCP parameter permutation-and-combination information, in particular DHCP Option 55) analysis.
First, default TTL value feature analysis:
TTL is a field defined in the IP header. It keeps a packet from being forwarded excessively on the network: each time a packet passes through a routing device, the TTL value is reduced by 1. When the value reaches 0, the router discards the packet, which prevents routing loops and routing errors from damaging the network. No protocol standardises the initial TTL value, so different operating systems have their own designs, and clear operating system differences can therefore be found in the initial TTL value (the default TTL feature value).
Operating system | Default TTL value |
---|---|
Linux Kernel 2.0 | 64 |
Linux Kernel 2.2+ | 255 |
Windows XP/2000/2003/Vista | 128 |
Windows 95 | 32 |
Windows 95A/B | 128 |
Table 1
Table 1 shows the default TTL feature values of IP packets in the feature database and the operating system information corresponding to each default TTL feature value (a subset of operating systems).
If an IP packet with TTL=125 is captured, this generally means that the host's initial TTL is 128 and that the host is located 3 routing hops away.
As an estimate, the TTL value is a quick and general means, and serves as the first step of data preparation for operating system identification.
Second, initial TCP window size feature analysis:
TCP/IP is the mainstream network communication protocol today and can almost be called the foundation protocol of networking. Because the standards are continually revised, and because the many developers and designers understand these standards differently, each operating system, and each version from each period, differs considerably in how it implements and handles the same communication standard. One of the most obvious differences is the initial TCP window size of the TCP SYN packet during the TCP three-way handshake.
Operating system | Initial TCP window value |
---|---|
AIX 4.3 | 45046 |
FreeBSD 5.1 | 65535 |
Windows Vista | 8192 |
Windows 2003 | 65535 |
Windows XP | 65520 |
Table 2
Table 2 shows the initial TCP window values of TCP SYN packets in the feature database and the operating system information corresponding to each initial TCP window value (a subset of operating systems).
Screening on the initial window value distinguishes different operating systems or operating system versions, and combining it with the result of the default TTL screening further increases the accuracy of the inference.
Third, DHCP feature field analysis:
DHCP is one of the essential protocols that every network terminal device supports, and is used to request a dynamic IP address. The operating system information that DHCP itself carries is very rich. A DHCP message can contain options named Option, which are variable-length fields in the DHCP message; the Option fields contain some lease information, the message type and so on.
The number, order and combination of the options that different operating systems send in a DHCP request can be completely different, so the DHCP parameter permutation and combination can be used to identify the operating system. Here we pay special attention to DHCP Option 55: it differs between operating systems, and the parameter order of this option can reliably distinguish hundreds of terminal device types and operating system types.
Table 3
Table 3 shows the DHCP Option 55 values of DHCP packets in the feature database and the operating system information corresponding to each DHCP Option 55 (a subset of operating systems).
By passively capturing the relevant packets in the network, extracting the feature fields in them, comparing them with the data in the feature database, and filtering and sorting by one or more of the 3 methods, the operating system information of the target host can be determined.
Data listening module: this module extracts from the network the packets sent by the hosts of interest. The content it is specifically concerned with is IP packets (which contain the default TTL value to be extracted), TCP SYN packets (which contain the initial TCP window size to be extracted) and DHCP packets (which contain the Option 55 field, that is, DHCP Option 55). It then extracts the key fields from these packets and sends them to the next module for analysis.
Data analysis module: this module obtains data from the previous module and analyses it. The specific analysis method is as follows:
IP packets: the IP packet, which contains the TTL, is the easiest of the 3 kinds of packet to obtain, and allows the fastest judgement of the target host's operating system. However, because the TTL value decreases with the number of routing hops, it may lead to misjudgement, so the following methods are combined with it to obtain more accurate information;
TCP SYN packets: obtaining a TCP SYN packet may require a short wait, because although TCP connections are very common in a network, the TCP SYN packet appears only in the initial stage, when a TCP connection is first initiated. Because the TCP window size contained in the TCP SYN packet is fixed, once it is obtained it can be determined whether the target host is running one of a considerable number of mainstream operating systems;
DHCP packets: a DHCP packet is sent only when a host requests an IP address from the network. Once the IP address is determined, the host will not send this packet again for some time, so this is the hardest of the 3 kinds of packet to obtain. Once it is obtained, however, the information contained in the Option 55 field of the packet (DHCP Option 55) can determine the operating system information of the target host more accurately;
Then, using the features of these 3 kinds of data singly or in combination, this module infers the operating system information of the target host, working from fast to slow and from coarse to fine according to the features.
Feature database: this module stores the TTL value, initial TCP window size and DHCP Option sequence (Option 55 field) corresponding to each operating system, for the data analysis module to compare against. The feature database can be further adjusted according to experience gained in use, to improve efficiency.
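The listening module, analysis module and feature database described above, as an added Python example that is not code from the patent. TTL_DB and WINDOW_DB repeat Tables 1 and 2; the Option 55 entry, the sample packets and addresses, and all function names are constructed for illustration. It goes slightly beyond the text by flagging hosts whose TTL and window stages disagree.

```python
import socket
import struct

# Feature database. TTL_DB and WINDOW_DB repeat the page's Tables 1 and 2, with
# the "Windows XP/2000/2003/Vista" row split into one name per system.
TTL_DB = {32: {"Windows 95"}, 64: {"Linux Kernel 2.0"}, 255: {"Linux Kernel 2.2+"},
          128: {"Windows XP", "Windows 2000", "Windows 2003", "Windows Vista", "Windows 95A/B"}}
WINDOW_DB = {45046: {"AIX 4.3"}, 65535: {"FreeBSD 5.1", "Windows 2003"},
             8192: {"Windows Vista"}, 65520: {"Windows XP"}}
# Constructed entry: the page lists no Option 55 values, so this parameter order
# is illustrative only and is not a real Windows XP signature.
DHCP_DB = {(1, 3, 6, 15, 31, 33): {"Windows XP"}}
DHCP_MAGIC = b"\x63\x82\x53\x63"


def initial_ttl(observed):
    """Round an observed TTL up to the nearest default; return (default, hops)."""
    default = min(d for d in TTL_DB if d >= observed)
    return default, default - observed


def dhcp_option55(bootp):
    """Return the ordered Parameter Request List (Option 55), or None."""
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    i = 240
    while i + 1 < len(bootp) and bootp[i] != 255:   # 255 = End option
        if bootp[i] == 0:                           # Pad has no length byte
            i += 1
            continue
        code, length = bootp[i], bootp[i + 1]
        value = bootp[i + 2:i + 2 + length]
        if code == 55:                              # reject a truncated list
            return tuple(value) if len(value) == length else None
        i += 2 + length
    return None


def extract_features(packet):
    """Listening module: return (source IP, features) for one raw IPv4 packet."""
    if len(packet) < 20 or (packet[0] >> 4) != 4 or (packet[0] & 0x0F) < 5:
        return None
    feats = {"ttl": packet[8]}
    l4 = packet[(packet[0] & 0x0F) * 4:]            # skip IP header and options
    first_fragment = (struct.unpack("!H", packet[6:8])[0] & 0x1FFF) == 0
    if first_fragment and packet[9] == 6 and len(l4) >= 20:
        flags = l4[13]
        if flags & 0x02 and not flags & 0x10:       # SYN set, ACK clear
            feats["window"] = struct.unpack("!H", l4[14:16])[0]
    elif first_fragment and packet[9] == 17 and len(l4) >= 8:
        if struct.unpack("!HH", l4[:4]) == (68, 67):  # DHCP client -> server
            option55 = dhcp_option55(l4[8:])
            if option55 is not None:
                feats["option55"] = option55
    return socket.inet_ntoa(packet[12:16]), feats


def infer_os(feats):
    """Analysis module: narrow candidates TTL -> TCP window -> Option 55."""
    default, hops = initial_ttl(feats["ttl"])
    stages = [TTL_DB[default], WINDOW_DB.get(feats.get("window"), set()),
              DHCP_DB.get(feats.get("option55"), set())]
    candidates, consistent = set(), True
    for stage in filter(None, stages):              # skip missing/unknown features
        if not candidates:
            candidates = set(stage)
        elif candidates & stage:
            candidates &= stage
        else:                                       # stages disagree: keep finer one
            candidates, consistent = set(stage), False
    return {"candidates": sorted(candidates), "hops": hops, "consistent": consistent}


def fingerprint_hosts(packets):
    """Merge features per source address, then infer each host's OS."""
    hosts = {}
    for packet in packets:
        parsed = extract_features(packet)
        if parsed is not None:
            hosts.setdefault(parsed[0], {}).update(parsed[1])
    return {src: infer_os(feats) for src, feats in hosts.items()}


def build_ipv4(src, ttl, proto, payload):
    """Constructed IPv4 packet for the samples (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto,
                       0, socket.inet_aton(src), socket.inet_aton("192.0.2.1")) + payload


# Constructed payloads: a TCP SYN template and a DHCPREQUEST renewal.
SYN = struct.Struct("!HHIIBBHHH")
DHCP_REQUEST = (struct.pack("!HHHH", 68, 67, 260, 0) + bytes(236) + DHCP_MAGIC
                + bytes([53, 1, 3, 55, 6, 1, 3, 6, 15, 31, 33, 255]))
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.5", 125, 6, SYN.pack(40000, 80, 1, 0, 0x50, 2, 65520, 0, 0)),
    build_ipv4("10.0.0.5", 125, 17, DHCP_REQUEST),
    build_ipv4("10.0.0.9", 64, 6, SYN.pack(40001, 80, 1, 0, 0x50, 2, 65535, 0, 0)),
    b"\x45\x00",  # truncated packet, ignored by extract_features
]
```

Calling `fingerprint_hosts(SAMPLE_PACKETS)` narrows the first host from the five TTL=128 candidates to a single entry, while the second host comes back with `consistent` set to `False` because its TTL and window values point to different rows of the two tables.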
The above is only a preferred embodiment of the present invention and does not limit the invention in any form. Any simple modification or equivalent variation made to the above embodiments in accordance with the technical essence of the present invention falls within the scope of protection of the present invention.
Claims (2)
1. A method for obtaining device operating system information from network data, characterised in that: the packets generated in the network are passively monitored, the feature data in the packets are extracted and compared with the corresponding feature data preset in a feature database, and the operating system information of the host that sent the packets is thereby inferred;
The packets include IP packets, TCP SYN packets and DHCP packets;
The specific steps of the method for obtaining device operating system information from network data are:
1) The data listening module extracts from the network the IP packets, TCP SYN packets and DHCP packets sent by the hosts of interest, then extracts the feature data in the IP packets, TCP SYN packets and DHCP packets and passes it to the data analysis module;
2) After step 1), the data analysis module compares the feature data extracted from the IP packets, TCP SYN packets and DHCP packets with the corresponding feature data preset in the feature database, singly or in combination, and, working from fast to slow and from coarse to fine according to the features, infers the operating system information of the host that sent the IP packets, TCP SYN packets and DHCP packets;
Step 2) comprises the following specific steps, used in combination:
2-1) Obtain the default TTL feature value from the IP packet and compare it with the corresponding preset feature data, to judge the operating system information of the host that sent the IP packet;
2-2) Obtain the initial TCP window value from the TCP SYN packet and compare it with the corresponding preset feature data, to further judge the operating system information of the host that sent the TCP SYN packet;
2-3) Obtain the DHCP parameter permutation-and-combination information from the DHCP packet and compare it with the corresponding preset feature data, to judge the operating system information of the host that sent the DHCP packet.
2. The method for obtaining device operating system information from network data according to claim 1, characterised in that: the preset feature data include the default TTL feature value of IP packets and the operating system information corresponding to that default TTL feature value;
The preset feature data further include the initial TCP window value of TCP SYN packets and the operating system information corresponding to that initial TCP window value;
The preset feature data further include the DHCP Option 55 of DHCP packets and the operating system information corresponding to that DHCP Option 55.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201511003623.5A (CN105554009B) | 2015-12-28 | 2015-12-28 | A method for obtaining device operating system information from network data |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201511003623.5A (CN105554009B) | 2015-12-28 | 2015-12-28 | A method for obtaining device operating system information from network data |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105554009A | 2016-05-04 |
CN105554009B | 2018-10-30 |
Family ID: 55832943
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201511003623.5A (CN105554009B, Active) | 2015-12-28 | 2015-12-28 | A method for obtaining device operating system information from network data |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105554009B (en) |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105959321A (en) * | 2016-07-13 | 2016-09-21 | 中国人民解放军理工大学 | Passive identification method and apparatus for network remote host operation system |
CN106789934A (en) * | 2016-11-29 | 2017-05-31 | 北京神州绿盟信息安全科技股份有限公司 | A kind of network equipment recognition methods and system |
CN107770202A (en) * | 2017-12-11 | 2018-03-06 | 郑州云海信息技术有限公司 | A kind of method from application layer extraction TCP Fingerprinting |
CN107995226A (en) * | 2017-12-27 | 2018-05-04 | 山东华软金盾软件股份有限公司 | A kind of device-fingerprint recognition methods based on passive flux |
CN109327391A (en) * | 2018-08-07 | 2019-02-12 | 阿里巴巴集团控股有限公司 | Target device determines method, apparatus, electronic equipment and storage medium |
CN110213124A (en) * | 2019-05-06 | 2019-09-06 | 清华大学 | Passive operation system identification method and device based on the more sessions of TCP |
CN110336896B (en) * | 2019-07-17 | 2022-04-01 | 山东中网云安智能科技有限公司 | Local area network equipment type identification method |
CN110753134A (en) * | 2019-09-30 | 2020-02-04 | 互联网域名系统北京市工程研究中心有限公司 | Multi-policy DHCP client classification method and system |
CN112738102B (en) * | 2020-12-29 | 2023-01-10 | 北京天融信网络安全技术有限公司 | Asset identification method, device, equipment and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120255019A1 (en) * | 2011-03-29 | 2012-10-04 | Kindsight, Inc. | Method and system for operating system identification in a network based security monitoring solution |
CN103544089A (en) * | 2013-10-13 | 2014-01-29 | 西安电子科技大学 | Xen-based operating system identification method |
CN103746826A (en) * | 2013-10-29 | 2014-04-23 | 湖南蚁坊软件有限公司 | Method for automatically detecting and identifying operating systems of host computers in network |
CN104410540A (en) * | 2014-11-14 | 2015-03-11 | 中国联合网络通信集团有限公司 | A method and device for obtaining information of an operating system of a mobile terminal |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7519561B2 (en) * | 2005-11-10 | 2009-04-14 | International Business Machines Corporation | System, method and program to manage software licenses |
US20070294699A1 (en) * | 2006-06-16 | 2007-12-20 | Microsoft Corporation | Conditionally reserving resources in an operating system |
- 2015-12-28: CN201511003623.5A, patent CN105554009B (en), status Active
Non-Patent Citations (1)
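Title |
---|
"Target Host Operating System Identification Technology"; Chen Zhe, Wang Qingxian, Xie Yuqiang; Proceedings of the 9th CERNET Academic Annual Conference; 20031208; page 299, lines 21-22, 24, 32-33 * |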
Also Published As
Publication number | Publication date |
---|---|
CN105554009A (en) | 2016-05-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105554009B (en) | A method of passing through Network Data Capture device operating system information | |
US11399288B2 (en) | Method for HTTP-based access point fingerprint and classification using machine learning | |
US8042182B2 (en) | Method and system for network intrusion detection, related network and computer program product | |
Izhikevich et al. | {LZR}: Identifying unexpected internet services | |
CN110213212A (en) | A kind of classification method and device of equipment | |
US20090182864A1 (en) | Method and apparatus for fingerprinting systems and operating systems in a network | |
US20210092610A1 (en) | Method for detecting access point characteristics using machine learning | |
CN109587156A (en) | Abnormal network access connection identification and blocking-up method, system, medium and equipment | |
CN110417717B (en) | Login behavior identification method and device | |
US10375118B2 (en) | Method for attribution security system | |
CN111565203B (en) | Method, device and system for protecting service request and computer equipment | |
CN112995151A (en) | Access behavior processing method and device, storage medium and electronic equipment | |
Osanaiye et al. | TCP/IP header classification for detecting spoofed DDoS attack in Cloud environment | |
Albanese et al. | A deception based approach for defeating OS and service fingerprinting | |
CN102025567A (en) | Sharing access detection method and related device | |
CN113518042B (en) | Data processing method, device, equipment and storage medium | |
Mongkolluksamee et al. | Counting NATted hosts by observing TCP/IP field behaviors | |
CN103944788A (en) | Unknown trojan detecting method based on network communication behaviors | |
CN111935212A (en) | Security router and Internet of things security networking method based on security router | |
Choi et al. | Automated classifier generation for application-level mobile traffic identification | |
Xu et al. | Multidimensional behavioral profiling of internet-of-things in edge networks | |
US8724506B2 (en) | Detecting double attachment between a wired network and at least one wireless network | |
Hafiz et al. | Profiling and mitigating brute force attack in home wireless LAN | |
BR102020003105A2 (en) | METHOD FOR DETECTION OF FAKE DNS SERVERS USING MACHINE LEARNING TECHNIQUES | |
Cusack et al. | Detecting and tracing slow attacks on mobile phone user service |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||