Академический Документы
Профессиональный Документы
Культура Документы
US 8,458,308 B1
Jun. 4, 2013
(75)
(73)
( * )
lnvemor'
_
726/25
. 726/23
.. 370/255
726/23
~~ . . . . ..
(22)
(51)
(52)
(58)
Flled'
Int Cl
Aug 23 2006
NmapiFree Security Scanner for Network Exploration & Security Audits, Oct. 18, 1998, http://insecureorg.
Remote OS Detection viaTCP/IP Fingerprinting, http://insecure.org/
G06F 15/173
(200601)
nman/nmap-?ngerprinting-article.htrnl.
Michael]. Martin, Router Expert: IOS DHCP services,partl, Dec. 17, 2092, htrp://searchnerwor1<inglechtargehconvtip/118948350172
IEfI1fl698ZLghtInl
1 e " my,
N
ex
_
enemmn
DHCP D 1
eP Omen,
F b
e '
2005.
* cited by examiner
Primary Examiner * Phuoc Nguyen
7,181,493 B2 * 7,225,427 B2 *
2/2007 English et al. .............. .. 709/204 5/2007 Qureshi et al. .... .. 717/120
7,299,304 B2 *
7,356,679 B1*
11/2007 Saint-Hilaire et a1
4/2008 Le et al. ............ ..
.. 710/11
713/1
7,496,662 B1 *
7,523,231 B1*
709/224
7,623,547 B2
7,634,567 B1 *
A1* 11/2003 Rowland et al. A1* 1/2004 Cole et a1. A1* 4/2004 Keir et al. A1* 10/2004 Hanam et al.
4/2005 11/2005 Rowland ....... ..
features of a ?ngerprint associated with an operating system. An exact match of the features is not required to determine
2005/0086522 A1*
2005/0203901 A1*
2005/0256871 A1*
9/2005 Waldvogel et al
707/5
100\
104 106
Extracted Data
Operating
System Data
Fingerprint
Database
102
US. Patent
Jun. 4, 2013
Sheet 1 of8
US 8,458,308 B1
104
106
Extracted
Operating System
Operating
Data
Data Determination
A
System Data
Fingerprint
Database 102
FIG. 1
US. Patent
Jun. 4, 2013
Sheet 2 of8
US 8,458,308 B1
\202
\204
V
\206
FIG. 2
US. Patent
Jun. 4, 2013
Sheet 3 0f 8
US 8,458,308 B1
IP Header
\302 \304
\306
UDP Header
BOOTP Header
DHCP Options
FIG. 3
\308
US. Patent
Jun. 4, 2013
Sheet 4 0f 8
US 8,458,308 B1
Collect Data
ll
Analyze Data
ll
Populate Database
FIG. 4
US. Patent
Jun. 4, 2013
Sheet 5 of8
US 8,458,308 B1
( Start >
V
from Known OS
V
Message
V
No
508
Yes
FIG. 5A
US. Patent
Jun. 4, 2013
Sheet 6 of8
US 8,458,308 B1
\520
D0
Other Operating
Systems have this
Field Value
9
Yes
No
Add to Fingerprint
\524
i
Yes MOI'G Fields to Check
'2
' 526
No
ll
End
528
FIG. 5B
US. Patent
Jun. 4, 2013
Sheet 7 of8
US 8,458,308 B1
Service Pack 2
C=2
Server
C=3
614
Service Pack 1
616
618
620
FIG. 6
US. Patent
Jun. 4, 2013
Sheet 8 of8
US 8,458,308 B1
No
704
Return Indication
Yes
/
No
Yes
Return Match Data
FIG. 7
US 8,458,308 B1
1
OPERATING SYSTEM FINGERPRINTING BACKGROUND OF THE INVENTION
2
DETAILED DESCRIPTION
The invention can be implemented in numerous ways, including as a process, an apparatus, a system, a composition of matter, a computer readable medium such as a computer readable storage medium or a computer network wherein program instructions are sent over optical or communication
The Dynamic Host Con?guration Protocol (DHCP) is a network protocol that manages the assignment of IP addresses, subnet masks, default routers, and other IP param
eters. The assignment usually occurs when a DHCP con?g ured device boots up or regains connectivity to the network.
The DHCP client sends out a query requesting a response
from a DHCP server on the network. The DHCP server then
described as being con?gured to perform a task includes both a general component that is temporarily con?gured to per
form the task at a given time or a speci?c component that is
broadcast and unicast. DHCP may be used in conjunction with authentication and
authorization. For example, a user attempting to connect to a network at a hotel is redirected to a registration or sign-in page, where the user agrees to a usage policy and charges for
manufactured to perform the task. In general, the order of the steps of disclosed processes may be altered within the scope of the invention.
A detailed description of one or more embodiments of the
that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the
invention is not limited to any embodiment. The scope of the
encompasses numerous alternatives, modi?cations and equivalents. Numerous speci?c details are set forth in the
according to the claims without some or all of these speci?c details. For the purpose of clarity, technical material that is known in the technical ?elds related to the invention has not been described in detail so that the invention is not unneces
sarily obscured.
FIG. 1 is a block diagram illustrating an embodiment of a
35
approaches are limited in that for security reasons, the client may only allow requests from certain IP addresses. Thus, an improved method for determining information
about a client device is needed. In particular, it would be useful to be able to identify information associated with the
40
print database 102, OC data determination block 106 deter mines operating system data 108 associated with extracted data 104. Operating system data 108 includes information about the OS at any level of granularity, from the vendor (e. g., Microsoft) to the exact version and service pack (e. g.,
Microsoft Windows XP Service Pack 2). In some embodi
?ngerprint database.
FIG. 5B is a ?ow chart illustrating an embodiment of a
60
operating system.
FIG. 6 is a ?ow chart illustrating an embodiment of an
ments, operating system data 108 includes information about the implementation of the DHCP client, as more fully described below. In some embodiments, operating system data 108 includes other information about hardware, ?rm
ware, or software running on the device.
US 8,458,308 B1
3
embodiments, the operating system data is vieWable in a GUI
as Well as available via anAPI, such as a Perl API.
4
(option 55). The parameter request list includes one or more
Operating system data 108 may be used in various Ways. Different activities may be performed based on OS data 108.
In some embodiments, an authorization and/ or authentication
parameters being requested from the DHCP server. The folloWing are examples of client DHCP messages obtained using a packet sni?ing program called tcpdump
from tcpdump.org. tcpdump is run on the DHCP server, Where the DHCP server is dhcpd from OpenBSD 3 .8. In these
program queries for the operating system data and uses it to make a policy decision. For example, the OS data 108 could
be used to make a judgment on What type of vulnerability scan to perform on the client. In another example, OS data 108 could be used to terminate the authentication sequence. For
examples, long lines from tcpdump are Wrapped for readabil ity. Fields from the IP header, UDP header, and BOOTP header are shoWn in the ?rst paragraph. FolloWing Vendor
rfc1048 are the DHCP options. CID is the MAC address of the client, HN is the host name, and PR is the parameter
example, a possible Wireless access point is identi?ed that is prohibited. In another example, if an IP phone comes on the network, OS data 108 could be used to determine Which lease
range and VLAN to use. In some embodiments, a DHCP server includes OS data
may be used to uniquely identify (or ?ngerprint) the particu lar operating system.
The folloWing is an example of a tcpdump from a DHCP discover message from a client running WindoWs XP Pro:
includes or communicates With OS data determination block 106. Various DHCP servers may be used. Examples of DHCP
[none],
20
proto:
UDP
(17),
length:
328)
any appropriate device and operating system. Examples of devices include personal computers, laptops, IP telephones, mobile devices, etc. Examples of operating systems include WindoWs XP Pro, Mac OS X, Apple Airport Express, NetScreen ScreenOS, OpenBSD, Unix, Linux etc. Examples
of these systems are provided beloW.
FIG. 2 is a ?oW chart illustrating an embodiment of a
HN:kstevens-xp
30
process for determining operating system data about a client device. In some embodiments, this process is performed by OS determination block 106. In the example shoWn, a mes sage associated With DHCP is received at 202. Examples of messages associated With DHCP include DHCP discover, DHCP request, DHCP inform, DHCP decline, and DHCP release messages. At 204, data is extracted from the message. Data extracted includes features of the message. Examples of features include ?elds, order of the ?elds, ?eld values, order of the ?eld values, and any other feature associated With the
from the message. Examples of ?elds include IP header, UDP header, BOOTP header, and/or DHCP options ?elds. At 206,
operating system data is determined based on the extracted data. In some embodiments, the ?eld values are prioritized and a ?ngerprint database is consulted to determine operating
system data, as more fully described beloW. In some embodi
The following is an example of a tcpdump from a DHCP request message from a client running WindoWs XP Pro:
[none],
proto:
UDP
(17),
length:
346)
DHCP:REQUEST
CID: [ether] 00:0d: 60:b2:61 :6b
RQ:172.29.10.104
SID:172.29.10.254
45
HN:kstevens-xp FQDN:kstevens-xp.
ments, data from multiple messages is used to determine the operating system. For example, data from a ?rst message may be used to narroW doWn the operating system to tWo choices.
Data from a second message may be used to select from the tWo choices. FIG. 3 illustrates an example of ?elds in a DHCP message
sent to a DHCP server from a client device. In some embodi
50
As shoWn, the client sets the auto con?guration option (option 116 de?ned in RFC 2563) to 1 (NOAUTO:Y). The
vendor class identi?er is set to MSFT 5.0. WindoWs 2000 and XP DHCP clients may set vendor class to this string; WindoWs 98 and Microsoft WindoWs ME DHCP clients may set the value to MSFT 98.
55
?elds 302, UDP header ?elds 304, BOOTP header ?elds 306, and DHCP options ?elds 308. Examples of IP header ?elds 302 include type of service, time to live, IP ID, offset, ?ags, protocol, and length. Examples of UDP header ?elds 304
include UDP checksum, source IP address, source port, des
60
The parameter request list includes several NETBIOS options (WNS+WNT+WSC), Which are speci?c to Win doWs. It also includes the router discovery request option (option 31) as Well as option 249, Which is in the private use
range. The folloWing is an example of a tcpdump from a DHCP discover message from a client running Mac OS X:
tination IP address, and destination port. Examples of BOOTP header ?elds 306 include client MAC address, ?ags, and transaction ID. Examples of DHCP options ?elds 308
include DHCP message type (option 53), auto-con?guration option (option 116), client identi?er (option 61), host name (option 12), vendor class identi?er (option 60), maximum DHCP message siZe (option 57), and parameter request list
?ags
65
[none],
proto:
UDP
(17),
length:
328)
US 8,458,308 B1
5
Client Ethernet Address: 00:11:24:8a:a6:82 Vendor-rfc 1048: DHCP:DISCOVER
SCOPE+LDAP+T252 MSZ: 1500
6
The folloWing is an example of a tcpdump from a DHCP discover mes sage from a client running NetScreen ScreenOS:
[none],
proto:
UDP
(17),
length:
328)
ClD:[ether]00:11:24:8a:a6:82
LT:7776000
The following is an example of a tcpdump from a DHCP request message from a client running Mac OS X:
?ags
[none],
proto:
UDP
(17),
length:
328)
VC:netscreen-5
The folloWing is an example of a tcpdump from a DHCP request message from a client running NetScreen ScreenOS:
[none],
20
proto:
UDP
(17),
length:
328)
DHCP:REQUEST
SCOPE+LDAP+T252 MSZ: 1500
ClD:[ether]00:11:24:8a:a6:82 RQ:172.29.10.103
SID:172.29.10.254
DHCP:REQUEST RQ:172.29.10.102
VC:netscreen-5 SID:172.29.10.254
The parameter request list contains SLP (Service Location Protocol, RFC 2610) and Netinfo options (1 12 and 113 Which
are referenced in RFC 3679 and appear to be Apple speci?c). The maximum message siZe option (option 57) is set to 1500. The folloWing is an example of a tcpdump from a DHCP
30
DHCP client sets the IP address lease time option (option 51)
35
Express:
06:51 :44.999176 1P (tos 0x0, ttl 32, id 31927, offset 0, ?ags
[DF],
proto:
UDP
(17),
length:
304)
in the parameter request list Which may be a bug in this version; this option should be used to request a speci?c lease time. The server identi?er option (option 54) is in the request list, Which may also be a bug. The transaction identi?er is using less than 16 bits of the 32 bits available.
The folloWing is an example of a tcpdump from a DHCP discover message from a client running OpenBSD:
[none],
proto:
UDP
(17),
length:
328)
ClD:[ether]00:11:24:04:30:0c
The folloWing is an example of a tcpdump from a DHCP
request message from a client running AppleAirport Express: 06:51 :49.999209 1P (tos 0x0, ttl 32, id 34999, offset 0, ?ags
[DF],
proto:
UDP
(17),
length:
316)
50
[none],
proto:
UDP
(17),
length:
328)
DHCP:REQUEST RQ:172.29.10.101
SID:172.29.10.254 MSZ:590
60
RQ:172.29.10.100 DHCP:REQUEST
SID:172.29.10.254
LT:7776000
ClD:[ether]00:11:24:04:30:0c
In this case, the parameter request list is shorter than that in the other examples. The parameter request list sets the maxi
mum message siZe to 590 (the default maximum is 576 bytes). The IP TTL is 32 and the DF bit is set.
subnet-mask,
broadcast-address,
time-offset,
routers,
US 8,458,308 B1
7
In this case, the host dhclient.conf has overridden the default
8
The folloWing is an example of data stored in a ?ngerprint database for a Cisco IP telephone:
to: request subnet-mask, broadcast-address, routers, domain name, domain-name-servers, host-name. TOS is 0x10 (minimize delay). Other clients in the above examples do not set TOS. IP TTL is 16. Other clients in the
above examples do not have an IP TTL of 16. IP ID is 0 and other clients in the above examples have a nonZero IP ID. These values are set in packet.c:assembie_udp_ip_header( ). In this case, these features may characteriZe the implementa tion, but not the OS. For example, an indication that the message is from an ISC DHCP client (With an unknown OS) is returned.
FIG. 4 is a ?owchart illustrating an embodiment of a pro cess for creating a ?ngerprint database. In some embodi
DOi60:text-re:ACisco Systems, Inc\. IP Phone # all options must appear in parameter request list
sages. Examples of data include features of the messages, such as ?elds, ?eldvalues, and order of ?elds and ?eld values. For example, the data collected includes the DHCP options and the order of the DHCP options. In some embodiments, rather than observing DHCP messages from a knoWn operat ing system, the source code is available and data is obtained
from source code. In some embodiments, data is collected for
DO_ST:dhcp-parameter-request-list-match-all:43,
249
31,
multiple operating systems and all the data is stored in a table for analysis. In some embodiments, data is collected for all operating systems from Which an operating system determi nation block expects to receive DHCP messages. At 404, the data is analyZed. Analysis may be manual or automatic. In
some embodiments, the table is analyZed for one or more ?eld values and/or order of ?eld values that are unique to one or
DO_ST:dhcp-message-type:3
DO_ST:vendor-class-identi?er:MSFT 5.0
DO_ST:dhcp-parameter-request-list-match-all:43,
30
31,
ti?ed. At 406, the ?ngerprint database is populated. In various embodiments, the ?ngerprint database may be stored in vari
ous Ways. The data may be accessed using an ordered tree, as
35
more fully described beloW. In some embodiments, for each operating system, the fol
process for collecting data for the purposes of creating a ?ngerprint database. In some embodiments, this process is used to perform 402. At 502, a DHCP message is received from a device running a knoWn operating system to be ?n gerprinted. For example, the DHCP message is a DHCP discover or request message. At 504, data is extracted from the DHCP message. In some embodiments, the ?elds, ?eld
values, and/ or order of the ?eld values are extracted. For
example, IP header ?eld values, UDP header ?eld values, BOOTP header ?eld values, and DHCP options ?eld values
are collected. The DHCP options ?elds and the order of the DHCP options ?elds are collected. The DHCP options ?elds
set (DFO)
UDP data: UH_SUM: UDP checksum. Exact match. Match no check sum (0). BOOTP data: BH_FLAGS: Flags. BC can be used to match broadcast bit. DHCP data: DO_ST:standard-name:value Document standard names; ISC standard options as base.
45
include the parameter request list. The parameters requested and the order of the parameters requested is collected. At 506, the extracted data is stored. For example, the
extracted data is stored in a table, a ?le, and/or a database. At 508, it is determined if the process is done. In some embodi ments, the process is done When a su?icient number of mes
For example, if it is observed that a particular ?eld has a value in a message, but the value changes in another message from the same operating system, then that value cannot necessarily
ing system to determine a ?ngerprint. If the process is not done, the process returns to 502. In some embodiments, process 500 is performed to collect
FP:Avaya IP Telephone
IH_TOS: 0x0
IH_FLAGS:DF1
# match DHCPDISCOVER only
FIG. 5B is a How chart illustrating an embodiment of a process for analyZing data to determine a ?ngerprint of an
DO_ST:dhcp-message-type: l
65
operating system. In some embodiments, process 516 is used to perform 404 for each operating system to be ?ngerprinted. Process 516 may be performed automatically (e.g., by a pro gram) or manually (e.g., by a user). At 518, the process starts by picking a ?rst ?eld. At 520, the
value of the ?eld is determined. At 522, it is determined Whether any other operating systems have the same ?eld
US 8,458,308 B1
9
value. If not, then the ?eld and ?eld value are added to the ?ngerprint for that OS at 524 and the process continues at 526. If it is determined that one or more operating systems have the same ?eld value, then the process continues at 526. At 526, it is determined Whether there are other ?elds to check. If there are other ?elds to check, the process returns to 520. If there are no other ?elds to check, the process ends at 528. In this example, a ?ngerprint based on ?eld values is deter
mined. In some embodiments, a ?ngerprint based on a com bination of one or more ?eld values is determined. For
10
client sending a DHCP message. In some embodiments, ordered tree 600 is used at 206 to determine operating system data based on extracted data. FIG. 7 is a How chart illustrating an embodiment of a
At 701, a ?ngerprint database is accessed. For example, ?ngerprint database 102 is accessed. At 702, the database is
searched for a match of a high priority ?eld. In some embodi
526, it is determined Whether there are other combinations to check. In some embodiments, all combinations are checked.
Similarly, this process may be altered as appropriate for determining a ?ngerprint based on ?elds, order of ?elds, order of ?eld values, and any other appropriate feature.
FIG. 6 is a How chart illustrating an embodiment of an
ments, ?elds are prioritized hierarchically according to an ordered tree. For example, a high priority ?eld corresponds to a ?eld that uniquely identi?es the operating system at a root node. For example, in FIG. 6, nodes 602 and 604 are root nodes and A is a high priority ?eld. All child nodes of node
602 also have ?eld A set to 0. In some embodiments, the
20
ordered tree used in conjunction With a ?ngerprint database. In the example shoWn, ordered tree 600 is arranged based at least in part on an operating system hierarchy. Ordered tree 600 is shoWn to include root nodes 602-604, branch nodes 606-614, and leaf nodes 616-620. Root nodes 602-604 cor respond to vendors of operating systems. In this case, node 602 corresponds to Microsoft and node 604 corresponds to
25
Apple. Branch nodes 606-614 correspond to operating sys tem products associated With each vendor. For example, node
606 corresponds to WindoWs XP and is a child of node 602. Similarly, node 610 corresponds to Mac OS X and is a child of node 604. The next level doWn includes nodes 616, 618,
nodes after node 602. If for example ?eld B distinguishes node 606 from node 608, it is the next highest priority ?eld.
At 710, it is determined if a match is found. If a match is not
and 614. These nodes correspond to more speci?c versions of their parent nodes. For example, node 618 corresponds to Service Pack 2, Which is a child ofnode 606. Thus, node 618 corresponds to Microsoft WindoWs XP Service Pack 2. In this example, node 614 corresponds to WindoWs NT Server and is
a child of node 608 (WindoWs NT). DoWn one more level is
found, an indication of this and match data is returned at 712. For example, if the message had ?eldA set to 0 and ?eld B set
35
to 5, then a match for ?eld B is not found in ordered tree 600. An indication that Microsoft Was found (but no further match Was found) is returned. As shoWn in this example, an exact match of all ?elds is not needed to return operating system data. If at 710, a match is found, then it is determined Whether
40
checking ?elds is done at 714. For example, it is determined Whether there is another ?eld to check. In FIG. 6, for example, after ?eld B is checked, ?eld C can still be checked, so it is determined that it is not done checking ?elds. If it is not done checking ?elds, the process returns to 708. For example, the next highest priority ?eld after ?eld B is ?eld C and the
database is searched for a match to the value of ?eld C.
example, if the message had ?eld A set to 0, ?eld B set to l, and ?eld C set to 2, then Microsoft WindoWs XP Service Pack 2 is returned. In some embodiments, an indication that
all ?eld matches Were made (or the ?ngerprint Was an exact or
high level ?ngerprint for WindoWs is AIO. The ?ngerprint for node 606 is AIO, BIl. The ?ngerprint for node 618 is AIO, BIl, C:2. Child nodes have ?ngerprints that include the ?ngerprints of their parent nodes.
In some embodiments, process 516 may be used to deter mine ?ngerprints for each node of ordered tree 600. For example, to determine a ?ngerprint for node 602, at 518 and
526, ?elds to check are ?elds that have ?eld values that are
Microsoft WindoWs XP Service Pack 2 is associated With a leaf node indicates that all ?eld matches Were made. In some embodiments, at 704 and/ or 710, if a match is not found, a search the process continues to look for matches of
60
common to all operating systems from that vendor. At 522, it is determined Whether other vendors have the ?eld and ?eld value. If not, then at 524, the ?eld and ?eld value are added to
other ?elds. For example, if the message had ?eldA set to 0, ?eld B set to 4, and ?eld C set to 2, then even though ?eld B does not have a match (see FIG. 6), ?eld C has a match With node 618. Therefore, Microsoft WindoWs XP Service Pack
US 8,458,308 B1
11
?elds (?elds B and C) match the ?ngerprint for Microsoft
Windows XP Service Pack 2. None of the other nodes have
tWo or more matching ?elds.
12
What is claimed is:
ing:
receiving at a processor a message associated With a net
Work protocol;
extracting a set of features from the message; and
the tie and both matches are returned. In some embodiments, multiple candidates are returned. In some embodiments, each candidate is returned With a score
including:
traversing an ordered tree that is organized according to
various data may be returned. For example, it may be possible to rule out operating systems. Data about Which operating
systems the message is not from may be returned in this case.
obtaining features of a ?ngerprint associated With each node of the ordered tree organized according to levels
of granularity of operating system hierarchy from a ?ngerprint database, Wherein the ?ngerprint database comprises features of a ?ngerprint associated With
each node of the ordered tree and unique to the node corresponding to a level of granularity of the operat ing system hierarchy, Wherein a feature of a ?nger
print comprises a set of one or more ?elds, order of
rather than ?elds. For example, the folloWing features could be prioritized in the folloWing order: value of ?eldA, value of ?eld B, order of the values of ?eld D, order of ?elds A and B, and presence of ?eld E. In some embodiments, Whether the
DHCP option vendor class includes the text MSFT is a
45
?ngerprint has ?elds AIO, BIl, and C:2, in that order and a message has ?elds BIl, AIO in that order, a match could be determined even though the message does not have a ?eld C, nor does it list the ?elds in the same order as the ?nger print. Although the terms client or client device may be used
nodes in the ordered tree organized by levels of granularity of operating system hierarchy are associated With high level ?ngerprints unique to the higher level node.
7. A method as recited in claim 1, Wherein the ?ngerprint database is created at least in part by: collecting messages from a plurality of knoWn operating
55
in these examples, the techniques described herein may be used With any appropriate device. Besides DHCP messages, the techniques described herein may apply to other types of messages. For example, these techniques may be extended to Domain Name System (DNS) messages. For example, a DNS
server could use these techniques to ?ngerprint resolvers and
systems;
extracting ?elds from the received messages;
60
analyzing the extracted ?elds, including, for each knoWn operating system identifying features of a ?ngerprint for each level of granularity of operating system data that is unique to the knoWn operating system, Wherein features
of a ?ngerprint comprise one or more ?elds, order of
servers making queries. Although the foregoing embodiments have been described
in some detail for purposes of clarity of understanding, the
invention is not limited to the details provided. There are
65
?elds, ?eld values, or order of ?eld values; creating the ?ngerprint database at least in part by popu lating the ?ngerprint database With the identi?ed fea tures for each level of granularity of operating system
data.
US 8,458,308 B1
13
8. The method of claim 7, wherein analyzing the extracted
14
the message and features of a ?ngerprint associated With an operating system at a plurality of levels of granularity,
including:
traversing an ordered tree that is organiZed according to
system granularity.
9. The method of claim 7, Wherein creating the ?ngerprint
database includes determining Whether a su?icient number of
messages have been collected prior to analyZing the extracted ?elds. 10. The method of claim 9, Wherein determining Whether a suf?cient number of messages have been collected includes
determining Whether a particular ?eld has a ?eld value that changes from message to message for the same knoWn oper
system hierarchy;
obtaining features of a ?ngerprint associated With each node of the ordered tree organiZed according to levels of
ating system.
11. The method of claim 7, Wherein analyZing includes: for each knoWn operating system, selecting a ?eld of the
knoWn operating system, determining the ?eld value of the selected ?eld, and determining Whether any other of the knoWn operating systems has the same ?eld and ?eld
value;
in the event that it is determined that none of the other
knoWn operating systems have the same ?eld and ?eld value, identifying the ?eld or ?eld value as unique to the
associated With the node determines operating system data With a level of granularity represented by the node,
and Wherein a match of the features at every level of
granularity is not required to determine operating sys tem data; and a memory coupled With the processor, Wherein the memory provides the processor With instructions. 21. A system as recited in claim 20, Wherein matching includes determining a partial match of the features.
22. A non-transitory computer readable storage medium and comprising computer instructions for:
receiving a message associated With a netWork protocol;
extracting a set of one or more features from the message;
and
15. A method as recited in claim 1, Wherein the operating system data includes an implementation of a DHCP client. 16. A method as recited in claim 1, Wherein the message is received from a DHCP client.
17. The method of claim 1 further comprising using the operating system data to make a policy decision. 18. The method of claim 1, Wherein determining operating system data includes resolving a tie betWeen tWo operating
systems that have a closest match to the features of the mes sage.
55
of granularity of operating system hierarchy from a ?ngerprint database, Wherein the ?ngerprint database comprises features of a ?ngerprint associated With
each node of the ordered tree and unique to the node corresponding to a level of granularity of the operat ing system hierarchy, Wherein a feature of a ?nger
print comprises a set of one or more ?elds, order of
19. The method of claim 18, Wherein resolving the tie includes checking other features that Were not originally extracted.
60
including:
a processor con?gured to: receive a message associated With a netWork protocol; extract a set of features from the message; and
65
associated With the node determines operating system data With a level of granularity represented by the node,
US 8,458,308 B1
15
and wherein a match of the features at every level of
16
23. A non-transitory computer readable storage medium as recited in claim 22, Wherein matching includes determining a 5 partial match of the features.
* * * * *