Operating System Discovery Using Answer Set Programming

The goal of operating system (OS) discovery is to learn which OS is running on a remote computer by looking at differences in the TCP/IP stack implementation of different vendors. There are two main strategies for OS discovery: passive, where deductions are made by looking at regular communications between computers, and active, where stimuli are sent to the target to see how it reacts in specific (often non-standard) situations. Each technique has its advantages as well as its drawbacks. The work described here studies how logic programming under the answer set semantics can be used to address, in a simple and elegant way, the task of operating system discovery by logically specifying the problem and providing solutions through automated reasoning. As a result of using such a knowledge representation framework, it is possible to unify the active and passive methods for OS discovery in a single hybrid approach that has the advantages of both strategies while being much more versatile. Current passive tools for OS discovery (OSD) have huge limitations. First, each packet is processed individually, meaning a stimulus-response correlation is not possible. Secondly, they are memoryless; that is, each packet is considered as being the only available information without considering the previous deductions. This greatly limits their accuracy. While active OSD tools are much more accurate, they also have shortcomings. First, they are usually very noisy (sometimes generating several hundreds of packets to discover the OS of a single host). Secondly, they often generate abnormal traffic (to see how the host reacts in non-standard situations) which may interfere with network monitoring tools such as intrusion detection systems. To circumvent those problems, we propose to use logic programming to implement a passive OSD module, and planning (on top of the passive module) to implement an active module, in a hybrid approach.