TY - JOUR
T1 - SoFi
T2 - Spoofing OS Fingerprints Against Network Reconnaissance
AU - Han, Xu
AU - Li, Haocong
AU - Wang, Wei
AU - Wang, Haining
AU - Ma, Xiaobo
AU - Ji, Shouling
AU - Li, Qiang
N1 - Publisher Copyright:
© 2005-2012 IEEE.
PY - 2025
Y1 - 2025
N2 - Fingerprinting is a network reconnaissance technique utilized for gathering information about online computing systems, including operation systems and applications. Unfortunately, attackers typically leverage fingerprinting techniques to locate, enumerate, and subsequently target vulnerable systems, which is the first primary stage of a cyber attack. In this work, we explore the susceptibility of machine learning (ML)-based classifiers to misclassification, where a slight perturbation in the packet is included to spoof OS fingerprints. We propose SoFi (Spoof OS Fingerprints), an adversarial example generation algorithm under TCP/IP specification constraints, to create effective perturbations in a packet for deceiving an OS fingerprint. Specifically, SoFi has three major technical innovations: (1) it is the first to utilize adversarial examples to automatically perturb fingerprinting techniques; (2) it complies with constraints and integrity of network packets; (3) it achieves a high success rate in spoofing OS fingerprints. We validate the effectiveness of adversarial packets against active and passive OS fingerprints, verifying the transferability and robustness of SoFi. Comprehensive experimental results demonstrate that SoFi automatically identifies applicable and available OS fingerprint features, unlike existing tools relying on expert knowledge.
AB - Fingerprinting is a network reconnaissance technique utilized for gathering information about online computing systems, including operation systems and applications. Unfortunately, attackers typically leverage fingerprinting techniques to locate, enumerate, and subsequently target vulnerable systems, which is the first primary stage of a cyber attack. In this work, we explore the susceptibility of machine learning (ML)-based classifiers to misclassification, where a slight perturbation in the packet is included to spoof OS fingerprints. We propose SoFi (Spoof OS Fingerprints), an adversarial example generation algorithm under TCP/IP specification constraints, to create effective perturbations in a packet for deceiving an OS fingerprint. Specifically, SoFi has three major technical innovations: (1) it is the first to utilize adversarial examples to automatically perturb fingerprinting techniques; (2) it complies with constraints and integrity of network packets; (3) it achieves a high success rate in spoofing OS fingerprints. We validate the effectiveness of adversarial packets against active and passive OS fingerprints, verifying the transferability and robustness of SoFi. Comprehensive experimental results demonstrate that SoFi automatically identifies applicable and available OS fingerprint features, unlike existing tools relying on expert knowledge.
KW - Adversarial machine learning (ML)
KW - fingerprinting
KW - operating system (OS)
UR - https://www.scopus.com/pages/publications/105002782136
U2 - 10.1109/TIFS.2025.3561673
DO - 10.1109/TIFS.2025.3561673
M3 - 文章
AN - SCOPUS:105002782136
SN - 1556-6013
VL - 20
SP - 4484
EP - 4497
JO - IEEE Transactions on Information Forensics and Security
JF - IEEE Transactions on Information Forensics and Security
ER -