Many modern malware implementations carry out their activities using virtual machines to escape detection from antivirus software running on the host OS. Such malware is hard to detect because the context data and state of the programs run by a virtual machine can't be accessed by antivirus software installed on the native OS. This malware can also be used as part of a botnet to transfer information from the infected machine to a command-and-control center. If the OSs running in these virtual machines differ from the native OSs, the malicious OSs can be identified and the infected machines can be cleaned.

Due to increasing OS vulnerabilities, enterprise network administrators must regularly perform OS audits. [1] These help determine the various services running on different systems and identify OSs with flaws that might cause vulnerabilities in the enterprise network. Audits also help in configuring network-based intrusion detection systems and maintaining an adaptive enterprise security policy.

An unauthorized OS might have been installed either by a malicious user without obtaining permission from a network administrator or by a virtual machine installed by malware over a native host OS. If the OS determined from the packets generated by an enterprise host differs from the OS originally installed on the host machine, an unauthorized OS is likely present.

By analyzing the initial values of certain protocol flags, options, packet fields, and data in the packets that a host sends over a network, we can determine the OS installed on a host. Although various RFCs [2-7] specify definitions and interpretations of different TCP/IP packet fields, many fail to specify a standard set of initial values for these fields. As a consequence, developers of various OSs implement the protocol stack with different initial values for these fields. Packet fingerprints are derived from these implementation dissimilarities among the communication protocols of various OSs. Similar to the way a human fingerprint serves as a tool to uniquely identify a person, an OS can be uniquely identified on a network by its packet fingerprint.
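The audit described above, as an added example that is not part of the original article: a passive fingerprinter that parses a raw IPv4+TCP SYN, extracts the header values whose initial settings are left to the implementer (initial TTL, window size, don't-fragment bit, and the order of TCP options), matches them against a signature table, and compares the result with the OS an administrator has recorded for that host. The signature table, the OS names `example-os-A`/`example-os-B`, the inventory, and the packets are all constructed for this example; a deployment would load a maintained fingerprint database rather than these illustrative values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# TCP option kinds we name; anything else is reported as "optN".
OPTION_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "wscale", 4: "sackok", 8: "ts"}
# Initial TTLs that TCP/IP stacks commonly start from; each hop on the path decrements the value.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class SynFeatures:
    """The handful of header values this example fingerprints on."""
    initial_ttl: int        # observed TTL rounded up to a common initial value
    window: int             # TCP initial window size
    df: bool                # IP "don't fragment" bit
    options: tuple          # TCP option kinds in the order the stack emitted them


# Constructed signature table for this example: names and values are illustrative,
# NOT a real fingerprint database (a deployment loads a maintained one).
SIGNATURES = {
    SynFeatures(64, 29200, True, ("mss", "sackok", "ts", "nop", "wscale")): "example-os-A",
    SynFeatures(128, 65535, True, ("mss", "nop", "wscale", "nop", "nop", "sackok")): "example-os-B",
}


def guess_initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    return next((t for t in COMMON_INITIAL_TTLS if observed <= t), observed)


def parse_tcp_options(raw: bytes) -> tuple:
    """Walk the TCP option list and return the option kinds in wire order."""
    kinds, i = [], 0
    while i < len(raw):
        kind = raw[i]
        kinds.append(OPTION_NAMES.get(kind, f"opt{kind}"))
        if kind == 0:                  # EOL terminates the list
            break
        if kind == 1:                  # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            raise ValueError("malformed TCP option")
        i += raw[i + 1]                # every other option carries its own length
    return tuple(kinds)


def extract_syn_features(packet: bytes) -> Optional[SynFeatures]:
    """Parse a raw IPv4+TCP packet; return features for a pure SYN, else None."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", packet[6:8])[0] & 0x4000)
    ttl, proto = packet[8], packet[9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = packet[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp[12] >> 4) * 4
    if (tcp[13] & 0x12) != 0x02:       # SYN set and ACK clear: the stack's opening packet
        return None
    window = struct.unpack("!H", tcp[14:16])[0]
    return SynFeatures(guess_initial_ttl(ttl), window, df, parse_tcp_options(tcp[20:data_offset]))


def identify_os(features: SynFeatures) -> str:
    """Look the observed features up in the signature table."""
    return SIGNATURES.get(features, "unknown")


def audit_host(packet: bytes, inventory: dict) -> Optional[dict]:
    """Compare the OS implied by a host's SYN with the OS recorded for it in the inventory."""
    features = extract_syn_features(packet)
    if features is None:
        return None
    src = ".".join(str(b) for b in packet[12:16])
    observed, expected = identify_os(features), inventory.get(src, "unknown")
    return {"host": src, "expected": expected, "observed": observed,
            "mismatch": observed != expected}   # a mismatch is the signal worth investigating


def build_syn(src: str, ttl: int, df: bool, window: int, options: bytes) -> bytes:
    """Construct a minimal IPv4+TCP SYN for the example (checksums left zero; never sent)."""
    tcp_len = 20 + len(options)
    assert tcp_len % 4 == 0, "options must pad the header to a 32-bit boundary"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes(int(o) for o in src.split(".")), bytes([192, 0, 2, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, (tcp_len // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + options


# Constructed option lists matching the two signatures above.
OPTS_A = bytes([2, 4, 0x05, 0xB4, 4, 2, 8, 10] + [0] * 8 + [1, 3, 3, 7])   # mss,sackok,ts,nop,wscale
OPTS_B = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 8, 1, 1, 4, 2])                 # mss,nop,wscale,nop,nop,sackok

if __name__ == "__main__":
    inventory = {"192.0.2.10": "example-os-B"}   # what the administrator believes is installed
    # TTL 61 is an initial 64 after three hops; the options follow the os-A pattern, so the host looks wrong.
    print(audit_host(build_syn("192.0.2.10", 61, True, 29200, OPTS_A), inventory))
```

Only the opening SYN is fingerprinted because that is the packet whose values the sending stack chose entirely on its own; later segments are shaped by the peer. Rounding the TTL up to a common initial value is what makes the signature stable across network paths of different lengths.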