Nmap Development mailing list archives
Re: IPv6 fingerprint database imputation of missing values
From: Alexandru Geana <alex () alegen net>
Date: Mon, 13 Apr 2015 16:37:15 +0200
Over the weekend I played around with some parameters and here are some of my findings:

1) I tried to impute TC and TCP_WSCALE with linear regression, but the accuracy from cross validation reported by liblinear drops to 55% - 60%. I decided to leave them out. Now the accuracy estimates are 62% - 65%. The accuracy value varies more now than before. I changed the scripts to run cross validation multiple times on the same model, and the values can differ as stated.

2) After choosing the imputation strategies per feature and a value for the cost used by liblinear, I started fingerprinting various OSes, the results of which are attached. As expected, the novelty factors have increased and I adjusted the limit to 50. For percentages, the greatest difference is for Linux 3.2 (tested on a Debian 7), going up from 82.7% to 91.8%. A newer Linux 3.18 (tested on a Fedora 21) goes from 2.0% to 8.9%, though still for the wrong version of the kernel. For Windows 7, the accuracy drops from 96% to 70%, but the novelty factor of the 2 top classes (both for Windows 7) is "normalized" and they are almost equal (45 and 47 as opposed to 2 and 13). The most problematic was FreeBSD 10, which decreased quite a lot and was not the top match anymore. Even so, the top match had a very high novelty factor (almost double).

I decided to change the code in FPEngine.cc, the classify function. My idea was to check all perfect matches and, if there are more than one, to verify the novelty of each. If there is only one perfect match with a novelty score lower than the threshold, then nmap reports that one; otherwise the old behaviour is followed. I attached a small diff to give a better idea. This helps with the stats for FreeBSD fingerprinting.

Best regards,
Alexandru Geana
alegen.net
Attachments: linux_3.2, linux_3.18, windows_7, freebsd_10.1, FPEngine.cc.diff, signature.asc (Digital signature)
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
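The diff mentioned in the message above is an attachment and is not reproduced on this page, so the following is an added example, not Alexandru Geana's patch or Nmap's own FPEngine.cc code. It implements the selection rule the message describes, on a constructed list of classifier results: when more than one class scores a perfect match, the single perfect match whose novelty is below the threshold is reported; in every other case the old behaviour (report the top-ranked match) is kept. The Match struct, the function names, the threshold value of 50 (the "limit" the message mentions) and the sample numbers are this example's own assumptions; in particular, "perfect" is taken to mean an accuracy of 1.0, and the old behaviour is reduced to "return the highest-accuracy candidate".

```cpp
#include <algorithm>
#include <cmath>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// One candidate OS class from the IPv6 classifier (names are this example's own):
// the class label, the probability assigned to it, and the novelty of the
// observed feature vector relative to that class (higher = further from the
// class's training data).
struct Match {
    std::string os_class;
    double accuracy;   // in [0, 1]; 1.0 is treated as a "perfect" match
    double novelty;
};

// Assumption: a match is "perfect" when its accuracy is 1.0 up to FP noise.
static bool is_perfect(const Match &m) {
    return std::fabs(m.accuracy - 1.0) < 1e-9;
}

// Returns the index (into `matches`) of the class to report, or -1 if the
// list is empty.
//
// New rule from the message: if several candidates are perfect matches and
// exactly one of them has a novelty below `novelty_threshold`, report that
// one.  Otherwise fall back to the old behaviour, here simplified to
// "report the highest-accuracy candidate" (ties keep input order).
int select_match(const std::vector<Match> &matches, double novelty_threshold) {
    if (matches.empty())
        return -1;

    // Rank candidates by accuracy, highest first, without losing the
    // original indices.
    std::vector<std::size_t> order(matches.size());
    for (std::size_t i = 0; i < order.size(); ++i)
        order[i] = i;
    std::stable_sort(order.begin(), order.end(),
                     [&](std::size_t a, std::size_t b) {
                         return matches[a].accuracy > matches[b].accuracy;
                     });

    // Collect every perfect match.
    std::vector<std::size_t> perfect;
    for (std::size_t i : order)
        if (is_perfect(matches[i]))
            perfect.push_back(i);

    // Tie-break on novelty only when there is more than one perfect match.
    if (perfect.size() > 1) {
        std::vector<std::size_t> plausible;
        for (std::size_t i : perfect)
            if (matches[i].novelty < novelty_threshold)
                plausible.push_back(i);
        if (plausible.size() == 1)
            return static_cast<int>(plausible[0]);
    }

    // Old behaviour: the top-ranked candidate.
    return static_cast<int>(order[0]);
}

int main() {
    const double threshold = 50.0;  // assumed value of the novelty limit

    // Constructed results in the shape the message describes for FreeBSD:
    // two perfect matches, the first with a novelty almost double the other.
    std::vector<Match> freebsd = {
        {"Linux 3.x", 1.0, 93.0},
        {"FreeBSD 10.X", 1.0, 47.0},
    };
    int idx = select_match(freebsd, threshold);
    std::cout << "FreeBSD case -> " << freebsd[idx].os_class << "\n";

    // Constructed Windows 7 case: both top classes are perfect and both are
    // below the threshold (45 and 47), so the old behaviour applies.
    std::vector<Match> win7 = {
        {"Windows 7 (a)", 1.0, 45.0},
        {"Windows 7 (b)", 1.0, 47.0},
    };
    idx = select_match(win7, threshold);
    std::cout << "Windows 7 case -> " << win7[idx].os_class << "\n";
    return 0;
}
```

The interesting property to check is the fall-through: when no perfect match, or every perfect match, passes the novelty test, the function must behave exactly as before, so the change cannot make a previously correct result worse.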
Current thread:
- IPv6 fingerprint database imputation of missing values Alexandru Geana (Apr 10)
- Re: IPv6 fingerprint database imputation of missing values David Fifield (Apr 10)
- Re: IPv6 fingerprint database imputation of missing values Alexandru Geana (Apr 13)
- Re: IPv6 fingerprint database imputation of missing values Alexandru Geana (Apr 22)
- Re: IPv6 fingerprint database imputation of missing values Alexandru Geana (Jun 03)
- Re: IPv6 fingerprint database imputation of missing values Alexandru Geana (Jun 30)
- Re: IPv6 fingerprint database imputation of missing values Alexandru Geana (Apr 13)
- Re: IPv6 fingerprint database imputation of missing values David Fifield (Apr 10)