SoFi: Spoofing OS Fingerprints Against Network Reconnaissance
Authors: Xu Han; Haocong Li; Wei Wang; Haining Wang; Xiaobo Ma; Shouling Ji; Qiang Li
Journal: IEEE Transactions on Information Forensics and Security, vol. 20, pp. 4484-4497 (Journal Article)
Publication date: 2025-04-18
DOI: 10.1109/TIFS.2025.3561673
URL: https://ieeexplore.ieee.org/document/10969800/
Impact factor: 8.0; JCR: Q1 (COMPUTER SCIENCE, THEORY & METHODS)
Citation count: 0
Abstract
Fingerprinting is a network reconnaissance technique utilized for gathering information about online computing systems, including operating systems and applications. Unfortunately, attackers typically leverage fingerprinting techniques to locate, enumerate, and subsequently target vulnerable systems, which is the first primary stage of a cyber attack. In this work, we explore the susceptibility of machine learning (ML)-based classifiers to misclassification, where a slight perturbation in the packet is included to spoof OS fingerprints. We propose SoFi (Spoof OS Fingerprints), an adversarial example generation algorithm under TCP/IP specification constraints, to create effective perturbations in a packet for deceiving an OS fingerprint. Specifically, SoFi has three major technical innovations: (1) it is the first to utilize adversarial examples to automatically perturb fingerprinting techniques; (2) it complies with constraints and integrity of network packets; (3) it achieves a high success rate in spoofing OS fingerprints. We validate the effectiveness of adversarial packets against active and passive OS fingerprints, verifying the transferability and robustness of SoFi. Comprehensive experimental results demonstrate that SoFi automatically identifies applicable and available OS fingerprint features, unlike existing tools relying on expert knowledge.
About the journal:
The IEEE Transactions on Information Forensics and Security covers the sciences, technologies, and applications relating to information forensics, information security, biometrics, surveillance and systems applications that incorporate these features.