What is HOSD?

HOSD stands for Hybrid Operating System Discovery. HOSD combines the classical active and passive approache to OS discovery in a single tool. HOSD monitors the network passively to build a knowledge base about the operating system running on the remote computers. When the user queries HOSD and it cannot answer with the current state of knowledge, it goes in active mode to fetch the missing information. By relying on knowledge, HOSD has a memory (unlike classical passive tools). Moreover, by carefully selecting which tests to perform next (unlike most active tools that execute all the available tests), based on the user query and on the information gathered passively, HOSD minimizes the number of packets sent (and avoid as much as possible sending abnormal packets). Click here for more details.

Where is HOSD developped?

HOSD is currently being developped in the Network Management and Artificial Intelligence (NMAI) research lab in the department of systems and computer engineering at Carleton University in Canada. The project is supervised by a Ph.D. student (Francois Gagnon) and two undergraduate students are actively developping HOSD. HOSD is deveolpped in collabotation with the network security research group at Canada’s Communication Research Center (CRC) and is supported by the Talent First program of Carleton university.

What is HOSD used for?

HOSD is developped mainly for gathering IDS context. In that specific case, the user (an IDS) queries HOSD to know if the target of a given attack is vulnerable (i.e., if it’s operating system belongs to the set of vulnerable OS for that particular attack). The objective is to assign lower priority alarms to the attacks for which the target is not vulnerable. Due to the knowledge-based framework of HOSD, it is usually no necessary to find out the exact operating system before answering an IDS query (again reducing the number of packets sent). HOSD can, of course, be used for more standard OS discovery tasks.

Experiment 2009-04

This experiment evaluate the accuracy of different OSD tools to identify the actual operating system of a computer.

Documents:

  • Installation & User Guide
  • Publications:
    • (2007) Gagnon F., Esfandiari B. and Bertossi L. A Hybrid Approach to Operating System Discovery using Answer Set Programming – In Proceedings of the 10th IFIP/IEEE Symposium on Integrated Management (IM’07), 391-400
    • (2008) Gagnon F. and Esfandiari B. – A Query-Based Approach for Test Selection in Diagnosis: Operating System Discovery as a Case Study – poster session of the 19th International Workshop on Principles of Diagnosis (DX’08)
    • (2009) Gagnon F., Esfandiari B. and Massicotte F. – Using Contextual Information for IDS Alarm Classification (Extended Abstract) – (To Appear) Proceedings of the 6th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA’09)
    • (2008) Gagnon F., Esfandiari B., and Massicotte F. – On the Effectiveness of Target Configuration as Contextual Information for IDS Alarm Classification – Technical Report SCE-08-08, Carleton University, Department of Systems and Computer Engineering

Downloads:

HOSD-0.2 is now availalbe as a pre-alpha release. HOSD 0.2 was released with rule set 0.2.11. There are no new rule set since.

News and Updates:

  • June 22, 2009: HOSD-0.2 available in pre-alpha release.
  • October 13, 2008: HOSD-0.1 available in pre-alpha release.
  • September 09, 2008: Creation of this website.
  • May 23, 2007: Presentation of HOSD to the 10th IFIP/IEEE Symposium on Integrated Management.