HOSD

What is HOSD?
HOSD stands for Hybrid Operating System Discovery. HOSD combines the classical active and passive approaches to OS discovery in a single tool. HOSD monitors the network passively to build a knowledge base about the operating systems running on remote computers. When the user queries HOSD and it cannot answer with its current state of knowledge, it switches to active mode to fetch the missing information. By relying on a knowledge base, HOSD has a memory (unlike classical passive tools). Moreover, by carefully selecting which tests to perform next (unlike most active tools, which execute all the available tests), based on the user query and on the information gathered passively, HOSD minimizes the number of packets sent (and avoids sending abnormal packets as much as possible).


Where is HOSD developed?
HOSD is currently being developed in the Network Management and Artificial Intelligence (NMAI) research lab in the Department of Systems and Computer Engineering at Carleton University in Canada. The project is supervised by a Ph.D. student (Francois Gagnon), and two undergraduate students are actively developing HOSD. HOSD is developed in collaboration with the network security research group at Canada's Communication Research Center (CRC) and is supported by the Talent First program of Carleton University.


What is HOSD used for?
HOSD is developed mainly for gathering IDS context. In that specific case, the user (an IDS) queries HOSD to know whether the target of a given attack is vulnerable (i.e., whether its operating system belongs to the set of operating systems vulnerable to that particular attack). The objective is to assign lower priority to alarms for attacks whose target is not vulnerable. Because of HOSD's knowledge-based framework, it is usually not necessary to determine the exact operating system before answering an IDS query (again reducing the number of packets sent). HOSD can, of course, also be used for more standard OS discovery tasks.
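The two ideas above (a per-host knowledge base that passive observations narrow down, and an IDS query that can be answered without pinning the exact OS, with active tests chosen only when the answer is still undecided) can be illustrated with a small model. The following is an added example written for this page; it is not HOSD's code, and the fingerprint table, attribute names, test costs and the names KnowledgeBase, answer_query, choose_next_test and resolve_query are all constructed for illustration.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed fingerprint table: OS label -> observable attribute values.
# These are illustrative values, NOT real OS fingerprints.
FINGERPRINTS: Dict[str, Dict[str, object]] = {
    "Windows-A": {"ttl": 128, "win": 65535, "tcp_opts": "MNWNNTNNS", "icmp_quirk": 0},
    "Windows-B": {"ttl": 128, "win": 8192,  "tcp_opts": "MNWNNTNNS", "icmp_quirk": 0},
    "Linux-A":   {"ttl": 64,  "win": 5840,  "tcp_opts": "MSTNW",     "icmp_quirk": 1},
    "BSD-A":     {"ttl": 64,  "win": 65535, "tcp_opts": "MNWNNTS",   "icmp_quirk": 2},
    "BSD-B":     {"ttl": 64,  "win": 16384, "tcp_opts": "MNNSNW",    "icmp_quirk": 2},
}

# Constructed cost of actively probing each attribute: attributes that a normal
# connection reveals are cheap; "icmp_quirk" stands for a test that needs an
# abnormal packet and is therefore avoided when a cheaper test resolves the query.
TEST_COST: Dict[str, int] = {"ttl": 1, "win": 1, "tcp_opts": 1, "icmp_quirk": 3}


class KnowledgeBase:
    """Per-host memory: the set of OS labels still consistent with everything seen."""

    def __init__(self, host: str) -> None:
        self.host = host
        self.candidates: Set[str] = set(FINGERPRINTS)
        self.observed: Dict[str, object] = {}

    def observe(self, attr: str, value: object) -> None:
        # Passive sniffing and active probing both feed the same narrowing step.
        self.observed[attr] = value
        self.candidates = {os for os in self.candidates if FINGERPRINTS[os][attr] == value}


def answer_query(kb: KnowledgeBase, vulnerable: Set[str]) -> str:
    """Answer 'is this host vulnerable?' without needing the exact OS."""
    if not kb.candidates:
        return "unknown"  # contradictory observations; nothing in the table matches
    if kb.candidates <= vulnerable:
        return "vulnerable"  # every remaining candidate is in the vulnerable set
    if kb.candidates.isdisjoint(vulnerable):
        return "not vulnerable"  # no remaining candidate is in the vulnerable set
    return "unknown"  # candidates straddle the boundary; more information needed


def choose_next_test(kb: KnowledgeBase, vulnerable: Set[str]) -> Optional[str]:
    """Pick the untested attribute that best separates vulnerable from non-vulnerable
    candidates for THIS query, preferring cheaper (less abnormal) probes."""
    best: Optional[Tuple[int, int, str]] = None
    for attr, cost in TEST_COST.items():
        if attr in kb.observed:
            continue
        groups: Dict[object, Set[str]] = {}
        for os in kb.candidates:
            groups.setdefault(FINGERPRINTS[os][attr], set()).add(os)
        if len(groups) <= 1:
            continue  # every candidate answers the same; the probe teaches nothing
        # Candidates that would still leave the query undecided after any outcome.
        mixed = sum(len(g) for g in groups.values()
                    if not (g <= vulnerable or g.isdisjoint(vulnerable)))
        key = (mixed, cost, attr)
        if best is None or key < best:
            best = key
    return None if best is None else best[2]


def simulated_probe(true_os: str, attr: str) -> object:
    """Stand-in for sending an active probe: what the real host would answer."""
    return FINGERPRINTS[true_os][attr]


def resolve_query(kb: KnowledgeBase, vulnerable: Set[str], true_os: str) -> Tuple[str, List[str]]:
    """Hybrid loop: answer from memory; only if undecided, probe one test at a time."""
    sent: List[str] = []
    verdict = answer_query(kb, vulnerable)
    while verdict == "unknown":
        test = choose_next_test(kb, vulnerable)
        if test is None:
            break
        sent.append(test)
        kb.observe(test, simulated_probe(true_os, test))
        verdict = answer_query(kb, vulnerable)
    return verdict, sent


if __name__ == "__main__":
    # Passive sniffing saw TTL 128 from the host; the attack only affects the two
    # Windows labels, so the IDS gets its answer with zero packets sent.
    kb = KnowledgeBase("10.0.0.5")
    kb.observe("ttl", 128)
    print(answer_query(kb, {"Windows-A", "Windows-B"}))          # vulnerable

    # Nothing was seen passively and the attack affects only Windows-A: two cheap
    # probes settle the query, and the abnormal "icmp_quirk" test is never sent.
    print(resolve_query(KnowledgeBase("10.0.0.9"), {"Windows-A"}, "Windows-B"))
```

The scoring in choose_next_test is deliberately query-driven: a test that would tell two vulnerable candidates apart is worthless to the IDS, so it scores no better than no test at all, while a test that splits the candidates cleanly along the vulnerable/not-vulnerable line wins even if it never identifies the exact OS.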