A Finite State Machine Model of TCP Connections in the Transport Layer J. Treurniet and J.H. Lefebvre Defence R&D Canada - Ottawa Mike Hsiao, 20080822.

Slides:



Advertisements
Similar presentations
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Advertisements

CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)
Computer Security and Penetration Testing
TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
CCNA – Network Fundamentals
Transport Layer – TCP (Part2) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.
Transmission Control Protocol (TCP)
CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Chapter 7: Transport Layer
Fundamentals of Computer Networks ECE 478/578 Lecture #20: Transmission Control Protocol Instructor: Loukas Lazos Dept of Electrical and Computer Engineering.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
1 Reading Log Files. 2 Segment Format
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
Transmission Control Protocol (TCP) Basics
CS3505 The Internet and Info Hiway transport layer protocols : TCP/UDP.
Transport Layer – TCP (Part1) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.
Chapter 7 – Transport Layer Protocols
Firewalls and Intrusion Detection Systems
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.
Examining IP Header Fields
Lecture 23: Network Primer 7/15/2003 CSCE 590 Summer 2003.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
William Stallings Data and Computer Communications 7 th Edition (Selected slides used for lectures at Bina Nusantara University) Transport Layer.
Department of Electronic Engineering City University of Hong Kong EE3900 Computer Networks Transport Protocols Slide 1 Transport Protocols.
1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
Chapter 4 OSI Transport Layer
Gursharan Singh Tatla Transport Layer 16-May
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Port Scanning.
FIREWALL Mạng máy tính nâng cao-V1.
Firewalls. Evil Hackers FirewallYour network Firewalls mitigate risk Block many threats They have vulnerabilities.
1 Chapter Overview TCP/IP DoD model. 2 Network Layer Protocols Responsible for end-to-end communications on an internetwork Contrast with data-link layer.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 7: Transport Layer Introduction to Networking.
6.1. Transport Control Protocol (TCP) It is the most widely used transport protocol in the world. Provides reliable end to end connection between two hosts.
TCP : Transmission Control Protocol Computer Network System Sirak Kaewjamnong.
Section 5: The Transport Layer. 5.2 CS Computer Networks John Mc Donald, Dept. of Computer Science, NUI Maynooth. Introduction In the previous section.
ICOM 6115©Manuel Rodriguez-Martinez ICOM 6115 – Computer Networks and the WWW Manuel Rodriguez-Martinez, Ph.D. Lecture 26.
TCP1 Transmission Control Protocol (TCP). TCP2 Outline Transmission Control Protocol.
Scanning & Enumeration Lab 3 Once attacker knows who to attack, and knows some of what is there (e.g. DNS servers, mail servers, etc.) the next step is.
1 Figure 10-4: Intrusion Detection Systems (IDSs) HOST IDSs  Protocol Stack Monitor (like NIDS) Collects the same type of information as a NIDS Collects.
Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:
Slide #1 CIT 380: Securing Computer Systems TCP/IP.
Breno de MedeirosFlorida State University Fall 2005 The IP, TCP, UDP protocols A quick refresher.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
IP1 The Underlying Technologies. What is inside the Internet? Or What are the key underlying technologies that make it work so successfully? –Packet Switching.
TCP/IP1 Address Resolution Protocol Internet uses IP address to recognize a computer. But IP address needs to be translated to physical address (NIC).
11 CS716 Advanced Computer Networks By Dr. Amir Qayyum.
1 Transmission Control Protocol (TCP) RFC: Introduction The TCP is intended to provide a reliable process-to-process communication service in a.
3. END-TO-END PROTOCOLS (PART 1) Rocky K. C. Chang Department of Computing The Hong Kong Polytechnic University 22 March
Port Scanning James Tate II
Fast Retransmit For sliding windows flow control we waited for a timer to expire before beginning retransmission of a packet TCP uses an additional mechanism.
5. End-to-end protocols (part 1)
TCP.
TCP - Part I Karim El Defrawy
The IP, TCP, UDP protocols
TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
CS4470 Computer Networking Protocols
POOJA Programmer, CSE Department
Firewalls.
TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
Statistical based IDS background introduction
Transport Layer 9/22/2019.
TCP Connection Management
Presentation transcript:

A Finite State Machine Model of TCP Connections in the Transport Layer J. Treurniet and J.H. Lefebvre Defence R&D Canada - Ottawa Mike Hsiao, Defence R&D Canada - Ottawa Technical Memorandum DRDC Ottawa TM November 2003

2 Outline Summary and Introduction Theory – Transmission Control Protocol – TCP Finite State Machine Model – Detection of Anomalies Implementation of the Algorithm Results and Discussion – Network Management – Security – Research – False Positives Conclusion and Future Work

3 Background – RFC & implementation The protocols employed on computer networks are intended to be well-defined via Request for Comments (RFC) documents. – In reality, there is enough freedom in the RFC specifications of the protocols that they can vary widely from one implementation to the next. Additional information: Summary

4 Background – TCP TCP is a reliable protocol, and its behavior follows a pattern that is somewhat predictable. – The “flags” convey the commands that carry a connection through these stages. … SYN SYN-ACK ACK FIN FIN-ACK ACK Three-way handshake Data exchange Closing Diagram of a “textbook” TCP connection Summary

5 Background – FSM The authors model a TCP connection as an FSM, – defining the states of a FSM to reflect the stages of a connection and – using the flags as the events that bring about transitions among states. The TCP FSM proposed by the authors Summary

6 Background – Anomaly detection To use the model for strict anomaly detection, a failure state is introduced to indicate the occurrence of a disallowed event or an attempted illegal transition. – When the time-ordered flags of a TCP connection is input to the FSM, if the connection enters a failure state or otherwise does not complete, – the connection is flagged as anomalous. State X Failure State Event Y Summary

7 Background The TCP FSM can be used to detect some network management issues and network security events, and it can also be used as a research tool to study the behavior of TCP on the Internet. “”Strict anomaly detection”” defines a set of permitted events and detects activity which represents exceptions to those events. – TCP, FSM, anomalous Introduction

8 A snapshot of TCP anomalies Impart information to – Network management Unresponsive hosts Behaviors that lead to resource consumption – Network security Scanning activity The appeal of the model is in its simplicity and it utility in a wild range of applications Introduction

9 Transmission Control Protocol Theory Note: Only certain flag combination are valid.

10 Transmission Control Protocol Theory Graceful Termination In an ungraceful termination, the connection is torn down by transmission of a reset (R) from either the client or the server. On receiving an acceptable reset, if the receiving TCP is in 1) a non-synchronized state, => returns to LISTEN; 2) a synchronized states, => aborts the connection => informs its user.

11 In Practice In practice, stages of a connection are only allowed to exist for a set amount of time, to free up resources that aren't being used. in most Berkeley-derived systems Theory twice the max amount of time in RFC; some implement is one minute.

12 TCP client and server The traditional state transition diagram for TCP is a graphical representation of two separate but related finite state machines, one for the client and one for the server. The authors have simplified the traditional TCP state transition diagram to remove the differentiation of client and server. Theory

13 Theory Server Client Attempt to close socket Receive close request Simultaneous close

14 They proposed a 7-state TCP FSM.

15 6 events in the proposed TCP FSM Theory (e.g., SYN+FIN) Such packets are either “crafted” or appear as a result of corruption of the packet.

16 Theory almost 10% of all SYN packets are retransmitted

17 Detection of Anomalies If the final state of the sequence is not Closed (C 2 ), then the connection is flagged as anomalous. For streams that terminate in an allowed state other than Closed, we denote the event as “timeout”” to signify that the stream has ended but the connection has not been closed. Theory

18 Example of Anomalies Denial of Service (DoS) – many H 2 | timeout events for one host – X | timeout or C 1 | timeout TCP half-open scan – H1 | R APU, H 1 | timeout, H 2 | R APU or H 2 | timeout Scans for OS fingerprinting (e.g., QueOS) Theory

19 Traffic Traces Unfiltered traffic is collected at the external interface of 3 class B networks using tcpdump. Only the first 68 bytes of each packet were collected to obtain the full TCP header. At peak times, an hourly file contained on the order of 2 million packets. Implementation of the Algorithm

20 Implementation The TCP FSM algorithm was written in MATLAB. In practice, each packet was read sequentially from the raw traffic file. – Each socket pair was assigned a stream holding the complete trace for that socket. – How to deal with the truncation of the traffic data? (i.e., streams that start or end in the middle of a connection) August 21, 2000 data for 24 hours starting at midnight. Implementation of the Algorithm

21 Analysis Results (1/3) Results and Discussion They do not proceed the normal synchronization process.

22 Analysis Results (2/3) Results and Discussion They do not complete the synchronization process.

23 Analysis Results (3/3) Results and Discussion

24 Results and Discussion 1)Approximately 37% of the Internet TCP traffic does not obey the protocol. 2)If we remove “SYN scan” and “bad flag scan”, ↓

25 Network Management Unresponsive and non-existant hosts – H 1 | R APU, H1 | Timeout, H 2 | R APU and H 2 | timeout Delays (i.e., packets do not arrive in an appropriate time) – L | {SA, A PU, F APU, R APU }, H 2 | R APU and X | timeout Abandoned connections – X | timeout and C 1 | timeout Malfuncioning TCP – H 1 | F APU Backscatter effects – L | SA or L | SA Results and Discussion

26 Security (1/2) TCP connect and half-open scans – Open port: {S-SA-A PU -R APU } or {S-SA-A PU -F APU -A PU -F APU -A PU } – Half open: H 2 | R APU – Closed port: H 1 | R APU, H 1 | timeout Stealth scans and inverse mapping (firewall) – SYN-FIN (e.g., Firewalls will be configured to block incoming packets with only the SYN flag set) – L | A PU + RST or ICMP destination unreachable – L | SA, L | F APU, bad flag, L | R APU Results and Discussion

27 Security (2/2) Aggregating scanning events – L | {SA, A PU, F APU, R APU }, H 1 | {R APU, timeout} and H 2 | {F APU, R APU } or bad flag Role of the Firewall – H 2 | timeout – H 2 | R APU Results and Discussion 1m 10m 1h 5h 12h 1d 2d 5d >5d

28 False Positives By definition, all anomalies found using strict anomaly detection are anomalous and therefore there is no false positive rate to consider. – It is difficult to determine the intent of the user who sends a SYN and receives a RST in response (failure H 1 | R APU ). – It has different meanings and possesses different importance to different applications. Results and Discussion

29 Conclusions and Future Work (1/2) Examining packet follows on a network that do not conform to the protocol Successfully detect TCP-based scanning activity, delays, outages, misconfigurations and other unexpected TCP behaviour Correlation engines could be used to correlate the events found through application of this model. A successful full connect scan cannot be detected with this method because the flag pattern obeys the protocol specification. Include an option for TCP traffic that is not officially allowed but is nevertheless present on the Internet. IDS Conclusions and Future Work

30 Conclusions and Future Work (2/2) Using the proportionalities of anomalies found by implementing the TCP FSM, one can introduce failures using a Markov chain approach. As well as a mechanism for traffic generation, Markov models may provide the capability of assigning a probability that a connection is valid. This may be the basis of a statistical anomaly detection engine. Conclusions and Future Work

31 Comments The usage of a protocol can be considered as a distinctive signature to a program. Our work also include service level, and an application is more complicated than TCP. – More events (messages) – States are unclear. Too much false positive for anomaly detection model. Perfect attacks may exist.

32 Further Readings TCP – Floyd, S. (2002). Inappropriate TCP Resets Considered Harmful. (work in progress). – End-to-end Interest Maillist. Frequency of RST terminated connections. USC Information Sciences Institute. Apps – Sasha/Beetle (2000). A Strict Anomaly Detection Model for IDS. Phrack, 10(56). – Das, K. (2002). Protocol Anomaly Detection for Network- based Intrusion Detection. SANS Institute. – Lemonnier, E. (2001). Protocol Anomaly Detection in Network-based IDSs.