Network Protocol System Fingerprinting - A Formal Approach. Guoqiang Shu and David Lee, INFOCOM 2006. Speaker: Chang Huan Wu, 2008/10/31.

Presentation transcript:


2 Outline
– Introduction
– A Formal Model
– Active and Passive Fingerprinting
– Defending Against Malicious Fingerprinting
– Conclusions

3 Introduction (1/3)
Fingerprinting: identifying the specific implementation of a network protocol (its distinguishing features) by analyzing its input/output behavior
– Facilitates network management
– Also lets an attacker target the vulnerabilities of a particular implementation

4 Introduction (2/3)
Most network protocols are not specified completely and deterministically
– Optional features
– Unspecified behaviors under some circumstances
Implementations therefore differ in observable ways, and those differences are what fingerprinting exploits

5 Introduction (3/3)
Goal: identify which implementation a target runs by analyzing its input/output behavior
– Active: send predetermined input sequences to probe the target host and observe its responses
– Passive: observe a trace of input/output messages to and from the target host without disrupting its normal operation

6 A Formal Model (1/4)
A Parameterized Extended Finite State Machine (PEFSM) is a 6-tuple M = (S, S_init, I, O, X, T)
– S: finite set of states
– S_init: initial state
– I = {i_0, i_1, i_2, ..., i_{p-1}}: input alphabet; each input symbol carries a vector of parameter values
– O = {o_0, o_1, o_2, ..., o_{q-1}}: output alphabet
– X: finite set of variables with default initial values

7 A Formal Model (2/4)
– T: finite set of transitions; for t ∈ T, t = (s, s', i, o, P(X, i), A(X, i, o))
s / s': start state / end state
i and o: input / output symbols with parameters
P: predicate (guard) over the variables and the input parameters; the transition can fire only when P holds
A: an operation on the variables, computed from the current variable values and the input and output parameter values
[Figure: example of a PEFSM transition]

8 PEFSM model of a simplified TCP Tahoe implementation (state variables, guards and actions of the transitions are omitted)
[Figure: states initial state (SYN), slow start (SS), congestion avoidance (CA), retransmission (REX), finish (Fin); each edge is labelled with the transition name and its input / output]

9 A Formal Model (3/4)
Given a candidate group of implementation machines C = {M_1, M_2, ..., M_k}, a test sequence seq separates M_i and M_j if, fed seq as input, M_i and M_j produce different outputs
A fingerprinting set F for a candidate group C is a set of test sequences such that for each pair of machines in C, F contains a sequence that separates them

10 A Formal Model (4/4)
Given a candidate group, the goal of
– Active fingerprinting: construct a fingerprinting set, probe the target with it and match the responses against the candidates
– Passive fingerprinting: decide whether a specific candidate could have generated a given observed trace

11 Active Fingerprinting
Algorithm 1: generate a sequence that separates two candidates
Algorithm 2: generate the fingerprinting set by refining a partition of the candidate group
– Partition = { {M1, M2, M3, M4} }
– M1 and M3 can be separated by T1; use T1 to split {M1, M2, M3, M4}
– Partition = { {M1, M4}, {M2, M3} }
– M1 and M4 can be separated by T2; use T2 to split {M1, M4} and {M2, M3}
– ... until every set in the partition has exactly one element
– If T2 separates both {M1, M4} and {M2, M3}, then Partition = { {M1}, {M2}, {M3}, {M4} } and the fingerprinting set is {T1, T2}
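The separating-sequence search (Algorithm 1) and the partition refinement (Algorithm 2) of slides 9 to 11, as an added example in Python; this is not the paper's code. It assumes four constructed candidate machines M1 to M4 written as deterministic Mealy tables (a PEFSM whose variables have finite domains can be expanded into such a table), with illustrative probe names T1 to T3 and outputs SA / R / - that only mimic Nmap's naming; nothing here is taken from the Nmap database.

```python
from collections import deque

# Constructed candidates, not from the paper: deterministic Mealy tables of the form
# machine[state][input] -> (next_state, output).  Probe names are illustrative:
# T1 = SYN, T2 = segment with no flags, T3 = segment with an unusual flag combination.
# Outputs: "SA" = SYN/ACK, "R" = RST, "-" = no answer.
INIT = "closed"
INPUTS = ("T1", "T2", "T3")
CANDIDATES = {
    # M1 and M2 answer identically until a SYN has opened the connection, so a
    # length-2 sequence is needed to tell them apart.
    "M1": {"closed": {"T1": ("open", "SA"), "T2": ("closed", "-"), "T3": ("closed", "R")},
           "open":   {"T1": ("open", "SA"), "T2": ("open", "R"),   "T3": ("open", "R")}},
    "M2": {"closed": {"T1": ("open", "SA"), "T2": ("closed", "-"), "T3": ("closed", "R")},
           "open":   {"T1": ("open", "SA"), "T2": ("open", "-"),   "T3": ("open", "R")}},
    "M3": {"closed": {"T1": ("open", "SA"), "T2": ("closed", "-"), "T3": ("closed", "-")},
           "open":   {"T1": ("open", "SA"), "T2": ("open", "R"),   "T3": ("open", "-")}},
    "M4": {"closed": {"T1": ("open", "SA"), "T2": ("closed", "R"), "T3": ("closed", "R")},
           "open":   {"T1": ("open", "SA"), "T2": ("open", "R"),   "T3": ("open", "R")}},
}


def run(machine, seq):
    """Feed seq to the machine from its initial state; return the output sequence."""
    state, outs = INIT, []
    for sym in seq:
        state, out = machine[state][sym]
        outs.append(out)
    return outs


def separating_sequence(ma, mb, inputs=INPUTS):
    """Algorithm 1 as implemented here: breadth-first search over the product of the
    two state spaces for the shortest input sequence on which the outputs differ.
    Returns None if the machines are equivalent (no sequence can separate them)."""
    start = (INIT, INIT)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        (sa, sb), path = queue.popleft()
        for sym in inputs:
            na, oa = ma[sa][sym]
            nb, ob = mb[sb][sym]
            if oa != ob:
                return path + [sym]
            if (na, nb) not in seen:
                seen.add((na, nb))
                queue.append(((na, nb), path + [sym]))
    return None


def fingerprint_set(candidates):
    """Algorithm 2 as implemented here: partition refinement.  Start with one block
    holding every candidate; while some block has more than one member, separate two
    of its members and split every block by the outputs that sequence produces.
    Returns (fingerprinting set, final partition)."""
    partition, fset = [sorted(candidates)], []
    while True:
        block = next((b for b in partition if len(b) > 1), None)
        if block is None:
            return fset, partition
        a, b = block[0], block[1]
        seq = separating_sequence(candidates[a], candidates[b])
        if seq is None:
            raise ValueError(f"{a} and {b} are equivalent: no fingerprinting set exists")
        fset.append(seq)
        refined = []
        for blk in partition:
            by_output = {}
            for name in blk:
                by_output.setdefault(tuple(run(candidates[name], seq)), []).append(name)
            refined.extend(by_output.values())
        partition = refined


def identify(fset, candidates, target):
    """Active fingerprinting proper: probe the target with every sequence of the
    fingerprinting set and look the joint response up in the candidate table."""
    def signature(m):
        return tuple(tuple(run(m, seq)) for seq in fset)
    database = {signature(m): name for name, m in candidates.items()}
    return database.get(signature(target))


if __name__ == "__main__":
    fset, partition = fingerprint_set(CANDIDATES)
    print("fingerprinting set:", fset)      # [['T1', 'T2'], ['T3'], ['T2']]
    print("final partition:", partition)    # [['M1'], ['M4'], ['M3'], ['M2']]
    print("unknown host identified as", identify(fset, CANDIDATES, CANDIDATES["M3"]))
```

The refinement is greedy, like the slide's walk-through: each chosen sequence splits every block it can, so the resulting set is small but not guaranteed minimal. A `ValueError` corresponds to the `*` entries of slide 14, a candidate group for which no exact fingerprinting set exists.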

12 Active Fingerprinting using Nmap Tests (1/3)
– Nmap identifies a TCP/IP stack implementation using nine test sequences
– In its fingerprint database Nmap stores the encoded responses to those test sequences for more than 1300 implementations

13 Active Fingerprinting using Nmap Tests (2/3)
– Fig. 3 shows the PEFSM input/output behavior of two implementations taken from the Nmap database
– Every test except T3 can be used as a separating sequence for these two machines

14 Active Fingerprinting using Nmap Tests (3/3)
– Example: the set {Tseq, T1, T2, T3, PU} separates every implementation in the Router category
– * marks a category for which no exact fingerprinting set exists (some of its implementations cannot be separated by the Nmap tests)

15 Passive Fingerprinting (1/2)
– Use the TCP Behavior Inference Tool (TBIT) to generate specific traffic toward the target
– Walk the observed input/output trace through each candidate machine, taking the transition that matches each step; if a candidate has no transition matching some step, it cannot have generated that trace and is eliminated

16 Passive Fingerprinting (2/2)
[Figure legend: NF = NoFR (no fast retransmit), T = Tahoe, R = Reno, NR = NewReno]
After the acknowledgement ACK [12] has been sent four times (i.e., three duplicate ACKs), we see a fast retransmission without a timeout, which rules out the NoFR candidate
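The PEFSM of slides 6 and 7 (states, variables, guards and actions) together with the trace-replay check of slide 15, as an added example in Python; it is not code from the paper or from TBIT. The three candidate models (NoFR, Tahoe, Reno), their initial variables, the simplified congestion-window rules and both traces are constructed for this illustration; NewReno, window growth and SACK are deliberately left out.

```python
from collections import namedtuple
from dataclasses import dataclass
from functools import partial

# A transition (s, s', i, o, P, A): guard is P(X, i); action is A, which updates the
# variables X in place and returns the output o, here the tuple of segment numbers
# the sender emits (() = silence).  The parameters of an input arrive in a dict.
Transition = namedtuple("Transition", "src dst inp guard action")

@dataclass
class PEFSM:
    name: str
    init: str
    vars0: dict
    transitions: list

    def consistent_with(self, trace):
        """Passive check: replay an observed (input, params, output) trace.  Each step
        must be matched by exactly one enabled transition yielding the observed output;
        the first step that is not rules the candidate out (models are deterministic)."""
        state, X = self.init, dict(self.vars0)
        for inp, params, observed in trace:
            enabled = [t for t in self.transitions
                       if t.src == state and t.inp == inp and t.guard(X, params)]
            if len(enabled) != 1 or enabled[0].action(X, params) != observed:
                return False
            state = enabled[0].dst
        return True

# Sender-side actions.  Sequence numbers count segments; cwnd is in segments.
def send_window(X):
    """Transmit new segments while the congestion window has room."""
    sent = []
    while X["snd_nxt"] - X["snd_una"] < X["cwnd"]:
        sent.append(X["snd_nxt"])
        X["snd_nxt"] += 1
    return tuple(sent)
def new_ack(X, p):
    X["snd_una"], X["dupacks"] = p["ack"], 0
    return send_window(X)
def count_dup(X, p):
    X["dupacks"] += 1
    return ()
def fast_retransmit(X, p, cwnd_after):
    """Third duplicate ACK: halve ssthresh, resend the oldest unacked segment, then
    set cwnd (Tahoe: 1, back to slow start; Reno: ssthresh + 3, fast recovery)."""
    X["dupacks"] += 1
    X["ssthresh"] = max((X["snd_nxt"] - X["snd_una"]) // 2, 2)
    X["cwnd"] = cwnd_after(X)
    return (X["snd_una"],)
def timeout_retransmit(X, p):
    X["cwnd"] = 1
    return (X["snd_una"],)
def inflate_and_send(X, p):      # Reno recovery: every further dup ACK inflates cwnd
    X["cwnd"] += 1
    return send_window(X)
def exit_recovery(X, p):
    X["cwnd"] = X["ssthresh"]
    return new_ack(X, p)

new = lambda X, p: p["ack"] > X["snd_una"]
dup = lambda X, p: p["ack"] == X["snd_una"]
dup3 = lambda X, p: dup(X, p) and X["dupacks"] == 2      # this one is the third duplicate
dup_other = lambda X, p: dup(X, p) and X["dupacks"] != 2
T = Transition

# Constructed, deliberately simplified models (no window growth, no SACK, no NewReno
# partial-ACK handling).  Start: segments 11..16 in flight, segment 12 gets lost.
X0 = {"snd_una": 11, "snd_nxt": 17, "cwnd": 6, "ssthresh": 64, "dupacks": 0}
CANDIDATES = [
    PEFSM("NoFR", "OPEN", X0, [                 # retransmits only on timeout
        T("OPEN", "OPEN", "ACK", new, new_ack),
        T("OPEN", "OPEN", "ACK", dup, count_dup),
        T("OPEN", "OPEN", "TIMEOUT", lambda X, p: True, timeout_retransmit)]),
    PEFSM("Tahoe", "OPEN", X0, [                # fast retransmit, then slow start
        T("OPEN", "OPEN", "ACK", new, new_ack),
        T("OPEN", "OPEN", "ACK", dup_other, count_dup),
        T("OPEN", "OPEN", "ACK", dup3, partial(fast_retransmit, cwnd_after=lambda X: 1))]),
    PEFSM("Reno", "OPEN", X0, [                 # fast retransmit plus fast recovery
        T("OPEN", "OPEN", "ACK", new, new_ack),
        T("OPEN", "OPEN", "ACK", dup_other, count_dup),
        T("OPEN", "RECOVERY", "ACK", dup3,
          partial(fast_retransmit, cwnd_after=lambda X: X["ssthresh"] + 3)),
        T("RECOVERY", "RECOVERY", "ACK", dup, inflate_and_send),
        T("RECOVERY", "OPEN", "ACK", new, exit_recovery)]),
]

def survivors(trace):
    """Names of the candidates that could have produced the observed trace."""
    return [m.name for m in CANDIDATES if m.consistent_with(trace)]

# Constructed trace in the spirit of the slide: ACK 12 arrives four times (one cumulative
# ACK plus three duplicates) and segment 12 is resent right after the fourth, with no
# timeout; a fifth ACK 12 releases new data and the ACK for 19 triggers a burst.
TRACE_RENO_LIKE = [("ACK", {"ack": 12}, (17,)), ("ACK", {"ack": 12}, ()),
                   ("ACK", {"ack": 12}, ()), ("ACK", {"ack": 12}, (12,)),
                   ("ACK", {"ack": 12}, (18,)), ("ACK", {"ack": 19}, (19, 20, 21))]
# Same loss, but the sender stays silent on the fifth ACK 12 and sends one segment
# once the hole is filled: slow start from cwnd = 1.
TRACE_TAHOE_LIKE = [("ACK", {"ack": 12}, (17,)), ("ACK", {"ack": 12}, ()),
                    ("ACK", {"ack": 12}, ()), ("ACK", {"ack": 12}, (12,)),
                    ("ACK", {"ack": 12}, ()), ("ACK", {"ack": 18}, (18,))]
```

`survivors(TRACE_RENO_LIKE)` keeps only Reno and `survivors(TRACE_TAHOE_LIKE)` only Tahoe; NoFR is dropped by both at the fourth ACK 12, exactly the step the slide points at, because the only transition it has for a duplicate ACK stays silent. Note that the check is on outputs with parameters (which segment was sent), not just on output symbols.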

17 Defending Against Malicious Fingerprinting (1/5)
Two defenses:
– Scrubbing: discard the probe input
– Camouflage: answer the probe the way a different implementation would
One important principle: the modification must be transparent to all regular users

18 Defending Against Malicious Fingerprinting (2/5)
Scrubbing: when receiving I3, discard it
The grey circle represents the common user set (the behavior every regular user relies on); dropping I3 is allowed here because no regular user depends on a response to it

19 Defending Against Malicious Fingerprinting (3/5)
Camouflage: when receiving I3, respond with O4 instead of O3
The grey circle represents the union of all user sets: regular users accept the trace of any implementation, so answering as another implementation does is transparent to them

20 Defending Against Malicious Fingerprinting (4/5)
Neither scrubbing nor camouflage is effective here
The grey circle represents the T1 user set: regular users expect exactly the trace of the T1 implementation, so the response to I3 can be neither dropped nor altered

21 Defending Against Malicious Fingerprinting (5/5)
Follow the maximum overlapping subset until only one implementation remains possible
When receiving I3, respond with O3 because that output is shared by M1 and M3 (the largest overlapping subset of the remaining candidates)
The grey circle represents the union of all user sets
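The three defense cases of slides 17 to 21 (scrubbing, camouflage, and the case where regular users pin the behavior) in an added Python example that is not from the paper. The response tables, the regular-user input set, and the reading of slide 21 as "answer with the output shared by the largest subset of candidates still consistent with the earlier answers" are assumptions of this example.

```python
# Constructed response tables (not from the paper): what each candidate implementation
# answers to three probe inputs.  The defended host really runs M1.  REGULAR lists the
# inputs ordinary users send; their answers must stay genuine (transparency), so only
# I2 and I3 may be scrubbed or camouflaged.
RESPONSES = {
    "M1": {"I1": "O1", "I2": "O1", "I3": "O3"},
    "M2": {"I1": "O1", "I2": "O2", "I3": "O3"},
    "M3": {"I1": "O1", "I2": "O2", "I3": "O4"},
    "M4": {"I1": "O2", "I2": "O2", "I3": "O4"},
}
REGULAR = {"I1"}


class Responder:
    """The defended host.  mode is "truthful", "scrub" (drop non-regular inputs) or
    "camouflage" (answer a non-regular input with the output shared by the largest
    subset of candidates still consistent with everything answered so far)."""

    def __init__(self, real, mode="truthful", table=RESPONSES, regular=REGULAR):
        self.real, self.mode, self.table, self.regular = real, mode, table, regular
        self.possible = set(table)      # what an observer could still believe we are

    def respond(self, inp):
        truth = self.table[self.real][inp]
        if inp in self.regular or self.mode == "truthful":
            out = truth
        elif self.mode == "scrub":
            return None                 # discarded: nothing for the observer to learn
        else:
            by_out = {}
            for m in self.possible:
                by_out.setdefault(self.table[m][inp], set()).add(m)
            # maximum overlapping subset; on a tie prefer the genuine answer
            out = max(by_out, key=lambda o: (len(by_out[o]), o == truth, o))
        self.possible = {m for m in self.possible if self.table[m][inp] == out}
        return out


def attacker_view(responder, probes, table=RESPONSES):
    """Active fingerprinter: send the probes and keep the candidates whose table agrees
    with every answer received.  A dropped probe (None) eliminates nobody."""
    possible = set(table)
    for inp in probes:
        out = responder.respond(inp)
        if out is not None:
            possible = {m for m in possible if table[m][inp] == out}
    return sorted(possible)


PROBES = ["I1", "I2", "I3"]
if __name__ == "__main__":
    for mode in ("truthful", "scrub", "camouflage"):
        print(mode, attacker_view(Responder("M1", mode), PROBES))
    # Slide 20: when regular users also depend on the answer to I2, it must be
    # genuine and camouflage no longer hides M1.
    print("camouflage, I2 regular",
          attacker_view(Responder("M1", "camouflage", regular={"I1", "I2"}), PROBES))
```

Truthful answers let the attacker narrow the group to M1. Scrubbing leaves the attacker with {M1, M2, M3}, since the answer to the regular input I1 is all it learns. Camouflage steers the attacker to the wrong single candidate M2: at I2 the defender joins the larger subset {M2, M3}, and at I3 the tie between M2 and M3 is broken by the genuine output O3. Once I2 is declared a regular input, the defender must answer it genuinely and is identified as M1 again, which is the situation of slide 20.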

22 Conclusion
– Proposed a formal approach to fingerprinting
– Uses PEFSMs to model protocol implementations
– Proposed algorithms for active and passive fingerprinting

23 Comments
– General and automated method
– A huge database (like the Nmap database) is needed
– How to construct the PEFSMs?