Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Finite State Machine Model of TCP Connections in the Transport Layer J. Treurniet and J.H. Lefebvre Defence R&D Canada - Ottawa Mike Hsiao, 20080822.

Published byWilfrid Stewart Modified over 9 years ago

Similar presentations

Presentation on theme: "A Finite State Machine Model of TCP Connections in the Transport Layer J. Treurniet and J.H. Lefebvre Defence R&D Canada - Ottawa Mike Hsiao, 20080822."— Presentation transcript:

1 A Finite State Machine Model of TCP Connections in the Transport Layer J. Treurniet and J.H. Lefebvre Defence R&D Canada - Ottawa Mike Hsiao, 20080822 Defence R&D Canada - Ottawa Technical Memorandum DRDC Ottawa TM 2003-139 November 2003

2 2 Outline Summary and Introduction Theory – Transmission Control Protocol – TCP Finite State Machine Model – Detection of Anomalies Implementation of the Algorithm Results and Discussion – Network Management – Security – Research – False Positives Conclusion and Future Work

3 3 Background – RFC & implementation The protocols employed on computer networks are intended to be well-defined via Request for Comments (RFC) documents. – In reality, there is enough freedom in the RFC specifications of the protocols that they can vary widely from one implementation to the next. Additional information: http://lxr.linux.no/ Summary

4 4 Background – TCP TCP is a reliable protocol, and its behavior follows a pattern that is somewhat predictable. – The “flags” convey the commands that carry a connection through these stages. … SYN SYN-ACK ACK FIN FIN-ACK ACK Three-way handshake Data exchange Closing Diagram of a “textbook” TCP connection Summary

5 5 Background – FSM The authors model a TCP connection as an FSM, – defining the states of a FSM to reflect the stages of a connection and – using the flags as the events that bring about transitions among states. The TCP FSM proposed by the authors Summary

6 6 Background – Anomaly detection To use the model for strict anomaly detection, a failure state is introduced to indicate the occurrence of a disallowed event or an attempted illegal transition. – When the time-ordered flags of a TCP connection is input to the FSM, if the connection enters a failure state or otherwise does not complete, – the connection is flagged as anomalous. State X Failure State Event Y Summary

7 7 Background The TCP FSM can be used to detect some network management issues and network security events, and it can also be used as a research tool to study the behavior of TCP on the Internet. “”Strict anomaly detection”” defines a set of permitted events and detects activity which represents exceptions to those events. – TCP, FSM, anomalous Introduction

8 8 A snapshot of TCP anomalies Impart information to – Network management Unresponsive hosts Behaviors that lead to resource consumption – Network security Scanning activity The appeal of the model is in its simplicity and it utility in a wild range of applications Introduction

9 9 Transmission Control Protocol Theory Note: Only certain flag combination are valid.

10 10 Transmission Control Protocol Theory Graceful Termination In an ungraceful termination, the connection is torn down by transmission of a reset (R) from either the client or the server. On receiving an acceptable reset, if the receiving TCP is in 1) a non-synchronized state, => returns to LISTEN; 2) a synchronized states, => aborts the connection => informs its user.

11 11 In Practice In practice, stages of a connection are only allowed to exist for a set amount of time, to free up resources that aren't being used. in most Berkeley-derived systems Theory twice the max amount of time in RFC; some implement is one minute.

12 12 TCP client and server The traditional state transition diagram for TCP is a graphical representation of two separate but related finite state machines, one for the client and one for the server. The authors have simplified the traditional TCP state transition diagram to remove the differentiation of client and server. Theory

13 13 Theory Server Client Attempt to close socket Receive close request Simultaneous close

14 14 They proposed a 7-state TCP FSM.

15 15 6 events in the proposed TCP FSM Theory (e.g., SYN+FIN) Such packets are either “crafted” or appear as a result of corruption of the packet.

16 16 Theory almost 10% of all SYN packets are retransmitted

17 17 Detection of Anomalies If the final state of the sequence is not Closed (C 2 ), then the connection is flagged as anomalous. For streams that terminate in an allowed state other than Closed, we denote the event as “timeout”” to signify that the stream has ended but the connection has not been closed. Theory

18 18 Example of Anomalies Denial of Service (DoS) – many H 2 | timeout events for one host – X | timeout or C 1 | timeout TCP half-open scan – H1 | R APU, H 1 | timeout, H 2 | R APU or H 2 | timeout Scans for OS fingerprinting (e.g., QueOS) Theory

19 19 Traffic Traces Unfiltered traffic is collected at the external interface of 3 class B networks using tcpdump. Only the first 68 bytes of each packet were collected to obtain the full TCP header. At peak times, an hourly file contained on the order of 2 million packets. Implementation of the Algorithm

20 20 Implementation The TCP FSM algorithm was written in MATLAB. In practice, each packet was read sequentially from the raw traffic file. – Each socket pair was assigned a stream holding the complete trace for that socket. – How to deal with the truncation of the traffic data? (i.e., streams that start or end in the middle of a connection) August 21, 2000 data for 24 hours starting at midnight. Implementation of the Algorithm

21 21 Analysis Results (1/3) Results and Discussion They do not proceed the normal synchronization process.

22 22 Analysis Results (2/3) Results and Discussion They do not complete the synchronization process.

23 23 Analysis Results (3/3) Results and Discussion

24 24 Results and Discussion 1)Approximately 37% of the Internet TCP traffic does not obey the protocol. 2)If we remove “SYN scan” and “bad flag scan”, ↓

25 25 Network Management Unresponsive and non-existant hosts – H 1 | R APU, H1 | Timeout, H 2 | R APU and H 2 | timeout Delays (i.e., packets do not arrive in an appropriate time) – L | {SA, A PU, F APU, R APU }, H 2 | R APU and X | timeout Abandoned connections – X | timeout and C 1 | timeout Malfuncioning TCP – H 1 | F APU Backscatter effects – L | SA or L | SA Results and Discussion

26 26 Security (1/2) TCP connect and half-open scans – Open port: {S-SA-A PU -R APU } or {S-SA-A PU -F APU -A PU -F APU -A PU } – Half open: H 2 | R APU – Closed port: H 1 | R APU, H 1 | timeout Stealth scans and inverse mapping (firewall) – SYN-FIN (e.g., Firewalls will be configured to block incoming packets with only the SYN flag set) – L | A PU + RST or ICMP destination unreachable – L | SA, L | F APU, bad flag, L | R APU Results and Discussion

27 27 Security (2/2) Aggregating scanning events – L | {SA, A PU, F APU, R APU }, H 1 | {R APU, timeout} and H 2 | {F APU, R APU } or bad flag Role of the Firewall – H 2 | timeout – H 2 | R APU Results and Discussion 1m 10m 1h 5h 12h 1d 2d 5d >5d 3 1 7 2 11

28 28 False Positives By definition, all anomalies found using strict anomaly detection are anomalous and therefore there is no false positive rate to consider. – It is difficult to determine the intent of the user who sends a SYN and receives a RST in response (failure H 1 | R APU ). – It has different meanings and possesses different importance to different applications. Results and Discussion

29 29 Conclusions and Future Work (1/2) Examining packet follows on a network that do not conform to the protocol Successfully detect TCP-based scanning activity, delays, outages, misconfigurations and other unexpected TCP behaviour Correlation engines could be used to correlate the events found through application of this model. A successful full connect scan cannot be detected with this method because the flag pattern obeys the protocol specification. Include an option for TCP traffic that is not officially allowed but is nevertheless present on the Internet. IDS Conclusions and Future Work

30 30 Conclusions and Future Work (2/2) Using the proportionalities of anomalies found by implementing the TCP FSM, one can introduce failures using a Markov chain approach. As well as a mechanism for traffic generation, Markov models may provide the capability of assigning a probability that a connection is valid. This may be the basis of a statistical anomaly detection engine. Conclusions and Future Work

31 31 Comments The usage of a protocol can be considered as a distinctive signature to a program. Our work also include service level, and an application is more complicated than TCP. – More events (messages) – States are unclear. Too much false positive for anomaly detection model. Perfect attacks may exist.

32 32 Further Readings TCP – Floyd, S. (2002). Inappropriate TCP Resets Considered Harmful. (work in progress). – End-to-end Interest Maillist. Frequency of RST terminated connections. USC Information Sciences Institute. Apps – Sasha/Beetle (2000). A Strict Anomaly Detection Model for IDS. Phrack, 10(56). – Das, K. (2002). Protocol Anomaly Detection for Network- based Intrusion Detection. SANS Institute. – Lemonnier, E. (2001). Protocol Anomaly Detection in Network-based IDSs.

Download ppt "A Finite State Machine Model of TCP Connections in the Transport Layer J. Treurniet and J.H. Lefebvre Defence R&D Canada - Ottawa Mike Hsiao, 20080822."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
CISCO NETWORKING ACADEMY Chabot College ELEC 99.05 Transport Layer (4)

CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)
Computer Security and Penetration Testing

Computer Security and Penetration Testing
TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
CCNA – Network Fundamentals

CCNA – Network Fundamentals
Transport Layer – TCP (Part2) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.

Transport Layer – TCP (Part2) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.
Transmission Control Protocol (TCP)

Transmission Control Protocol (TCP)
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Chapter 7: Transport Layer

Chapter 7: Transport Layer
Fundamentals of Computer Networks ECE 478/578 Lecture #20: Transmission Control Protocol Instructor: Loukas Lazos Dept of Electrical and Computer Engineering.

Fundamentals of Computer Networks ECE 478/578 Lecture #20: Transmission Control Protocol Instructor: Loukas Lazos Dept of Electrical and Computer Engineering.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.

UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.

1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
Transmission Control Protocol (TCP) Basics

Transmission Control Protocol (TCP) Basics
CS3505 The Internet and Info Hiway transport layer protocols : TCP/UDP.

CS3505 The Internet and Info Hiway transport layer protocols : TCP/UDP.
Transport Layer – TCP (Part1) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.

Transport Layer – TCP (Part1) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.
Chapter 7 – Transport Layer Protocols

Chapter 7 – Transport Layer Protocols

Similar presentations

Ads by Google