TOWARDS RUN-TIME PROTOCOL ANOMALY DETECTION AND VERIFICATION

Inseon Yoo, Ulrich Ultes-nitsche

Abstract

"How can we verify whether incoming packets follow the standards?" and "How can we detect protocol anomalies in real time?" are the questions we seek to answer. To address them, we have designed a packet verifier that combines packet inspection with a sanity check. In this work, we specify TCP transaction behaviours declaratively in a high-level language, the Specification and Description Language (SDL). This specification is then compiled into an inspection engine program for observing packets. In addition, the SanityChecker covers protocol header anomalies.



Paper Citation


in Harvard Style

Yoo I. and Ultes-nitsche U. (2004). TOWARDS RUN-TIME PROTOCOL ANOMALY DETECTION AND VERIFICATION. In Proceedings of the First International Conference on E-Business and Telecommunication Networks - Volume 2: ICETE, ISBN 972-8865-15-5, pages 299-304. DOI: 10.5220/0001395802990304


in Bibtex Style

@conference{icete04,
author={Inseon Yoo and Ulrich Ultes-nitsche},
title={TOWARDS RUN-TIME PROTOCOL ANOMALY DETECTION AND VERIFICATION},
booktitle={Proceedings of the First International Conference on E-Business and Telecommunication Networks - Volume 2: ICETE,},
year={2004},
pages={299-304},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001395802990304},
isbn={972-8865-15-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the First International Conference on E-Business and Telecommunication Networks - Volume 2: ICETE,
TI - TOWARDS RUN-TIME PROTOCOL ANOMALY DETECTION AND VERIFICATION
SN - 972-8865-15-5
AU - Yoo I.
AU - Ultes-nitsche U.
PY - 2004
SP - 299
EP - 304
DO - 10.5220/0001395802990304