Abstract:
Without detailed knowledge of the network topology between the Network Security Audit System (NSAS) and the end system, the NSAS may be unable to determine whether a given packet will even be seen by the end system. A finite state machine detection model based on an adaptive TTL neuron is proposed in this paper to solve this problem. By inspecting the variance of the Time To Live (TTL) field in the ingress sequence, the adaptive TTL neuron compares the TTL field of a new fragment with the average
INTRODUCTION
A network security audit system (NSAS), like an IDS or a content-based audit system (Cao et al., 2002), protects the end systems of an Intranet online. By exploiting ambiguities in the traffic stream as seen by the NSAS, a skilled attacker can mount insertion and evasion (IE) attacks (Ptacek and Newsham, 1998; Patton et al., 2001) against end systems. When the NSAS accepts a packet that an end system rejects, that is an insertion attack; when an end system accepts a packet that the NSAS rejects, that is an evasion attack. In the absence of external knowledge (end system implementation details, topology details), exploitable ambiguities can arise in two different ways (Handley et al., 2001): (1) Without detailed knowledge of the end system's protocol implementation, the NSAS may be unable to determine how the end system will treat a given sequence of packets if different implementations interpret the same stream of packets in different ways. Unfortunately, Internet protocol specifications do not always accurately specify the complete behavior of protocols, especially for rare or exceptional conditions. In addition, different operating systems and applications implement different subsets of the protocols. (2) Without detailed knowledge of the network topology between the NSAS and the end system, the NSAS may be unable to determine whether a given packet will even be seen by the end system. For example, a packet seen by the NSAS that has a low Time To Live (TTL) field may or may not have sufficient hop count remaining to make it all the way to the end system. See Fig. 1 for an example.
Fig. 1: IE attack example
In this paper, a finite state machine detection model based on an adaptive TTL neuron is proposed to detect the latter case. Counting the TTL average of ingress as
ADAPTIVE TTL NEURON
In the adaptive TTL neuron, the TTL average of ingress fragments as
Each connection of the ingress flow is denoted by the tuple (ID, Sip, Sport, Dip, Dport, C,) for the incoming fragments. ID is the Identification field in the IP header. Sip is the source IP address. Sport is the source port. Dip is the destination IP address. Dport is the destination port. C is the total number of packets counted for the connection. is the TTL average of ingress for the connection. Let D denote the depth of the Intranet.
For every tuple,
Step 1: For the new packet,
Step 2: If
Step 3: The ingress may be an IE attack; the TTL neuron returns TRUE.
Following the above steps, a packet with an abnormal TTL field will be detected. The adaptive TTL neuron returns TRUE when an IE attack is detected and FALSE for a benign packet.
FINITE STATE MACHINE
Symbol meaning: We denote the finite state machine as FSM = [I, O, S, δ, s0]:
• I: input symbol set
• O: output symbol set
• S: state set
• δ: S × I → I state transition function
• s0: initial state
With the definition of the finite state machine, the detection model is shown in Fig. 2. The meaning of the parameters in the finite state machine detection model is the following:
(1) Input symbol set I = {X, Y, Z}
Every element of I carries two inputs: one is the result of the OR function of the More Fragments (MF) bit and the Fragment Offset field in the IP header, the other is the result of the TTL neuron.
Fig. 2: Finite state machine detection model
Different inputs have the following cases (the former is the OR function result, the latter is the result of the TTL neuron; x means don't care):
X (0, x): The packet is not a fragment; there is no IE attack.
Y (1, 0): The packet is a fragment, but there is no IE attack.
Z (1, 1): The packet is a fragment and it seems to be an IE attack.
(2) State set S = {s0, s1, s2, s3}
s0, s1: Detection state
s2: The ingress is normal
s3: Seems to be an IE attack
(3) State transition function δ: S × I → I:
Detection method: A packet passes through the initial state s0 to start detection. If the packet is not a fragment, it cannot be an IE attack and the machine turns to state s2; otherwise it turns to state s1 for the next detection. In state s1, the fragment is submitted to state s3 for format formalization if an IE attack is detected. In state s3, the TTL field of the fragment is modified to be
(1) s0: In this state, the finite state machine classifies the packet as a fragment or not by the Flags field and the Fragment Offset field of the IP header. Of the three bits of the Flags field (IETF, 1981), bit 0 is reserved; bit 1 (DF) means don't fragment when set to 1 and may fragment when 0; bit 2 (MF) means more fragments follow when set to 1 and this is the last fragment when 0. The value (0 or 1) is obtained from the OR function of MF and the Fragment Offset. FALSE means the packet is not a fragment, so turn to s2; TRUE means it is, so turn to s1.
(2) s1: If the TTL field value were only compared with some constant, without considering the variance of the TTL field, the result could be a false positive. In this study, the TTL field variance comparison is done against the TTL average computed in the adaptive TTL neuron. If the variance is large, the fragment is abnormal; then turn to state s3 to do the format formalization of the TTL field. Otherwise switch to state s2.
(3) s2: In this state, the packet is normal.
(4) s3: In this state, the fragment is abnormal in its TTL field and may be an IE attack. Fill the in the TTL field of the fragment, then alert and record.
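The adaptive TTL neuron (Steps 1 to 3 above) and the s0 to s3 state machine just described, as an added example that is not the paper's own code. The paper elides the exact comparison in Step 2, so the rule used here, a deviation from the per-connection average larger than the intranet depth D counts as abnormal, is an assumption, as is the choice to update the average only with benign fragments; the packets are constructed.

```python
from dataclasses import dataclass

@dataclass
class Packet:                      # constructed view of the IP-header fields used here
    ident: int; sip: str; sport: int; dip: str; dport: int
    ttl: int; mf: int; frag_offset: int

class TTLNeuron:
    """Per-connection TTL average; returns TRUE when a fragment's TTL deviates."""
    def __init__(self, depth):
        self.depth = depth         # D: depth of the intranet, in hops
        self.conn = {}             # (ID, Sip, Sport, Dip, Dport) -> (C, TTL average)

    def check(self, p):
        key = (p.ident, p.sip, p.sport, p.dip, p.dport)
        count, avg = self.conn.get(key, (0, float(p.ttl)))
        # Assumed Step 2 rule: a deviation beyond the intranet depth is abnormal.
        abnormal = abs(p.ttl - avg) > self.depth
        if not abnormal:           # assumption: only benign fragments update the average
            count += 1
            avg += (p.ttl - avg) / count
        self.conn[key] = (count, avg)
        return abnormal, avg

def fsm_detect(neuron, p):
    """s0 -> s1/s2 -> s3/s2 as in Fig. 2; returns (final state, input symbol, TTL out)."""
    # s0: the OR of the MF bit and the Fragment Offset decides fragment or not.
    if not (p.mf or p.frag_offset):
        return "s2", "X", p.ttl             # X (0, x): not a fragment, no IE attack
    # s1: consult the adaptive TTL neuron for the fragment.
    attack, avg = neuron.check(p)
    if not attack:
        return "s2", "Y", p.ttl             # Y (1, 0): TTL consistent with the flow
    # s3: format formalization, the abnormal TTL is replaced by the average; alert here.
    return "s3", "Z", int(round(avg))       # Z (1, 1)

def run_sample():
    neuron = TTLNeuron(depth=4)
    base = dict(ident=0x1234, sip="10.0.0.5", sport=40000, dip="10.0.1.7", dport=80)
    flow = [Packet(**base, ttl=64, mf=1, frag_offset=0),
            Packet(**base, ttl=63, mf=1, frag_offset=185),
            Packet(**base, ttl=3, mf=1, frag_offset=370),    # TTL too low to reach the end system
            Packet(**base, ttl=64, mf=0, frag_offset=555),
            Packet(ident=0x9999, sip="10.0.0.9", sport=1, dip="10.0.1.7", dport=53,
                   ttl=10, mf=0, frag_offset=0)]             # unfragmented: neuron not consulted
    return [fsm_detect(neuron, p) for p in flow]

if __name__ == "__main__":
    for state, symbol, ttl in run_sample():
        print(state, symbol, ttl)
```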
DETECTING ABILITY
With the inspection of the variance of the TTL field, the finite state machine detection model based on an adaptive TTL neuron is proposed to detect IE attacks. The TTL field of a fragment that is detected to be an IE attack will be set to the TTL average
As the detection example for Fig. 1, the TTL average
Fig. 3: Detection process
CONCLUSIONS
In this study, a finite state machine detection model based on an adaptive TTL neuron is proposed to detect TTL-based IE attacks. By inspecting the variance of the TTL field in the ingress sequence, the adaptive TTL neuron compares the TTL field of a new fragment with the average