Title :
Protocol anomaly detection and verification
Author_Institution :
Dept. of Informatics, Fribourg Univ., Switzerland
Abstract :
How can protocol anomalies be distinguished from normal network traffic? How can protocol usage be normalized against misuse when both are based on the same protocol specification? And how can protocol anomalies be detected and verified in real time? This paper seeks to answer these questions. To do so, we normalize layer-3 and layer-4 protocol usage and design a packet verifier consisting of a packet inspection engine and a SanityChecker. TCP transaction behaviour is specified declaratively in a high-level language, the Specification and Description Language (SDL); this specification is compiled into an inspection engine program that observes packets. In addition, the SanityChecker covers protocol header anomalies.
Keywords :
formal specification; formal verification; security of data; specification languages; transport protocols; TCP transaction behaviour; description language; network traffic; packet inspection engine; packet verifier; protocol anomaly detection; specification language; Computer crime; Diffserv networks; High level languages; Inspection; Internet; Logic; Search engines; Telecommunication traffic; Transport protocols; Viruses (medical);
Conference_Title :
Information Assurance Workshop, 2004. Proceedings from the Fifth Annual IEEE SMC
Print_ISBN :
0-7803-8572-1
DOI :
10.1109/IAW.2004.1437800