An improved TCP protocol machine for flow analysis and network monitoring

Heshmatollah Khosravi, Masaki Fukushima, Shigeki Goto

    Research output: Contribution to journal › Article

    Abstract

    In the Internet, flow analysis and network monitoring have been studied by various methods. Some methods try to make TCP (Transport Control Protocol) traces more readable by showing them graphically. Others such as MRTG, NetScope, and NetFlow read the traffic counters of the routers and record the data for traffic engineering. Even if all of the above methods are useful, they are made only to perform a single task. This paper describes an improved TCP Protocol Machine, a multipurpose tool that can be used for flow analysis, intrusion detection and link congestion monitoring. It is developed based on a finite state machine (automaton). The machine separates the flows into two main groups. If a flow can be mapped to a set of input symbols of the automaton, it is valid, otherwise it is invalid. It can be observed that intruders' attacks are easily detected by the use of the protocol machine. Link congestion can also be monitored by measuring the percentage of valid flows to the total number of flows. We demonstrate the capability of this tool through measurement and working examples.
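    The abstract describes the mechanism only in outline: a flow's segments are mapped onto the input symbols of a finite automaton, a flow that the automaton can consume is valid, anything else is invalid, and the valid-to-total ratio serves as a congestion indicator. The following Python program is an added illustration of that idea, not code from the paper; its states, symbol alphabet (sender plus TCP flag set), accepting states and sample flows are all assumptions made for this example, since the record does not give the authors' automaton.

```python
"""Toy TCP protocol machine in the style described in the abstract.

Constructed illustration: the states, input symbols and sample flows below
are assumptions for this example, not the automaton of Khosravi et al.
"""

SYN, ACK, FIN, RST, PSH, URG = "SYN", "ACK", "FIN", "RST", "PSH", "URG"


def sym(direction, *flags):
    """Input symbol of the automaton: who sent the segment ('c' = client,
    's' = server) and which TCP flags it carried."""
    return (direction, frozenset(flags))


# Transition table of a simplified client-initiated connection (assumption:
# data segments carry ACK or PSH+ACK, the client closes first, and a RST from
# either side is an abortive but legitimate close).
TRANSITIONS = {
    ("CLOSED",      sym("c", SYN)):      "SYN_SENT",
    ("SYN_SENT",    sym("s", SYN, ACK)): "SYN_RCVD",
    ("SYN_SENT",    sym("s", RST, ACK)): "REFUSED",
    ("SYN_RCVD",    sym("c", ACK)):      "ESTABLISHED",
    ("ESTABLISHED", sym("c", ACK)):      "ESTABLISHED",
    ("ESTABLISHED", sym("s", ACK)):      "ESTABLISHED",
    ("ESTABLISHED", sym("c", PSH, ACK)): "ESTABLISHED",
    ("ESTABLISHED", sym("s", PSH, ACK)): "ESTABLISHED",
    ("ESTABLISHED", sym("c", RST)):      "CLOSED",
    ("ESTABLISHED", sym("s", RST)):      "CLOSED",
    ("ESTABLISHED", sym("c", FIN, ACK)): "FIN_WAIT",
    ("FIN_WAIT",    sym("s", ACK)):      "FIN_WAIT",
    ("FIN_WAIT",    sym("s", FIN, ACK)): "LAST_ACK",
    ("LAST_ACK",    sym("c", ACK)):      "CLOSED",
}

# States in which a flow may legitimately end when the capture stops: still
# open, properly closed, or refused by the server (assumption of this example).
ACCEPTING = {"ESTABLISHED", "CLOSED", "REFUSED"}


def run_machine(packets):
    """Feed a flow's segments to the automaton.

    Returns (final_state, stuck_at): stuck_at is None when every segment
    mapped to a transition, otherwise the index of the first segment for
    which the machine had no transition.
    """
    state = "CLOSED"
    for i, (direction, flags) in enumerate(packets):
        nxt = TRANSITIONS.get((state, sym(direction, *flags)))
        if nxt is None:
            return state, i
        state = nxt
    return state, None


def is_valid(packets):
    """A flow is valid when the whole sequence maps to input symbols of the
    automaton and it ends in an accepting state."""
    state, stuck_at = run_machine(packets)
    return stuck_at is None and state in ACCEPTING


def classify(flows):
    """Map flow name -> True (valid) / False (invalid)."""
    return {name: is_valid(pkts) for name, pkts in flows.items()}


def valid_ratio(flows):
    """Share of valid flows: the congestion indicator named in the abstract."""
    if not flows:
        return 0.0
    return sum(classify(flows).values()) / len(flows)


# Constructed sample flows (each segment is (sender, set of flags)).
FLOWS = {
    "normal": [("c", {SYN}), ("s", {SYN, ACK}), ("c", {ACK}),
               ("c", {PSH, ACK}), ("s", {PSH, ACK}),
               ("c", {FIN, ACK}), ("s", {ACK}), ("s", {FIN, ACK}), ("c", {ACK})],
    "refused": [("c", {SYN}), ("s", {RST, ACK})],
    "half_open": [("c", {SYN})],                      # handshake never completes
    "odd_flags": [("c", {FIN, PSH, URG})],            # no handshake at all
    "mid_stream": [("c", {ACK}), ("s", {ACK})],       # capture missed the open
}

if __name__ == "__main__":
    for name, ok in classify(FLOWS).items():
        state, stuck_at = run_machine(FLOWS[name])
        print(f"{name:11s} valid={ok!s:5s} state={state} stuck_at={stuck_at}")
    print(f"valid ratio: {valid_ratio(FLOWS):.2f}")
```

    Two of the five constructed flows are valid, so the ratio is 0.40. The `half_open` and `odd_flags` cases show the two ways a flow fails: the machine consumes all of the input but stops in a non-accepting state, or it meets a segment with no transition at all. The `mid_stream` case is the caveat a deployment has to think about: a monitor started while connections are already open will see ACK-only traffic from `CLOSED` and flag healthy flows as invalid, which would depress the valid ratio for reasons unrelated to congestion; the record does not say how the paper's machine treats flows whose handshake was not observed.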

    Original language: English
    Pages (from-to): 595-603
    Number of pages: 9
    Journal: IEICE Transactions on Communications
    Volume: E86-B
    Issue number: 2
    Publication status: Published - 2003 Feb

    Fingerprint

    Computer networks
    Network protocols
    Monitoring
    Automation
    Finite automata
    Intrusion detection
    Routers
    Internet

    Keywords

    • Finite state machine (FSM)
    • Intrusion detection
    • Invalid flow
    • Network congestion
    • TCP protocol machine

    ASJC Scopus subject areas

    • Electrical and Electronic Engineering
    • Computer Networks and Communications

    Cite this

    An improved TCP protocol machine for flow analysis and network monitoring. / Khosravi, Heshmatollah; Fukushima, Masaki; Goto, Shigeki.

    In: IEICE Transactions on Communications, Vol. E86-B, No. 2, 02.2003, p. 595-603.

    Khosravi, H, Fukushima, M & Goto, S 2003, 'An improved TCP protocol machine for flow analysis and network monitoring', IEICE Transactions on Communications, vol. E86-B, no. 2, pp. 595-603.
    Khosravi, Heshmatollah ; Fukushima, Masaki ; Goto, Shigeki. / An improved TCP protocol machine for flow analysis and network monitoring. In: IEICE Transactions on Communications. 2003 ; Vol. E86-B, No. 2. pp. 595-603.
    @article{910f3b877af24f2aaeb3175ec71a311b,
    title = "An improved TCP protocol machine for flow analysis and network monitoring",
    abstract = "In the Internet, flow analysis and network monitoring have been studied by various methods. Some methods try to make TCP (Transport Control Protocol) traces more readable by showing them graphically. Others such as MRTG, NetScope, and NetFlow read the traffic counters of the routers and record the data for traffic engineering. Even if all of the above methods are useful, they are made only to perform a single task. This paper describes an improved TCP Protocol Machine, a multipurpose tool that can be used for flow analysis, intrusion detection and link congestion monitoring. It is developed based on a finite state machine (automaton). The machine separates the flows into two main groups. If a flow can be mapped to a set of input symbols of the automaton, it is valid, otherwise it is invalid. It can be observed that intruders' attacks are easily detected by the use of the protocol machine. Link congestion can also be monitored by measuring the percentage of valid flows to the total number of flows. We demonstrate the capability of this tool through measurement and working examples.",
    keywords = "Finite state machine (FSM), Intrusion detection, Invalid flow, Network congestion, TCP protocol machine",
    author = "Heshmatollah Khosravi and Masaki Fukushima and Shigeki Goto",
    year = "2003",
    month = "2",
    language = "English",
    volume = "E86-B",
    pages = "595--603",
    journal = "IEICE Transactions on Communications",
    issn = "0916-8516",
    publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
    number = "2",
    }

    TY  - JOUR
    T1  - An improved TCP protocol machine for flow analysis and network monitoring
    AU  - Khosravi, Heshmatollah
    AU  - Fukushima, Masaki
    AU  - Goto, Shigeki
    PY  - 2003/2
    Y1  - 2003/2
    AB  - In the Internet, flow analysis and network monitoring have been studied by various methods. Some methods try to make TCP (Transport Control Protocol) traces more readable by showing them graphically. Others such as MRTG, NetScope, and NetFlow read the traffic counters of the routers and record the data for traffic engineering. Even if all of the above methods are useful, they are made only to perform a single task. This paper describes an improved TCP Protocol Machine, a multipurpose tool that can be used for flow analysis, intrusion detection and link congestion monitoring. It is developed based on a finite state machine (automaton). The machine separates the flows into two main groups. If a flow can be mapped to a set of input symbols of the automaton, it is valid, otherwise it is invalid. It can be observed that intruders' attacks are easily detected by the use of the protocol machine. Link congestion can also be monitored by measuring the percentage of valid flows to the total number of flows. We demonstrate the capability of this tool through measurement and working examples.
    KW  - Finite state machine (FSM)
    KW  - Intrusion detection
    KW  - Invalid flow
    KW  - Network congestion
    KW  - TCP protocol machine
    UR  - http://www.scopus.com/inward/record.url?scp=0042510234&partnerID=8YFLogxK
    UR  - http://www.scopus.com/inward/citedby.url?scp=0042510234&partnerID=8YFLogxK
    M3  - Article
    VL  - E86-B
    SP  - 595
    EP  - 603
    JO  - IEICE Transactions on Communications
    JF  - IEICE Transactions on Communications
    SN  - 0916-8516
    IS  - 2
    ER  -