An improved TCP protocol machine for flow analysis and network monitoring

Heshmatollah Khosravi, Masaki Fukushima, Shigeki Goto

    Research output: Contribution to journalArticle

    Abstract

    In the Internet, flow analysis and network monitoring have been studied by various methods. Some methods try to make TCP (Transport Control Protocol) traces more readable by showing them graphically. Others such as MRTG, NetScope, and NetFlow read the traffic counters of the routers and record the data for traffic engineering. Even if all of the above methods are useful, they are made only to perform a single task. This paper describes an improved TCP Protocol Machine, a multipurpose tool that can be used for flow analysis, intrusion detection and link congestion monitoring. It is developed based on a finite state machine (automation). The machine separates the flows into two main groups. If a flow can be mapped to a set of input symbols of the automation, it is valid, otherwise it is invalid. It can be observed that intruders' attacks are easily detected by the use of the protocol machine. Also link congestion can be monitored, by measuring the percentage of valid flows to the total number of flows. We demonstrate the capability of this tool through measurement and working examples.

    Original languageEnglish
    Pages (from-to)595-603
    Number of pages9
    JournalIEICE Transactions on Communications
    VolumeE86-B
    Issue number2
    Publication statusPublished - 2003 Feb

      Fingerprint

    Keywords

    • Finite state machine (FSM)
    • Intrusion detection
    • Invalid flow
    • Network congestion
    • TCP protocol machine

    ASJC Scopus subject areas

    • Electrical and Electronic Engineering
    • Computer Networks and Communications

    Cite this