Abstract
In the Internet, flow analysis and network monitoring have been studied by various methods. Some methods try to make TCP (Transport Control Protocol) traces more readable by showing them graphically. Others such as MRTG, NetScope, and NetFlow read the traffic counters of the routers and record the data for traffic engineering. Even if all of the above methods are useful, they are made only to perform a single task. This paper describes an improved TCP Protocol Machine, a multipurpose tool that can be used for flow analysis, intrusion detection and link congestion monitoring. It is developed based on a finite state machine (automation). The machine separates the flows into two main groups. If a flow can be mapped to a set of input symbols of the automation, it is valid, otherwise it is invalid. It can be observed that intruders' attacks are easily detected by the use of the protocol machine. Also link congestion can be monitored, by measuring the percentage of valid flows to the total number of flows. We demonstrate the capability of this tool through measurement and working examples.
Original language | English |
---|---|
Pages (from-to) | 595-603 |
Number of pages | 9 |
Journal | IEICE Transactions on Communications |
Volume | E86-B |
Issue number | 2 |
Publication status | Published - 2003 Feb |
Keywords
- Finite state machine (FSM)
- Intrusion detection
- Invalid flow
- Network congestion
- TCP protocol machine
ASJC Scopus subject areas
- Electrical and Electronic Engineering
- Computer Networks and Communications