Abstract
Network protocols can be tested by capturing communication packets, assembling them into the high-level events, and comparing these to a finite state machine that describes the protocol standard. This process, which we call Network Event Recognition (NER), faces a number of challenges only partially addressed by existing systems. These include the ability to provide precise conformance with specifications, achieve adequate performance, admit analysis of the correctness of recognizers, provide useful diagnostics to enable the analysis of errors, and provide reasonable fidelity by distinguishing application errors from network errors. We introduce a special-purpose Network Event Recognition Language (NERL) and associated tools to address these issues. We validate the design using case studies on protocols at application and transport layers. These studies show that our system can efficiently find errors in recognizers and implementations of widely deployed protocols; they also demonstrate how improved diagnostics and transformations can substantially improve understanding of information generated by packet traces.
Similar content being viewed by others
References
K. Bhargavan, “Network Event Recognition,” Ph D thesis, University of Pennsylvania, 2003.
K. Bhargavan, C.A. Gunter, and D. Obradovic, “Fault origin adjudication,” Formal Methods in Software Practice, 2000.
K. Bhargavan, C.A. Gunter, M. Kim, I. Lee, D. Obradovic, O. Sokolsky, and M. Viswanathan, “Verisim: Formal analysis of network simulations,” IEEE Transactions on Software Engineering, Vol. 28, No. 2, pp. 129–145, 2002.
K. Bhargavan, S. Chandra, P.J. McCann, and C. A Gunter, “What packets may come: Automata for network monitoring,”in Proceedings of the Symposium on Principles of Programming Languages (POPL'01), ACM Press, pp. 206–219, 2001.
D. Binkley and K. Brian Gallagher, “Program slicing,” Advances in Computers, 1996.
G.V. Bochmann and O. Bellal, “Test result analysis with respect to formal specifications,” in Proc. 2-nd Int. Workshop on Protocol Test Systems. Berlin, 1989 pp. 272–294,.
R. Braden, “Requirements for internet hosts—communication layers,” Technical Report RFC 1122, IETF, 1989.
M. Crispin, “Internet message access protocol—Version 4rev1,”Technical Report RFC 2060, IETF, 1996.
D. Crocker, “Standard for the format of ARPA internet text messages,” Technical Report RFC 822, IETF, 1982.
S.A. Ezust and G.V. Bochmann, “An automatic trace analysis tool generator for estelle specifications,” Computer Communication Review, Vol. 25, No. 4, pp. 175–184, 1995 Proceedings of ACM SIGCOMM 95 Conference.
D.J. Farber and J.B. Picken, The overseer, a powerful communications attribute for debugging and security in thin-wire connected control structures, in Proceedings of International Computer Communications Conference, 1976.
G.J. Holzmann, “SPIN-formal verification,” Web Page. Available at http://netlib.bell-labs.com/netlib/spin/whatispin.html.
G.J. Holzmann, Design and Validation of Computer Protocols, Prentice Hall, 1991. http://cm.bell-labs.com/cm/cs/what/spin/Doc/Book91.html.
G.J. Holzmann, Logic Verification of ANSI-C Code with SPIN, Springer Verlag/LNCS, 1885, pp. 131–147, 2000.
IPInformation Sciences Institute, “Internet protocol,” Technical Report RFC 791, IETF, 1981a.
TCPInformation Sciences Institute, “Transmission control protocol,” Technical Report RFC 793, IETF, 1981b.
J. Klensin, “Simple mail transfer protocol,” Technical Report RFC 2821, IETF, 2001.
E. Kohler, M. Frans Kaashoek, and D.R. Montgomery, “A readable TCP in the Prolac protocol language,” in Proceedings of the ACM SIGCOMM'99 Conference: Applications, Technologies, Architectures, and Protocols for Computer Communication, Cambridge, Massachusetts, pp. 3–13, 1999.
I. Lee, S. Kannan, M. Kim, O. Sokolsky, and M. Viswanathan, “Runtime assurance based on formal specifications,” in Proceedings International Conference on Parallel and Distributed Processing Techniques and Applications, 1999.
Lotos: A formal description technique, 1987.
Z. Manna and A. Pnueli, The Temporal Logic of Reactive and Concurrent Systems, Springer-Verlag, 1991.
P. McCann and S. Chandra, “Packet Types: Abstract specification of network protocol messages,” in ACM Conference of Special Interest Group on Data Communications (SIGCOMM), August 2000.
J. Myers and M. Rose, “Post Office Protocol—Version 3.” Technical Report RFC 1939, IETF, 1996.
NSS Group, “Intrusion detection systems—group test,” December 2001.
V. Paxson, “Automated packet trace analysis of TCP implementations,” in ACM SIGCOMM'97, September 1997.
V. Paxson, “Bro: A system for detecting network intruders in real-time,” Computer Networks, Vol. 31, pp. 2435–2463, 14 December 1999.This paper is a revision of paper that previously appeared in Proc. 7th USENIX Security Symposium, January 1998.
C. Perkins, “Ad hoc on-demand distance vector (AODV) routing,” Internet-Draft Version 00, IETF, 1997.
C.E. Perkins and E.M. Royer, “Ad-hoc on-demand distance vector routing,” in Proceedings of the 2nd IEEE Workshop on Mobile Computer Systems and Applications, 1999, pp. 90–100.
J. Postel, “Internet control message protocol,” Technical Report RFC 792, IETF, 1981.
J.B. Postel, “Simple mail transfer protocol,” Technical Report RFC 821, IETF, 1982.
T.H. Ptacek and T.N. Newsham, “Insertion, evasion and denial of service: Eluding network intrusion detection,” Technical report, Secure Networks, Inc., 1998.
P. Resnick, “Internet message format,” Technical Report RFC 2822, IETF, 2001.
W.R. Stevens, “TCP/IP Illustrated, Volume 1, The Protocols,”Addison-Wesley, Reading, Massachusetts, Vol. 1, 1994.
F. Tip, “A survey of program slicing techniques,” Journal of Programming Languages, Vol. 3, pp. 121–189, 1995.
R. van Renesse, K. Birman, M. Hayden, A. Vaysburd, and D. Karr, “Building adaptive systems using Ensemble,” Softw. Pract. Exper., Vol. 28, No. 9, pp. 963–979, 1998.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Bhargavan, K., Gunter, C.A. Network Event Recognition. Form Method Syst Des 27, 213–251 (2005). https://doi.org/10.1007/s10703-005-3398-4
Issue Date:
DOI: https://doi.org/10.1007/s10703-005-3398-4