
Network Event Recognition

Formal Methods in System Design

Abstract

Network protocols can be tested by capturing communication packets, assembling them into high-level events, and comparing these to a finite state machine that describes the protocol standard. This process, which we call Network Event Recognition (NER), faces a number of challenges only partially addressed by existing systems. These include the ability to provide precise conformance with specifications, achieve adequate performance, admit analysis of the correctness of recognizers, provide useful diagnostics to enable the analysis of errors, and provide reasonable fidelity by distinguishing application errors from network errors. We introduce a special-purpose Network Event Recognition Language (NERL) and associated tools to address these issues. We validate the design using case studies on protocols at application and transport layers. These studies show that our system can efficiently find errors in recognizers and implementations of widely deployed protocols; they also demonstrate how improved diagnostics and transformations can substantially improve understanding of information generated by packet traces.
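The pipeline the abstract describes (packets, then events, then a check against a state machine) can be sketched as follows. This is an added example, not NERL and not code from the paper. It assumes a simplified SMTP client-command machine, a `(sequence number, payload)` segment format, and constructed sample traces. It reports a hole in the capture separately from a protocol violation.

```python
# Added illustration, not NERL: captured segments -> events -> FSM check.
# Simplified SMTP client-command machine; state names are assumptions.
FSM = {
    ("start", "HELO"): "greeted",
    ("greeted", "MAIL"): "mail",
    ("mail", "RCPT"): "rcpt",
    ("rcpt", "RCPT"): "rcpt",
    ("rcpt", "DATA"): "data",
}

def segments(chunks, start=1000):
    """Build a constructed trace: (sequence number, payload) per segment."""
    trace, seq = [], start
    for chunk in chunks:
        trace.append((seq, chunk))
        seq += len(chunk)
    return trace

def assemble(packets):
    """Reorder by sequence number and cut the stream into command events.
    Yields ("event", verb), or ("gap", seq) where the capture lost bytes."""
    expected, buf = min(seq for seq, _ in packets), b""
    for seq, payload in sorted(packets):
        if seq < expected:      # retransmitted segment, already consumed
            continue
        if seq > expected:      # hole in the trace
            yield ("gap", expected)
            buf = b""
        buf += payload
        expected = seq + len(payload)
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            if line.strip():
                yield ("event", line.split()[0].decode("ascii", "replace").upper())

def recognize(packets):
    """Return (verdict, diagnostic) for one client-to-server trace."""
    state = "start"
    for kind, value in assemble(packets):
        if kind == "gap":
            return ("network_error", f"capture is missing bytes at seq {value}")
        nxt = FSM.get((state, value))
        if nxt is None:
            return ("application_error", f"{value} not allowed in state {state}")
        state = nxt
    return ("conforms", state)

# Constructed sample input; the first command is split across two segments.
GOOD = segments([b"HELO a.ex", b"ample\r\n", b"MAIL FROM:<x@a.example>\r\n",
                 b"RCPT TO:<y@b.example>\r\n", b"DATA\r\n"])
```

If the `MAIL` segment is dropped from `GOOD`, the result is `network_error`. Without the gap check, the same trace would be misreported as an application error (`RCPT` in state `greeted`).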



Author information

Corresponding author

Correspondence to Karthikeyan Bhargavan.


About this article

Cite this article

Bhargavan, K., Gunter, C.A. Network Event Recognition. Form Method Syst Des 27, 213–251 (2005). https://doi.org/10.1007/s10703-005-3398-4


  • DOI: https://doi.org/10.1007/s10703-005-3398-4
