the length of the packet is greater than the MTU of the next network, it must be divided into several smaller packets, which is called fragmentation. Attackers often exploit this mechanism and place attack data into these small fragments so as to evade detection.
For some typical IP fragment attacks, such as Teardrop, the signature is that the IP_MF flag is set in the ip_off field and the value of the length field in the header differs from the actual length of the received packet. When the IP packets are encapsulated, malicious data is placed into different fragments so as to attack the destination after reassembly.
The model M used to describe IP fragment attacks is defined as follows: M = (Q, Σ, F, s, Z), where q ∈ Q, q = (System-status, Attack-status),
System-status = {normal, non-frag, fragmented, received-all-frag, frag-length-error, time-exceed},
Attack-status = {false, true}.
The set of functions used is defined as follows:
E0: ip_is_fragment(ip_packet) = {false, true}
E1: time_exceed() = {false, true}
E2: received_all_ip_frag() = {false, true}
E3: ip_frag_length_error() = {false, true}
Where E0 judges whether an IP packet has been divided into several fragments. E1 judges whether the time allowed for receiving all IP fragments has been exceeded. E2 judges whether all IP fragments have been received. E3 judges whether the length of the reassembled packet is the same as the value of the length field in the packet header.
The state transition diagram of the automaton model to recognize IP fragment attacks is shown in Fig. 4.
Some states shown in Fig. 4 are defined as follows:
S0 = (normal, false)
S1 = (fragmented, false)
S2 = (received-all-frag, false)
S3 = (frag-length-error, true)
S4 = (time-exceed, false)
Where S0 is the start state of the system. The system moves from S0 to S1 when it determines that the received packet is a fragment of a larger packet. If the system has received all fragments of the packet, it moves from S1 to S2. If the system in state S1 has not received all fragments of the packet within the fixed time, it enters S4, the time-exceeded error. If the system in state S2 finds that the value of the length field of the received packet differs from the actual length of the reassembled packet, it enters the final state S3. At this moment an IP fragment attack has occurred.
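The automaton described above, with the predicates E0 to E3 and the states S0 to S4, together with the Teardrop-style length-field mismatch mentioned earlier, as a small Python model. This is an added example, not code from the paper: the raw-packet builder, the 30-second reassembly timeout, the per-datagram instance and the return to S0 after a correct reassembly are assumptions of the example, not details the paper states.

```python
import struct

# Added example, not the paper's code: a minimal model of the automaton M for
# IP fragment attacks. All packet data below is constructed for illustration.

IP_MF = 0x2000        # "more fragments" bit of the ip_off field
IP_OFFMASK = 0x1FFF   # 13-bit fragment offset, in 8-byte units

S0, S1, S2, S3, S4 = "S0", "S1", "S2", "S3", "S4"   # (normal,false) ... (time-exceed,false)


def parse_ip_header(raw):
    """Extract the IPv4 header fields the automaton needs from one raw packet."""
    if len(raw) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, total_len, ident, frag, _ttl, _proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "total_len": total_len,                 # length claimed by the header
        "actual_len": len(raw),                 # length actually received
        "mf": bool(frag & IP_MF),
        "offset": (frag & IP_OFFMASK) * 8,
        "payload": raw[ihl:],
    }


def e0_ip_is_fragment(pkt):
    """E0: the packet is one fragment of a larger datagram."""
    return pkt["mf"] or pkt["offset"] > 0


class FragmentAutomaton:
    """One automaton instance per reassembly (one datagram identification)."""

    def __init__(self, timeout=30.0):   # timeout value is an assumption
        self.timeout = timeout
        self.state = S0
        self._reset()

    def _reset(self):
        self.first_seen = None
        self.frags = []          # (offset, payload_len, claimed total_len, actual_len)
        self.last_seen = False   # has the fragment with MF = 0 arrived?

    def e1_time_exceed(self, now):
        """E1: the reassembly has been open longer than the fixed time."""
        return self.first_seen is not None and now - self.first_seen > self.timeout

    def e2_received_all_ip_frag(self):
        """E2: the last fragment arrived and the offsets cover 0..end without a gap."""
        if not self.last_seen:
            return False
        end = 0
        for off, plen, _, _ in sorted(self.frags):
            if off > end:
                return False
            end = max(end, off + plen)
        return True

    def e3_ip_frag_length_error(self):
        """E3: a fragment's header length field disagrees with the bytes received."""
        return any(total != actual for _, _, total, actual in self.frags)

    def feed(self, raw, now):
        """Consume one raw packet at time `now` and return the resulting state."""
        pkt = parse_ip_header(raw)
        if self.state == S0:
            if not e0_ip_is_fragment(pkt):
                return S0                      # non-fragmented packet: stays normal
            self.state, self.first_seen = S1, now
        if self.state == S1:
            if self.e1_time_exceed(now):
                self.state = S4                # time-exceeded error
                return S4
            self.frags.append((pkt["offset"], len(pkt["payload"]),
                               pkt["total_len"], pkt["actual_len"]))
            self.last_seen = self.last_seen or not pkt["mf"]
            if self.e2_received_all_ip_frag():
                self.state = S2
        if self.state == S2:
            error = self.e3_ip_frag_length_error()
            self._reset()
            self.state = S3 if error else S0   # return to S0 on success is an assumption
        return self.state


def make_fragment(ident, offset, mf, payload, claimed_total=None):
    """Build a raw IPv4 fragment (constructed input; claimed_total forges the length field)."""
    total = 20 + len(payload) if claimed_total is None else claimed_total
    frag = (IP_MF if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ident, frag, 64, 17, 0,
                      b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload


def run(packets, timeout=30.0):
    """Feed (raw, timestamp) pairs through one automaton and return the state trace."""
    fa = FragmentAutomaton(timeout)
    return [fa.feed(raw, t) for raw, t in packets]


if __name__ == "__main__":
    first = make_fragment(1, 0, True, b"A" * 16)
    good_last = make_fragment(1, 16, False, b"B" * 8)
    bad_last = make_fragment(1, 16, False, b"B" * 8, claimed_total=40)  # header lies about length
    print(run([(first, 0.0), (good_last, 1.0)]))    # ['S1', 'S0']
    print(run([(first, 0.0), (bad_last, 1.0)]))     # ['S1', 'S3']
    print(run([(first, 0.0), (good_last, 31.0)]))   # ['S1', 'S4']
```

A real detector keeps one automaton per (source, destination, identification, protocol) tuple and discards it once it reaches S3 or S4; the trace returned by `run` is what a log line or alert would record for each datagram.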
IV. CONCLUSION
Because there has been no mature theoretical basis for intrusion detection techniques up to now, it is very important to use mathematical methods to describe and study all kinds of complicated attack behaviors. In fact, whenever a network attack happens, the intrusion detection of this attack corresponds to the procedure that runs the relevant automaton to identify the features of the attack. Because attack behaviors are very complicated, it is very difficult to use a single uniform automaton model to detect all kinds of network attacks.
Fig. 4. State transition diagram of IP fragment attacks.
But the automaton models used to describe different network attacks are not independent of each other; there are relationships between them. One model may correspond to a state of another model, or to a state transition function. We can construct automaton models for all kinds of intrusion behaviors, and these models can be combined flexibly so as to detect various complicated network attacks effectively. Hence automaton theory and its diagram notation provide a noticeable method for the formal description of intrusion procedures.
ACKNOWLEDGMENT
I am grateful to the anonymous reviewers who made constructive comments so that I could improve and refine my paper. The work related to this paper is supported by the Science and Technology Innovation Project of Shanghai Education Committee under grant 09YZ370.