5.1.1 Abstract View of Network Communications
Nodes (any devices connected to a computer network) in a networked environment communicate by exchanging data over the network's physical media. In Ethernet networks, this physical media can be coaxial cable, twisted pair cable, or fibre cable. In order for nodes to communicate, there are certain protocols that need to be followed and executed by every communicating node for the communication to be successful.
Chapter 5. Temporal Stream Intrusion Detection System (TeStID) 40
In the OSI reference model [1], when a node is ready to send data across the network, this data is encapsulated with headers. Each succeeding network layer wraps a header around the transferred data so that the data can be handled properly by the layer below (see Figure 5.1). The following steps summarize the sending process:
Figure 5.1: Packet Encapsulation During Sending
• At the application layer, the data (payload) is created and this is actually just simple data with a designated destination.
• At the transport layer, headers are added to these chunks of data to create TCP or UDP segments. These headers include linking information to specific processes at the destination.
• At the network layer, the Internet Protocol (IP) headers are added to create IP datagrams. The IP header includes information about the source and destination address and thus at this point the data is being directed to a specific process running on a specific computer on a specific network.
• At the data link layer, the Ethernet frame header is added, which includes information such as the physical MAC addresses of the source and destination and checksums.
During the receiving process, the operation is reversed in direction (i.e., from the physical layer to the application layer) and the headers are stripped away as the data is moved and finally delivered to the destination process (see Figure 5.2). The destination node monitors the Ethernet for frames addressed to its Ethernet network interface MAC address. If one exists, then the following steps take place:
[1] Open System Interconnection Reference Model, a standard for network architecture developed by the International Organization for Standardization (ISO). It consists of a set of seven layers that define the different stages that data must go through to travel from one device to another over a network.
• The data link layer strips the Ethernet header and the IP datagram is delivered to the next layer up.
• The network layer strips the IP header and delivers the TCP (UDP) segment to the transport layer.
• The transport layer strips the TCP (UDP) header and delivers the data or payload part to the destination process.
Figure 5.2: Packet Deencapsulation During Receiving
Logically, the incoming network stream packets form the temporal model $\mathcal{M}$. Packets are captured in order by arrival time $\tau$. Each captured packet belongs to a certain network communication protocol (TCP, UDP, ICMP, etc). Formally, we represent each type of packet as a predicate $P$ which we denote as $P_{TCP}, P_{UDP}, P_{ICMP}$, etc., where the subscript reflects the type of the protocol. The set of all packets of all possible types is denoted by $\llbracket P \rrbracket$, that is:
$$\llbracket P \rrbracket = \llbracket P_{TCP}, P_{UDP}, P_{ICMP}, \ldots \rrbracket$$
In this thesis, since we use only TCP as a case study and there is no ambiguity, we will use $P$ to represent a predicate of the TCP protocol type with arity 12, $s_1 \times \ldots \times s_{12}$, where $s_n$ ($1 \le n \le 12$) is the sort of a particular predicate argument (i.e., sender address, receiver address, sender port, etc.). These fields are selected based on our need to represent attacks. In misuse IDS, we have the advantage of knowing the attack signatures in advance, and it is easy to identify the features or fields required. This is simply done by cross-referencing the attacks and the features needed by them. These features are then used in the system. Of course, if new attacks are discovered requiring new features, these would need to be included. The specification of a TCP predicate is:
$$P(x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8, x_9, x_{10}, x_{11}, x_{12})$$
where:
• $x_1$: is a string variable representing the sender IP address;
• $x_2$: is an integer variable representing the sender port;
• $x_3$: is a string variable representing the receiver IP address;
• $x_4$: is an integer variable representing the receiver port;
• $x_5$: is an integer variable representing the sequence number;
• $x_6$: is an integer variable representing the acknowledgment number;
• $x_7$: is a Boolean variable representing the ack flag;
• $x_8$: is a Boolean variable representing the syn flag;
• $x_9$: is a Boolean variable representing the rst flag;
• $x_{10}$: is a Boolean variable representing the push flag;
• $x_{11}$: is a Boolean variable representing the urg flag;
• $x_{12}$: is a string variable representing the payload or data.
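The encapsulation and de-encapsulation steps above (Figures 5.1 and 5.2) and the 12-arity TCP predicate can be seen together in one piece of code. The following is an added example written for this edit, not code from the thesis or from TeStID: it builds a constructed Ethernet/IPv4/TCP frame header by header on the sending side, then strips the headers on the receiving side and returns the packet as the tuple $(x_1, \ldots, x_{12})$. The MAC addresses, IP addresses, ports and the zeroed checksums are constructed sample values; the `TcpPredicate`, `build_frame` and `parse_frame` names are this example's own. The payload is kept as a string by decoding the raw bytes as latin-1, which is lossless.

```python
import socket
import struct
from typing import NamedTuple

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

# TCP flag bit positions in the 16-bit data-offset/flags field (RFC 793 layout).
FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK, FLAG_URG = 0x02, 0x04, 0x08, 0x10, 0x20


class TcpPredicate(NamedTuple):
    """The 12-arity TCP predicate P(x1, ..., x12) from the text, one field per argument."""
    x1: str     # sender IP address
    x2: int     # sender port
    x3: str     # receiver IP address
    x4: int     # receiver port
    x5: int     # sequence number
    x6: int     # acknowledgment number
    x7: bool    # ack flag
    x8: bool    # syn flag
    x9: bool    # rst flag
    x10: bool   # push flag
    x11: bool   # urg flag
    x12: str    # payload (raw bytes decoded as latin-1, so the mapping is lossless)


def build_frame(src_ip: str, sport: int, dst_ip: str, dport: int,
                seq: int, ack: int, flags: int, payload: bytes) -> bytes:
    """Sending side (Figure 5.1): wrap the payload in a TCP header, then an IP
    header, then an Ethernet header. MACs are constructed and checksums are zeroed."""
    # Transport layer: 20-byte TCP header, data offset 5 words, no options.
    tcp_header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                             (5 << 12) | flags, 65535, 0, 0)
    segment = tcp_header + payload
    # Network layer: 20-byte IPv4 header (version 4, IHL 5), TTL 64, protocol TCP.
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0,
                            64, IPPROTO_TCP, 0,
                            socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    datagram = ip_header + segment
    # Data link layer: destination MAC, source MAC, EtherType (constructed MACs).
    eth_header = (bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455")
                  + struct.pack("!H", ETHERTYPE_IPV4))
    return eth_header + datagram


def parse_frame(frame: bytes) -> TcpPredicate:
    """Receiving side (Figure 5.2): strip the Ethernet, IP and TCP headers in turn
    and return the packet as the 12-tuple predicate. Every length field is checked
    against the bytes actually present, so a truncated or malformed frame raises
    instead of being silently mis-parsed."""
    # Data link layer
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4: EtherType 0x{ethertype:04x}")
    datagram = frame[14:]
    # Network layer
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (datagram[0] & 0x0F) * 4
    total_len = struct.unpack("!H", datagram[2:4])[0]
    if ihl < 20 or ihl > total_len or total_len > len(datagram):
        raise ValueError("inconsistent IPv4 length fields")
    if datagram[9] != IPPROTO_TCP:
        raise ValueError(f"not TCP: protocol {datagram[9]}")
    src_ip = socket.inet_ntoa(datagram[12:16])
    dst_ip = socket.inet_ntoa(datagram[16:20])
    segment = datagram[ihl:total_len]          # drops Ethernet padding, if any
    # Transport layer
    if len(segment) < 20:
        raise ValueError("segment too short for a TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("inconsistent TCP data offset")
    payload = segment[data_offset:]
    return TcpPredicate(src_ip, sport, dst_ip, dport, seq, ack,
                        bool(off_flags & FLAG_ACK), bool(off_flags & FLAG_SYN),
                        bool(off_flags & FLAG_RST), bool(off_flags & FLAG_PSH),
                        bool(off_flags & FLAG_URG), payload.decode("latin-1"))


if __name__ == "__main__":
    # Constructed SYN from a client to port 80, then a request on the open session.
    syn = build_frame("10.0.0.1", 40000, "10.0.0.2", 80, 1000, 0, FLAG_SYN, b"")
    req = build_frame("10.0.0.1", 40000, "10.0.0.2", 80, 1001, 5001,
                      FLAG_PSH | FLAG_ACK, b"GET / HTTP/1.0\r\n\r\n")
    for frame in (syn, req):
        print(parse_frame(frame))
```

The length checks in `parse_frame` are the part worth copying: an IDS that trusts the IHL, total length or data offset fields as given will read past the captured bytes or misplace the payload, which is exactly the kind of inconsistency a malformed packet can carry, so each field is validated against the bytes actually present before it is used.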
Packets arrive at some point in time, so we can consider the arrival of these packets as instantaneous, arbitrarily occurring events. Two packets cannot arrive at the same time; one must be before the other. The model of time consists of a set of arrival points $T \subset \mathbb{R}^+$ (where $\mathbb{R}^+$ is the set of non-negative real numbers) and we require $T$ to be discrete: for any finite interval $[a, b]$, the set $[a, b] \cap T$ is finite. The model is represented as $\mathcal{M} = \langle T, <, I, I_s \rangle$ where:
- $T = \{\tau_0, \tau_1, \ldots\} \subset \mathbb{R}^+$, where $\mathbb{R}^+$ is a non-empty set of positive real numbers and $T$ is the set of all arrival moments.
- $<$ is a linear order on $T$.
- $I$ is an interpretation which maps $T$ into $\llbracket P \rrbracket$:
  $$I : T \to \llbracket P \rrbracket$$
So, $I(\tau_i)$ represents a packet arriving at a moment $\tau_i \in T$.
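The model $\mathcal{M}$ defined above can be made concrete as a small data structure. The following is an added example for this edit, not code from the thesis or from TeStID: it keeps $T$ as a strictly increasing list of arrival moments, enforces that no two packets share a moment and that moments lie in $\mathbb{R}^+$, stores $I$ as the mapping from each moment to its packet, and uses the discreteness requirement to answer $[a, b] \cap T$ as a finite list by bisection. `TemporalStreamModel` and its method names are this example's own; the packets fed to it are constructed dictionaries holding only the predicate arguments a rule would inspect, and $I_s$, which this section does not define, is left out.

```python
from bisect import bisect_left, bisect_right
from typing import Any, Callable, Optional


class TemporalStreamModel:
    """The model M = <T, <, I, I_s> of the text, restricted to the three components
    the section defines: T (arrival moments), < (arrival order) and I (the packet
    that arrived at each moment). I_s is not defined here and is left out."""

    def __init__(self) -> None:
        self._T: list[float] = []          # arrival moments, kept strictly increasing
        self._I: dict[float, Any] = {}     # interpretation I : T -> packets

    def arrive(self, tau: float, packet: Any) -> None:
        """Record that `packet` arrived at moment tau. Enforces the two conditions
        stated in the text: tau lies in R+ and no two packets share a moment (the
        capture order is the order of arrival, so tau must exceed the last moment)."""
        if tau < 0:
            raise ValueError(f"arrival moment {tau} is not in R+")
        if self._T and tau <= self._T[-1]:
            raise ValueError(f"arrival moment {tau} is not strictly after {self._T[-1]}")
        self._T.append(tau)
        self._I[tau] = packet

    def moments(self) -> list[float]:
        """T, listed in the linear order <."""
        return list(self._T)

    def interpretation(self, tau: float) -> Any:
        """I(tau): the packet that arrived at tau; tau must be an element of T."""
        return self._I[tau]

    def within(self, a: float, b: float) -> list[float]:
        """[a, b] ∩ T. Discreteness means this is always a finite list, found by
        bisection on the sorted moments rather than by scanning the whole stream."""
        return self._T[bisect_left(self._T, a):bisect_right(self._T, b)]

    def first_where(self, a: float, b: float,
                    cond: Callable[[Any], bool]) -> Optional[float]:
        """Earliest tau in [a, b] ∩ T whose packet I(tau) satisfies cond, or None:
        the building block for 'eventually within this window' style rules."""
        for tau in self.within(a, b):
            if cond(self._I[tau]):
                return tau
        return None


if __name__ == "__main__":
    # Constructed packets, reduced to the predicate arguments a rule would look at.
    m = TemporalStreamModel()
    m.arrive(0.00, {"x1": "10.0.0.1", "x4": 80, "x8": True, "x7": False})    # syn
    m.arrive(0.05, {"x1": "10.0.0.2", "x4": 40000, "x8": True, "x7": True})  # syn-ack
    m.arrive(0.09, {"x1": "10.0.0.1", "x4": 80, "x8": False, "x7": True})    # ack
    print(m.within(0.0, 0.06))
    print(m.first_where(0.0, 1.0, lambda p: p["x7"] and not p["x8"]))
```

Rejecting an out-of-order or duplicate arrival moment in `arrive` is deliberate: the rest of the model assumes $<$ is a linear order on $T$, and a capture pipeline that silently reorders or merges packets would invalidate every temporal rule evaluated over it.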