Professional English Paper 2

Updated: 2024-02-02 11:28:01


The Automaton Modeling of Typical Network Attacks

Shi Zhicai
Electronic & Electrical Engineering Institute, Shanghai University of Engineering Science, Shanghai, P.R. China
szc1964@163.com

Abstract—Network security is one of the most important research fields among information security techniques. Most problems of network security are caused by network attacks. In order to ensure that a network runs securely it is necessary to analyze and study the procedure of network attacks. In this paper the formal method is studied and automaton theory is used to describe the procedure of network attacks. The state transition diagrams of some typical network attacks are given. Different state transition diagrams are used to describe models for various network attacks, and these models can be combined flexibly so as to describe complicated attack behaviors. This formal method for describing network attacks provides an effective approach for researching the mechanism of network attacks.

Keywords-network attack; automata; information security; network intrusion

I. INTRODUCTION

Network intrusions are defined as behaviors which destroy the confidentiality, integrity, availability and controllability of a network system [1]. With the rapid development and widespread application of network techniques, network attacks are becoming more complicated. How to abstract the features of network attacks and describe attack procedures, so that they can be detected effectively, is becoming very important. Natural language can be used to describe attack procedures. Although this method is direct, it is very difficult to process natural language with a computer. Tidwell used attack trees to model the procedure of network intrusions [2], but his method cannot describe the change of the system states effectively. As we know, when a system is running it changes from one state to another. These states represent different meanings; they may be normal states or abnormal states, but the system corresponds to only one state at any moment, whether that state is normal or abnormal. The system finally runs to an ultimate state. This confirms that the states of a system are finite, so the transition procedure of the system states can be described with a deterministic finite automaton. The automaton can be described by means of a state transition diagram. When the system is attacked its state will change, and this procedure can be described directly by the state transition diagram. This makes attack procedures easy to understand.

The remainder of this paper is organized as follows. In Sect. II we review the theory of deterministic finite automata. In Sect. III we investigate several typical network attacks and use deterministic finite automata to describe their attack procedures; the state transition diagrams of these network attacks are given. The paper is concluded in Sect. IV with a summary and an outlook on future work.

II. DETERMINISTIC FINITE AUTOMATA

A deterministic finite automaton M is an automatic recognition device [3]. It consists of:

1. A finite set of states, often denoted Q.
2. A finite set of input symbols, often denoted Σ. It is usually called the condition set.
3. A transition function that takes a state and an input symbol as arguments and returns another state (or the same state). The transition function is commonly denoted F. In the diagram representation of automata, F is represented by arcs between states and labels on the arcs. If q ∈ Q is a state and s ∈ Σ is an input symbol, then F(q, s) = p (p ∈ Q) and there is an arc labeled s from q to p.
4. A start state q0, q0 ∈ Q.
5. A set of final or accepting states Z, Z ⊆ Q.

A deterministic finite automaton M is abbreviated as DFA. It is often defined as a five-tuple:

M = (Q, Σ, F, q0, Z)

where Q is a finite, non-empty set of states; one element of Q represents a state of the system. Σ consists of all conditions that occur in the system; a condition may represent the running of a program, the happening of an attack, or another event. F: Q × Σ → Q is a single-valued function: for q ∈ Q and s ∈ Σ there exists a state p ∈ Q with p = F(q, s). q0 is the unique start state of the system. Z ⊆ Q is the set of final or accepting states.

As described above, the state of a computer system can be described with a deterministic finite automaton. Suppose that there are m states in the set Q and n transition conditions in the set Σ. Then there are at most m state nodes in the corresponding DFA, and each state node can be transferred to at most n neighbor nodes. The whole state transition procedure of a computer system can be described directly with the state transition diagram.
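The five-tuple above, as an added example that is not code from the paper: a small Python `DFA` class whose constructor checks the conditions of the definition (q0 in Q, Z a subset of Q, F single-valued and total on Q × Σ), whose `run` returns the end state together with the visited trace, and whose `max_neighbors` reports the bound from the last paragraph (each state reaches at most n = |Σ| neighbor nodes). The class name, the `example_monitor` automaton and its "ok"/"bad" symbols are our own illustration.

```python
# Added example, not code from the paper: a DFA M = (Q, Sigma, F, q0, Z) exactly as
# Section II defines it.  DFA, example_monitor and the "ok"/"bad" symbols are ours.
from collections import Counter
from typing import Dict, Hashable, Iterable, List, Tuple

State = Hashable
Symbol = Hashable


class DFA:
    """Deterministic finite automaton as a five-tuple; F is a dict (q, s) -> p."""

    def __init__(self, Q: Iterable[State], Sigma: Iterable[Symbol],
                 F: Dict[Tuple[State, Symbol], State], q0: State, Z: Iterable[State]):
        self.Q = frozenset(Q)
        self.Sigma = frozenset(Sigma)
        self.F = dict(F)          # a dict can hold only one p per (q, s): single-valued
        self.q0 = q0
        self.Z = frozenset(Z)
        self._validate()

    def _validate(self) -> None:
        # Well-formedness conditions of the definition: q0 in Q, Z subset of Q,
        # and F total on Q x Sigma with every target inside Q.
        if self.q0 not in self.Q:
            raise ValueError("start state is not in Q")
        if not self.Z <= self.Q:
            raise ValueError("final states must be a subset of Q")
        for q in self.Q:
            for s in self.Sigma:
                if (q, s) not in self.F:
                    raise ValueError(f"F is not total: no arc for ({q!r}, {s!r})")
                if self.F[(q, s)] not in self.Q:
                    raise ValueError(f"F({q!r}, {s!r}) leaves Q")

    def step(self, q: State, s: Symbol) -> State:
        if s not in self.Sigma:
            raise KeyError(f"{s!r} is not an input symbol of this automaton")
        return self.F[(q, s)]

    def run(self, inputs: Iterable[Symbol]) -> Tuple[State, List[State]]:
        """Drive the automaton from q0; returns the end state and the visited trace."""
        q = self.q0
        trace = [q]
        for s in inputs:
            q = self.step(q, s)
            trace.append(q)
        return q, trace

    def accepts(self, inputs: Iterable[Symbol]) -> bool:
        return self.run(inputs)[0] in self.Z

    def max_neighbors(self) -> int:
        """Largest number of distinct successor states of any state (at most |Sigma|)."""
        succ: Dict[State, set] = {q: set() for q in self.Q}
        for (q, _s), p in self.F.items():
            succ[q].add(p)
        return max((len(v) for v in succ.values()), default=0)


def example_monitor() -> DFA:
    """Three-state monitor (our illustration): two consecutive 'bad' events raise an
    alarm, an 'ok' event in between clears the suspicion, and 'alarm' is absorbing."""
    Q = {"idle", "suspicious", "alarm"}
    Sigma = {"ok", "bad"}
    F = {
        ("idle", "ok"): "idle",
        ("idle", "bad"): "suspicious",
        ("suspicious", "ok"): "idle",
        ("suspicious", "bad"): "alarm",
        ("alarm", "ok"): "alarm",
        ("alarm", "bad"): "alarm",
    }
    return DFA(Q, Sigma, F, "idle", {"alarm"})


if __name__ == "__main__":
    m = example_monitor()
    print(m.run(["bad", "ok", "bad", "bad"]))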

III. THE FORMAL DESCRIPTION OF SOME TYPICAL NETWORK ATTACKS

Network attacks are generally complicated. Their features and mechanisms may be very different, so it is difficult to use a uniform model to describe various attacks. In order to find the common features of different network attacks, deterministic finite automata are used to describe some typical attack procedures.

For a DFA model M = (Q, Σ, F, q0, Z) corresponding to a particular attack procedure, the system state set Q may carry different meanings. It can be used to describe the states of the hosts which are monitored, the states of processes, and so on. The condition set Σ is called the set of transition functions: it is a family of functions consisting of attack functions, communication functions, feature-judgement functions, and so on. When some of these functions are activated during an attack, the system transfers from one state to another. Each component of the DFA model may differ for different attack procedures.

When the DFA model is used, the captured data packets and log files are analyzed and audited, some feature parameters are obtained, and they are used to judge whether the system is abnormal or intrusion behaviors exist. As the system runs, a state transition diagram is generated from the start state to the end state. What has happened to the system can be learned by analyzing its end state. Some automaton models of typical network attacks (e.g. the SYN-Flooding attack) are given as follows.

A. SYN-Flooding Attack

TCP is a connection-oriented protocol in the Internet architecture. When two nodes want to communicate with each other, they first set up a connection by the three-way handshake procedure. Suppose that host A wants to access the resources of server B; then host A must set up a connection with server B before they exchange information. The detailed procedure is shown in Fig. 1. First, host A sends a connection request packet with the SYN mark to server B. This packet carries the initial serial number x of host A. After server B receives this request packet its state is transferred to SYN.RCVD and it allocates the corresponding resource for this connection. Then server B sends an ACK packet with the SYN/ACK mark to host A; this packet carries the initial serial number y of server B, and obviously its ACK serial number is x+1. At this moment the state of the system is called the semi-connection state. After host A receives the SYN/ACK packet it sends an ACK packet to server B again; the ACK serial number in this packet is y+1. Server B receives the ACK packet and its state is transferred to "established". The connection is set up at this moment and host A can exchange information with server B [4-5].

Figure 1. Setting up the connection between host A and server B

The procedure of setting up a connection mentioned above is the normal situation for the TCP protocol. But after server B sends the SYN/ACK packet to host A, it may not receive the responding packet from host A for a long time, and server B has to wait for a while. If the number of such semi-connections exceeds a certain amount it is possible to use up all the system resources (e.g. buffers) of server B which are used to set up connections between server B and other nodes. Once the resources of server B are exhausted, other normal connection requests to server B cannot be responded to, and a Denial of Service (DoS) attack happens. This is the basic principle of the SYN-Flooding attack.

The detailed procedure of the SYN-Flooding attack is described as follows. The intruder forges a non-existent host C (or several hosts) and sends a large number of connection requests to server B. Because the forged host does not exist, server B cannot receive any response for each connection request and so has to wait for a long time. Thus many requests in the semi-connection state arise in a short time and the relevant resources of server B are used up quickly. In this case some normal connection requests will not be satisfied. This means that server B refuses to serve any other normal request, and a DoS attack happens.

By means of a deterministic finite automaton the SYN-Flooding attack is described as follows:

M = (Q, Σ, F, s, Z)

where q ∈ Q, q = (Intruder-status, Server-status, System-status). Intruder-status is the state of the intruder, Intruder-status ∈ {listen, faked, SYN.SENT, ACK.SENT, failed, established}. Server-status is the state of the server, Server-status ∈ {listen, SYN.RCVD, SYN-ACK.SENT, ACK.RCVD, blocked, established}. System-status represents whether the intrusion has happened or not, System-status ∈ {false, true}; it represents that an intrusion has happened when System-status is true. Σ is the set of transition functions and it consists of attack functions, communication functions, testing functions and other functions. Σ is defined as follows:

{E0: fake( )
E1: Communication(s-host, d-host, SYN-ISN, 0)
E2: Communication(s-host, d-host, SYN-ISN, ACK-ISN)
E3: Tcp_resource_used_out( )}

where E0 is used to forge a non-existent host randomly. E1 is used to send a SYN request packet from the source host s-host to the destination host d-host; SYN-ISN is the sending serial number of the source host. E2 is used to send a SYN-ACK packet from the source host s-host to the destination host d-host; SYN-ISN is the sending serial number and ACK-ISN is the ACK serial number. E3 is used to judge whether the resources of the server for TCP connections are used up: if the resources are used up E3 returns true, otherwise E3 returns false.

The state transition diagram which describes the attacking procedure of SYN-Flooding is shown in Fig. 2.

Figure 2. The state transition diagram of SYN-Flooding attacks

All states in Fig. 2 are described individually as follows:

S0 = (listen, listen, false)
S1 = (faked, listen, false)
S2 = (SYN.SENT, SYN.RCVD, false)
S3 = (failed, SYN-ACK.SENT, false)
S4 = (listen, blocked, true)

where S0 is the start state of the system. After the intruder forges a non-existent host the system enters S1 and the intruder is in the state "faked". Then the intruder tries to set up a connection with server B and the system enters S2. The server gives its response as soon as it receives the connection request and the system enters S3. But the intruder is in the state "failed" because it forged a non-existent host and cannot receive the SYN-ACK packet. At last the system judges whether the resources for TCP connections are used up. If the resources are not used up the system returns to the start state; otherwise the system enters the final state S4, and the SYN-Flooding attack has happened.
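The SYN-Flooding automaton of Fig. 2 driven by a packet trace, as an added example that is not code from the paper. The state triples S0 to S4 and the events E1 to E3 follow the text; the `Packet` record, the half-open table that stands for server B's semi-connection resources, the `capacity` threshold behind E3, and the list of hosts that really exist are our own assumptions. E0 (forging a host) is invisible on the wire, so a source address outside the known set is treated as the "faked" intruder. The sample handshake and the forged SYNs are constructed, not captured traffic.

```python
# Added example, not code from the paper: Fig. 2 run by a monitor that watches packets
# to and from server B.  Packet, SynFloodMonitor, the capacity and the known-host list
# are our assumptions; the traffic below is constructed.
from collections import namedtuple
from typing import Dict, Iterable, List, Tuple

Packet = namedtuple("Packet", "src dst flags seq ack")  # constructed, not a real capture

S0 = ("listen", "listen", False)
S1 = ("faked", "listen", False)
S2 = ("SYN.SENT", "SYN.RCVD", False)
S3 = ("failed", "SYN-ACK.SENT", False)
S4 = ("listen", "blocked", True)


class SynFloodMonitor:
    def __init__(self, server: str, capacity: int, known_hosts: Iterable[str]):
        self.server = server
        self.capacity = capacity            # semi-connections server B can hold
        self.known = set(known_hosts)       # hosts that exist; anything else counts as forged
        self.half_open: Dict[Tuple[str, int], str] = {}   # (client, client ISN) -> state
        self.state = S0
        self.trace: List[tuple] = [S0]

    def _enter(self, state: tuple) -> None:
        self.state = state
        self.trace.append(state)

    def e3_tcp_resource_used_out(self) -> bool:
        """E3: true once the semi-connection table is full."""
        return len(self.half_open) >= self.capacity

    def observe(self, p: Packet) -> tuple:
        if p.dst == self.server and p.flags == "SYN":               # E1: SYN request to B
            if p.src not in self.known:
                self._enter(S1)                                     # E0 must have happened
            self.half_open[(p.src, p.seq)] = "SYN.RCVD"
            self._enter(S2)
        elif p.src == self.server and p.flags == "SYN-ACK":         # E2: B answers, ack = x+1
            key = (p.dst, p.ack - 1)
            if key in self.half_open:
                self.half_open[key] = "SYN-ACK.SENT"
            if p.dst not in self.known:
                self._enter(S3)                                     # forged host never replies
            # last arc of Fig. 2: resources used up -> S4, otherwise back to S0
            self._enter(S4 if self.e3_tcp_resource_used_out() else S0)
        elif p.dst == self.server and p.flags == "ACK":             # third handshake step
            self.half_open.pop((p.src, p.seq - 1), None)            # real client: free the slot
        return self.state

    def run(self, packets: Iterable[Packet]) -> tuple:
        for p in packets:
            self.observe(p)
        return self.state


def legitimate_handshake(client: str, server: str, x: int, y: int) -> List[Packet]:
    """Constructed three-way handshake of Fig. 1 with client ISN x and server ISN y."""
    return [Packet(client, server, "SYN", x, 0),
            Packet(server, client, "SYN-ACK", y, x + 1),
            Packet(client, server, "ACK", x + 1, y + 1)]


def forged_syn(fake_src: str, server: str, x: int, y: int) -> List[Packet]:
    """Constructed half-open exchange: B answers a SYN from a host that does not exist."""
    return [Packet(fake_src, server, "SYN", x, 0),
            Packet(server, fake_src, "SYN-ACK", y, x + 1)]


def run_flood_scenario(capacity: int = 3) -> Tuple[tuple, int]:
    """One real client followed by three forged SYNs; returns (end state, half-open count)."""
    server = "10.0.0.9"
    trace = legitimate_handshake("10.0.0.5", server, 100, 500)
    for i, fake in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        trace += forged_syn(fake, server, 1000 + i, 7000 + i)
    mon = SynFloodMonitor(server, capacity, known_hosts=["10.0.0.5"])
    return mon.run(trace), len(mon.half_open)


if __name__ == "__main__":
    print(run_flood_scenario())
```

With a capacity of three semi-connections the forged SYNs fill the table and the monitor ends in S4 with System-status true; with a larger capacity the same trace ends in S0 after each SYN-ACK, matching the "not used up" arc back to the start state. The legitimate client never visits S1 and its slot is released by its ACK.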

B. IP-spoofing Attack

If an intruder wants to hide its true identity, or tries to utilize the privileges of a trusted host in order to attack other hosts, it often fakes the IP address of another host. Suppose that host A is a trusted host of server B. If the intruder wants to impersonate host A in order to communicate with server B, it must steal the IP address of host A to spoof server B. This is called the IP-Spoofing attack [6-7].

The IP-Spoofing attack is described in detail as follows:

1. The intruder makes host A blocked by a DoS attack so that host A cannot disturb the attack which will follow.
2. The intruder first sends a connection request to server B and guesses the TCP serial number according to the responding packet from server B.
3. The intruder uses the IP address of host A as its source address, then sends a SYN request packet to server B and tries to set up a connection with server B.
4. Server B sends a SYN-ACK packet to host A. But at this moment host A has been blocked and cannot receive the SYN-ACK packet from server B.
5. The intruder forges host A again to send an ACK packet to server B so that it completes the three-way handshake with server B.

The model M which is used to describe the procedure above is shown as follows:

M = (Q, Σ, F, s, Z)

where q ∈ Q, q = (A-status, B-status, Intruder-status, System-status). A-status is the state of host A, A-status ∈ {listen, blocked, SYN.SENT, SYN-ACK.RCVD, ACK.SENT, failed, established}. B-status is the state of server B, B-status ∈ {listen, SYN.RCVD, SYN-ACK.SENT, ACK.RCVD, failed, established}. Intruder-status is the state of the intruder, Intruder-status ∈ {listen, faked-A, ACK.SENT, SYN-ACK.RCVD, KNOWN-TCP-NO, failed, established}. System-status represents whether the intrusion has happened, System-status ∈ {false, true}; when System-status is true it represents that the intrusion has happened. Σ is the set of transition functions. It consists of attack functions, communication functions, a serial number guessing function, and so on.

The set of attack functions is defined as:

{A1: Land( )
A2: SYN_Flooding( )
A3: DoS( )}

where A1, A2 and A3 represent the Land attack, the SYN-Flooding attack and a DoS attack respectively. The communication function is defined as follows:

Communication(s-host, d-host, Syn-no, Ack-no)

where s-host and d-host are the source IP address and the destination IP address respectively, and Syn-no and Ack-no are the SYN serial number and the ACK serial number respectively.

The set of other functions is defined as follows:

{E1: Communication(faked-A, B, Syn-no, 0)
E2: Communication(B, A, Syn-no, Ack-no)
E3: Communication(faked-A, B, Syn-no, Ack-no)
E4: Guess_tcp_packet_isn(B)}

where "faked-A" in E1 and E3 represents that the intruder has succeeded in forging host A. E4 is used to guess the initial serial number of the TCP packets of server B. If E4 is successful it returns "true", otherwise it returns "false".

The state transition diagram of the automaton model to recognize the IP-Spoofing attack is shown in Fig. 3.

Figure 3. The state transition diagram of IP-Spoofing attack

Some states shown in Fig. 3 are defined as follows:

S0 = (listen, listen, listen, false)
S1 = (blocked, listen, listen, false)
S2 = (blocked, listen, KNOWN-TCP-NO, false)
S3 = (blocked, SYN.RCVD, SYN.SENT, false)
S4 = (blocked, SYN-ACK.SENT, listen, false)
S5 = (blocked, ACK.RCVD, ACK.SENT, true)

where S0 is the start state. The system enters S1 after the intruder makes host A blocked by A1, A2 or A3. The intruder repeatedly sends connection requests to server B; after it has guessed the serial number of the TCP packets the system enters S2. Then the intruder forges host A to send SYN packets to server B for setting up the connection, and the system enters S3. Server B sends the responding packet with SYN and ACK to host A, but host A has been blocked and cannot give any response to server B; then the system enters S4. The intruder forges host A to send the ACK packet to server B. After the three-way handshake has been finished the system enters S5. At this moment the intruder has set up the connection with server B and it forges host A to communicate with server B.
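The recognizer of Fig. 3 as an added example that is not code from the paper. The six state tuples follow the text; the event encoding is ours: a "blocked" event is what an availability probe of host A reports after A1, A2 or A3, "isn-known" stands for E4 returning true, and packets are encoded as `("pkt", src, dst, flags)`. The addresses are constructed. The point the code makes visible is that the same SYN, SYN-ACK and ACK packets carrying A's address are ignored while A is reachable (state S0), and only advance the recognizer once A is known to be blocked; unrelated traffic is a self-loop, and A recovering resets to S0 (both rules are our assumptions, since the text does not give arcs for them).

```python
# Added example, not code from the paper: the IP-Spoofing automaton of Fig. 3 over
# observed events.  The event encoding, addresses and the self-loop/reset rules are ours.
from typing import Iterable, Tuple

A_IP, B_IP, INTRUDER_IP = "10.0.0.7", "10.0.0.9", "198.51.100.4"   # constructed

S0 = ("listen", "listen", "listen", False)
S1 = ("blocked", "listen", "listen", False)
S2 = ("blocked", "listen", "KNOWN-TCP-NO", False)
S3 = ("blocked", "SYN.RCVD", "SYN.SENT", False)
S4 = ("blocked", "SYN-ACK.SENT", "listen", False)
S5 = ("blocked", "ACK.RCVD", "ACK.SENT", True)

Event = Tuple[str, ...]   # ("blocked", host) | ("unblocked", host) | ("isn-known",) | ("pkt", src, dst, flags)


class IPSpoofRecognizer:
    def __init__(self, a_ip: str = A_IP, b_ip: str = B_IP):
        self.a, self.b = a_ip, b_ip
        self.state = S0
        self.trace = [S0]

    def _enter(self, s: tuple) -> None:
        self.state = s
        self.trace.append(s)

    def observe(self, ev: Event) -> tuple:
        st, kind = self.state, ev[0]
        if st == S0 and kind == "blocked" and ev[1] == self.a:          # A1 / A2 / A3 on host A
            self._enter(S1)
        elif st == S1 and kind == "isn-known":                            # E4 returned true
            self._enter(S2)
        elif st == S2 and ev == ("pkt", self.a, self.b, "SYN"):           # E1: SYN from faked-A
            self._enter(S3)
        elif st == S3 and ev == ("pkt", self.b, self.a, "SYN-ACK"):       # E2: A cannot answer
            self._enter(S4)
        elif st == S4 and ev == ("pkt", self.a, self.b, "ACK"):           # E3: ACK from faked-A
            self._enter(S5)
        elif kind == "unblocked" and ev[1] == self.a:
            self._enter(S0)        # assumption: host A back online resets the recognizer
        # any other event is unrelated traffic: self-loop on the current state
        return self.state

    def run(self, events: Iterable[Event]) -> tuple:
        for ev in events:
            self.observe(ev)
        return self.state


def spoof_scenario() -> tuple:
    """Constructed event sequence following steps 1 to 5 of the text."""
    events = [
        ("blocked", A_IP),                                  # step 1
        ("pkt", INTRUDER_IP, B_IP, "SYN"),                  # step 2: probing B ...
        ("pkt", B_IP, INTRUDER_IP, "SYN-ACK"),              # ... to observe its serial numbers
        ("isn-known",),                                     # E4 succeeds
        ("pkt", A_IP, B_IP, "SYN"),                         # step 3
        ("pkt", B_IP, A_IP, "SYN-ACK"),                     # step 4
        ("pkt", A_IP, B_IP, "ACK"),                         # step 5
    ]
    return IPSpoofRecognizer().run(events)


def benign_scenario() -> tuple:
    """The same handshake from the real host A while it is reachable: no alarm."""
    events = [("pkt", A_IP, B_IP, "SYN"), ("pkt", B_IP, A_IP, "SYN-ACK"),
              ("pkt", A_IP, B_IP, "ACK")]
    return IPSpoofRecognizer().run(events)


if __name__ == "__main__":
    print(spoof_scenario(), benign_scenario())
```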

C. IP fragment Attacks

For different physical networks the length of the maximum transfer unit (MTU) is different. When a packet transfers from one network to another and the length of the packet is greater than the MTU of the next network, it must be divided into several small packets, which is called fragmenting. Attackers often utilize this drawback and insert attack data into these small fragments so as to elude detection.

For some typical IP fragment attacks, such as Teardrop, the feature is that the IP_MF flag is set in the ip_off field and the value of the length field in the header is different from the actual length of the received packet. When IP packets are encapsulated, some malicious data are inserted into different fragments respectively so as to attack the destination.

The model M which is used to describe IP fragment attacks is shown as follows:

M = (Q, Σ, F, s, Z)

where q ∈ Q, q = (System-status, Attack-status), System-status ∈ {normal, non-frag, fragmented, received-all-frag, frag-length-error, time-exceed} and Attack-status ∈ {false, true}. The set of the used functions is defined as follows:

{E0: ip_is_fragment(ip_packet) = {false, true}
E1: time_exceed( ) = {false, true}
E2: received_all_ip_frag( ) = {false, true}
E3: ip_frag_length_error( ) = {false, true}}

where E0 judges whether an IP packet is divided into different fragments. E1 judges whether the procedure of receiving all IP fragments has timed out. E2 judges whether all IP fragments have been received. E3 judges whether the length of the packet which has been reassembled is the same as the value of the length field in the packet header.

The state transition diagram of the automaton model to recognize IP fragment attacks is shown in Fig. 4.

Figure 4. The state transition diagram of IP fragment attacks

Some states shown in Fig. 4 are defined as follows:

S0 = (normal, false)
S1 = (fragmented, false)
S2 = (received-all-frag, false)
S3 = (frag-length-error, true)
S4 = (time-exceed, false)

where S0 is the start state of the system. The system enters S1 from S0 when it concludes that the received packets are fragments of a larger packet. If the system has received all fragments of a packet it transfers from S1 to S2. If the system in state S1 has not received all fragments of a packet within the fixed time it enters S4, which is called the time-exceeded error. If the system in state S2 concludes that the value of the length field of the received packet is different from the actual length of the reassembled packet, it enters the final state S3. At this moment an IP fragment attack has occurred.
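The automaton of Fig. 4 implemented as a reassembly monitor, as an added example that is not code from the paper. The states S0 to S4 and the judgements E0 to E3 follow the text; the `IPFragment` record, the per-datagram reassembly buffer keyed by the IP identification field, the timeout value, the assumed 20-byte header, and the concrete form of E3 (each fragment's header length field compared with the bytes actually received) are our own reading. The fragments in `two_fragments` are constructed; its `bad_length` switch forges the second fragment's length field in the way the text describes for Teardrop, and `gap` delays the second fragment so the E1 timeout can be exercised.

```python
# Added example, not code from the paper: the IP fragment automaton of Fig. 4 run over
# constructed fragments.  IPFragment, the buffer, HDR, the timeout and the exact E3
# check are our assumptions.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class IPFragment:
    ident: int       # IP identification field, shared by all fragments of one datagram
    offset: int      # fragment offset in bytes (offset part of ip_off, times 8)
    more: bool       # IP_MF flag from ip_off
    length: int      # total-length field as it appears in this fragment's header
    payload: bytes   # bytes actually received for this fragment
    t: float         # arrival time in seconds (constructed clock)


HDR = 20  # IPv4 header length without options (assumed for the length check)

S0 = ("normal", False)
S1 = ("fragmented", False)
S2 = ("received-all-frag", False)
S3 = ("frag-length-error", True)
S4 = ("time-exceed", False)


class FragmentMonitor:
    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout
        self.buffers: Dict[int, dict] = {}    # ident -> {"first": t, "frags": {offset: frag}}
        self.trace: List[tuple] = [S0]

    def _enter(self, s: tuple) -> tuple:
        self.trace.append(s)
        return s

    @staticmethod
    def ip_is_fragment(f: IPFragment) -> bool:                       # E0
        return f.more or f.offset > 0

    def time_exceed(self, ident: int, now: float) -> bool:           # E1
        return now - self.buffers[ident]["first"] > self.timeout

    @staticmethod
    def received_all_ip_frag(frags: Dict[int, IPFragment]) -> bool:  # E2
        # contiguous run from offset 0 that ends in a fragment with IP_MF clear
        pos = 0
        for off in sorted(frags):
            if off != pos:
                return False
            pos += len(frags[off].payload)
            if not frags[off].more:
                return True
        return False

    @staticmethod
    def ip_frag_length_error(frags: Dict[int, IPFragment]) -> bool:  # E3
        return any(f.length != HDR + len(f.payload) for f in frags.values())

    def observe(self, f: IPFragment) -> tuple:
        if not self.ip_is_fragment(f):
            return self._enter(S0)
        buf = self.buffers.setdefault(f.ident, {"first": f.t, "frags": {}})
        buf["frags"][f.offset] = f
        self._enter(S1)
        if self.time_exceed(f.ident, f.t):
            del self.buffers[f.ident]
            return self._enter(S4)
        if not self.received_all_ip_frag(buf["frags"]):
            return S1
        self._enter(S2)
        frags = self.buffers.pop(f.ident)["frags"]
        return self._enter(S3 if self.ip_frag_length_error(frags) else S0)

    def tick(self, now: float) -> List[int]:
        """Timer sweep: expire datagrams that never completed (S1 -> S4)."""
        expired = [i for i in self.buffers if now - self.buffers[i]["first"] > self.timeout]
        for i in expired:
            del self.buffers[i]
            self._enter(S4)
        return expired

    def run(self, frags: List[IPFragment]) -> tuple:
        state = S0
        for f in frags:
            state = self.observe(f)
        return state


def two_fragments(ident: int, bad_length: bool = False, gap: float = 0.0) -> List[IPFragment]:
    """Constructed datagram split into two 8-byte fragments (not real traffic)."""
    first = IPFragment(ident, 0, True, HDR + 8, b"A" * 8, 1.0)
    second_len = HDR + 64 if bad_length else HDR + 8
    second = IPFragment(ident, 8, False, second_len, b"B" * 8, 1.0 + gap)
    return [first, second]


if __name__ == "__main__":
    print(FragmentMonitor().run(two_fragments(1, bad_length=True)))
```

A well-formed pair of fragments walks S1, S2 and back to S0; the forged length field ends in S3 with Attack-status true; a second fragment arriving after the timeout, or a datagram whose last fragment never arrives before a `tick`, ends in S4.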

IV. CONCLUSION

Because there has not been a mature theoretical basis for intrusion detection techniques up to now, it is very important to use mathematical methods to describe and research all kinds of complicated attack behaviors. In fact, whenever a network attack happens, the intrusion detection of this attack corresponds to the procedure which runs the relevant automaton to identify the features of the attack. Because attack behaviors are very complicated, it is very difficult to use a uniform automaton model to detect all kinds of network attacks.

But the automaton models which are used to describe different network attacks are not independent of each other, and there exist some relationships between them. One model may correspond to a state of another model, or it may correspond to a state transition function. We can construct automaton models for all kinds of intrusion behaviors, and these models can be combined flexibly so as to detect various complicated network attacks effectively. Hence automaton theory and its diagram notation provide a noticeable method for the formal description of intrusion procedures.

ACKNOWLEDGMENT

I am grateful to the anonymous reviewers who made constructive comments so that I could improve and refine my paper. The related work of this paper is supported by the Science and Technology Innovation Project of the Shanghai Education Committee under grant 09YZ370.

REFERENCES

[1] Joseph S. Sherif et al. Intrusion detection: the art and the practice. Information Management and Computer Security, pp. 175-186, Nov. 2003.

[2] T. Tidwell et al. Modeling internet attacks. Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, New York, pp. 54-59, 2001.

[3] John E. Hopcroft, Rajeev Motwani and Jeffrey D. Ullman. Introduction to Automata Theory, Languages and Computation. Beijing: Qinghua University Press, 2002.

[4] Yan Xue-xiong, Wang Qing-xian et al. The attack theory and prevention method of SYN_Flooding. Computer Application, Vol. 20, pp. 41-43, Aug. 2000. (In Chinese)

[5] Hu Wei-dong and Wang Wei-nong. A processing method of SYN/Flooding. Computer Engineering, pp. 112-115, Aug. 2001. (In Chinese)

[6] Liu Xiang-hui, Yin Jian-ping et al. Analyzing the security of the handshake procedure in TCP by deterministic finite automata. Computer Engineering and Science, Vol. 24, pp. 21-23, April 2002. (In Chinese)

[7] Chen Xiao-shu, Li Rong-hui et al. Research on IP-Spoofing attack by the state analyzing method. The Journal of Huazhong Science and Technology University, Vol. 31, pp. 3-5, May 2003. (In Chinese)
