Network event recognition

Karthikeyan Bhargavan, University of Pennsylvania


This dissertation demonstrates and evaluates the use of passive run-time monitoring to test black-box implementations of network protocols for conformance with their published specifications. Our goal is to design a flexible, programmable, passive protocol monitoring system and apply it to the analysis of a variety of network protocol implementations in diverse monitoring environments. Passive monitoring has not been successful as a protocol testing technique because of several deficiencies in existing monitoring systems. Run-time software monitoring frameworks lack the domain-specific constructs to express protocol specifications. Passive testing systems based on non-deterministic protocol specifications are inefficient. Network intrusion detection systems are susceptible to false positives due to incorrect or incomplete protocol modeling. Error diagnostics provided by many of these systems are inadequate for debugging. None of these systems can accurately monitor network links where messages can be lost and delayed. We introduce a new passive protocol monitoring framework, Network Event Recognition, that provides analysis tools and techniques to combat these deficiencies. The framework consists of a domain-specific language, NERL, and three automated tools for monitor programs written in NERL. To guarantee correctness and completeness, NERL programs can be translated to a formal model and analyzed using a model checker. To provide diagnostics, NERL monitors can compute and print out the relevant event history for every error event. To account for non-deterministic packet loss and delay, NERL programs can be transformed to monitors that incorporate these network characteristics. We evaluate the effectiveness of our methodology through three case studies and find new errors in existing protocol implementations. First, we analyze network simulations of a wireless routing protocol, AODV, and find significant flaws in both the prototype implementation and the AODV standard. Second, we analyze live sessions of SMTP mail servers and find several flaws in popular mail server software. Third, we analyze TCP packet traces produced by three popular operating systems and confirm a defect in two of them. We establish that Network Event Recognition is an effective and widely applicable protocol testing technique. We conclude that passive monitoring of protocol implementations against a formal specification can significantly improve the reliability of networked applications.

Subject Area

Computer science

Recommended Citation

Bhargavan, Karthikeyan, "Network event recognition" (2003). Dissertations available from ProQuest. AAI3109152.