Publication


Featured research published by Petr Matousek.


engineering of computer-based systems | 2008

A Formal Model for Network-Wide Security Analysis

Petr Matousek; Jaroslav Rab; Ondrej Rysavy; Miroslav Sveda

Network designers perform challenging tasks with so many configuration options that it is often hard or even impossible for a human to predict all potentially dangerous situations. In this paper, we introduce a formal method approach for verification of security constraints on networks with dynamic routing protocols in use. A unifying model based on packet filters is employed for modelling of network behaviour. Over this graph model, augmented with filtering rules over edges, verification of reachability properties can be made. In our approach we also consider topology changes caused by dynamic routing protocols.


integrated network management | 2011

Practical IPv6 monitoring - challenges and techniques

Matěj Grégr; Petr Matousek; Miroslav Sveda; Tomáš Podermański

Network monitoring is an essential task of network management. Information obtained by monitoring devices gives a real picture of the network in production including transmitted data volumes, top hosts, a list of frequently used applications etc. Deep analysis of data collected by monitoring can reveal network attacks or detect misuse of network services. In addition, the Data Retention Act requires each ISP to track users' activities. The IPv6 protocol poses new challenges for network administrators in the context of user identification. Unlike IPv4, an IPv6 address no longer uniquely identifies a user or PC. An IPv6 address can be randomly generated and keeps changing in time. PCs with an IPv6 stack can also communicate via predefined tunnels over IPv4 infrastructure. That tunneled traffic mostly bypasses network security implemented via firewalls. In this paper, we identify major monitoring and security issues of IPv6 connectivity and propose a solution based on SNMP and Netflow data that helps to uniquely identify users. The solution requires an extended set of monitoring data to be collected from network devices. We present a new data structure based on extended Netflow records. Feasibility of the approach is demonstrated on the Brno University of Technology (BUT) campus network.


simulation tools and techniques for communications, networks and system | 2010

Combination of simulation and formal methods to analyse network survivability

Petr Matousek; Ondrej Rysavy; Gayan de Silva; Martin Danko

Modern computer networks are complex and their topology can dynamically change when links go down. It is difficult to predict behaviour of a large network with dynamic routing protocols. To automatically prove survivability and reliability of an end-to-end connection, formal analysis combined with simulation can be exploited. In this paper, an approach based on detection of critical elements using formal analysis and subsequent simulation of time related properties is introduced. Our network model is automatically extracted from configurations of network devices. Then, critical network elements are detected using graph search algorithms. After that, several simulation scenarios are executed over a model in order to detect time dependencies. Modelling and simulation is done in OMNeT++ simulator, formal analysis is computed using scripting. The first results of this combined analysis show feasibility of this approach and help to reveal both qualitative parameters (status of links and nodes), and quantitative parameters (timers, routing protocols) that influence reliability and survivability of the network. The approach is demonstrated on a simplified topology of Czech Academic Network (CESNET).


international conference on digital forensics | 2015

Advanced Techniques for Reconstruction of Incomplete Network Data

Petr Matousek; Jan Pluskal; Ondřej Ryšavý; Vladimír Veselý; Martin Kmeť; Martin Vymlátil

Network forensics is a method of obtaining and analyzing digital evidence from network sources. Network forensics includes data acquisition, selection, processing, analysis and presentation to investigators. Due to high volumes of transmitted data, the acquired information can be incomplete, corrupted, or disordered, which makes further reconstruction difficult. In this paper, we address the issue of advanced parsing and reconstruction of incomplete, corrupted, or disordered data packets. We introduce a technique that recovers TCP or UDP conversations so they could be further analyzed by application parsers. The presented technique is implemented in a new network forensic tool called Netfox Detective. We also discuss current challenges in parsing web mail communication, SSL decryption and Bitcoins detection.


The Journal of Digital Forensics, Security and Law | 2014

FAST RTP DETECTION AND CODECS CLASSIFICATION IN INTERNET TRAFFIC

Petr Matousek; Ondrej Rysavy; Martin Kmet

This paper presents a fast multi-stage method for on-line detection of RTP streams and codec identification of transmitted voice or video traffic. The method includes an RTP detector that filters packets based on specific values from UDP and RTP headers. When an RTP stream is successfully detected, codec identification is applied using codec feature sets. The paper shows advantages and limitations of the method and its comparison with other approaches. The method was implemented as a part of network forensics framework NetFox developed in project SEC6NET. Results show that the method can be successfully used for Lawful Interception as well as for network monitoring.


international conference on ultra modern telecommunications | 2010

Formal analysis approach on networks with dynamic behaviours

Gayan de Silva; Petr Matousek; Ondrej Rysavy; Miroslav Sveda

Formal verification and validation techniques such as model checking are not widely used in computer networks. These methods are very useful to identify configuration errors, identify design problems and predict network behaviours under different network conditions. This paper describes the two main components of the formal verification process, formal modelling and the analysis process. For formal modelling, computer networks configured with dynamic routing protocols such as RIP, OSPF or EIGRP are considered. For the analysis, reachability and security properties are evaluated as the behavioural properties in the case of device or link failures. Graph Theory is used to implement the model and predict the network behaviours. The process of building the model, grouping the network states which have common behaviours and predicting behaviours are the core work of this paper. Furthermore, this paper details a method to reduce the state space and hence eliminate the state space explosion.


international conference on data communication networking | 2014

Towards identification of operating systems from the internet traffic: IPFIX monitoring with fingerprinting and clustering

Petr Matousek; Ondrej Rysavy; Matej Gregr; Martin Vymlátil

This paper deals with identification of operating systems (OSs) from the Internet traffic. Every packet injected on the network carries specific information in its packet header that reflects the initial settings of a host's operating system. The set of such features forms a fingerprint. The OS fingerprint usually includes an initial TTL time, a TCP initial window time, a set of specific TCP options, and other values obtained from IP and TCP headers. Identification of OSs can be useful for monitoring traffic on a local network and also for security purposes. In our paper we focus on passive fingerprinting using TCP SYN packets that is incorporated into an IPFIX probe. Our tool enhances standard IPFIX records by additional information about OSs. Then, it sends the records to an IPFIX collector where network statistics are stored and presented to the network administrator. If identification is not successful, a further HTTP header check is employed and the fingerprinting database in the probe is updated. Our fingerprinting technique can be extended using cluster analysis as presented in this paper. As we show, the clustering adds flexibility and dynamics to the fingerprinting. We also discuss the impact of the IPv6 protocol on passive fingerprinting.


IEEE Transactions on Dependable and Secure Computing | 2014

Comment on “Remote Physical Device Fingerprinting”

Libor Polcak; Jakub Jirasek; Petr Matousek

In this paper we revisited a method to identify computers by their clock skew computed from TCP timestamps. We introduced our own tool to compute clock skew of computers in a network. We validated that the original method is suitable for computer identification, but we also discovered that Linux hosts running NTP had become immune to the identification.


international conference on information systems security | 2016

Experimental Evaluation of Password Recovery in Encrypted Documents

Radek Hranický; Petr Matousek; Ondřej Ryšavý; Vladimír Veselý

Many document formats and archiving tools (PDF, DOC, ZIP) support encryption to protect the privacy of sensitive contents of the documents. The encryption is based on standard cryptographic algorithms such as AES, SHA, and RC4. For forensic purposes, investigators are often challenged to analyze these encrypted documents. The task of password recovery can be solved using exhaustive state space search using dictionaries or password generators augmented with heuristic rules to speed up recovery. In our experimental study, we focus on the password recovery of the common document and archiving formats using parallel computation on conventional hardware with multi-core CPUs or accelerated by GPU processors. We show how recovery time can be estimated based on the alphabet, maximal password length and the performance of a given hardware. Our results are demonstrated on Wrathion, a tool developed by our research team.


Lecture Notes in Computer Science | 2005

High-level modelling, analysis, and verification on FPGA-based hardware design

Petr Matousek; Aleš Smrčka; Tomáš Vojnar

The paper presents high-level modelling and formal analysis and verification on an FPGA-based multigigabit network monitoring system called Scampi. Uppaal was applied in this work to establish some correctness and throughput results on a model intentionally built using patterns reusable in other similar projects. Some initial experiments with parametric analysis using TReX were performed too.

Collaboration


Top Co-Authors

Ondrej Rysavy, Brno University of Technology
Miroslav Sveda, Brno University of Technology
Gayan de Silva, Brno University of Technology
Jaroslav Rab, Brno University of Technology
Libor Polcak, Brno University of Technology
Martin Holkovič, Brno University of Technology
Ondřej Ryšavý, Brno University of Technology
Vladimír Veselý, Brno University of Technology
Aleš Smrčka, Brno University of Technology
Martin Kmet, Brno University of Technology