Network Working Group S T. Brugger INTERNET-DRAFT: draft-brugger-connection-metrics-00 UC Davis 17 July 2006 Definitions for TCP Connection Metrics Intellectual Property Notice By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Status of this Memo Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html Draft expires on 17 January 2007. Comments are solicited and should be addressed to the author(s) at . Abstract Numerous metrics, or features, have been used to describe TCP connections. These features are frequently of interest to the network intrusion detection community, and occasionally the network engineering community. While researchers may understand these terms when used by others, there are no formal definitions of these terms such that two researchers looking at the same connection will necessarily calculate the same values for all the metrics. This paper will propose a potential set of connection metrics with formal definitions of each. Brugger [Page 1] Internet-Draft TCP Connection Metrics 17 July 2006 1. Introduction Researchers frequently need to describe TCP connections, using metrics from the widely accepted ``Duration'' to the less commonly used, yet still understandable ``URG packet rate'', through more obscure measures such as the ``Wrong packet resend rate''. The advanced network intrusion detection community, which typically uses machine learning to attempt to identify malicious or anomalous connections, will use these metrics as the machine learning features (or attributes) that their methods train and recall on [Axelsson00]. These metrics are also used by the network engineering community; however, in this arena, researchers tend to focus on the effects of a single metric (such as the ``Interpacket latency'') on a device or network stack, at a time [Leland94, Paxson95, Racz03]. As such, the use of metrics tends to be better defined. It is important that researchers agree on the definitions of these terms. This is somewhat easier in the network engineering community, where an assumption is typically made that TCP connections will behave to specification, and that misbehaviour is the result of correctable deficiencies in network stack implementations, or unforeseen interactions as networks scale in size. The lack of definitions is more problematic in the intrusion detection community, as attackers actively create connections that are outside protocol specifications in an attempt to break stack implementations, such as Christmas Tree Packets [Miller00]. Since this misbehaviour may occur on such a small scale, relative to the total amount of traffic on the network, a difference in definitions may cause one researcher to measure a value of 0.01 for a metric, while another researcher measures a value of 0.02 -- double the measurement of the first researcher. This paper will begin by providing a definition of a TCP connection -- as that alone can account for differences in how metrics are measured. We will then provide a list of first-order network metrics, with definitions of each. While the intrusion detection community frequently uses second-order (or calculated) metrics, such as ``The number of new connections in the last n seconds'' [Lee98, Lee99a, Lee99b, Lee00a, Lee00b], we will not delve into definitions for those, as they should follow directly from the definitions we do provide. 2. Definition of a TCP Connection We will begin with a very basic definition: A TCP Connection is a set of packets between a pair of sockets (Host IP and port pairs). Since the same pair of sockets may be used for multiple connections, this section will further refine this definition. Brugger [Page 2] Internet-Draft TCP Connection Metrics 17 July 2006 In a perfect world, the definition of a TCP connection is easy: It is all the packets starting with the initial SYN packet, up to and including the ACK of the second FIN [RFC793]. Of course, the RFC acknowledges that we don't live in a perfect world, and it defines how hosts should act in a variety of situations. It is easy to extend the above definition to cover some of these, for example, we can say up to and include in the ACK of the second FIN, or a connection RST packet, but do we count a SYN packet in the middle of the current sequence as part of the current connection, or as a separate connection? Do we count a non-SYN packet that is not part of an ESTABLISHED connection to be part of a connection at all? We should begin by defining our viewpoint: we are assuming that we are passively viewing the connections as a third party. We might be observing the connections from a network edge-point, such as a firewall or router, or we might be collecting network dumps on one of the hosts via a user-level utility such as tcpdump [TCPDUMP] or Snort [Caswell04]. In any case, we do not have access to the state information of either of the hosts in the connection. Hence, we can not know that the connection is in the ESTABLISHED state, instead we must deduce it. Furthermore, we may only have a portion of the connection: we may have begun observing the connection after it was already established, or our observation may end before the connection is complete. To that end, we always require a SYN packet to begin a connection. If we don't see a SYN, and we don't have a record of the connection already, we must assume that the connection was already begun before we started observation, hence we do not have a complete record of the connection, and we will not attempt to record metrics on it. It is true that an attacker may attempt to attack the network stack by sending in a malicious packet (for instance a ``Christmas tree packet'', which has all of the TCP flags set) without having already established a connection, however this is not a connection, and any desire to include it in overall network characterization should be done separately from the connection metrics. Once we see the initial SYN packet, we include all packets between the source and destination sockets in the metrics for that connection. This includes packets that are invalid for whatever reason; for instance packets with incorrect checksums, or out of sequence packets. A connection ends when: - Both sides have send a FIN, which has been acknowledged. - One side sends a RST Brugger [Page 3] Internet-Draft TCP Connection Metrics 17 July 2006 - A packet goes unacknowledged for more than TIMEOUT seconds, where we use the 300 second TIMEOUT suggested by RFC 793. - There is no activity on the connection for more than TIMEOUT seconds. The first two are fairly straight forward. When we combine our definition of when a connection begins with the third, it brings with it an important implication: even if a connection never reaches the ESTABLISHED state on the hosts, we include it as a connection in the connection metrics. This means that if a firewall blocks the connection, we will still record it as a connection consisting of one packet. If the source tries to resend the SYN packet, lets say twice, then we'll record it as a connection with two duplicate packets. The fourth definition is really just a generalization of the third, however we call it out separately as we expect it will generate some discussion. The TCP specification indicates that once a connection is established, it will stay established as long as both hosts keep it established. It may be that during this idle time, one of the hosts is removed from the network (shutdown, unplugged, etc), at which point it will, in essence, terminate the connection, without being able to let the other host know. This condition is known as a half- open connection. Our problem is that, given our point of observation, we can not ascertain when this has occurred. As such, we must infer it through the lack of any activity over some time period. If one accepts this, then the question becomes how long that timeout should be. We propose using the same value as we use for closing the connection when it is in the TIME-WAIT state. 3. Definitions of TCP Connection Metrics Given the above definition of a connection, we will here define various metrics that we might use in characterizing connections. We follow the subsection for a Segment Arriving in the event processing model in RFC 793 and note where we count various characteristics. Due to our perspective, there is actually little overlap with the endpoint-model that RFC 793 uses, so we duplicate some information as necessary such that the reader does not require a copy of the RFC as they read though. Some areas we differ from the RFC are: we ignore the security and precedence checks, as those features of TCP/IP are not used on contemporary networks; and we also assume a three-way handshake to establish a connection, as it seems the four-way handshake has never borne out. 3.1. Metrics to collect An exhaustive list of the connection metrics that we collect as we follow the event processing model is as follows: Brugger [Page 4] Internet-Draft TCP Connection Metrics 17 July 2006 - Number of packets - Duration (time of last packet minus starting time), in seconds - Number control packets - Number data packets (Number of packets - Number control packets) - Bytes transfered - Data bytes transfered - Urgent - Resend - Wrong resend - Duplicate ACK - Wrong ACK - Wrong data packet size - Window exceeded - Hole - Connection errors - Reset connection - Other errors - Disconnection errors - Fragmented packets - Bad fragment - SYN-ONLY - SYN-ACK - Idle connection - Half-open connection Brugger [Page 5] Internet-Draft TCP Connection Metrics 17 July 2006 All of these metrics -- except the last four -- should be stored in the connection record, and can be reported when that record is closed. The last four can be reported based on the state of the record when it is closed. All of these metrics should be reported as counts (as opposed to rates), save for duration, which should be the number of seconds, which may be a real number (clock resolution permitting). 3.2. Connection record We use a modified form of the TCB presented in RFC 793 Section 3.2. Since we're a third party observer to the connection, we attempt to capture the state at both ends of the connection, rather than the definitive information that either host uses. Information on the source of the connection (the machine that sent the initial SYN): SRC.UNA - earliest sequence number the source has sent that has not been acknowledged by the dest SRC.NXT - the next sequence number the source is going to use SRC.WND - the size of the window on the source machine SRC.UP - the state of the urgent pointer on the source machine SRC.WL1 - sequence number used for last window update on source machine SRC.WL2 - sequence number of last source window update that the dest acknowledged SRC.FIN - sequence number of the source's FIN packet Information on the destination of the connection: DST.UNA - earliest sequence number the dest has sent that has not been acknowledged by the source DST.NXT - the next sequence number the dest is going to use DST.WND - the size of the window on the dest machine DST.UP - the state of the urgent pointer on the dest machine Brugger [Page 6] Internet-Draft TCP Connection Metrics 17 July 2006 DST.WL1 - sequence number used for last window update on dest machine DST.WL2 - sequence number of last dest window update that the source acknowledged DST.FIN - sequence number of the dest's FIN packet When looking at an individual packet, we may consider SND to be whomever sent the packet: either SRC or DST, and RCV to be the other. We use the same definition for SEG given in RFC 793, with the clarification that SEG.LEN is the data length of the segment. 3.3. Segment Arriving Since we're taking the viewpoint of a third-party observer to the connection, the only event we're interested in is ``Segment Arriving''. Of course, to us, the segment isn't really arriving, a better term might be ``Segment Observed''. A note on sequence comparisons: since sequence numbers run between zero and 2**32 - 1, then repeat, RFC 793 notes that all sequence comparisons should be done % 2**32, while this is not strictly correct, it is easy enough for TCP implementations to check that SND.UNA <= SEG.ACK <= SND.NXT, taking into account the special case when SND.NXT < SND.UNA. This is not sufficient when collecting metrics and we want to determine if ACKs are being duplicated, if a segment is being ACKed before it arrives, or any other of a number of scenarios. As such, whenever we note that a less than comparison, such as A < B is being done, where either A or B is SEG.SEQ or SEG.ACK, then if A is not less than B, check if A is past halfway on the set of possible sequence numbers (> 2**31), B is below the halfway mark, and the difference between them is at least 2**31. In formal notation: A < B or (A > 2**31 and B < 2**31 and A-B > 2**31) This may only be a heuristic, however it should be sufficient to classify a packet as either a bad resend, or out-of-sequence. 3.3.1. Fragmented packets For everything that follows, we assume that we're working with complete segments, just as RFC 793 does. Hence, when a packet arrives with the ``More Fragments'' (MF) flag set (that is part of a connection that we either have a record for, or it has the SYN flag set), it should be queued up in a fragmented packets queue. Any packet without the MF flag set and with the fragment offset > 0 will be assumed to be the last fragment. When it arrives, the Brugger [Page 7] Internet-Draft TCP Connection Metrics 17 July 2006 fragmentation pre-processor should: - verify that all the fragments were received (there are no holes) - verify that none of the fragments overlap - verify that none of the fragments (including the last one) have the ``Don't Fragment'' (DF) flag set. If there are any holes, the packet is unusable, so the ``Fragmented packets'' and ``Bad fragment'' counters should be incremented, and processing on the packet should stop. If any of the conditionals do not hold, then the ``Bad fragment'' counter should be incremented. In either case, the ``Fragmented packets'' counter should be incremented. Since only the first fragment has the TCP portion of the header, we must store the full header from the first fragment and use it for all the segment information we require. We will need to substitute in the full length of the packet as SEG.LEN. This measure will not account for the extra transmission overhead of the extra headers on all the fragment. This is fair because we are primarily interested in the connection metrics at this point. General network metrics, such as the total number of bytes sent or received on a given link, can be collected independently of the connection. The same argument holds for justification for dropping packets with missing fragments before processing them as part of the connection. Should the last fragment never arrive, then we may end up counting the packet as a hole, below. If we don't count it as a hole, that will mean that it was resent. Unfortunately, if it is not fragmented when it is resent, we will not know to increase the ``Resent'' counter. If it is, however, fragmented, then the resend will show up as a bad fragment due to overlap between the original and the resent fragments. When a connection is closed, a count should be made of any segments from that connection still on the fragmentation queue, and that number added to the ``Bad fragments'' count. The primary problem with this approach is that if the fragments arrive out of order -- in particular if a fragment arrives after the last fragment -- it will be recorded as a bad fragment. Considering how infrequently fragmented packets are encountered in practice anymore, we are not too concerned with this. 3.3.2. No Record If we don't have a record of the connection, it could mean that the connection was established before we started observing the traffic, Brugger [Page 8] Internet-Draft TCP Connection Metrics 17 July 2006 or that this packet is not part of an established connection. In the later case, we don't know if the connection is in the CLOSED or LISTEN state on the receiving host, so we continue to process this packet. If the packet is a RST, ignore it. If the packet is an ACK, then it must be part of a connection that was established before we began listening, so ignore it. If the packet is a SYN, create a new connection record with - the two sockets - the starting time of the connection and time of last packet - set SRC.UNA to SEG.SEQ - set SRC.NXT to SEG.SEQ + 1 - set SRC.WND to SEG.WND - set SRC.WL1 to SEG.SEQ - set SRC.UP and SRC.WL2 to zero - set all the DST fields to zero - set the state to SYN-RECEIVED - set the ``Number of packets'' counter to one - set the ``Bytes transfered'' to the total length of the packet - if the SEG.LEN is zero, set the ``Number controller packets'' counter to one, otherwise increment the ``Data bytes transfered'' by SEG.LEN and set the ``Wrong data packet size'' counter to one - set all other counters to zero 3.3.3. SYN-RECEIVED When we're in the SYN-RECEIVED state, we expect to see a SYN-ACK. For all packets: - increment the ``Number of packets'' counter - increment the ``Bytes transfered'' by the total length of the packet - if the SEG.LEN is zero, increment the ``Number controller packets'' counter, otherwise increment ``Data bytes transfered'' by SEG.LEN and increment the ``Wrong data packet size'' counter - set time of last packet If the packet is not an ACK: - increment the ``Connection errors'' counter - stop processing this packet Otherwise, the packet is an ACK, so check the acknowledgment number. If SEG.ACK != SRC.NXT: Brugger [Page 9] Internet-Draft TCP Connection Metrics 17 July 2006 - increment the ``Connection errors'' counter - stop processing this packet If the ACK is fine, check if the RST flag is set. If so: - increment the ``Connection errors'' counter - increment the ``Reset connection'' counter - close the record If the SYN flag is set, then this is the SYN-ACK we expect: - set DST.UNA to SEG.SEQ - set DST.NXT to SEG.SEQ + 1 - set DST.WND to SEG.WND - set DST.WL1 to SEG.SEQ - set DST.UP and DST.WL2 to zero - set SRC.UNA to SEG.ACK + 1 - set SRC.NXT to SEG.ACK + 1 - set the state to SYN-ACK - stop processing this packet If we made it this far, the packet is an ACK, but not a SYN-ACK, so: - increment the ``Connection errors'' counter - stop processing this packet 3.3.4. SYN-ACK and later The SYN-ACK state is what we call when the source is in the ESTABLISHED state and the destination is in the SYN-RECEIVED state. For this state, and all the ones that follow, we follow some common steps. For all packets: - increment the ``Number of packets'' counter - increment the ``Bytes transfered'' by the total length of the packet - if the SEG.LEN is zero, increment the ``Number controller packets'' counter, otherwise increment ``Data bytes transfered'' by SEG.LEN - set time of last packet First, check that the sequence number is acceptable. If SEG.SEQ < SND.UNA, then the sender is resending a packet that has already been acknowledged: - increment the ``Wrong resend'' counter - stop processing this packet If SEG.SEQ+SEG.LEN-1 > SND.UNA+RCV.WND, then the sender is sending a packet that will exceed the receiver's window: - if the state is SYN-ACK, increment the ``Connection errors'' counter Brugger [Page 10] Internet-Draft TCP Connection Metrics 17 July 2006 - increment the ``Window exceeded'' counter - stop processing this packet If SEG.SEQ < SND.NXT, then this is a resend: - increment the ``Resend'' counter Now see if the packets are out of order: If SND.NXT < SEG.SEQ, then this packet is either arriving after one before it in the sequence, or there is a hole in the sequence: - If the sequence of any packet in the other direction on the out-of-sequence queue is < SEG.ACK, continue processing (we will process the packets in the other direction below when we examine the ACK field) - Otherwise, push it on an ``out-of-sequence'' queue, which we will process later The remaining case is that SEG.SEQ = SND.NXT, which is what we want and expect, so we continue to process it. Second, if the RST flag is set: - increment the ``Reset connection'' counter - if the SEG.LEN > 0, increment the ``Wrong data packet size'' counter - if the state is ``SYN-ACK'', increment the ``Connection errors'' counter - close the record Third, if the SYN flag is set: - if the state is ``SYN-ACK'', increment the ``Connection errors'' counter, otherwise set the ``Other errors'' counter - if the SEG.LEN > 0, increment the ``Wrong data packet size'' counter - stop processing this packet Fourth, check the ACK field: If the ACK flag is not set: - if the state is ``SYN-ACK'', increment the ``Connection errors'' counter, otherwise set the ``Other errors'' counter - stop processing this packet SYN-ACK state: If SEQ.ACK != DST.UNA: - increment the ``Connection errors'' counter - stop processing this packet Otherwise: - change the state to ESTABLISHED - set DST.UNA to DST.UNA + 1 ESTABLISHED and FIN-WAIT-2 states: Brugger [Page 11] Internet-Draft TCP Connection Metrics 17 July 2006 If SEG.ACK < RCV.UNA: - increment the ``Duplicate ACK'' counter - stop processing this packet If RCV.NXT < SEG.ACK: - check the out-of-sequence queue - if there are any packets from the receiver of this packet to the sender of this packet, see if any of the sequences are < SEG.ACK; if so, for each matching packet on the queue, in order, based on their sequence numbers: - increment the ``Hole'' counter - recursively process that packet and remove it from the queue; if while processing a packet, it finds a RCV.NXT < SEG.ACK, then just increment the ``Hole'' counter and continue (in other words, we will recurse from SND -> RCV to RCV -> SND, from the perspective of the current segment, but no further). Once complete, continue to process this packet. - If after processing any out-of-sequence packets, SEG.ACK < RCV.UNA is still true: - increment the ``Wrong ACK'' counter - stop processing this packet Otherwise: - set RCV.UNA to SEG.ACK + SEG.LEN - If SND.WL1 < SEG.SEQ or (SND.WL1 = SEG.SEQ and SND.WL2 < SEG.ACK), then set SND.WND to SEG.WND, set SND.WL1 to SEG.SEQ, and set SND.WL2 to SEG.ACK FIN-WAIT-1 state: - Follow the steps for the ESTABLISHED state - If SEG.ACK = RCV.FIN, then set the state to FIN-WAIT-2 and set RCV.FIN to zero CLOSING state: - Follow the steps for the ESTABLISHED state - If SEG.ACK = RCV.FIN, then set RCV.FIN to zero (this, plus the state, indicates that it has been ACKed) and set the state to TIME-WAIT, otherwise increment the ``Disconnection errors'' counter TIME-WAIT state: - Follow the steps for the ESTABLISHED state - If SEG.ACK = RCV.FIN, then close the record Note from this point forward that we don't need to handle the SYN-ACK state as it will have either transitioned to the ESTABLISHED state or have stopped processing with an error. Fifth, check the URG flag: ESTABLISHED, FIN-WAIT-1, and FIN-WAIT-2 states: - If the URG flag is set, set RCV.UP to the max of RCV.UP and SEG.UP Brugger [Page 12] Internet-Draft TCP Connection Metrics 17 July 2006 - If SEG.SEQ <= RCV.UP, increment the ``Urgent'' counter CLOSING, and TIME-WAIT states: - If the URG flag is set, increment the ``Disconnection errors'' counter Sixth, update the source's sequence information: ESTABLISHED, FIN-WAIT-1, and FIN-WAIT-2 states: - If SEG.LEN > zero, set SRC.NXT to SRC.NXT + SEG.LEN CLOSE-WAIT, CLOSING, and TIME-WAIT states: - If SEG.LEN > zero, increment the ``Wrong data packet size'' counter Finally, check the FIN flag. Since we only process Segment Arrived events, there are only two ways that a connection can be closed: 1. Host A sends a FIN to Host B, Host B ACKs this FIN. Eventually, Host B sends its own FIN, which Host A will ACK, and the connection is CLOSED. 2. Host A sends a FIN to Host B, Host B is thinking the same thing and sends a FIN to Host A. One of the hosts (it does not matter which) ACKs the other's FIN, then the other host ACKs the other FIN, and the connection is CLOSED. We tweak the event model in RFC 793 to fit these two choices: When a FIN is received, we enter the FIN-WAIT-1 state. If that FIN is ACKed, we enter the FIN-WAIT-2 state. If, instead, the other ACK is received, we enter the CLOSING state. From the FIN-WAIT-2 state, when we receive the other FIN, we enter the TIME-WAIT state. From the CLOSING state, when one of the FINs is ACKed, we enter the TIME-WAIT state. From the TIME-WAIT state, when the other FIN is ACKed, we enter the CLOSED state. This can be illustrated as follows: +-------------+ | ESTABLISHED | +-------------+ | | FIN V +------------+ | FIN-WAIT-1 |------+ +------------+ | | | FIN | FIN-ACK | V V +------------+ +---------+ | FIN-WAIT-2 | | CLOSING | +------------+ +---------+ | | Brugger [Page 13] Internet-Draft TCP Connection Metrics 17 July 2006 | FIN | V | FIN-ACK +-----------+ | | TIME-WAIT |<------+ +-----------+ | | FIN-ACK V +--------+ | CLOSED | +--------+ So we perform the following steps, if the FIN bit is set: ESTABLISHED state: - set SRC.FIN to SEG.SEQ - change the state to FIN-WAIT-1 FIN-WAIT-1 state: - if SRC.FIN is set (not zero), increment the ``Disconnection errors'' counter and stop processing this packet - set SRC.FIN to SEG.SEQ - change the state to CLOSING FIN-WAIT-2 state: - if SRC.FIN is set (not zero), increment the ``Disconnection errors'' counter and stop processing this packet - set SRC.FIN to SEG.SEQ - change the state to TIME-WAIT CLOSING and TIME-WAIT states: - increment the ``Disconnection errors'' counter - stop processing this packet 3.4. Cleaning up When we are done observing the traffic over this connection, we will still have a number of open connection records. We must decide if these connections are still active, in which case we do not have all the information on the connection to report its metrics, or if the connection has timed out. If a connection has timed out, at least one end of the connection has closed its TCB (or it never created one), and any further attempts to use that connection will result in a RST (or will just be ignored). As explained in section 2, if the last packet was more than TIMEOUT seconds before we stopped observing traffic on this link, then we will assume the connection is idle and close it. - If the state of the connection is SYN-RECEIVED, then report the ``SYN-ONLY'' counter as one, otherwise report it as zero. - If the state of the connection is SYN-ACK, then report the Brugger [Page 14] Internet-Draft TCP Connection Metrics 17 July 2006 ``SYN-ACK'' counter as one, otherwise report it as zero. - If the state of the connection is ESTABLISHED, then report the ``Idle connection'' counter as one, otherwise report it as zero. - If the state of the connection is FIN-WAIT-1, FIN-WAIT-2, CLOSING, or TIME-WAIT, then report the ``Half-open connection'' counter as one, otherwise report it as zero. 4. Security Considerations There are no known security considerations to the creation and processing of TCP connection metrics. The capture of network data as a third party observer does, however, pose both security and privacy issues, which must be addressed on a case-by-case basis for the policies and environment of each network that data is collected from. Such metrics are likely to be useful in network security applications, such as network intrusion detectors. The potential for such application is left to future research. 5. IANA Considerations This document has no actions for IANA. 6. References 6.1. Normative References [RFC793] Postal, J., "Transmission Control Protocol", STD 7, RFC 793, September 1981. 6.2. Informative References [Axelsson00] Axelsson, S., "Intrusion detection systems: A survey and taxonomy", Chalmers Univ. of Technology, Technical Report 99-15, March 2000. [Caswell04] Caswell, B. and M. Roesch, "Snort: The open source network intrusion detection system", "http://www.snort.org/". [Lee98] Lee, W. and S. J. Stolfo, "Data mining approaches for intrusion detection", Proc. of the 7th USENIX Security Symp., 1998. Brugger [Page 15] Internet-Draft TCP Connection Metrics 17 July 2006 [Lee99a] Lee, W., "A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems", Columbia Univ., Ph. D. thesis, 1999. [Lee99b] Lee, W., S. J. Stolfo, and K. W. Mok, "Mining in a data-flow environment: Experience in network intrusion detection", Proc. of the Fifth International Conference on Knowledge Discovery and Data Mining (KDD-99), S. Chaudhuri and D. Madigan (Eds.), pp. 114-124, 15-18 August 1999. [Lee00a] Lee, W. and S. J. Stolfo, "A framework for constructing features and models for intrusion detection systems", Information and System Security 3 (4), pp. 227-261, 2000. [Lee00b] Lee, W., S. J. Stolfo, and K. W. Mok, "Adaptive intrusion detection: A data mining approach", Artificial Intelligence Review 14 (6), pp. 533-567, 2000. [Leland94] Leland, W. E., M. S. Taqqu, W. Willinger, and D. V. Wilson, "On the self-similar nature of ethernet traffic (extended version)", IEEE/ACM Trans. Networking 2, pp. 1-15, February 1994. [Miller00] Miller, T., "Intrusion detection level analysis of Nmap and Queso", SecurityFocus, Technical Report 1225, 30 August 2000. [Paxson95] Paxson, V. and S. Floyd, "Wide area traffic: the failure of Poisson modeling", IEEE/ACM Trans. Networking 3 (3), pp. 226-244, June 1995. [Racz03] Racz, P. I., T. Matsuda, and M. Yamamoto, "Contribution of the application, transport and network layers to the self-similarity of Internet traffic", Proc. of 2003 IEEE Pacific Rim Conf. on Communications, Computers and Signal Processing, Volume 2, pp. 760-763, 28-30 August 2003. [TCPDUMP] TCPDUMP public repository, "http://www.tcpdump.org/". Author's Address S Terry Brugger Department of Computer Science University of California, Davis Brugger [Page 16] Internet-Draft TCP Connection Metrics 17 July 2006 One Shields Ave Davis, CA Phone: 925.424.4992 EMail: zow@acm.org IPR Notice The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Copyright Notice Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Expiration Notice Brugger [Page 17] Internet-Draft TCP Connection Metrics 17 July 2006 Draft expires on 17 January 2007. Brugger [Page 18]