Learning Fragments of the TCP Network Protocol

  • Paul Fiterău-Broştean
  • Ramon Janssen
  • Frits Vaandrager
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8718)


We apply automata learning techniques to learn fragments of the TCP network protocol by observing its external behaviour. We show that different implementations of TCP in Windows 8 and Ubuntu induce different automata models, thus allowing for fingerprinting of these implementations. In order to infer our models we use the notion of a mapper component introduced by Aarts, Jonsson and Uijen, which abstracts the large number of possible TCP packets into a limited number of abstract actions that can be handled by the regular inference tool LearnLib. Inspection of the learned models reveals that both Windows 8 and Ubuntu 13.10 violate RFC 793.


Sequence Number Transmission Control Protocol Session Initiation Protocol Mapper Component System Under Test 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aarts, F., de Ruiter, J., Poll, E.: Formal models of bank cards for free. In: Proceedings of the 4th International Workshop on Security Testing, SECTEST 2013, Luxembourg, March 22 (2013)Google Scholar
  2. 2.
    Aarts, F., Heidarian, F., Kuppens, H., Olsen, P., Vaandrager, F.: Automata learning through counterexample guided abstraction refinement. In: Giannakopoulou, D., Méry, D. (eds.) FM 2012. LNCS, vol. 7436, pp. 10–27. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  3. 3.
    Aarts, F., Jonsson, B., Uijen, J.: Generating models of infinite-state communication protocols using regular inference with abstraction. In: Petrenko, A., Simão, A., Maldonado, J.C. (eds.) ICTSS 2010. LNCS, vol. 6435, pp. 188–204. Springer, Heidelberg (2010); Full version avalable at CrossRefGoogle Scholar
  4. 4.
    Angluin, D.: Learning regular sets from queries and counterexamples. Inf. Comput. 75(2), 87–106 (1987)CrossRefzbMATHMathSciNetGoogle Scholar
  5. 5.
    Buchler, M., Hossen, K., Mihancea, P.F., Minea, M., Groz, R., Oriat, C.: Model inference and security testing in the spacios project. In: 2014 Software Evolution Week - IEEE Conference on Software Maintenance, Reengineering and Reverse Engineering (CSMR-WCRE), pp. 411–414 (February 2014)Google Scholar
  6. 6.
    Chalupar, G., Peherstorfer, S., Poll, E., de Ruiter, J.: Automated reverse engineering using lego,
  7. 7.
    Cho, C.Y., Babić, D., Shin, E.C.R., Song, D.: Inference and analysis of formal models of botnet command and control protocols, New York, NY, USA (2010)Google Scholar
  8. 8.
  9. 9.
  10. 10.
    Fiterau, P., Janssen, R.: Experimental learning setup for TCP,
  11. 11.
    Hagerer, A., Hungar, H., Niese, O., Steffen, B.: Model generation by moderated regular extrapolation. In: Kutsche, R.-D., Weber, H. (eds.) FASE 2002. LNCS, vol. 2306, pp. 80–95. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    Howar, F., Steffen, B., Jonsson, B., Cassel, S.: Inferring canonical register automata. In: Kuncak, V., Rybalchenko, A. (eds.) VMCAI 2012. LNCS, vol. 7148, pp. 251–266. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  13. 13.
    Merten, M., Steffen, B., Howar, F., Margaria, T.: Next generation LearnLib. In: Abdulla, P.A., Leino, K.R.M. (eds.) TACAS 2011. LNCS, vol. 6605, pp. 220–223. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  14. 14.
  15. 15.
    Pahdye, J., Floyd, S.: On inferring tcp behavior. SIGCOMM Comput. Commun. Rev. 31(4), 287–298 (2001)CrossRefGoogle Scholar
  16. 16.
    Postel, J. (ed.): Transmission Control Protocol - DARPA Internet Program Protocol Specification, RFC 3261 (September 1981),
  17. 17.
    Raffelt, H., Steffen, B., Berg, T., Margaria, T.: LearnLib: a framework for extrapolating behavioral models. STTT 11(5), 393–407 (2009)CrossRefGoogle Scholar
  18. 18.
  19. 19.
    Shahbaz, M., Groz, R.: Inferring mealy machines. In: Cavalcanti, A., Dams, D.R. (eds.) FM 2009. LNCS, vol. 5850, pp. 207–222. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  20. 20.
    SPaCIoS. Deliverable 2.2.1: Method for assessing and retrieving models (2013)Google Scholar
  21. 21.
    Tijssen, M.: Automatic modeling of ssh implementations with state machine learning algorithms. Bachelor’s thesis, Radboud University Nijmegen (June 2014)Google Scholar
  22. 22.
  23. 23.
  24. 24.
    How to modify the tcp/ip maximum retransmission time-out,

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Paul Fiterău-Broştean
    • 1
  • Ramon Janssen
    • 1
  • Frits Vaandrager
    • 1
  1. 1.Institute for Computing and Information SciencesRadboud University NijmegenNijmegenThe Netherlands

Personalised recommendations