TY - GEN
T1 - PRETT
T2 - Protocol reverse engineering using binary tokens and network traces
AU - Lee, Choongin
AU - Bae, Jeonghan
AU - Lee, Heejo
N1 - Funding Information:
Acknowledgement. This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No. R0190-16-2011, Development of Vulnerability Discovery Technologies for IoT Software Security, and No. 2017-0-00184, Self-Learning Cyber Immune Technology Development).
Publisher Copyright:
© IFIP International Federation for Information Processing 2018.
PY - 2018
Y1 - 2018
N2 - Protocol reverse engineering is the process of extracting application-level protocol specifications. Such specifications are a useful source of knowledge about network protocols and can be used for various purposes. Despite the successful results of prior works, their methods primarily infer a limited number of message types. We herein propose a novel approach that infers a minimized state machine while retaining a rich amount of information. Combining tokens extracted from the network protocol binary executables with network traces enables the inference of new message types and protocol behaviors that previous works had not found. In addition, we propose a state minimization algorithm that can be applied to real-time black-box inference. The experimental results show that our approach infers the largest number of message types for the file transfer protocol (FTP) and the simple mail transfer protocol (SMTP) compared with eight prior works. Moreover, we found unexpected behaviors in two protocol implementations using the inferred state machines.
AB - Protocol reverse engineering is the process of extracting application-level protocol specifications. Such specifications are a useful source of knowledge about network protocols and can be used for various purposes. Despite the successful results of prior works, their methods primarily infer a limited number of message types. We herein propose a novel approach that infers a minimized state machine while retaining a rich amount of information. Combining tokens extracted from the network protocol binary executables with network traces enables the inference of new message types and protocol behaviors that previous works had not found. In addition, we propose a state minimization algorithm that can be applied to real-time black-box inference. The experimental results show that our approach infers the largest number of message types for the file transfer protocol (FTP) and the simple mail transfer protocol (SMTP) compared with eight prior works. Moreover, we found unexpected behaviors in two protocol implementations using the inferred state machines.
KW - Automatic protocol analysis
KW - Protocol reverse engineering
KW - State machine reconstruction
UR - http://www.scopus.com/inward/record.url?scp=85090288132&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-99828-2_11
DO - 10.1007/978-3-319-99828-2_11
M3 - Conference contribution
AN - SCOPUS:85090288132
SN - 9783319998275
T3 - IFIP Advances in Information and Communication Technology
SP - 141
EP - 155
BT - ICT Systems Security and Privacy Protection - 33rd IFIP TC 11 International Conference, SEC 2018, Held at the 24th IFIP World Computer Congress, WCC 2018, Proceedings
A2 - Janczewski, Lech Jan
A2 - Kutyłowski, Mirosław
PB - Springer
ER -
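The abstract above describes combining string tokens from a protocol binary with network traces to infer a state machine, minimizing that machine, and then replaying sessions on it to spot unexpected behavior. The following is an added illustration of that workflow and is not the PRETT authors' code: the NUL-terminated uppercase-string heuristic for token extraction, the choice to label each transition with the command plus reply code, and the Moore-style partition-refinement minimizer are this example's own assumptions, not the paper's algorithms. The binary image and the FTP sessions are constructed inline.

```python
"""Infer and minimize a protocol state machine from binary tokens plus traces.

Added example, not code from the PRETT paper. Token regex, trace abstraction
(command/reply-code as one transition label) and the partition-refinement
minimizer are assumptions made here for illustration.
"""
import re

# Constructed stand-in for a server executable: NUL-terminated strings as they
# might sit in read-only data. Not a real ELF image, just an ELF-like prefix.
SAMPLE_BINARY = (b"\x7fELF\x01\x01\x00\x00USER\x00PASS\x00LIST\x00RETR\x00"
                 b"NOOP\x00QUIT\x00220 Service ready\x00")

# Constructed FTP sessions: lists of (client command, server reply code).
SAMPLE_TRACES = [
    [("USER", 331), ("PASS", 230), ("LIST", 150), ("QUIT", 221)],
    [("USER", 331), ("PASS", 230), ("RETR", 150), ("QUIT", 221)],
    [("USER", 331), ("PASS", 530), ("QUIT", 221)],
    [("USER", 331), ("QUIT", 221)],
]


def extract_tokens(blob, min_len=4, max_len=8):
    """Candidate command tokens: runs of uppercase ASCII terminated by a NUL."""
    pattern = rb"[A-Z]{%d,%d}(?=\x00)" % (min_len, max_len)
    return {m.group().decode("ascii") for m in re.finditer(pattern, blob)}


def label(cmd, reply):
    """One transition label per observed exchange, e.g. 'PASS/530'."""
    return f"{cmd}/{reply}"


def build_prefix_tree(traces):
    """Prefix-tree automaton over exchanges: state -> {label: next_state}; 0 is initial."""
    delta = {0: {}}
    for trace in traces:
        state = 0
        for cmd, reply in trace:
            lbl = label(cmd, reply)
            if lbl not in delta[state]:
                delta[len(delta)] = {}           # allocate a fresh leaf state
                delta[state][lbl] = len(delta) - 1
            state = delta[state][lbl]
    return delta


def minimize(delta):
    """Merge states with identical futures.

    Moore-style partition refinement on a partial automaton in which every
    reached prefix is valid, so the only distinction between states is the set
    of labels they accept and where those labels lead. Returns (machine, start).
    """
    states = sorted(delta)
    block = {s: 0 for s in states}               # start with a single class
    while True:
        ids, new_block = {}, {}
        for s in states:
            key = (block[s], tuple(sorted((l, block[n]) for l, n in delta[s].items())))
            new_block[s] = ids.setdefault(key, len(ids))
        if len(ids) == len(set(block.values())):  # no class was split: stable
            break
        block = new_block
    machine = {b: {} for b in set(new_block.values())}
    for s in states:
        for l, n in delta[s].items():
            machine[new_block[s]][l] = new_block[n]
    return machine, new_block[0]


def accepts(machine, start, trace):
    """Replay a session on the model; return index of the first unexplained step, or -1."""
    state = start
    for i, (cmd, reply) in enumerate(trace):
        nxt = machine[state].get(label(cmd, reply))
        if nxt is None:
            return i
        state = nxt
    return -1


def infer(blob, traces):
    """Combine both inputs: model from traces, command vocabulary from the binary."""
    tokens = extract_tokens(blob)
    observed = {cmd for trace in traces for cmd, _ in trace}
    machine, start = minimize(build_prefix_tree(traces))
    return {
        "machine": machine,
        "start": start,
        "confirmed": tokens & observed,   # tokens also seen on the wire
        "candidates": tokens - observed,  # in the binary but never observed: worth probing
    }


if __name__ == "__main__":
    result = infer(SAMPLE_BINARY, SAMPLE_TRACES)
    for state, edges in sorted(result["machine"].items()):
        print(state, edges)
    print("confirmed:", sorted(result["confirmed"]), "candidates:", sorted(result["candidates"]))
    # A session that issues LIST before authenticating is not explained by the model.
    odd = [("USER", 331), ("LIST", 150)]
    print("first unexplained step:", accepts(result["machine"], result["start"], odd))
```

The prefix tree for the four sessions has ten states; refinement collapses the three post-login "only QUIT remains" states and the four terminal states, leaving five. Tokens present in the binary but absent from every trace (here `NOOP`) are the candidates a black-box prober would send in each inferred state to discover message types the traces never showed, and a replayed session that leaves the model (the `LIST` before `PASS` above) is the kind of unexpected behavior the abstract refers to.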