Bit-oriented format extraction approach for automatic binary protocol reverse engineering

Bit-oriented format extraction approach for automatic binary protocol reverse engineering

For access to this article, please select a purchase option:

Buy article PDF
(plus tax if applicable)
Buy Knowledge Pack
10 articles for £75.00
(plus taxes if applicable)

IET members benefit from discounts to all IET publications and free access to E&T Magazine. If you are an IET member, log in to your account and the discounts will automatically be applied.

Learn more about IET membership 

Recommend Title Publication to library

You must fill out fields marked with: *

Librarian details
Your details
Why are you recommending this title?
Select reason:
IET Communications — Recommend this title to your library

Thank you

Your recommendation has been sent to your librarian.

Protocol message format extraction is a principal process of automatic network protocol reverse engineering when target protocol specifications are not available. However, binary protocol reverse engineering has been a new challenge in recent years for approaches that traditionally have dealt with text-based protocols rather than binary protocols. In this study, the authors propose a novel approach called PRE-Bin that automatically extracts binary-type fields of binary protocols based on fine-grained bits. First, a silhouette coefficient is introduced into the hierarchical clustering to confirm the optimal clustering number of binary frames. Second, a modified multiple sequence alignment algorithm, in which the matching process and back-tracing rules are redesigned, is also proposed to analyse binary field features. Finally, a Bayes decision model is invoked to describe field features and determine bit-oriented field boundaries. The maximum a posteriori criterion is leveraged to complete an optimal protocol format estimation of binary field boundaries. The authors implemented a prototype system of PRE-Bin to infer the specification of binary protocols from actual traffic traces. Experimental results indicate that PRE-Bin effectively extracts binary fields and outperforms the existing algorithms.


    1. 1)
      • 1. Pan, F., Wu, L.F., Du, Y., et al: ‘Overviews on protocol reverse engineering’, Appl. Res. Comput., 2011, 28, (8), pp. 28012806.
    2. 2)
      • 2. Trifilo, A., Burschka, S., Biersack, E.: ‘Traffic to protocol reverse engineering’. Proc. of the 2009 IEEE Symp. on Computational Intelligence in Security and Defense Applications (CISDA), Ottawa, Canada, July 2009, pp. 18.
    3. 3)
    4. 4)
    5. 5)
      • 5. Li, X.D., Li, C.: ‘A survey on methods of automatic protocol reverse engineering’. Proceedings of 2011 Seventh Int. Conf. on Computational Intelligence and Security (CIS), Sanya, China, December 2011, pp. 685689.
    6. 6)
      • 6. ‘Intemet netflow statistics – Internet2 NetFlow organization’, available at, accessed October 2003.
    7. 7)
      • 7. Dagon, D., Gu, G., Lee, C.P., et al: ‘A taxonomy of botnet structures’. Proc. 23rd Annual Computer Security Applications Conference (ACSAC), Miami Beach, Florida, December 2007, pp. 325339.
    8. 8)
      • 8. Meng, F., Liu, Y., Zhang, C., et al: ‘Inferring protocol state machine for binary communication protocol’. Proc. of 2014 IEEE Workshop on Advanced Research and Technology in Industry Applications (WARTIA), Ottawa, Ontario, Canada, September 2014, pp. 870874.
    9. 9)
      • 9. How samba was written – Tridgell, A.’, available at, accessed October 2010.
    10. 10)
      • 10. The Protocol Informatics Project – Marshall, A. B.’, available at, accessed March 2014.
    11. 11)
      • 11. Cui, W.D., Kannan, J., Wang, H.J.: ‘Discoverer: automatic protocol reverse engineering from network traces’. Proc. of Usenix Security Symp., Boston, MA, August 2007, pp. 199212.
    12. 12)
      • 12. Security evaluation of communication protocols in common criteria using netzob – Georges, B.’, available at–SecurityEvaluationofCommunicationProtocols in Common Criteria.pdf, accessed July 2014.
    13. 13)
      • 13. Georges, B., Frédéric, G., Guillaume, H.: ‘Towards automated protocol reverse engineering using semantic information’. Proc. Ninth ACM Symp. on Information, Computer and Communications Security, Kyoto, Japan, June 2014, pp. 5162.
    14. 14)
    15. 15)
    16. 16)
    17. 17)
      • 17. The Internet Engineering Task Force: ‘RFC 935: Reliable link layer protocols’, January 2014.
    18. 18)
      • 18. Li, W.C., Zhou, Y., Xia, S.X.: ‘A novel clustering algorithm based on hierarchical and k-means clustering’. Proc. 26th Chinese Control Conf. (CCC), Hunan, China, July 2007, pp. 605609.
    19. 19)
      • 19. International Telecommunications Union: ‘Technical characteristics for an automatic identification system using TDMA in the VHF maritime mobile band, Recommendation ITU-R M.1371-4’, 2010.
    20. 20)
      • 20. International Organization for Standardization: ‘Information technology-Telecommunications and information exchange between systems-High-level data link control (HDLC) procedures, ISO/IEC 13239:2002’, 2007.
    21. 21)
      • 21. The Internet Engineering Task Force: ‘RFC 1088: a standard for the transmission of IP datagrams over NetBIOS networks’, February 1989.
    22. 22)
      • 22. The Internet Engineering Task Force: ‘RFC 792: Internet control message protocol’, September 1981.

Related content

This is a required field
Please enter a valid email address