Bit-oriented format extraction approach for automatic binary protocol reverse engineering

Protocol message format extraction is the central step of automatic network protocol reverse engineering when the target protocol's specification is unavailable. Binary protocols have become a fresh challenge for reverse-engineering approaches that were designed around text-based protocols, because binary fields need not start or end on byte boundaries. In this study, the authors propose PRE-Bin, an approach that automatically extracts the fields of binary protocols at bit granularity. First, the silhouette coefficient is introduced into hierarchical clustering to determine the number of clusters into which the captured binary frames should be grouped. Second, a modified multiple sequence alignment algorithm, in which the matching process and the back-tracing rules are redesigned, is proposed to analyse the features of binary fields. Finally, a Bayes decision model describes those field features and decides the bit-oriented field boundaries; the maximum a posteriori criterion yields the optimal estimate of the binary field boundaries in the protocol format. The authors implemented a prototype of PRE-Bin to infer the specifications of binary protocols from real traffic traces. Experimental results indicate that PRE-Bin effectively extracts binary fields and outperforms existing algorithms.
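The three-stage pipeline the abstract describes (cluster the frames, align them, decide boundaries per bit), as an added worked example; this is not the PRE-Bin code or data. It keeps the silhouette-driven choice of cluster count but replaces the paper's modified multiple sequence alignment and Bayes decision model with a simpler rule: frames are fixed-length, so alignment is the identity, and each bit position is classified by whether it varies within a cluster, differs only between clusters, or is constant everywhere, with a field boundary wherever that class changes. The 16-bit toy protocol, the frames built from it and the function names are all assumptions constructed for the example.

```python
"""Bit-oriented field-boundary inference over constructed binary frames.

Added example, not the PRE-Bin implementation. Pipeline: hierarchical
clustering with silhouette-chosen k, identity alignment (fixed-length
frames), then a per-bit variability rule in place of the paper's Bayes model.
"""
from itertools import combinations

# Toy protocol (assumed, constructed for this example), 16-bit frames,
# bit 0 = most significant bit of the first byte:
#   bits 0-3   version, always 0b0001
#   bit  4     direction, 0 = request, 1 = response
#   bits 5-9   reserved, always 0
#   bits 10-11 sequence (requests) / status (responses), varies per frame
#   bits 12-15 magic, 0b1010 in requests and 0b0101 in responses
def build_frames():
    frames = []
    for direction, magic in ((0, 0b1010), (1, 0b0101)):
        for counter in range(4):
            word = (0b0001 << 12) | (direction << 11) | (counter << 4) | magic
            frames.append(word.to_bytes(2, "big"))
    return frames

def to_bits(frame):
    """Expand bytes into a list of 0/1 ints, MSB of each byte first."""
    return [(byte >> (7 - i)) & 1 for byte in frame for i in range(8)]

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def cluster(bits, k):
    """Agglomerative clustering, average linkage on Hamming distance.
    Returns k clusters, each a list of frame indices."""
    clusters = [[i] for i in range(len(bits))]
    while len(clusters) > k:
        best = None
        for x, y in combinations(range(len(clusters)), 2):
            d = sum(hamming(bits[i], bits[j]) for i in clusters[x] for j in clusters[y])
            d /= len(clusters[x]) * len(clusters[y])
            if best is None or d < best[0]:
                best = (d, x, y)
        _, x, y = best          # y > x, so deleting y keeps x valid
        clusters[x] = clusters[x] + clusters[y]
        del clusters[y]
    return clusters

def silhouette(bits, clusters):
    """Mean silhouette coefficient; singleton clusters score 0 by convention."""
    label = {i: c for c, members in enumerate(clusters) for i in members}
    scores = []
    for i in range(len(bits)):
        own = clusters[label[i]]
        if len(own) == 1:
            scores.append(0.0)
            continue
        a = sum(hamming(bits[i], bits[j]) for j in own if j != i) / (len(own) - 1)
        b = min(sum(hamming(bits[i], bits[j]) for j in other) / len(other)
                for c, other in enumerate(clusters) if c != label[i])
        scores.append((b - a) / max(a, b))
    return sum(scores) / len(scores)

def choose_clustering(bits, max_k):
    """Step 1: pick the k in 2..max_k with the highest silhouette."""
    best_k = max(range(2, max_k + 1), key=lambda k: silhouette(bits, cluster(bits, k)))
    return cluster(bits, best_k)

def bit_classes(bits, clusters):
    """'V': varies inside some cluster, 'D': constant per cluster but differs
    between clusters, 'G': the same value in every frame."""
    classes = []
    for pos in range(len(bits[0])):
        per_cluster = [{bits[i][pos] for i in members} for members in clusters]
        if any(len(vals) > 1 for vals in per_cluster):
            classes.append("V")
        elif len(set.union(*per_cluster)) > 1:
            classes.append("D")
        else:
            classes.append("G")
    return classes

def fields(classes):
    """Cut wherever the class changes; returns (start_bit, end_bit, class)."""
    out, start = [], 0
    for pos in range(1, len(classes) + 1):
        if pos == len(classes) or classes[pos] != classes[start]:
            out.append((start, pos, classes[start]))
            start = pos
    return out

def infer_format(frames, max_k=4):
    bits = [to_bits(f) for f in frames]
    clusters = choose_clustering(bits, max_k)
    return clusters, fields(bit_classes(bits, clusters))

if __name__ == "__main__":
    clusters, layout = infer_format(build_frames())
    print("clusters:", clusters)
    for start, end, cls in layout:
        print(f"bits {start:2d}-{end - 1:2d} ({end - start} bits) class {cls}")
```

On the toy frames the silhouette peaks at k = 2 (request and response clusters) and the inferred layout has cuts at bit positions 4, 5, 10 and 12, three of which a byte-oriented extractor could not produce. The rule's limitation is also visible: two adjacent fields of the same class (say a 1-bit flag followed directly by a counter, both 'V') would be merged, which is the gap the paper's alignment features and Bayes decision model are meant to close.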

Published in IET Communications, DOI 10.1049/iet-com.2015.0797 (http://iet.metastore.ingenta.com/content/journals/10.1049/iet-com.2015.0797)