Analyzing Network Protocols of Application Layer Using Hidden Semi-Markov Model

Cai, Jun; Luo, Jianzhen; Lei, Fangyuan

doi:10.1155/2016/9161723

Cited by 13 publications

(9 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They deduced design decisions for fields in these protocols to obtain hypotheses on field sizes and behavior. 9) Cai et al (2016): An idea similar to Whalen et al [19] for extracting message formats was proposed by Cai et al [25], relying completely on Markov Models. In contrast to Whalen et al, the new approach requires no previous knowledge of field boundary candidates.…”

Section: ) Protocol Informatics (2004)mentioning

confidence: 99%

“…At the end of each section, we conclude the application of the presented methods and algorithms for the respective [11] RolePlayer [18] Discoverer [13] Whalen et al [19] Biprominer [20] ProDecoder [21] Li et al [22] FieldHunter [23,24] Cai et al [25] PRE-Bin [26] Xiao et al [27] NEMESYS [28] ScriptGen [29] PEXT [30] Trifilo et al [31] Veritas [32] PREUGI [33] AutoFuzz [34] ReverX [14] ASAP [35] PRISMA [15] AutoReEngine [17] Netzob [16] process step. This discussion is intended to provide lessons learned from the application of the methods.…”

Section: Solutions and Algorithmsmentioning

confidence: 99%

See 1 more Smart Citation

Survey of Protocol Reverse Engineering Algorithms: Decomposition of Tools for Static Traffic Analysis

Kleber

Maile

Kargl

2019

IEEE Commun. Surv. Tutorials

View full text Add to dashboard Cite

Knowledge about a network protocol to understand the communication between entities is necessary for vulnerability research, penetration testing, malware analysis, network reconnaissance, and network modeling. Traffic analysis is one approach to infer a protocol, and this approach has specific challenges, tasks, methods, and solutions. In this survey, we collect tools presented by prior research in the field of protocol reverse engineering by static traffic trace analysis. We dissect each tool to discern the individual mechanisms and the algorithms on which they are based, then categorize and contrast the mechanisms and algorithms used in static traffic trace analysis to discuss how successfully they were applied in each case. To structure our discussion about the tools, we compared classification schemes for protocol reverse engineering. We present and discuss an explicit process model for static traffic trace analysis to reveal the common structure of the decomposed tools and frameworks from previous research. Via discussions of the algorithms applied within each tool, we show relations between tools, methods, and the process for each process task. We validate our model by applying it to each of the tools, then provide an outline of the utility of protocol reverse engineering. Beginning with the process description, we deduce which solutions and algorithms have already been investigated and where challenges remain to determine how new solutions may be researched in the future. Across the entire field of protocol reverse engineering, few implementations of tools and frameworks are publicly available, which remains a prevalent problem.

show abstract

Section: ) Protocol Informatics (2004)mentioning

confidence: 99%

Section: Solutions and Algorithmsmentioning

confidence: 99%

Survey of Protocol Reverse Engineering Algorithms: Decomposition of Tools for Static Traffic Analysis

Kleber

Maile

Kargl

2019

IEEE Commun. Surv. Tutorials

View full text Add to dashboard Cite

show abstract

“…This section analyzes 39 different approaches, methods, and tools outputs' focus in relation to the algorithms and/or technique along with architectures applied. [4] 2007 I PFSM for future work Polyglot [5] 2007 I Dispatcher [6] 1st work AutoFormat [7] 2008 I ∼ Tupni [8] 2008 I PFSM for future work ReFormat [9] 2009 I Decryption before PRE Prospex [10] 2009 I Reverse engineers PFSM as well ProDecoder [11] 2012 I ∼ Wang et al [12] 2013 I PRE in wireless environment ProGraph [13] 2015 I Traffic classification Cai et al [14] 2016 In the Tokenization and Initial Clustering module, Discoverer clusters messages based on their token patterns assigned in 4-tuple information (dir, class of token 1, class of token 2,. . ., class of token n) where dir is the direction of the message C2S or S2C followed by the classes of all tokens in a given message.…”

Section: Distribution Of Automatic Protocol Reverse Engineeringmentioning

confidence: 99%

“…Cai et al [14] aim at selecting fields keywords with their optimal lengths and finding about how protocol messages are segmented. Through a hidden semi-Markov model Cai et al try to model an entire protocol message format.…”

Section: Distribution Of Automatic Protocol Reverse Engineeringmentioning

confidence: 99%

“…Analyzed/reverse engineered protocols Related approach, method, or tool 7-application HTTP, HTTPS, DNS, SIP, FTP, TFTP, IMAP, SSH, IRC, XMPP, SMTP, BitTorrent, MIME, SNMP, MSNP, POP3, DHCP, SMB, CIFS, Samba, XunLei, BitSpirit, QQLive, eMule, ICQ, SopCast, PPLIVE, PPTV, KAD, ISAKMP, SSDP, WeChat, Kugoo [3-11, 13, 14, 16-22, 24-26, 28-30, 32-37, 39, 41, 42] 6-presentation SMB, WMF, BMP, JPG, PNG, TIF, MIME, SSL [8-11, 29, 39] 5-session RPC, NetBIOS, NFS, SSL [8,14,29,30,39,40] 4-transport TCP, UDP, SrvLoc [17,23,31,38] 3-network ICMP, OSPF, RIP [7,12,40] 2-data link ARP, STP [12,15,17,23] 1-physical none [15] analyzed or reverse engineered by 33 out of 39 approaches, methods, and tools presented in this paper. HTTP protocol appears in 21 approaches as the most analyzed protocol.…”

Section: Osi-layermentioning

confidence: 99%

See 1 more Smart Citation

A Survey of Automatic Protocol Reverse Engineering Approaches, Methods, and Tools on the Inputs and Outputs View

Sija

Goo

Shim

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

A network protocol defines rules that control communications between two or more machines on the Internet, whereas Automatic Protocol Reverse Engineering (APRE) defines the way of extracting the structure of a network protocol without accessing its specifications. Enough knowledge on undocumented protocols is essential for security purposes, network policy implementation, and management of network resources. This paper reviews and analyzes a total of 39 approaches, methods, and tools towards Protocol Reverse Engineering (PRE) and classifies them into four divisions, approaches that reverse engineer protocol finite state machines, protocol formats, and both protocol finite state machines and protocol formats to approaches that focus directly on neither reverse engineering protocol formats nor protocol finite state machines. The efficiency of all approaches’ outputs based on their selected inputs is analyzed in general along with appropriate reverse engineering inputs format. Additionally, we present discussion and extended classification in terms of automated to manual approaches, known and novel categories of reverse engineered protocols, and a literature of reverse engineered protocols in relation to the seven layers’ OSI (Open Systems Interconnection) model.

show abstract