Refining Network Message Segmentation with Principal Component Analysis

Kleber, Stephan; Kargl, Frank

doi:10.1109/cns56114.2022.9947242

Cited by 3 publications

(3 citation statements)

References 21 publications

(43 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Compared Tools. We select five state-of-the-art protocol reverse engineering tools widely used in academia and industry as baselines, including Netzob [6], Netplier [53], FieldHunter [3], BinaryInferno [9], and Nemesys [22]. Their approaches are diverse.…”

Section: A Experiments Setupmentioning

confidence: 99%

“…Network Trace Based Approach. These techniques analyze static network traces to mine features such as message bytes [22], sequences [53], [6], and common field semantics [3], [9]. Some techniques, such as Netzob [6] and Netplier [53], employ an alignment-based approach that classifies messages into distinct clusters and summarizes cluster-specific structures based on alignment [12].…”

Section: A Protocol Reverse Engineeringmentioning

confidence: 99%

“…The experimental results demonstrate that DYNPRE outperforms prior approaches in both field identification and message type inference. Specifically, DYN-PRE identifies fields with a perfection score of 0.50 and infers message types with a V-measure of 0.94, whereas Netzob [6], Netplier [53], FieldHunter [3], BinaryInferno [9], and Nemesys [22] achieve on average (0.15, 0.72), (0.16, 0.73), (0.15, 0.83), (0.15, -), and (0.31, -), respectively. Even when these tools are given datasets enhanced with dynamic interaction, DYNPRE is still superior.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

DynPRE: Protocol Reverse Engineering via Dynamic Inference

Luo,

Liang,

Zhao

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Automatic protocol reverse engineering is essential for various security applications. While many existing techniques achieve this task by analyzing static network traces, they face increasing challenges due to their dependence on high-quality samples. This paper introduces DYNPRE, a protocol reverse engineering tool that exploits the interactive capabilities of protocol servers to obtain more semantic information and additional traffic for dynamic inference. DYNPRE first processes the initial input network traces and learns the rules for interacting with the server in different contexts based on session-specific identifier detection and adaptive message rewriting. It then applies exploratory request crafting to obtain semantic information and supplementary samples and performs real-time analysis. Our evaluation on 12 widely used protocols shows that DYNPRE identifies fields with a perfection score of 0.50 and infers message types with a V-measure of 0.94, significantly outperforming state-of-the-art methods like Netzob, Netplier, FieldHunter, BinaryInferno, and Nemesys, which achieve average perfection and V-measure scores of (0.15, 0.72), (0.16, 0.73), (0.15, 0.83), (0.15, -), and (0.31, -), respectively. Furthermore, case studies on unknown protocols highlight the effectiveness of DYNPRE in real-world applications.

show abstract