Survey of Protocol Reverse Engineering Algorithms: Decomposition of Tools for Static Traffic Analysis

Kleber, Stephan; Maile, Lisa; Kargl, Frank

doi:10.1109/comst.2018.2867544

Cited by 33 publications

(18 citation statements)

References 73 publications

(127 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, when the program does not output data, the writing data function would not be easy to obtain. Kleber et al [7] proposed a scheme to mine the message format based on the data change distribution characteristics of the message. e theoretical basis of the scheme is to statistically analyze the change characteristics of the value range of each field in the message.…”

Section: Introductionmentioning

confidence: 99%

[Retracted] Dynamic Analysis of Network Protocol Hiding Behavior Based on Perceptual Mining

Xiao-yan

2022

Discrete Dynamics in Nature and Society

View full text Add to dashboard Cite

This paper analyzes the typical abnormal behaviors such as hidden and invisible attacks of network protocols and proposes a new method to perceive and mine the abnormal behaviors of protocols so as to evaluate the operational security of protocols. Aiming at the problems of long latency and difficulty to expose the hidden behavior of network protocols, a scheme combining dynamic stain analysis and instruction clustering analysis is proposed. The proposed method cannot only quickly distinguish the hidden behavior but also accurately grasp the hidden behavior instruction sequence. Experimentation results show that the proposed method can mine unknown protocols for abnormal behavior with high accuracy.

show abstract

Section: Introductionmentioning

confidence: 99%

[Retracted] Dynamic Analysis of Network Protocol Hiding Behavior Based on Perceptual Mining

Xiao-yan

2022

Discrete Dynamics in Nature and Society

View full text Add to dashboard Cite

show abstract

“…The use of sequence alignment to perform such an analysis was first suggested by Beddoe [16]. Since Beddoe's paper, a variety of algorithms from natural language processing and bio-informatics have been applied to network protocols [3]. There are also practical implementations to perform static traffic analysis, the most versatile of which is Netzob [10].…”

Section: Related Workmentioning

confidence: 99%

“…Several recent surveys by Narayan et al [1], Duchêne et al [2], and Kleber et al [3] describe the current state of the art for protocol reverse engineering based on network traffic traces or programs. In this paper, we focus on traffic analysis based on information gained by observing only the communication link.…”

Section: Introductionmentioning

confidence: 99%

Message Type Identification of Binary Network Protocols using Continuous Segment Similarity

Kleber

Heijden

Kargl

2020

IEEE INFOCOM 2020 - IEEE Conference on Computer Communications

Self Cite

View full text Add to dashboard Cite

Protocol reverse engineering based on traffic traces infers the behavior of unknown network protocols by analyzing observable network messages. To perform correct deduction of message semantics or behavior analysis, accurate message type identification is an essential first step. However, identifying message types is particularly difficult for binary protocols, whose structural features are hidden in their densely packed data representation. We leverage the intrinsic structural features of binary protocols and propose an accurate method for discriminating message types. Our approach uses a similarity measure with continuous value range by comparing feature vectors where vector elements correspond to the fields in a message, rather than discrete byte values. This enables a better recognition of structural patterns, which remain hidden when only exact value matches are considered. We combine Hirschberg alignment with DBSCAN as cluster algorithm to yield a novel inference mechanism. By applying novel autoconfiguration schemes, we do not require manually configured parameters for the analysis of an unknown protocol, as required by earlier approaches. Results of our evaluations show that our approach has considerable advantages in message type identification result quality and also execution performance over previous approaches. Index Terms-network reconnaissance; protocol reverse engineering; vulnerability research Preprocessing Structure NEMETYL Grammar Re co rd ed m es sa ge tra ce M es sa ge fo rm at s M es sa ge ty pe s St at e m ac hi ne

show abstract

“…The PRE process of the protocol includes input preprocessing, protocol format extraction and state machine inference [20][21][22]. First, the input preprocessing captures protocol messages on the network and transforms them into a format suitable for subsequent analysis.…”

Section: Introductionmentioning

confidence: 99%

Unsupervised Binary Protocol Clustering Based on Maximum Sequential Patterns

Shi¹,

Ye²,

Li³

et al. 2022

Computer Modeling in Engineering &Amp; Sciences

View full text Add to dashboard Cite

With the rapid development of the Internet, a large number of private protocols emerge on the network. However, some of them are constructed by attackers to avoid being analyzed, posing a threat to computer network security. The blockchain uses the P2P protocol to implement various functions across the network. Furthermore, the P2P protocol format of blockchain may differ from the standard format specification, which leads to sniffing tools such as Wireshark and Fiddler not being able to recognize them. Therefore, the ability to distinguish different types of unknown network protocols is vital for network security. In this paper, we propose an unsupervised clustering algorithm based on maximum frequent sequences for binary protocols, which can distinguish various unknown protocols to provide support for analyzing unknown protocol formats. We mine the maximum frequent sequences of protocol message sets in bytes. And we calculate the fuzzy membership of the protocol message to each maximum frequent sequence, which is based on fuzzy set theory. Then we construct the fuzzy membership vector for each protocol message. Finally, we adopt K-means++ to split different types of protocol messages into several clusters and evaluate the performance by calculating homogeneity, integrity, and Fowlkes and Mallows Index (FMI). Besides, the clustering algorithms based on Needleman-Wunsch and the fixed-length prefix are compared with the algorithm presented in this paper. Compared with these traditional clustering methods, we demonstrate a certain improvement in the clustering performance of our work.

show abstract

Survey of Protocol Reverse Engineering Algorithms: Decomposition of Tools for Static Traffic Analysis

Cited by 33 publications

References 73 publications

[Retracted] Dynamic Analysis of Network Protocol Hiding Behavior Based on Perceptual Mining

[Retracted] Dynamic Analysis of Network Protocol Hiding Behavior Based on Perceptual Mining

Message Type Identification of Binary Network Protocols using Continuous Segment Similarity

Unsupervised Binary Protocol Clustering Based on Maximum Sequential Patterns

Contact Info

Product

Resources

About