Using Segment-Based Alignment to Extract Packet Structures from Network Traces

Proceedings 2021 Network and Distributed System Security Symposium

et al. 2021

Network protocol reverse engineering is an important challenge with many security applications. A popular kind of method leverages network message traces. These methods rely on pair-wise sequence alignment and/or tokenization. They have various limitations such as difficulties of handling a large number of messages and dealing with inherent uncertainty. In this paper, we propose a novel probabilistic method for network trace based protocol reverse engineering. It first makes use of multiple sequence alignment to align all messages and then reduces the problem to identifying the keyword field from the set of aligned fields. The keyword field determines the type of a message. The identification is probabilistic, using random variables to indicate the likelihood of each field (being the true keyword). A joint distribution is constructed among the random variables and the observations of the messages. Probabilistic inference is then performed to determine the most likely keyword field, which allows messages to be properly clustered by their true types and enables the recovery of message format and state machine. Our evaluation on 10 protocols shows that our technique substantially outperforms the state-of-the-art and our case studies show the unique advantages of our technique in IoT protocol reverse engineering and malware analysis.

Section: Related Workmentioning

confidence: 99%

NetPlier: Probabilistic Network Protocol Reverse Engineering from Message Traces

Zhang

Proceedings 2021 Network and Distributed System Security Symposium

et al. 2021

“…Finally, the fields are merged according to the change rate, mean value, and variance of adjacent fields in the segmented group. Esoul and Walkinshaw [6] proposed a format extraction algorithm based on message segmentation (segment-based NW) in order to avoid the decision error caused by different message lengths. e basic idea is that the packets are compared by multiple sequences based on segmentation, and then the analysis results are combined by weighted coefficients.…”

Section: Related Workmentioning

confidence: 99%

A Practical Format and Semantic Reverse Analysis Approach for Industrial Control Protocols

Sun

Security and Communication Networks

et al. 2021

Industrial control protocol is the basis of communication and interaction of industrial control system, and its security is related to the whole industrial infrastructure. Because many industrial control systems use proprietary protocols, it is necessary to adopt protocol reverse analysis technology to parse them and then detect whether there are secure vulnerabilities in the protocols by means of fuzzy testing. However, most of the existing technologies are designed for common network protocols, and there is no improvement for industrial control protocol. Therefore, we propose a multistage ensemble reverse analysis method, namely, MSERA, which fully considers the design concept of industrial control protocols. MSERA divides the traditional reverse analysis process into three stages and identifies the fields with different semantic characteristics in different stages and combines with field rectification to effectively improve the results of reverse analysis of industrial control protocols. Through the experimental comparison of some public and proprietary industrial control protocols, it is found that MSERA not only outperforms Netzob in the accuracy of field split but also far exceeds Netzob in semantic recognition accuracy. The experimental results show that MSERA is very practical and suitable for reverse analysis of industrial control protocols.

Proceedings 2019 Network and Distributed System Security Symposium

“…One relevant related paper uses sequence alignment algorithms on the contents of unencrypted packets in order to infer the contents of similar segments [23]. This technique applies to the plain-text contents of the packets.…”

Section: Related Workmentioning

confidence: 99%

Profit: Detecting and Quantifying Side Channels in Networked Applications

Rosner

Kadron

Bang

et al. 2019

We present a black-box, dynamic technique to detect and quantify side-channel information leaks in networked applications that communicate through a TLS-encrypted stream. Given a user-supplied profiling-input suite in which some aspect of the inputs is marked as secret, we run the application over the inputs and capture a collection of variable-length network packet traces. The captured traces give rise to a vast side-channel feature space, including the size and timestamp of each individual packet as well as their aggregations (such as total time, median size, etc.) over every possible subset of packets. Finding the features that leak the most information is a difficult problem. Our approach addresses this problem in three steps: 1) Global analysis of traces for their alignment and identification of phases across traces; 2) Feature extraction using the identified phases; 3) Information leakage quantification and ranking of features via estimation of probability distribution. We embody this approach in a tool called Profit and experimentally evaluate it on a benchmark of applications from the DARPA STAC program, which were developed to assess the effectiveness of side-channel analysis techniques. Our experimental results demonstrate that, given suitable profiling-input suites, Profit is successful in automatically detecting information-leaking features in applications, and correctly ordering the strength of the leakage for differently-leaking variants of the same application.