Reverse Engineering of Protocols from Network Traces

2011 18th Working Conference on Reverse Engineering Pub Date : 2011-10-17 DOI:10.1109/WCRE.2011.28

João Antunes, N. Neves, P. Veríssimo

{"title":"Reverse Engineering of Protocols from Network Traces","authors":"João Antunes, N. Neves, P. Veríssimo","doi":"10.1109/WCRE.2011.28","DOIUrl":null,"url":null,"abstract":"Communication protocols determine how network components interact with each other. Therefore, the ability to derive a specification of a protocol can be useful in various contexts, such as to support deeper black-box testing or effective defense mechanisms. Unfortunately, it is often hard to obtain the specification because systems implement closed (i.e., undocumented) protocols, or because a time consuming translation has to be performed, from the textual description of the protocol to a format readable by the tools. To address these issues, we propose a new methodology to automatically infer a specification of a protocol from network traces, which generates automata for the protocol language and state machine. Since our solution only resorts to interaction samples of the protocol, it is well-suited to uncover the message formats and protocol states of closed protocols and also to automate most of the process of specifying open protocols. The approach was implemented in a tool and experimentally evaluated with publicly available FTP traces. Our results show that the inferred specification is a good approximation of the reference specification, exhibiting a high level of precision and recall.","PeriodicalId":350863,"journal":{"name":"2011 18th Working Conference on Reverse Engineering","volume":"6 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-10-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"85","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2011 18th Working Conference on Reverse Engineering","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/WCRE.2011.28","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 85

Abstract

Communication protocols determine how network components interact with each other. Therefore, the ability to derive a specification of a protocol can be useful in various contexts, such as to support deeper black-box testing or effective defense mechanisms. Unfortunately, it is often hard to obtain the specification because systems implement closed (i.e., undocumented) protocols, or because a time consuming translation has to be performed, from the textual description of the protocol to a format readable by the tools. To address these issues, we propose a new methodology to automatically infer a specification of a protocol from network traces, which generates automata for the protocol language and state machine. Since our solution only resorts to interaction samples of the protocol, it is well-suited to uncover the message formats and protocol states of closed protocols and also to automate most of the process of specifying open protocols. The approach was implemented in a tool and experimentally evaluated with publicly available FTP traces. Our results show that the inferred specification is a good approximation of the reference specification, exhibiting a high level of precision and recall.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

网络跟踪协议的逆向工程

通信协议决定了网络组件如何相互作用。因此，派生协议规范的能力在各种上下文中都很有用，例如支持更深入的黑盒测试或有效的防御机制。不幸的是，通常很难获得规范，因为系统实现封闭(例如，未记录的)协议，或者因为必须执行耗时的转换，从协议的文本描述到工具可读的格式。为了解决这些问题，我们提出了一种新的方法来自动从网络跟踪中推断协议的规范，该方法为协议语言和状态机生成自动机。由于我们的解决方案仅使用协议的交互示例，因此它非常适合揭示封闭协议的消息格式和协议状态，也适合自动化指定开放协议的大部分过程。该方法是在一个工具中实现的，并通过公开可用的FTP跟踪进行了实验评估。我们的结果表明，推断的规范是一个很好的近似参考规范，显示出高水平的精度和召回。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

2011 18th Working Conference on Reverse Engineering

自引率

0.00%

发文量