Shen Wang, Fanghui Sun, Hongli Zhang, D. Zhan, Shuanggeng Li, Jun Wang
EDSM-Based Binary Protocol State Machine Reversing
Journal: Cmc-computers Materials & Continua (Journal Article), volume: 32 1
Publication date: 2021-01-01
DOI: 10.32604/cmc.2021.016562 (https://doi.org/10.32604/cmc.2021.016562)
Citations: 0
Abstract
Internet communication protocols define the behavior rules of network components when they communicate with each other. With the continuous development of network technologies, many private or unknown network protocols keep emerging in various network environments. As a result, the relevant protocol specifications become difficult to translate or unavailable in many situations such as network security management and intrusion detection. Although protocol reverse engineering has been investigated in recent years to perform reverse analysis on the specifications of unknown protocols, most existing methods have proven to be time-consuming with limited efficiency, especially when applied to unknown protocol state machines. This paper proposes a state merging algorithm based on EDSM (Evidence-Driven State Merging) to infer the transition rules of unknown protocols in the form of state machines with high efficiency. Compared with another classical state machine inference method based on the Exbar algorithm, the experimental results demonstrate that our proposed method can run faster, especially when dealing with massive training data sets. In addition, this method can also produce state machines that have higher similarity to the reference state machines constructed from public specifications.
About the journal:
This journal publishes original research papers in the areas of computer networks, artificial intelligence, big data management, software engineering, multimedia, cyber security, internet of things, materials genome, integrated materials science, data analysis, modeling, and engineering of designing and manufacturing of modern functional and multifunctional materials.
Novel high performance computing methods, big data analysis, and artificial intelligence that advance material technologies are especially welcome.