Dongxiao Jiang,Chenggang Li,Lixin Ma,Xiaoyu Ji,Yanjiao Chen,Bo Li

DOI: https://doi.org/10.1109/bigdatasecurity-hpsc-ids49724.2020.00015

2020-01-01

Abstract:With the development of network, more and more unkown protocols appear. Network protocols define the rules between network entities and firewall uses network protocol for deep packet detection to prevent intrusions. For detecting these unkown protocols, firewall can’t analyze these protocols, which makes many systems vulnerable. To solve this problem, protocol reverse engineering is getting more and more attention. Protocol reverse engineering is a process that reverses the syntax and grammar of a protocol from its traces of execution codes. It focuses on three protocol features: field boundaries, protocol grammar and state machine. Field boundaries inference is the basis of the protocol reverse engineering, the precision of this process has a big influence on reversing the grammar and state machine. In this paper, we propose a method called ABinfer, which leverage the Field Adjacent information to identify the field boundaries. We evaluate the method on three protocols and the results show that it has a good ability to identify field boundaries of protocols.

Ma Rongkuan,Zheng Hao,Wang Jingyi,Wang Mufeng,Wei Qiang,Wang Qingxian

DOI: https://doi.org/10.1631/fitee.2000709

IF: 2.526

2022-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Proprietary (or semi-proprietary) protocols are widely adopted in industrial control systems (ICSs). Inferring protocol format by reverse engineering is important for many network security applications, e.g., program tests and intrusion detection. Conventional protocol reverse engineering methods have been proposed which are considered time-consuming, tedious, and error-prone. Recently, automatical protocol reverse engineering methods have been proposed which are, however, neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations. In this paper, we present a framework called the industrial control system protocol reverse engineering framework (ICSPRF) that aims to extract ICS protocol fields with high accuracy. ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context, e.g., basic block (BBL) group. As a result, by monitoring program execution, we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format. We evaluate our approach with six open-source ICS protocol implementations. The results show that ICSPRF can identify individual protocol fields with high accuracy (on average a 94.3% match ratio). ICSPRF also has a low coarse-grained and overly fine-grained match ratio. For the same metric, ICSPRF is more accurate than AutoFormat (88.5% for all evaluated protocols and 80.0% for binary-based protocols).

Butian Huang,Zhenguang Liu,Jianhai Chen,Anan Liu,Qi Liu,Qinming He

DOI: https://doi.org/10.1007/s11042-017-4396-4

IF: 2.577

2017-01-01

Multimedia Tools and Applications

Abstract:Blockchain holds promise for being the revolutionary technology, which has the potential to find applications in numerous fields such as digital money, clearing, gambling and product tracing. However, blockchain faces its own problems and challenges. One key problem is to automatically cluster the behavior patterns of all the blockchain nodes into categories. In this paper, we introduce the problem of behavior pattern clustering in blockchain networks and propose a novel algorithm termed BPC for this problem. We evaluate a long list of potential sequence similarity measures, and select a distance that is suitable for the behavior pattern clustering problem. Extensive experiments show that our proposed algorithm is much more effective than the existing methods in terms of clustering accuracy.

Yi-Chuan Wang,Bin-Bin Bai,Xin-Hong Hei,Ju Ren,Wen-Jiang Ji

DOI: https://doi.org/10.6688/jise.202007_36(4).0005

2020-01-01

Journal of information science and engineering

Abstract:In recent years, unscrupulous hacker attacks have led to the information leakage of enterprise and individual network users, which makes the network security issue unprecedented concerned. Botnet and dark network, which use C & C channel of unknown protocol format to communicate, are the important parts. With the development of wireless mobile networks technology, this problem becomes more prominent. Classifying and identifying the unknown protocol features can help us to judge and predict the unknown attack behavior in the Internet of things environment, so as to protect the network security. Firstly, this paper compares the protocol features to be detected with the existing protocol features in the feature base through the vectorization operation of protocol features, selects the feature set with high recognition rate, and judges the similarity between protocols. The extracted composite features are digitized to generate 0-1 matrix, then Principal Component Analysis (PCA) dimension reduction is processed, and finally clustering analysis is carried out. A Clique to Protocol Feature Vectorization (CPFV) algorithm is designed to improve the efficiency of protocol clustering and finally generate a new protocol format. The experimental results show that compared with the traditional Clique and BIRCH algorithms, the proposed optimization algorithm improves the accuracy by 20% and the stability by 15%. It can cluster and identify unknown protocols accurately and quickly.

Zhang Luoshi,Xue Yibo,Wang Dawei

DOI: https://doi.org/10.14257/ijfgcn.2015.8.2.16

2015-01-01

International Journal of Future Generation Communication and Networking

Abstract:Due to the wide use of encrypted protocols and random ports, traditional methods that based on port number or packet payload have gradually lose their effectiveness. To address this issue, new methods that based on machine learning techniques become the research hotspots. With many further studies, some research institutions show that ML-based protocol identification methods can generally achieve over 95% accuracy. However, different from most research studies, industry claims that ML-based techniques are hardly to be deployed for practical use due to their high false positives and false negatives. In this paper, different Machine Learning techniques are evaluated for the actual accuracy under different network environments, and a variety of features are tested on different encrypted protocols. The results show that the identification accuracy will go down due to the changed network scale and network environment while the same ML-based models are used under different network environments, and the choices among different Machine Learning techniques, protocol types or statistical features are not critical.

Li, Chenglong,Xue, Yibo,Dong, Yingfei,Wang, Dongsheng

DOI: https://doi.org/10.1109/TST.2012.6216767

2012-01-01

Abstract:Traffic classification is critical to effective network management. However, more and more proprietary, encrypted, and dynamic protocols make traditional traffic classification methods less effective. A Message and Command Correlation (MCC) method was developed to identify interactive protocols (such as P2P file sharing protocols and Instant Messaging (IM) protocols) by session analyses. Unlike traditional packet-based classification approaches, this method exploits application session information by clustering packets into application messages which are used for further classification. The efficacy and accuracy of the MCC method was evaluated with real world traffic, including P2P file sharing protocols Thunder and Bit-Torrent, and IM protocols QQ and GTalk. The tests show that the false positive rate is less than 3% and the false negative rate is below 8%, and that MCC only needs to check 8.7% of the packets or 0.9% of the traffic. Therefore, this approach has great potential for accurately and quickly discovering new types of interactive application protocols.

Yangfan Zhou,Xinyu Chen,Michael R. Lyu,Jiangchuan Liu

DOI: https://doi.org/10.1007/978-3-642-31869-6_8

2012-01-01

Abstract:Wireless communication protocols are centric to Wireless Sensor Network (WSN) applications. However, WSN protocols are prune to defects, even after their field deployments. A convenient tool that can facilitate the detection of post-deployment protocol defects is of great importance to WSN practitioners. This paper presents Probe-I (sensor network Protocol behavior Inspector), a novel tool to obtain, visualize, and verify the behaviors of WSN protocols after their field deployments. Probe-I collects the protocol behaviors in a non-intrusive manner, i.e., via passively listening to the packet exchanges in the target network. Then with a role-oriented behavior modeling approach, Probe-I models the protocol behaviors node by node based on the sniffed packets, which well reflects how the target protocol performs in each node. This allows the WSN practitioners to readily see if the target protocol behaves as intended by simply verifying the correctness of the behavior metrics in a simple, baseline test. Finally, the verified metrics allow Probe-I to automatically check the protocol behaviors from time to time during the network lifetime. The suggested behavior discrepancy can unveil potential protocol defects. We apply Probe-I to verify two WSN data collection protocols, and find their design defects. It shows that Probe-I can substantially facilitate WSN protocol verification.

Xiaoxian Chen,Zhenlong Yuan,Yibo Xue

DOI: https://doi.org/10.1109/iccnc.2014.6785437

2014-01-01

Abstract:Tencent QQ is the most popular instant message communication tool in China, which has more than 780 million users and thus generates huge traffic on the Internet. However, due to its proprietary protocol and encryption mechanism, it is very hard to identify QQ traffic at a fine-grained flow level. To solve this issue, this paper proposes a novel identification method, which uses a Payload and Behavior Combination (PBC) technology. PBC combines the packet payload characteristics with behavior characteristics existing in the QQ communication process. The experimental results show that PBC has a good identification accuracy in dealing with QQ traffic.

Dawei Wang,Luoshi Zhang,Zhenlon Yuan,Yibo Xue,Yinfei Dong

DOI: https://doi.org/10.1109/iccnc.2014.6785298

2014-01-01

Abstract:Network traffic classification is critical to both network management and system security. However, existing traffic classification techniques become less effective as more P2P applications use proprietary protocols for delivery and encryption. Especially, current techniques usually focus on individual flows and do not consider all flows associated with an application together. To address this issue, this paper proposes a novel Application Behavior Characterization (ABC) technique. We design a novel application behavior feature extracting method and an effective classification algorithm, which explore the correlation of multiple flows of a specific application. We evaluate the proposed method with real network traffic. The experimental results show that it can correctly identify flows belonging to a set of known P2P applications (such as Skype, Thunder, and PPTV) with a probability over 90%. Moreover, it can further identify the particular application that a flow belongs to with a precision of 90% on average. More information about implementing and deploying ABC can be found in a technical report [10].

Tao Qin,Lei Wang,Zhaoli Liu,Xiaohong Guan

DOI: https://doi.org/10.1016/j.knosys.2015.03.002

IF: 8.139

2015-01-01

Knowledge-Based Systems

Abstract:Application identification plays an essential role in network management such as intrusion detection and security monitoring. But the continuous growth of bandwidth and massive amount of packets pose serious challenges for efficacious and accurate application identification. In this paper, we develop a new method to reduce the number of packets being processed while achieving the goal of accurate P2P and VoIP application identification. Firstly, we employ the Bi-flow model to aggregate traffic packets into Bi-flow, which can capture the exchange behavior characteristics between different terminals. Then we employ the signature of Packet Size Distribution (PSD) to capture flow dynamics, which is defined as the payload length distribution probability of the packets in one Bi-flow. Secondly, we collect PSD of several different P2P and VoIP applications and the analysis results show that PSD of different applications are different with each other, which can be used as features to perform traffic identification. We also find the PSD characteristics of one Bi-flow can be captured by its first few packets, which demonstrate our methods can identify the Bi-flow quickly after its establishment. We employ the Renyi cross entropy to perform identification by calculating the similarity between PSD of the Bi-flow being identified and that of specific application. If the similarity is higher than a selected threshold, the Bi-flow being identified is classified to the specific application. Finally, as the PSD is a type of probability feature which is not sensitive to packet lose, we integrate the Poisson sampling method into our framework to process the massive data in backbone networks. Experimental results using the artificial and actual traces collected from monitoring platform in the Northwest Center of CERNET (China Education and Research Network) verify the accuracy and robustness of our method.

Stephan Kleber,Rens Wouter van der Heijden,Frank Kargl

DOI: https://doi.org/10.1109/INFOCOM41043.2020.9155275

2022-11-08

Abstract:Protocol reverse engineering based on traffic traces infers the behavior of unknown network protocols by analyzing observable network messages. To perform correct deduction of message semantics or behavior analysis, accurate message type identification is an essential first step. However, identifying message types is particularly difficult for binary protocols, whose structural features are hidden in their densely packed data representation. We leverage the intrinsic structural features of binary protocols and propose an accurate method for discriminating message types. Our approach uses a similarity measure with continuous value range by comparing feature vectors where vector elements correspond to the fields in a message, rather than discrete byte values. This enables a better recognition of structural patterns, which remain hidden when only exact value matches are considered. We combine Hirschberg alignment with DBSCAN as cluster algorithm to yield a novel inference mechanism. By applying novel autoconfiguration schemes, we do not require manually configured parameters for the analysis of an unknown protocol, as required by earlier approaches. Results of our evaluations show that our approach has considerable advantages in message type identification result quality and also execution performance over previous approaches.

Networking and Internet Architecture,Cryptography and Security

Tingting Sun,Yanyong Zhang,Wade Trappe

DOI: https://doi.org/10.1109/wowmom.2012.6263766

2012-01-01

Abstract:In this paper, we examine the problem of identifying different association protocols based on client probing patterns. We take the view point of an attacker, who aims to trick certain clients to switch their association to a compromised AP, so that the attacker can easily perform various attacks, such as passing false management frames and stealing client information. In order to do that, the attacker must know what association protocol the client is using since it determines the clients switching criteria. Therefore, the attacker must be able to identify the association protocol by monitoring the network traffic. We investigated methods to identify four association protocols and propose an approach which combines k-means clustering and Gaussian fitting to classify the association protocols based on probing patterns. We tested the designed scheme on traffic traces for a variety of network scenarios. We also designed a method to quantify the likelihood of the identification using confidence intervals. Results show that the proposed method can correctly identify association protocols. Further interpretation of the results also reveals information regarding important metrics of the clients chosen association protocol.

Yu Chen,Xiayu Ping,Tao Wei

DOI: https://doi.org/10.1109/ICITIS.2010.5689522

2010-01-01

Abstract:The principal technique employed in application traffic classification, a task of identifying the applications underlying network traffic, has evolved from based on port number to deep packet inspection to payload-independent classification. We propose a novel approach in the last category. The principal idea of our method is that we associate an application with temporal patterns of the command exchange modes (subsequences of packets) of TCP flows generated by the application. Since these patterns are local by nature, our approach might be able to identify an application even if only a portion of a full flow is observable. We have applied such method to classify a number of popular P2P applications and to detect suspicious botnet traffic. To identify these kinds of traffic, we not only utilize flow patterns, but also incorporate some statistics on multi-flow and host levels. We have tested our algorithm on P2P traffic collected from our institute's computer network and on botnet traffic collected from a national-wide distributed honeynet. The early results are quite encouraging. © 2010 IEEE.

Jinsong Han,Han Ding,Chen Qian,Dan Ma,Wei Xi,Zhi Wang,Zhiping Jiang,Longfei Shangguan

DOI: https://doi.org/10.1109/TNET.2015.2501103

2016-01-01

Abstract:Different from online shopping, in-store shopping has few ways to collect the customer behaviors before purchase. In this paper, we present the design and implementation of an on-site Customer Behavior Identification system based on passive RFID tags, named CBID. By collecting and analyzing wireless signal features, CBID can detect and track tag movements and further infer corresponding customer behaviors. We model three main objectives of behavior identification by concrete problems and solve them using novel protocols and algorithms. The design innovations of this work include a Doppler effect based protocol to detect tag movements, an accurate Doppler frequency estimation algorithm, a multi-RSS based tag localization protocol, and a tag clustering algorithm using cosine similarity. We have implemented a prototype of CBID in which all components are built by off-the-shelf devices. We have deployed CBID in real environments and conducted extensive experiments to demonstrate the accuracy and efficiency of CBID in customer behavior identification.

Rui Li,Xi Xiao,Shiguang Ni,Hai-Tao Zheng,Shu‐Tao Xia

DOI: https://doi.org/10.1109/iwqos.2018.8624128

2018-01-01

Abstract:Network traffic classification, which can map network traffic to protocols in the application layer, is a fundamental technique for network management and security issues such as Quality of Service, network measurement, and network monitoring. Recent researchers focus on extracting features for traditional machine learning methods from flows or datagrams of the specific protocol. However, as the rapid growth of network applications, previous works cannot handle complex novel protocols well. In this paper, we introduce the recurrent neural network to network traffic classification and design a novel neural network, the Byte Segment Neural Network (BSNN). BSNN treats network datagrams as input and gives the classification results directly. In BSNN, a datagram is firstly broken into serval byte segments. Then, these segments are fed to encoders which are based on the recurrent neural network. The information extracted by encoders is combined to a representation vector of the whole datagram. Finally, we apply the softmax function to use this vector for predicting the application protocol of this datagram. There are several key advantages of BSNN: 1) no need for prior knowledge of target applications; 2) can handle both connection-oriented protocols and connection-less protocols; 3) supports multi-classification for protocols; 4) shows outstanding accuracy in both traditional protocols and complex novel protocols. Our thorough experiments on real-world data with different protocols indicate that BSNN gains average F1-measure about 95.82% in multi-classification for five protocols including QQ, PPLive, DNS, 360 and BitTorrent. And it also shows excellent performance for detection of novel protocols. Furthermore, compared with two recent state-of-the-art works, BSNN has superiority over the traditional machine learning-based method and the packet inspection method.

Gang He,Xiaochen Liu,Xiaochun Wu,Decheng Yu

DOI: https://doi.org/10.1109/ihmsc.2014.111

2014-01-01

Abstract:In recent years, with the rapid development of the Internet on a global scale and the prompt popularization of various App applications, the Internet is increasingly becoming an integral part of people's lives. Meanwhile various network problems caused by abnormal network behavior have become more prominent than any time before. Furthermore we also have a lot of personal information on the Internet, which will bring us significant losses if are gave away. For that, to find an effective method to detect the abnormal network behavior is becoming more and more important. This paper first introduces a new detection method based on compound session, and then shows the effectiveness of the proposed method. A further objective of this method is to identify the infected host.

Jianguo Jiang,Qilei Yin,Zhixin Shi,Qiwen Wang,Wei Zhou

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2019.00090

2019-01-01

Abstract:A great many of botnet detection researches focus on recognizing and blocking its significant C&C channel. And they typically require a certain number of C&C training instances to build a behavior detection model. However, when lacking the C&C training instances for new or even unknown botnets, these methods may become inefficient or even invalid. To overcome it, we propose a new hybrid approach for network based C&C channel detection. It neither needs us to prepare the C&C training instances, nor requires deploying malicious activities monitors. It utilizes two heuristic rules to filter the non C&C traffic disobeying common C&C characteristics, and then makes the final C&C detection through a behavior based anomaly detecting model, which only requires normal traffic for training. Our approach achieved the average C&C F-measure of above 0.9 for most evaluation datasets. Moreover, the comparison result not only demonstrates our approach has significant performance advantages than the pure heuristic rule based methods, but also shows that our behavior model can profile network traffic in detail, mine more useful behavior differences than the anomaly models using traditional statistical features, and then achieve a better detection result.

Ziming Zhao,Zhaoxuan Li,Fan Zhang,Tingting Li,Jianwei Yin

DOI: https://doi.org/10.1145/3672202.3673720

2024-01-01

Abstract:Cyber attacks are increasingly becoming prevalent and influence the Internet ecosystem. Particularly, botnets crafted by adversaries cause significant damage to Internet infrastructure. In the last decade, the boom of P2P protocols broadened and amplified the attack surface, manifested as the built botnet usually containing over 100K nodes. However, the existing state-of-the-art graph-based method exhibits many misclassifications when existing legitimate P2P communication. In this paper, we propose an intelligent node retrieval process based on reinforcement learning to calibrate more misidentifications with as few retrievals as possible. The empirical evaluations that contain >100,000 communication nodes from the real-world IP backbone topology and involve 7 common P2P protocols show our proposal realizes superior outcomes for misidentification calibrations.

Stephan Kleber,Milan Stute,Matthias Hollick,Frank Kargl

DOI: https://doi.org/10.1109/DSN-W54100.2022.00023

2022-11-08

Abstract:Reverse engineering of unknown network protocols based on recorded traffic traces enables security analyses and debugging of undocumented network services. In particular for binary protocols, existing approaches (1) lack comprehensive methods to classify or determine the data type of a discovered segment in a message, e.,g., a number, timestamp, or network address, that would allow for a semantic interpretation and (2) have strong assumptions that prevent analysis of lower-layer protocols often found in IoT or mobile systems. In this paper, we propose the first generic method for analyzing unknown messages from binary protocols to reveal the data types in message fields. To this end, we split messages into segments of bytes and use their vector interpretation to calculate similarities. These can be used to create clusters of segments with the same type and, moreover, to recognize specific data types based on the clusters' characteristics. Our extensive evaluation shows that our method provides precise classification in most cases and a data-type-recognition precision of up to 100% at reasonable recall, improving the state-of-the-art by a factor between 1.3 and 3.7 in realistic scenarios. We open-source our implementation to facilitate follow-up works.

Cryptography and Security,Networking and Internet Architecture

YoungGiu Jung,Chang-Min Jeong

DOI: https://doi.org/10.1007/s11227-019-03108-w

IF: 3.3

2020-01-01

The Journal of Supercomputing

Abstract:The protocol reverse engineering technique can be used to extract the specification of an unknown protocol. However, there is no standardized method, and in most cases, the extracting process is executed manually or semiautomatically. Since only frequently seen values are extracted as fields from the messages of a protocol, it is difficult to understand the complete specification of the protocol. Therefore, if the information about the structure of an unknown protocol could be acquired in advance, it would be easy to conduct reverse engineering. As such, one of the most important techniques for classifying unknown protocols is a feature extraction algorithm. In this paper, we propose a new feature extraction algorithm based on average histogram for classification of an unknown protocol and design unknown protocol classifier using deep belief networks, one of deep learning algorithms. In order to verify the performance of the proposed system, we performed the training using eight open protocols to evaluate the performance using unknown data. Experimental results show that the proposed technique gives significantly more reliable results of about 99% classification performance, regardless of the strength of the modification of the protocol.