Dongxiao Jiang,Chenggang Li,Lixin Ma,Xiaoyu Ji,Yanjiao Chen,Bo Li

DOI: https://doi.org/10.1109/bigdatasecurity-hpsc-ids49724.2020.00015

2020-01-01

Abstract:With the development of network, more and more unkown protocols appear. Network protocols define the rules between network entities and firewall uses network protocol for deep packet detection to prevent intrusions. For detecting these unkown protocols, firewall can’t analyze these protocols, which makes many systems vulnerable. To solve this problem, protocol reverse engineering is getting more and more attention. Protocol reverse engineering is a process that reverses the syntax and grammar of a protocol from its traces of execution codes. It focuses on three protocol features: field boundaries, protocol grammar and state machine. Field boundaries inference is the basis of the protocol reverse engineering, the precision of this process has a big influence on reversing the grammar and state machine. In this paper, we propose a method called ABinfer, which leverage the Field Adjacent information to identify the field boundaries. We evaluate the method on three protocols and the results show that it has a good ability to identify field boundaries of protocols.

Ma Rongkuan,Zheng Hao,Wang Jingyi,Wang Mufeng,Wei Qiang,Wang Qingxian

DOI: https://doi.org/10.1631/fitee.2000709

IF: 2.526

2022-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Proprietary (or semi-proprietary) protocols are widely adopted in industrial control systems (ICSs). Inferring protocol format by reverse engineering is important for many network security applications, e.g., program tests and intrusion detection. Conventional protocol reverse engineering methods have been proposed which are considered time-consuming, tedious, and error-prone. Recently, automatical protocol reverse engineering methods have been proposed which are, however, neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations. In this paper, we present a framework called the industrial control system protocol reverse engineering framework (ICSPRF) that aims to extract ICS protocol fields with high accuracy. ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context, e.g., basic block (BBL) group. As a result, by monitoring program execution, we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format. We evaluate our approach with six open-source ICS protocol implementations. The results show that ICSPRF can identify individual protocol fields with high accuracy (on average a 94.3% match ratio). ICSPRF also has a low coarse-grained and overly fine-grained match ratio. For the same metric, ICSPRF is more accurate than AutoFormat (88.5% for all evaluated protocols and 80.0% for binary-based protocols).

Haiyang Wei,Zhengjie Du,Haohui Huang,Yue Liu,Guang Cheng,Linzhang Wang,Bing Mao

DOI: https://doi.org/10.48550/arxiv.2405.00393

2024-01-01

Abstract:State machines play a pivotal role in augmenting the efficacy of protocolanalyzing to unveil more vulnerabilities. However, the task of inferring statemachines from network protocol implementations presents significant challenges.Traditional methods based on dynamic analysis often overlook crucial statetransitions due to limited coverage, while static analysis faces difficultieswith complex code structures and behaviors. To address these limitations, wepropose an innovative state machine inference approach powered by LargeLanguage Models (LLMs). Utilizing text-embedding technology, this method allowsLLMs to dissect and analyze the intricacies of protocol implementation code.Through targeted prompt engineering, we systematically identify and infer theunderlying state machines. Our evaluation across six protocol implementationsdemonstrates the method's high efficacy, achieving an accuracy rate exceeding90implementations of the same protocol. Importantly, integrating this approachwith protocol fuzzing has notably enhanced AFLNet's code coverage by 10RFCNLP, showcasing the considerable potential of LLMs in advancing networkprotocol security analysis. Our proposed method not only marks a significantstep forward in accurate state machine inference but also opens new avenues forimproving the security and reliability of protocol implementations.

Haiyang Wei,Zhengjie Du,Haohui Huang,Yue Liu,Guang Cheng,Linzhang Wang,Bing Mao

2024-06-14

Abstract:State machines play a pivotal role in augmenting the efficacy of protocol analyzing to unveil more vulnerabilities. However, the task of inferring state machines from network protocol implementations presents significant challenges. Traditional methods based on dynamic analysis often overlook crucial state transitions due to limited coverage, while static analysis faces difficulties with complex code structures and behaviors. To address these limitations, we propose an innovative state machine inference approach powered by Large Language Models (LLMs). Utilizing text-embedding technology, this method allows LLMs to dissect and analyze the intricacies of protocol implementation code. Through targeted prompt engineering, we systematically identify and infer the underlying state machines. Our evaluation across six protocol implementations demonstrates the method's high efficacy, achieving an accuracy rate exceeding 90% and successfully delineating differences on state machines among various implementations of the same protocol. Importantly, integrating this approach with protocol fuzzing has notably enhanced AFLNet's code coverage by 10% over RFCNLP, showcasing the considerable potential of LLMs in advancing network protocol security analysis. Our proposed method not only marks a significant step forward in accurate state machine inference but also opens new avenues for improving the security and reliability of protocol implementations.

Cryptography and Security

Junhai Yang,Fenghua Li,Yixuan Zhang,Junhao Zhang,Liang Fang,Yunchuan Guo

2024-12-04

Abstract:Protocol Reverse Engineering (PRE) is used to analyze protocols by inferring their structure and behavior. However, current PRE methods mainly focus on field identification within a single protocol and neglect Protocol State Machine (PSM) analysis in mixed protocol environments. This results in insufficient analysis of protocols' abnormal behavior and potential vulnerabilities, which are crucial for detecting and defending against new attack patterns. To address these challenges, we propose an automatic PSM inference framework for unknown protocols, including a fuzzy membership-based auto-converging DBSCAN algorithm for protocol format clustering, followed by a session clustering algorithm based on Needleman-Wunsch and K-Medoids algorithms to classify sessions by protocol type. Finally, we refine a probabilistic PSM algorithm to infer protocol states and the transition conditions between these states. Experimental results show that, compared with existing PRE techniques, our method can infer PSMs while enabling more precise classification of protocols.

Cryptography and Security

Yong Wang,Nan Zhang,Yan-mei Wu,Bin-bin Su

DOI: https://doi.org/10.1007/978-3-642-53917-6_40

2013-01-01

Abstract:Protocol reverse engineering is becoming important in analyzing unknown protocols. Unfortunately, many techniques often have some limitations for few priori information or the time-consuming problem. To address these issues, we propose a framework based on protocol finite state machine FSM construction, which can infer the protocol specifications without any priori information of protocols. To improve our framework's efficiency, we identify the keywords before the finite state construction. Our framework constructs two FSMs, one is L --- FSM language FSM and the other is S --- FSM state FSM. L --- FSM is to illustrate the protocol languages. S --- FSM shows protocol sessions' state transitions. We evaluate our framework with both binary and text protocol. The ARP and the SMTP are the target protocols as inputs. The precision rate and the recall rate are used for evaluation criterias in our experiments. The ARP's precision and recall rate are both reached 100%. The SMTP's precision rate is 100% and recall rate is almost 98%.

Ying Liu,Dongqin Feng

DOI: https://doi.org/10.1109/iccasit48058.2019.8973161

2019-01-01

Abstract:Computer network technology has been increasingly infiltrated into the industrial control system and made the security problems more complex and changeable. Network security situation awareness technology can perceive the real-time threats that the network faced, and provide reliable basis for decision-making. This paper mainly focuses on the situation assessment and introduces finite state machine and fuzzy logic theory. Finite state machine can intuitively show the internal state transition of the industrial control system and detect the malicious packet attack's type and severity. Fuzzy logic balances the semantic fuzziness and event uncertainty in the process of situation assessment, fuses the output data of the state machine and obtains the threat level which is helpful for decision analysis. Proved, the method proposed in this paper can give a reasonable and accurate security assessment of industrial control system.

Qingkai Shi,Xiangzhe Xu,Xiangyu Zhang

2024-07-01

Abstract:Reverse engineering of protocol message formats is critical for many security applications. Mainstream techniques use dynamic analysis and inherit its low-coverage problem -- the inferred message formats only reflect the features of their inputs. To achieve high coverage, we choose to use static analysis to infer message formats from the implementation of protocol parsers. In this work, we focus on a class of extremely challenging protocols whose formats are described via constraint-enhanced regular expressions and parsed using finite-state machines. Such state machines are often implemented as complicated parsing loops, which are inherently difficult to analyze via conventional static analysis. Our new technique extracts a state machine by regarding each loop iteration as a state and the dependency between loop iterations as state transitions. To achieve high, i.e., path-sensitive, precision but avoid path explosion, the analysis is controlled to merge as many paths as possible based on carefully-designed rules. The evaluation results show that we can infer a state machine and, thus, the message formats, in five minutes with over 90% precision and recall, far better than state of the art. We also applied the state machines to enhance protocol fuzzers, which are improved by 20% to 230% in terms of coverage and detect ten more zero-days compared to baselines.

Cryptography and Security,Programming Languages,Software Engineering

Jianxin Xu,Dongqin Feng

DOI: https://doi.org/10.1155/2017/2430835

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:This paper discusses two aspects of major risks related to the cyber security of an industrial control system (ICS), including the exploitation of the vulnerabilities of legitimate communication parties and the features abused by unauthorized parties. We propose a novel framework for exposing the above two types of risks. A state fusion finite state machine (SF-FSM) model is defined to describe multiple request-response packet pair sequence signatures of various applications using the same protocol. An inverted index of keywords in an industrial protocol is also proposed to accomplish fast state sequence matching. Then we put forward the concept of scenario reconstruction, using state sequence matching based on SF-FSM, to present the known vulnerabilities corresponding to applications of a specific type and version by identifying the packet interaction characteristics from the data flow in the supervisory control layer network. We also implement an anomaly detection approach to identifying illegal access using state sequence matching based on SF-FSM. An anomaly is asserted if none of the state sequence signatures in the SF-FSM is matched with a packet flow. Ultimately, an example based on industrial protocols is demonstrated by a prototype system to validate the methods of scenario reconstruction and anomaly detection.

GONG Jing,WU Chun-ming,SUN Wei-rong,ZHANG Min

2011-01-01

Abstract:We give a new labeling algorithm for sliding windows——a fair adaptive labeling algorithm on congestion control mechanism.The algorithm approximately identifies TCP and UDP flows,moderately distinguishes labels,and avoids the impact of congestion control mechanism on fairness.Based on the fine-grained description and prediction of the network congestion problem,the paper presents the self-adaption of the ratio of yellow package infused by each flow,and gives consideration to the impact on fairness caused by the state of network congestion.Compared with other labeling algorithms of sliding window,simulation experiment results show that FCA-ItswTCM has better effects on ensuring fairness between TCP and UDP flows and raising resource utilization and system stabilization.

ZHANG Yin,HE Hao,ZHAO Li-na,ZHANG San-yuan

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.05.015

2010-01-01

Abstract:An approach of using abstract state machine (ASM) in Internetware was presented to effectively support and realize the automation of Internetware. The peer-to-peer (P2P) network was used to support the network environment of Internetware. The design model of ASM was proposed to describe the behaviors and the state changes of the whole system from a higher abstract concept level. Then the system characteristic was easy to control. The architecture of the ASM in Internetware was analyzed,the detailed operating rules on ASM were proposed,and the changes were introduced in system states. A supporting platform of Internetware design and operation began to take shape through the design and implementation according to the states,events,methods,data,and rules involved in ASM. ASM is feasible in Internetware and can realize the automation feature of Internetware.

Ting Shu,Shouqian Sun,HaiNing Wang

DOI: https://doi.org/10.1109/CAIDCD.2009.5374861

2009-01-01

Abstract:The existence of predicate and conditional statements of the protocol transition specified in EFSM model results in the generation of infeasible State Identification Sequence using traditional methods. Thus, how to automatically generate executable State Identification Sequences, in an efficient and effective way, becomes the critical issue for protocol conformance testing. In this paper, we present a novel method of executable state identification sequence generation used to preferably solve the executability problem of state identification sequences. Specifically, in terms of an executable analysis tree (EAT), the proposed method can ensure the executability of the generated state identification sequence. In a specific state identification scene, we can use a state projection subspace to simplify, the state identification work. At last, an example was performed to show that the new method is how to work effectively.

Senlin Zhang,Liangfang Qian,Meiqin Liu,Zhen Fan,Qunfei Zhang

DOI: https://doi.org/10.1007/s11265-016-1138-1

2016-01-01

Abstract:Underwater wireless sensor networks are significantly different from terrestrial wireless sensor networks in that sound is mainly used as the communication medium. The limited bandwidth, long propagation delay and high bit error rate pose great challenges in Media Access Control (MAC) protocol design for underwater wireless sensor networks. In this paper, we propose a Slotted-FAMA based MAC protocol for underwater wireless sensor networks with data train, called SFAMA-DT. It improves the channel utilization by forming a train of data packets of multiple transmission pairs during each round of simultaneously handshakes, which overcomes the multiple RTS attempts problem of Slotted-FAMA in high traffic environments and greatly reduces the relative proportion of time wasted due to the propagation delays of control packets. Our simulations show that the SFAMA-DT is able to achieve much higher throughput than the Slotted-FAMA protocol.

吴浩,彭鑫,赵文耘

2008-01-01

Abstract:Object behavior protocols are of great significance in guiding developers to understand and properly use the external functions provided by the object.Nevertheless,the related documents are often missed or inconsistent.Therefore,reverse analysis is used to recover the protocols.To achieve this goal,this paper presents a new method to extract Object State Machine(OSM) based on intentional method invoking and dynamic analysis.This method firstly extracts condition expressions containing class attributes from source code and defines states to be the sets of values of expressions at run-time as well as the exceptions;then gets states transition information by intentional method invoking;and finally uses the sates and the states transition information to construct object state machine.The corresponding prototype system has been realized and the preliminary experimental results show that this method can efficiently and accurately recovers behavior protocols.

Kuize Zhang

DOI: https://doi.org/10.48550/arXiv.2111.02824

2021-11-23

Abstract:Discrete-event systems usually consist of discrete states and transitions between them caused by spontaneous occurrences of labelled (aka partially-observed) events. Due to the partially-observed feature, fundamental properties therein could be classified into two categories: state/event-inference-based properties (e.g., strong detectability, diagnosability, and predictability) and state-concealment-based properties (e.g., opacity). Intuitively, the former category describes whether one can use observed output sequences to infer the current and subsequent states, past occurrences of faulty events, or future certain occurrences of faulty events; while the latter describes whether one cannot use observed output sequences to infer whether some secret states have been visited (that is, whether the DES can conceal the status that its secret states have been visited). Over the past two decades these properties were studied separately using different methods. In this review article, for labeled finite-state automata, a unified concurrent-composition method is shown to verify all above inference-based properties and concealment-based properties, resulting in a unified mathematical framework for the two categories of properties. In addition, compared with the previous methods in the literature, the concurrent-composition method does not depend on assumptions and is more efficient.

Systems and Control,Cryptography and Security

Haifeng Li,Bo Shuai,Jian Wang,Chaojing Tang

DOI: https://doi.org/10.1109/CIS.2015.83

2015-01-01

Abstract:Automatic protocol reverse engineering for application protocol is becoming more and more important for many applications such as application protocol analyzer, penetration testing, intrusion prevention and detection. However, many techniques for extracting the protocol message format specifications of unknown applications often have some limitations for little priori information or the time-consuming problem. In this paper, we present a method for automatically reverse engineering the protocol message formats of an application from its network trace, by using LDA and association analysis. The approach exploits the semantics of protocol messages without the executable code of application protocols, but focuses on the insight that the n-grams of protocol traces exhibit highly semantic information that can be leveraged for accurate protocol message format inference. Firstly, we propose the way to key words extract by utilizing the LDA model, secondly, the association analysis method is applied to constructing the feature words based on the above process. Lastly our experiments Show that the method can accurately infer message format specifications of SMTP text protocol.

YiPeng Wang,Xiaochun Yun,Yongzheng Zhang,Liwei Chen,Guangjun Wu

DOI: https://doi.org/10.1016/j.jnca.2017.10.009

IF: 7.574

2017-01-01

Journal of Network and Computer Applications

Abstract:Protocol fingerprints are a set of byte subsequences within packet payload that can distinguish individual application protocols. They play an important role for deep packet analysis in traffic normalization and network management. In this paper, we propose ProPrint, a network trace-based protocol fingerprint inference system. In ProPrint, we first build a protocol language model based on a modified nonparametric Bayesian statistical model. Second, we use the corresponding protocol language model to identify field boundaries in packet payload, such that we can segment each payload into a set of protocol feature words according to the hidden structure information. Third, we propose a ranking algorithm that selects true protocol fingerprints from the candidate protocol feature words. In evaluations, we measure ProPrint on real-world network traces, and also compare ProPrint to existing state-of-the-art solutions, ProWord and Securitas. The experimental results show that ProPrint performs better than ProWord and Securitas on f-measure for online application classification.

Yipeng Wang,Xiaochun Yun,M. Zubair Shafiq,Liyan Wang,Alex X. Liu,Zhibin Zhang,Danfeng (Daphne) Yao,Yongzheng Zhang,Li Guo

DOI: https://doi.org/10.1109/icnp.2012.6459963

2012-01-01

Abstract:Extracting the protocol message format specifications of unknown applications from network traces is important for a variety of applications such as application protocol parsing, vulnerability discovery, and system integration. In this paper, we propose ProDecoder, a network trace based protocol message format inference system that exploits the semantics of protocol messages without the executable code of application protocols. ProDecoder is based on the key insight that the n-grams of protocol traces exhibit highly skewed frequency distribution that can be leveraged for accurate protocol message format inference. In ProDecoder, we first discover the latent relationship among n-grams by first grouping protocol messages with the same semantics and then inferring message formats by keyword based clustering and cluster sequence alignment. We implemented and evaluated ProDecoder to infer message format specifications of SMB (a binary protocol) and SMTP (a textual protocol). Our experimental results show that ProDecoder accurately parses and infers SMB protocol with 100% precision and recall. For SMTP, ProDecoder achieves approximately 95% precision and recall.

Qianmu Li,Yaozong Liu,Shunmei Meng,Hanrui Zhang,Haiyuan Shen,Huaqiu Long

DOI: https://doi.org/10.1186/s13638-020-01734-0

2020-06-03

EURASIP Journal on Wireless Communications and Networking

Abstract:Abstract The safety of the Industrial Internet Control Systems has been a hotspot in the information security. To meet the needs of communication, a large variety of proprietary protocols have emerged in the field of industrial control. The protocol field is often trusted in the implementation of industrial control terminal code. If attackers modify the data of these fields using the protocol defect, the operation of the program can be controlled and the entire system will be affected. To cope with such security threats, academia and industry generally adopt fuzz test methods. However, the current industrial control protocol fuzz test methods generally have low code coverage, where unified description models are missing and test cases are not targeted. A method of fuzzification processing combined with dynamic multi-modal sensor communication data is proposed. To track the program execution, the dynamic pollution analysis is used to search for the input fields that affect the execution of the conditional branch and capture the dependencies between the conditional branches to guide the grammar generation of test cases, which can increase the chances of executing deep code. The experimental results show that the proposed method improves the validity and code coverage of test cases to a certain extent and greatly increases the probability of anomaly detection in the protocol implementation.

telecommunications,engineering, electrical & electronic

Xia Yin,Jiangyuan Yao,Zhiliang Wang,Xingang Shi,Jun Bi,Jianping Wu

DOI: https://doi.org/10.1587/transinf.2015pap0013

2015-01-01

IEICE Transactions on Information and Systems

Abstract:The researches on model-based testing mainly focus on the models with single component, such as FSM and EFSM. For the network protocols which have multiple components communicating with messages, CFSM is a widely accepted solution. But in some network protocols, parallel and data-shared components maybe exist in the same network entity. It is infeasible to precisely specify such protocol by existing models. In this paper we present a new model, Parallel Parameterized Extended Finite State Machine (PaP-EFSM). A protocol system can be modeled with a group of PaP-EFSMs. The PaP-EFSMs work in parallel and they can read external variables form each other. We present a 2-stage test generation approach for our new models. Firstly, we generate test sequences for internal variables of each machine. They may be non-executable due to external variables. Secondly, we process the external variables. We make the sequences for internal variables executable and generate more test sequences for external variables. For validation, we apply this method to the conformance testing of real-life protocols. The devices from different vendors are tested and implementation faults are exposed.