Ma Rongkuan,Zheng Hao,Wang Jingyi,Wang Mufeng,Wei Qiang,Wang Qingxian

DOI: https://doi.org/10.1631/fitee.2000709

IF: 2.526

2022-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Proprietary (or semi-proprietary) protocols are widely adopted in industrial control systems (ICSs). Inferring protocol format by reverse engineering is important for many network security applications, e.g., program tests and intrusion detection. Conventional protocol reverse engineering methods have been proposed which are considered time-consuming, tedious, and error-prone. Recently, automatical protocol reverse engineering methods have been proposed which are, however, neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations. In this paper, we present a framework called the industrial control system protocol reverse engineering framework (ICSPRF) that aims to extract ICS protocol fields with high accuracy. ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context, e.g., basic block (BBL) group. As a result, by monitoring program execution, we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format. We evaluate our approach with six open-source ICS protocol implementations. The results show that ICSPRF can identify individual protocol fields with high accuracy (on average a 94.3% match ratio). ICSPRF also has a low coarse-grained and overly fine-grained match ratio. For the same metric, ICSPRF is more accurate than AutoFormat (88.5% for all evaluated protocols and 80.0% for binary-based protocols).

Le Yu,Yangyang Liu,Pengfei Jing,Xiapu Luo,Lei Xue,Kaifa Zhao,Yajin Zhou,Ting Wang,Guofei Gu,Sen Nie,Shi Wu

2022-01-01

Abstract:In-vehicle protocols are very important to the security assessment and protection of modern vehicles since they are used in communicating with, accessing, and even manipulating ECUs (Electronic Control Units) that control various vehicle components. Unfortunately, the majority of in-vehicle protocols are proprietary without publicly available documents. Although recent studies proposed methods to reverse engineer the CAN protocol used in the communication among ECUs, they cannot be applied to vehicle diagnostics protocols, which have been widely exploited by attackers to launch remote attacks. In this paper, we propose a novel framework for automatically reverse engineering the diagnostic protocols of vehicles by leveraging professional diagnostic tools. Specifically, we design and develop a new cyber-physical system that uses a set of algorithms to control a programmable robotics arm with the aid of cameras to automatically trigger and capture the messages of diagnostics protocols as well as reverse engineer their formats, semantic meanings, and proprietary formulas required for processing the response messages. We perform a large-scale experiment to evaluate our prototype using 18 real vehicles. It successfully reverse engineers 570 messages (446 for reading sensor values and 124 for controlling components). The experimental results show that our framework achieves high precision in reverse engineering proprietary formulas and obtains much more messages than the prior approach based on app analysis.

Jiayi Jiang,Xiyuan Zhang,Chengcheng Wan,Haoyi Chen,Haiying Sun,Ting Su

2024-09-03

Abstract:Protocol reverse engineering (PRE) aims to infer the specification of network protocols when the source code is not available. Specifically, field inference is one crucial step in PRE to infer the field formats and semantics. To perform field inference, binary analysis based PRE techniques are one major approach category. However, such techniques face two key challenges - (1) the format inference is fragile when the logics of processing input messages may vary among different protocol implementations, and (2) the semantic inference is limited by inadequate and inaccurate inference rules. To tackle these challenges, we present BinPRE, a binary analysis based PRE tool. BinPRE incorporates (1) an instruction-based semantic similarity analysis strategy for format extraction; (2) a novel library composed of atomic semantic detectors for improving semantic inference adequacy; and (3) a cluster-and-refine paradigm to further improve semantic inference accuracy. We have evaluated BinPRE against five existing PRE tools, including Polyglot, AutoFormat, Tupni, BinaryInferno and DynPRE. The evaluation results on eight widely-used protocols show that BinPRE outperforms the prior PRE tools in both format and semantic inference. BinPRE achieves the perfection of 0.73 on format extraction and the F1-score of 0.74 (0.81) on semantic inference of types (functions), respectively. The field inference results of BinPRE have helped improve the effectiveness of protocol fuzzing by achieving 5-29% higher branch coverage, compared to those of the best prior PRE tool. BinPRE has also helped discover one new zero-day vulnerability, which otherwise cannot be found.

Software Engineering,Cryptography and Security

Zhen Qin,Zeyu Yang,Yangyang Geng,Xin Che,Tianyi Wang,Hengye Zhu,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1109/infocom52122.2024.10621405

2024-01-01

Abstract:Industrial protocols are widely used in Industrial Control Systems (ICSs) to network physical devices, thus playing a crucial role in securing ICSs. However, most commercial industrial protocols are proprietary and owned by their vendors, which impedes the implementation of protections against cyber threats. In this paper, we design REInPro to Reverse Engineer Industrial Protocols. REInPro is inspired by the fact that the structure of industrial protocols can be determined by a particular field referred to control field. By applying a probabilistic model of network traffic behavior, REInPro automatically identifies the control field and groups the associated network traffic into clusters. REInPro then infers critical semantics of industrial protocols by differentiating the features of corresponding protocol fields. We have experimentally implemented and evaluated REInPro using 8 different industrial protocols across 6 Programmable Logic Controllers (PLCs) belonging to 5 original equipment manufacturers. The experimental results show REInPro to reverse-engineer the formats and semantics of industrial protocols with an average correctness/perfection of 0.70/0.58 and 0.96/0.39.

Kai Liang,Zhengxiong Luo,Yanyang Zhao,Wenlong Zhang,Ronghua Shi,Yu Jiang,Heyuan Shi,Chao Hu

DOI: https://doi.org/10.1109/issre62328.2024.00058

2024-01-01

Abstract:Network protocol reverse engineering is crucial for a wide range of security applications. Many existing techniques accomplish this task by analyzing network traces. However, these methods globally cluster messages and analyze each cluster separately, which causes the loss of valuable field information. To address this problem, we present MDIplier, a protocol reverse engineering tool that leverages the hierarchical structure of protocol messages and performs tailored analysis at each message layer. MDIplier performs an iterative inference process. During each iteration, it identifies the message delimiter for layer separation and infers the format for each layer separately, optimizing the use of available field information. Our evaluation of eight widely used protocols shows that MDIplier outperforms state-of-the-art methods. It identifies fields with a perfection score 4.6×, 1.4×, 5.8×, and 1.8× higher than that of Netzob, Netplier, FieldHunter, and BinaryInferno, respectively. Furthermore, the experiments on proprietary protocols used in three IoT devices demonstrate the effectiveness of MDIplier in real-world scenarios.

Zhengxiong Luo,Kai Liang,Yanyang Zhao,Feifan Wu,Junze Yu,Heyuan Shi,Yu Jiang

DOI: https://doi.org/10.14722/ndss.2024.24083

2024-01-01

Abstract:Automatic protocol reverse engineering is essential for various security applications.While many existing techniques achieve this task by analyzing static network traces, they face increasing challenges due to their dependence on high-quality samples.This paper introduces DYNPRE, a protocol reverse engineering tool that exploits the interactive capabilities of protocol servers to obtain more semantic information and additional traffic for dynamic inference.DYNPRE first processes the initial input network traces and learns the rules for interacting with the server in different contexts based on session-specific identifier detection and adaptive message rewriting.It then applies exploratory request crafting to obtain semantic information and supplementary samples and performs real-time analysis.Our evaluation on 12 widely used protocols shows that DYNPRE identifies fields with a perfection score of 0.50 and infers message types with a V-measure of 0.94, significantly outperforming state-of-the-art methods like Netzob, Netplier, FieldHunter, BinaryInferno, and Nemesys, which achieve average perfection and V-measure scores of (0.15, 0.72), (0.16, 0.73), (0.15, 0.83), (0.15, -), and (0.31, -), respectively.Furthermore, case studies on unknown protocols highlight the effectiveness of DYNPRE in real-world applications.

Yan WANG,Lingdi PING

2011-01-01

Abstract:IP traceback is the technology to control Internet crime. A promising solution to IP traceback is probabilistic packet marking (PPM). In this paper we present a novel and practical IP traceback algorithm which can improve the PPM convergency and computational overhead. This scheme may also reduce the deployment overhead without requiring the participation of all routers on the attack path. It has been used not only to trace Distributed Denial of Service (DDoS) attacking packets but also to enhance filtering attacking traffic. It has wide applications for other security systems. To the best of our knowledge, this thesis is the first of its kind considering the impact of packet loss in designing packet marking scheme.

Junhai Yang,Fenghua Li,Yixuan Zhang,Junhao Zhang,Liang Fang,Yunchuan Guo

2024-12-04

Abstract:Protocol Reverse Engineering (PRE) is used to analyze protocols by inferring their structure and behavior. However, current PRE methods mainly focus on field identification within a single protocol and neglect Protocol State Machine (PSM) analysis in mixed protocol environments. This results in insufficient analysis of protocols' abnormal behavior and potential vulnerabilities, which are crucial for detecting and defending against new attack patterns. To address these challenges, we propose an automatic PSM inference framework for unknown protocols, including a fuzzy membership-based auto-converging DBSCAN algorithm for protocol format clustering, followed by a session clustering algorithm based on Needleman-Wunsch and K-Medoids algorithms to classify sessions by protocol type. Finally, we refine a probabilistic PSM algorithm to infer protocol states and the transition conditions between these states. Experimental results show that, compared with existing PRE techniques, our method can infer PSMs while enabling more precise classification of protocols.

Cryptography and Security

Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Maohua Guo,Yuefei Zhu,Jinlong Fei

DOI: https://doi.org/10.1093/comjnl/bxae096

2024-09-30

The Computer Journal

Abstract:Abstract Protocol reverse engineering is crucial in normative verification, and malware behavior analysis and vulnerability discovery. However, uncovering the structural features of binary protocols concealed within dense data representations remains a significant challenge. Accurately identifying keyword segments associated with message types is a prerequisite for meaningful semantic analysis and protocol state machine reduction. In this work, we introduce a novel approach for inferring keywords from binary protocols based on probabilistic statistics. Our method in terms of Byte employs heuristic rules to filter offset positions that are clearly unrelated to message types. We further filter candidate Byte-offsets utilizing constraint relations and provide the probabilistic ranking of each offset as the keyword segment. To enhance the reliability of keyword segment inference, we utilize the Monte Carlo algorithm to assess the difference between message clustering with candidate Byte-offset and random message clustering, and reorder candidate offsets according to the results. Then we can observe optimal values from both orderings and present the ultimate inference results. Experimental results demonstrate that our method excels in the accuracy of keyword segments identification compared with previous techniques.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Bowei Ning,Xuejun Zong,Kan He,Lian Lian

DOI: https://doi.org/10.3390/sym15030706

2023-03-12

Symmetry

Abstract:The security of industrial control systems relies on the communication and data exchange capabilities provided by industrial control protocols, which can be complex, and may even use encryption. Reverse engineering these protocols has become an important topic in industrial security research. In this paper, we present PREIUD, a reverse engineering tool for industrial control protocols, based on unsupervised learning and deep neural network methods. The reverse process is divided into stages. First, we use the bootstrap voting expert algorithm to infer the keyword segment boundaries of the protocols, considering the symmetry properties. Then, we employ a bidirectional long short-term memory conditional random field with an attention mechanism to classify the protocols and extract their format and semantic features. We manually constructed data sample sets for six commonly used industrial protocols, and used them to train and test our model, comparing its performance to two advanced protocol reverse tools, MSERA and Discoverer. Our results showed that PREIUD achieved an average accuracy improvement of 7.4% compared to MSERA, and 15.4% compared to Discoverer, while also maintaining a balance between computational conciseness and efficiency. Our approach represents a significant advancement in the field of industrial control protocol reverse engineering, and we believe it has practical implications for securing industrial control systems.

multidisciplinary sciences

Qingkai Shi,Junyang Shao,Yapeng Ye,Mingwei Zheng,Xiangyu Zhang

DOI: https://doi.org/10.48550/arXiv.2305.11781

2023-05-20

Abstract:Inferring protocol formats is critical for many security applications. However, existing format-inference techniques often miss many formats, because almost all of them are in a fashion of dynamic analysis and rely on a limited number of network packets to drive their analysis. If a feature is not present in the input packets, the feature will be missed in the resulting formats. We develop a novel static program analysis for format inference. It is well-known that static analysis does not rely on any input packets and can achieve high coverage by scanning every piece of code. However, for efficiency and precision, we have to address two challenges, namely path explosion and disordered path constraints. To this end, our approach uses abstract interpretation to produce a novel data structure called the abstract format graph. It delimits precise but costly operations to only small regions, thus ensuring precision and efficiency at the same time. Our inferred formats are of high coverage and precisely specify both field boundaries and semantic constraints among packet fields. Our evaluation shows that we can infer formats for a protocol in one minute with >95% precision and recall, much better than four baseline techniques. Our inferred formats can substantially enhance existing protocol fuzzers, improving the coverage by 20% to 260% and discovering 53 zero-days with 47 assigned CVEs. We also provide case studies of adopting our inferred formats in other security applications including traffic auditing and intrusion detection.

Cryptography and Security,Programming Languages

Tianxiang Yu,Yang Xin,Yuexin Tao,Bingqing Hou,Hongliang Zhu

DOI: https://doi.org/10.1155/2022/2924479

IF: 1.968

2022-10-08

Security and Communication Networks

Abstract:Network communication protocol reverse engineering is useful for network security, including protocol fuzz testing, botnet command infiltration, and service script generation. Many models have been proposed to generate field boundary, field semantic, state machine, and some other format information from network trace and program execution for text-based protocol and hybrid protocols. However, how to extract format information from network trace data for binary-based protocol still remains a challenging issue. Existing network-trace-based models focus on text-based and hybrid protocols, using tokenization and some other heuristic rules, like field identification, to perform reverse engineering, which makes it hard to apply to binary-based protocol. In this paper, we propose a whole mechanism for binary-based protocol reverse engineering based on auto-encoder models and other clustering algorithms using only network trace data. After evaluation, we set some metrics and compare our model with existing other models, showing its necessity to the field of protocol reverse engineering.

computer science, information systems,telecommunications

Guanding Yu

2005-01-01

Abstract:A distributed IP spoof detection system in Intranet is proposed, which can efficiently detect IP spoof behaviors in Intranet. Current techniques of defending IP spoof are analyzed. Aimed at characteristics of Intranet, the design of the system is introduced in detail. The determination method of IP spoof and the design of the monitor, which is a key component of the system, are presented. The implementation of data capture model is also presented. From the experimentation result, it is concluded that the system has the characteristics of high accuracy and real-time performance, but little data traffic. It can be generalized in Intranet of different scales and in other network security systems.

Haiyang Wei,Zhengjie Du,Haohui Huang,Yue Liu,Guang Cheng,Linzhang Wang,Bing Mao

DOI: https://doi.org/10.48550/arxiv.2405.00393

2024-01-01

Abstract:State machines play a pivotal role in augmenting the efficacy of protocolanalyzing to unveil more vulnerabilities. However, the task of inferring statemachines from network protocol implementations presents significant challenges.Traditional methods based on dynamic analysis often overlook crucial statetransitions due to limited coverage, while static analysis faces difficultieswith complex code structures and behaviors. To address these limitations, wepropose an innovative state machine inference approach powered by LargeLanguage Models (LLMs). Utilizing text-embedding technology, this method allowsLLMs to dissect and analyze the intricacies of protocol implementation code.Through targeted prompt engineering, we systematically identify and infer theunderlying state machines. Our evaluation across six protocol implementationsdemonstrates the method's high efficacy, achieving an accuracy rate exceeding90implementations of the same protocol. Importantly, integrating this approachwith protocol fuzzing has notably enhanced AFLNet's code coverage by 10RFCNLP, showcasing the considerable potential of LLMs in advancing networkprotocol security analysis. Our proposed method not only marks a significantstep forward in accurate state machine inference but also opens new avenues forimproving the security and reliability of protocol implementations.

Yuhuan Liu,Fengyun Zhang,Yulong Ding,Jie Jiang,Shuang-Hua Yang

DOI: https://doi.org/10.1016/j.comcom.2022.07.025

IF: 5.047

2022-10-01

Computer Communications

Abstract:The Industrial Internet of Things (IIoT) connects various industrial devices and processes for smart manufacturing purposes. The industrial devices and processes may employ standard or private communication protocols. Protocol Reverse Engineering (PRE) can infer the format of the unknown protocol by analyzing traffic traces. Existing work in the field mainly focuses on Internet protocol only, handling text messages. PRE for industrial control protocols is difficult and particularly designed for IIoT for real-time interconnection among industrial devices. Given the phenomenon that many consecutive sub-messages are often embedded in a lengthy message payload and have a similar format, a novel sub-messages extraction algorithm is proposed in this work by using template iteration as an intermediate step to form a full message format inference framework. An improved evaluation criterion is also proposed to evaluate the sub-messages extraction results. We carry out our algorithm on three standard industrial control protocols and two unknown protocols. Experiments show that adding our sub-messages extraction in PRE for IIoT can greatly improve the accuracy of the overall protocol format inference compared with the existing work.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shameng Wen,Qingkun Meng,Chao Feng,Chaojing Tang

DOI: https://doi.org/10.1371/journal.pone.0186188

IF: 3.7

2017-10-19

PLoS ONE

Abstract:Network protocol vulnerability detection plays an important role in many domains, including protocol security analysis, application security, and network intrusion detection. In this study, by analyzing the general fuzzing method of network protocols, we propose a novel approach that combines network traffic analysis with the binary reverse engineering method. For network traffic analysis, the block-based protocol description language is introduced to construct test scripts, while the binary reverse engineering method employs the genetic algorithm with a fitness function designed to focus on code coverage. This combination leads to a substantial improvement in fuzz testing for network protocols. We build a prototype system and use it to test several real-world network protocol implementations. The experimental results show that the proposed approach detects vulnerabilities more efficiently and effectively than general fuzzing methods such as SPIKE.

Ji Shi,Zhun Wang,Zhiyao Feng,Yang Lan,Shisong Qin,Wei You,Wei Zou,Mathias Payer,Chao Zhang

2023-01-01

Abstract:Knowledge of a program's input format is essential for effective input generation in fuzzing. Automated input format reverse engineering represents an attractive but challenging approach to learning the format. In this paper, we address several challenges of automated input format reverse engineering, and present a smart fuzzing solution AIFORE which makes full use of the reversed format and benefits from it. The structures and semantics of input fields are determined by the basic blocks (BBs) that process them rather than the input specification. Therefore, we first utilize byte-level taint analysis to recognize the input bytes processed by each BB, then identify indivisible input fields that are always processed together with a minimum cluster algorithm, and learn their types with a neural network model that characterizes the behavior of BBs. Lastly, we design a new power scheduling algorithm based on the inferred format knowledge to guide smart fuzzing. We implement a prototype of AIFORE and evaluate both the accuracy of format inference and the performance of fuzzing against state-of-the-art (SOTA) format reversing solutions and fuzzers. AIFORE significantly outperforms SOTA baselines on the accuracy of field boundary and type recognition. With AIFORE, we uncovered 20 bugs in 15 programs that were missed by other fuzzers.

Haiyang Wei,Zhengjie Du,Haohui Huang,Yue Liu,Guang Cheng,Linzhang Wang,Bing Mao

2024-06-14

Abstract:State machines play a pivotal role in augmenting the efficacy of protocol analyzing to unveil more vulnerabilities. However, the task of inferring state machines from network protocol implementations presents significant challenges. Traditional methods based on dynamic analysis often overlook crucial state transitions due to limited coverage, while static analysis faces difficulties with complex code structures and behaviors. To address these limitations, we propose an innovative state machine inference approach powered by Large Language Models (LLMs). Utilizing text-embedding technology, this method allows LLMs to dissect and analyze the intricacies of protocol implementation code. Through targeted prompt engineering, we systematically identify and infer the underlying state machines. Our evaluation across six protocol implementations demonstrates the method's high efficacy, achieving an accuracy rate exceeding 90% and successfully delineating differences on state machines among various implementations of the same protocol. Importantly, integrating this approach with protocol fuzzing has notably enhanced AFLNet's code coverage by 10% over RFCNLP, showcasing the considerable potential of LLMs in advancing network protocol security analysis. Our proposed method not only marks a significant step forward in accurate state machine inference but also opens new avenues for improving the security and reliability of protocol implementations.

Cryptography and Security

Qun Huang,Patrick P. C. Lee,Zhibin Zhang

DOI: https://doi.org/10.1109/ifipnetworking.2015.7145325

2015-01-01

Abstract:Given the increasing volume and complexity of network traffic nowadays, network operators often leverage application-layer protocols to differentiate network traffic, so as to improve quality-of-service control, security protection, and resource profiling. We present ProGraph, a tool that accurately infers protocol message formats at both byte-level and bit-level granularities. Unlike existing approaches that mainly exploit statistical features across packets, ProGraph exploits intra-packet dependency among the values of different portions of a packet payload. It systematically constructs a graphical model that captures intra-packet dependency, using various techniques in graph theory and information theory. It also achieves several important design properties for real deployment, including fine-grained inference, protocol independence, simple parameterization, robustness to noisy training sets, and fast execution. We show via trace-driven evaluations that ProGraph achieves more accurate inference than existing approaches. We further show how ProGraph can be used for classifying traffic.