Ma Rongkuan,Zheng Hao,Wang Jingyi,Wang Mufeng,Wei Qiang,Wang Qingxian

DOI: https://doi.org/10.1631/fitee.2000709

IF: 2.526

2022-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Proprietary (or semi-proprietary) protocols are widely adopted in industrial control systems (ICSs). Inferring protocol format by reverse engineering is important for many network security applications, e.g., program tests and intrusion detection. Conventional protocol reverse engineering methods have been proposed which are considered time-consuming, tedious, and error-prone. Recently, automatical protocol reverse engineering methods have been proposed which are, however, neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations. In this paper, we present a framework called the industrial control system protocol reverse engineering framework (ICSPRF) that aims to extract ICS protocol fields with high accuracy. ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context, e.g., basic block (BBL) group. As a result, by monitoring program execution, we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format. We evaluate our approach with six open-source ICS protocol implementations. The results show that ICSPRF can identify individual protocol fields with high accuracy (on average a 94.3% match ratio). ICSPRF also has a low coarse-grained and overly fine-grained match ratio. For the same metric, ICSPRF is more accurate than AutoFormat (88.5% for all evaluated protocols and 80.0% for binary-based protocols).

Dongxiao Jiang,Chenggang Li,Lixin Ma,Xiaoyu Ji,Yanjiao Chen,Bo Li

DOI: https://doi.org/10.1109/bigdatasecurity-hpsc-ids49724.2020.00015

2020-01-01

Abstract:With the development of network, more and more unkown protocols appear. Network protocols define the rules between network entities and firewall uses network protocol for deep packet detection to prevent intrusions. For detecting these unkown protocols, firewall can’t analyze these protocols, which makes many systems vulnerable. To solve this problem, protocol reverse engineering is getting more and more attention. Protocol reverse engineering is a process that reverses the syntax and grammar of a protocol from its traces of execution codes. It focuses on three protocol features: field boundaries, protocol grammar and state machine. Field boundaries inference is the basis of the protocol reverse engineering, the precision of this process has a big influence on reversing the grammar and state machine. In this paper, we propose a method called ABinfer, which leverage the Field Adjacent information to identify the field boundaries. We evaluate the method on three protocols and the results show that it has a good ability to identify field boundaries of protocols.

Le Yu,Yangyang Liu,Pengfei Jing,Xiapu Luo,Lei Xue,Kaifa Zhao,Yajin Zhou,Ting Wang,Guofei Gu,Sen Nie,Shi Wu

2022-01-01

Abstract:In-vehicle protocols are very important to the security assessment and protection of modern vehicles since they are used in communicating with, accessing, and even manipulating ECUs (Electronic Control Units) that control various vehicle components. Unfortunately, the majority of in-vehicle protocols are proprietary without publicly available documents. Although recent studies proposed methods to reverse engineer the CAN protocol used in the communication among ECUs, they cannot be applied to vehicle diagnostics protocols, which have been widely exploited by attackers to launch remote attacks. In this paper, we propose a novel framework for automatically reverse engineering the diagnostic protocols of vehicles by leveraging professional diagnostic tools. Specifically, we design and develop a new cyber-physical system that uses a set of algorithms to control a programmable robotics arm with the aid of cameras to automatically trigger and capture the messages of diagnostics protocols as well as reverse engineer their formats, semantic meanings, and proprietary formulas required for processing the response messages. We perform a large-scale experiment to evaluate our prototype using 18 real vehicles. It successfully reverse engineers 570 messages (446 for reading sensor values and 124 for controlling components). The experimental results show that our framework achieves high precision in reverse engineering proprietary formulas and obtains much more messages than the prior approach based on app analysis.

Zhen Qin,Zeyu Yang,Yangyang Geng,Xin Che,Tianyi Wang,Hengye Zhu,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1109/infocom52122.2024.10621405

2024-01-01

Abstract:Industrial protocols are widely used in Industrial Control Systems (ICSs) to network physical devices, thus playing a crucial role in securing ICSs. However, most commercial industrial protocols are proprietary and owned by their vendors, which impedes the implementation of protections against cyber threats. In this paper, we design REInPro to Reverse Engineer Industrial Protocols. REInPro is inspired by the fact that the structure of industrial protocols can be determined by a particular field referred to control field. By applying a probabilistic model of network traffic behavior, REInPro automatically identifies the control field and groups the associated network traffic into clusters. REInPro then infers critical semantics of industrial protocols by differentiating the features of corresponding protocol fields. We have experimentally implemented and evaluated REInPro using 8 different industrial protocols across 6 Programmable Logic Controllers (PLCs) belonging to 5 original equipment manufacturers. The experimental results show REInPro to reverse-engineer the formats and semantics of industrial protocols with an average correctness/perfection of 0.70/0.58 and 0.96/0.39.

Bowei Ning,Xuejun Zong,Kan He,Lian Lian

DOI: https://doi.org/10.3390/sym15030706

2023-03-12

Symmetry

Abstract:The security of industrial control systems relies on the communication and data exchange capabilities provided by industrial control protocols, which can be complex, and may even use encryption. Reverse engineering these protocols has become an important topic in industrial security research. In this paper, we present PREIUD, a reverse engineering tool for industrial control protocols, based on unsupervised learning and deep neural network methods. The reverse process is divided into stages. First, we use the bootstrap voting expert algorithm to infer the keyword segment boundaries of the protocols, considering the symmetry properties. Then, we employ a bidirectional long short-term memory conditional random field with an attention mechanism to classify the protocols and extract their format and semantic features. We manually constructed data sample sets for six commonly used industrial protocols, and used them to train and test our model, comparing its performance to two advanced protocol reverse tools, MSERA and Discoverer. Our results showed that PREIUD achieved an average accuracy improvement of 7.4% compared to MSERA, and 15.4% compared to Discoverer, while also maintaining a balance between computational conciseness and efficiency. Our approach represents a significant advancement in the field of industrial control protocol reverse engineering, and we believe it has practical implications for securing industrial control systems.

multidisciplinary sciences

Tianxiang Yu,Yang Xin,Yuexin Tao,Bingqing Hou,Hongliang Zhu

DOI: https://doi.org/10.1155/2022/2924479

IF: 1.968

2022-10-08

Security and Communication Networks

Abstract:Network communication protocol reverse engineering is useful for network security, including protocol fuzz testing, botnet command infiltration, and service script generation. Many models have been proposed to generate field boundary, field semantic, state machine, and some other format information from network trace and program execution for text-based protocol and hybrid protocols. However, how to extract format information from network trace data for binary-based protocol still remains a challenging issue. Existing network-trace-based models focus on text-based and hybrid protocols, using tokenization and some other heuristic rules, like field identification, to perform reverse engineering, which makes it hard to apply to binary-based protocol. In this paper, we propose a whole mechanism for binary-based protocol reverse engineering based on auto-encoder models and other clustering algorithms using only network trace data. After evaluation, we set some metrics and compare our model with existing other models, showing its necessity to the field of protocol reverse engineering.

computer science, information systems,telecommunications

Ke Zuo,Mingyang Sun,Zhenyong Zhang,Peng Cheng,Goran Strbac,Chongqing Kang

DOI: https://doi.org/10.1109/tsg.2024.3397654

IF: 10.275

2024-01-01

IEEE Transactions on Smart Grid

Abstract:Security-constrained optimal power flow (SCOPF) aims to achieve an economical operation while considering the security issues during contingencies. Data-driven security assessment methods can provide security constraints for SCOPF and have been widely developed in the smart grid community to deal with the challenges arising from the increased penetration of renewable energy resources and the deployment of power electronic devices. Nevertheless, it has been recognized that the machine learning model is vulnerable to adversarial examples, and the power system communication network is prone to cyber attacks, which affects the decision-making of security assessment and SCOPF. To this end, a transferability-oriented adversarial robust security-constrained optimal power flow (TOAR-SCOPF) is proposed to diminish the potential security risks from attacks, formulated as an attacker-defender problem. To alleviate the conservatism of TOAR-SCOPF, a more realistic scenario with unknown features and unknown selected machine learning models is considered in this work by developing a novel transferability-oriented adversarial attack (TOA) method for data-driven security assessment while considering the power system’s physical constraints to bypass the bad data detection mechanism. Case studies are conducted based on the IEEE 39-bus and IEEE 68-bus systems, respectively, to explore the vulnerability and demonstrate the effectiveness of the proposed TOAR-SCOPF.

Kaizheng Liu,Ming Yang,Zhen Ling,Huaiyu Yan,Yue Zhang,Xinwen Fu,Wei Zhao

DOI: https://doi.org/10.48550/arXiv.2007.11981

2020-07-24

Abstract:IoT security and privacy has raised grave concerns. Efforts have been made to design tools to identify and understand vulnerabilities of IoT systems. Most of the existing protocol security analysis techniques rely on a well understanding of the underlying communication protocols. In this paper, we systematically present the first manual reverse engineering framework for discovering communication protocols of embedded Linux based IoT systems. We have successfully applied our framework to reverse engineer a number of IoT systems. As an example, we present a detailed use of the framework reverse-engineering the WeMo smart plug communication protocol by extracting the firmware from the flash, performing static and dynamic analysis of the firmware and analyzing network traffic. The discovered protocol exposes severe design flaws that allow attackers to control or deny the service of victim plugs. Our manual reverse engineering framework is generic and can be applied to both read-only and writable Embedded Linux filesystems.

Cryptography and Security

Kaizheng Liu,Ming Yang,Zhen Ling,Huaiyu Yan,Yue Zhang,Xinwen Fu,Wei Zhao

DOI: https://doi.org/10.1109/jiot.2020.3036232

IF: 10.6

2021-04-15

IEEE Internet of Things Journal

Abstract:IoT security and privacy has raised grave concerns. Efforts have been made to design tools to identify and understand vulnerabilities of IoT systems. Most of the existing protocol security analysis techniques rely on a well understanding of the underlying communication protocols. In this article, we systematically present the first manual reverse engineering framework for discovering communication protocols of embedded Linux-based IoT systems. We have successfully applied our framework to reverse engineer a number of IoT systems. As an example, we present a detailed use of the framework reverse engineering the WeMo smart plug communication protocol by extracting the firmware from the flash, performing static and dynamic analysis of the firmware, and analyzing network traffic. The discovered protocol exposes severe design flaws that allow attackers to control or deny the service of victim plugs. Our manual reverse engineering framework is generic and can be applied to both read-only and writable embedded Linux filesystems.

computer science, information systems,telecommunications,engineering, electrical & electronic

Lanting Zeng,Mingyang Sun,Xu Wan,Zhenyong Zhang,Ruilong Deng,Yan Xu

DOI: https://doi.org/10.1109/tpwrs.2022.3192558

IF: 7.326

2022-01-01

IEEE Transactions on Power Systems

Abstract:The decarbonization of energy systems has posed unprecedented challenges in system complexity and operational uncertainty that render it imperative to exploit cutting-edge artificial intelligence (AI) technologies to realize real-time, autonomous power system operation and control. In particular, deep reinforcement learning (DRL)-based approaches in power systems are extensively studied and implemented in several trials worldwide. Nevertheless, the vulnerability of DRL brings new security threats to power systems that have not been well identified and investigated in the literature. To this end, this paper proposes a physics-constrained vulnerability assessment methodological framework for the DRL-based power system operation and control, with a special focus on the problem of security-constrained optimal power flow (SCOPF). In particular, we develop a novel adversarial example generation method, defined as a false data injection attack against the DRL-based SCOPF (FDIAI), to realize a targeted adversarial attack considering the nonlinear physical constraints in power systems via two main stages of constructor function design and unconstrained optimization problem transformation. In this way, the proposed FDIAI can significantly influence the decision-making procedure of DRL while successfully evading the bad data detection mechanism in power systems. Case studies are conducted to explore the stealthiness and effectiveness of FDIAI and then show its severe impacts on system operation and control on the winners' models of the Learning to Run a Power Network (L2RPN) competitions, including L2RPN IJCNN 2019 (IJCNN), L2RPN WCCI 2020 (WCCI), and L2RPN NeurIPS 2020 (NeurIPS).

WANG Huifang,YE Ruikai,LUO Bin,ZHANG Bo,WU Xuefeng,LIU Jianmin

DOI: https://doi.org/10.19585/j.zjdl.202210001

2022-01-01

Abstract:Data-driven modeling， with its integrated use of such research paradigms as theory， experiment， and data， as well as its rapid application， will be more widely used for solving new problems in power system technology. To this end， the practice of data-driven modeling in the electric power domain is summarized and reflections concerning this matter are presented. First， data-driven modeling and its application in the electric power domain are presented. Then， the data-driven modeling practice for the poor performance of theoretical modeling is analyzed， and the common procedures in the modeling process are summarized. The practice of data-driven modeling based on power text data and power image data is introduced， and relevant experience and reflections are summarized. Finally， some comprehensions and reflections on the definition， conditions and procedures， advantages， and risks of data-driven modeling in the electric power domain are presented， and some issues on which importance ought to be attached in data-driven modeling in the electric power domain are discussed and summarized.

Yipeng Wang,Xiaochun Yun,M. Zubair Shafiq,Liyan Wang,Alex X. Liu,Zhibin Zhang,Danfeng (Daphne) Yao,Yongzheng Zhang,Li Guo

DOI: https://doi.org/10.1109/icnp.2012.6459963

2012-01-01

Abstract:Extracting the protocol message format specifications of unknown applications from network traces is important for a variety of applications such as application protocol parsing, vulnerability discovery, and system integration. In this paper, we propose ProDecoder, a network trace based protocol message format inference system that exploits the semantics of protocol messages without the executable code of application protocols. ProDecoder is based on the key insight that the n-grams of protocol traces exhibit highly skewed frequency distribution that can be leveraged for accurate protocol message format inference. In ProDecoder, we first discover the latent relationship among n-grams by first grouping protocol messages with the same semantics and then inferring message formats by keyword based clustering and cluster sequence alignment. We implemented and evaluated ProDecoder to infer message format specifications of SMB (a binary protocol) and SMTP (a textual protocol). Our experimental results show that ProDecoder accurately parses and infers SMB protocol with 100% precision and recall. For SMTP, ProDecoder achieves approximately 95% precision and recall.

Yapeng Ye,Zhuo Zhang,Fei Wang,Xiangyu Zhang,Dongyan Xu

DOI: https://doi.org/10.14722/ndss.2021.24531

2021-01-01

Abstract:Network protocol reverse engineering is an important challenge with many security applications. A popular kind of method leverages network message traces. These methods rely on pair-wise sequence alignment and/or tokenization. They have various limitations such as difficulties of handling a large number of messages and dealing with inherent uncertainty. In this paper, we propose a novel probabilistic method for network trace based protocol reverse engineering. It first makes use of multiple sequence alignment to align all messages and then reduces the problem to identifying the keyword field from the set of aligned fields. The keyword field determines the type of a message. The identification is probabilistic, using random variables to indicate the likelihood of each field (being the true keyword). A joint distribution is constructed among the random variables and the observations of the messages. Probabilistic inference is then performed to determine the most likely keyword field, which allows messages to be properly clustered by their true types and enables the recovery of message format and state machine. Our evaluation on 10 protocols shows that our technique substantially outperforms the state-of-the-art and our case studies show the unique advantages of our technique in IoT protocol reverse engineering and malware analysis.

Yuhuan Liu,Fengyun Zhang,Yulong Ding,Jie Jiang,Shuang-Hua Yang

DOI: https://doi.org/10.1016/j.comcom.2022.07.025

IF: 5.047

2022-10-01

Computer Communications

Abstract:The Industrial Internet of Things (IIoT) connects various industrial devices and processes for smart manufacturing purposes. The industrial devices and processes may employ standard or private communication protocols. Protocol Reverse Engineering (PRE) can infer the format of the unknown protocol by analyzing traffic traces. Existing work in the field mainly focuses on Internet protocol only, handling text messages. PRE for industrial control protocols is difficult and particularly designed for IIoT for real-time interconnection among industrial devices. Given the phenomenon that many consecutive sub-messages are often embedded in a lengthy message payload and have a similar format, a novel sub-messages extraction algorithm is proposed in this work by using template iteration as an intermediate step to form a full message format inference framework. An improved evaluation criterion is also proposed to evaluate the sub-messages extraction results. We carry out our algorithm on three standard industrial control protocols and two unknown protocols. Experiments show that adding our sub-messages extraction in PRE for IIoT can greatly improve the accuracy of the overall protocol format inference compared with the existing work.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhengxiong Luo,Kai Liang,Yanyang Zhao,Feifan Wu,Junze Yu,Heyuan Shi,Yu Jiang

DOI: https://doi.org/10.14722/ndss.2024.24083

2024-01-01

Abstract:Automatic protocol reverse engineering is essential for various security applications.While many existing techniques achieve this task by analyzing static network traces, they face increasing challenges due to their dependence on high-quality samples.This paper introduces DYNPRE, a protocol reverse engineering tool that exploits the interactive capabilities of protocol servers to obtain more semantic information and additional traffic for dynamic inference.DYNPRE first processes the initial input network traces and learns the rules for interacting with the server in different contexts based on session-specific identifier detection and adaptive message rewriting.It then applies exploratory request crafting to obtain semantic information and supplementary samples and performs real-time analysis.Our evaluation on 12 widely used protocols shows that DYNPRE identifies fields with a perfection score of 0.50 and infers message types with a V-measure of 0.94, significantly outperforming state-of-the-art methods like Netzob, Netplier, FieldHunter, BinaryInferno, and Nemesys, which achieve average perfection and V-measure scores of (0.15, 0.72), (0.16, 0.73), (0.15, 0.83), (0.15, -), and (0.31, -), respectively.Furthermore, case studies on unknown protocols highlight the effectiveness of DYNPRE in real-world applications.

Tingyuan Nie,Lijian Zhou,Zhe-Ming Lu

DOI: https://doi.org/10.1049/iet-sen.2012.0137

2013-01-01

IET Software

Abstract:With the increasingly extensive application of networking technology, security of network becomes significant than ever before. Encryption algorithm plays a key role in construction of a secure network system. However, the encryption algorithm implemented on resource-constrained device is difficult to achieve ideal performance. The issue of power consumption becomes essential to performance of data encryption algorithm. Many methods are proposed to evaluate the power consumption of encryption algorithms yet the authors do not ensure which one is effective. In this study, they give a comprehensive review for the methods of power evaluation. They then design a series of experiments to evaluate the effectiveness of three main types of methods by implementing several traditional symmetric encryption algorithms on a workstation. The experimental results show that external measurement and software profiling are more accurate than that of uninterruptible power system battery. The improvement of power consumption is 27.44 and 33.53% which implies the method of external measurement and software profiling is more effective in power consumption evaluation.

Haifeng Li,Bo Shuai,Jian Wang,Chaojing Tang

DOI: https://doi.org/10.1109/CIS.2015.83

2015-01-01

Abstract:Automatic protocol reverse engineering for application protocol is becoming more and more important for many applications such as application protocol analyzer, penetration testing, intrusion prevention and detection. However, many techniques for extracting the protocol message format specifications of unknown applications often have some limitations for little priori information or the time-consuming problem. In this paper, we present a method for automatically reverse engineering the protocol message formats of an application from its network trace, by using LDA and association analysis. The approach exploits the semantics of protocol messages without the executable code of application protocols, but focuses on the insight that the n-grams of protocol traces exhibit highly semantic information that can be leveraged for accurate protocol message format inference. Firstly, we propose the way to key words extract by utilizing the LDA model, secondly, the association analysis method is applied to constructing the feature words based on the above process. Lastly our experiments Show that the method can accurately infer message format specifications of SMTP text protocol.

Kai Liang,Zhengxiong Luo,Yanyang Zhao,Wenlong Zhang,Ronghua Shi,Yu Jiang,Heyuan Shi,Chao Hu

DOI: https://doi.org/10.1109/issre62328.2024.00058

2024-01-01

Abstract:Network protocol reverse engineering is crucial for a wide range of security applications. Many existing techniques accomplish this task by analyzing network traces. However, these methods globally cluster messages and analyze each cluster separately, which causes the loss of valuable field information. To address this problem, we present MDIplier, a protocol reverse engineering tool that leverages the hierarchical structure of protocol messages and performs tailored analysis at each message layer. MDIplier performs an iterative inference process. During each iteration, it identifies the message delimiter for layer separation and infers the format for each layer separately, optimizing the use of available field information. Our evaluation of eight widely used protocols shows that MDIplier outperforms state-of-the-art methods. It identifies fields with a perfection score 4.6×, 1.4×, 5.8×, and 1.8× higher than that of Netzob, Netplier, FieldHunter, and BinaryInferno, respectively. Furthermore, the experiments on proprietary protocols used in three IoT devices demonstrate the effectiveness of MDIplier in real-world scenarios.

Bin Wang,Jianye Zhang,Cheng Luo,Ling Yang,Jia Chen,Haibo Ma

DOI: https://doi.org/10.1109/itoec53115.2022.9734439

2022-03-04

Abstract:With the continuous and in-depth development of smart grid construction, the degree of automation of the power system is rapidly increasing, and the number of grid sensors, the scale of information network and the number of decision-making units have greatly increased. The network security of the power industry control system is facing severe challenges. This paper studies the in-depth analysis technology of real-time interactive protocols of power industrial control systems, captures data packets and analyzes the data packets layer by layer to obtain application layer field data streams, and realizes in-depth analysis of power industrial control system protocols such as IEC104 protocol and IEC61850 protocol. Research on anomaly detection technology of power industrial control system real-time interaction process based on feature matching, and realize the detection of abnormal behaviors of terminals, networks, and host devices through syntactic and semantic analysis and business command analysis, as well as the detection of regular network attack behaviors such as malicious code and virus Trojan horses.

Jian Ding,Chunyi Lu,Bo Li

DOI: https://doi.org/10.1007/s11265-022-01741-y

2022-03-08

Journal of Signal Processing Systems

Abstract:Power systems are playing an unsubstitutable role in industrial production and inhabitant life. With the deepening of integration process over industrialization and informatization in the field of power systems, an increasing number of industrial control devices (e.g., PLC, SCADA) are exposing in the Internet, which are attracting more and more attention from attackers and malicious communities as the great values. It is crucial for organizations to monitor and evaluate the security situation of power systems. In this paper, we propose a data-driven based security situation awareness towards power systems, which can monitor and evaluate the security situations in power systems and send warnings to organizations when the system encounters suspicious threats. Specifically, the proposed framework continuously collects public data related to electric safety and scan for the power control devices exposed on the Internet to grasp the security landscape of power systems around the world. We then deploy an extensible honeypot system in the real environment to real-time perceive the internal security situation of power systems. Finally, we leverage a graph structure to fuse the cyber threats inside and outside the power system for capturing a comprehensive security awareness of power systems. Experimental results show that our framework can detect system threats in real time and protect it from penetration and intrusion effectively.