[논문]Two-Pathway Model for Enhancement of Protocol Reverse Engineering

Goo, Young-Hoon; Shim, Kyu-Seok; Baek, Ui-Jun; Kim, Myung-Sup

doi:10.3837/tiis.2020.11.004

[국내논문] Two-Pathway Model for Enhancement of Protocol Reverse Engineering 원문보기

KSII Transactions on internet and information systems : TIIS, v.14 no.11, 2020년, pp.4310 - 4330

Goo, Young-Hoon (Advanced KREONET Center, Korea Institute of Science and Technology Information) , Shim, Kyu-Seok (Advanced KREONET Center, Korea Institute of Science and Technology Information) , Baek, Ui-Jun (Department of Computer and Information Science, Korea University) , Kim, Myung-Sup (Department of Computer and Information Science, Korea University)

Abstract ▼ AI-Helper

With the continuous emergence of new applications and cyberattacks and their frequent updates, the need for automatic protocol reverse engineering is gaining recognition. Although several methods for automatic protocol reverse engineering have been proposed, each method still faces major limitations in extracting clear specifications and in its universal application. In order to overcome such limitations, we propose an automatic protocol reverse engineering method using a two-pathway model based on a contiguous sequential pattern (CSP) algorithm. By using this model, the method can infer both command-oriented protocols and non-command-oriented protocols clearly and in detail. The proposed method infers all the key elements of the protocol, which are syntax, semantics, and finite state machine (FSM), and extracts clear syntax by defining fine-grained field types and three types of format: field format, message format, and flow format. We evaluated the efficacy of the proposed method over two non-command-oriented protocols and three command-oriented protocols: the former are HTTP and DNS, and the latter are FTP, SMTP, and POP3. The experimental results show that this method can reverse engineer with high coverage and correctness rates, more than 98.5% and 99.1% respectively, and be general for both command-oriented and non-command-oriented protocols.

Keyword

표/그림 (14)

표 Table 1. Existing methods from the viewpoint of output
그림 Fig. 1. Example of the problem caused by insufficiently compressed message formats
그림 Fig. 2. Example of a message format that is too generic, and a detailed message format
그림 Fig. 3. System architecture of the proposed method
그림 Fig. 4. Concept of extracting protocol syntax using the contiguous sequential algorithm hierarchically
그림 Fig. 5. Contiguous sequential pattern algorithm
그림 Fig. 6. Process of DF(v) field format extractor
그림 Fig. 7. Process of additional field format attacher
표 Table 2. Traffic information of five protocols for experiments
그림 Fig. 8. Intuitive structure of the message formats for HTTP protocol
표 Table 3. Summary of the experimental results
그림 Fig. 9. Sample message format for HTTP protocol
그림 Fig. 10. Sample flow format for FTP protocol
그림 Fig. 11. Extracted FSM of FTP protocol

AI 본문요약
AI-Helper

제안 방법

The proposed method can apply to both command-oriented protocols and non-command-oriented protocols. By defining three types of format and four types of field formats, the proposed method extracts intuitive and detailed protocol specifications using the CSP algorithm hierarchically. Moreover, the proposed method extracts not only syntax but also semantics, and the FSM of the target protocol.
We performed experiments with five known protocols to validate the superiority of the proposed method. In all the protocols, the inferred specification was extracted in less than 1 min.

이론/모형

For example, they cannot extract a login keyword because the keyword occurs only once in a flow. To infer both command-oriented and non-command-oriented protocols in detail, the proposed method uses a two-pathway model.

성능/효과

In all protocols, our method extracted protocol specifications within 1 min. Because our algorithm eliminated unsatisfactory candidate formats at an early stage and considered only satisfactory candidates when making an item length longer, the extraction execution time was reduced. The coverage and correctness values for all protocols were almost 100%.
Because our algorithm eliminated unsatisfactory candidate formats at an early stage and considered only satisfactory candidates when making an item length longer, the extraction execution time was reduced. The coverage and correctness values for all protocols were almost 100%.
The reason that the coverage and correctness values for FTP protocols were not 100% is that there were some abnormal flows; in these flows, some packets were not captured due to the speed limit of the capture device. For sessions that lasted for a long time when capturing a large amount of traffic, there may have been missed packets due to the limitations of the capture device because new sessions continued to occur.
In this paper, we proposed a novel method for automatic protocol reverse engineering using a two-pathway model. The proposed method can apply to both command-oriented protocols and non-command-oriented protocols.
In this paper, we proposed a novel method for automatic protocol reverse engineering using a two-pathway model. The proposed method can apply to both command-oriented protocols and non-command-oriented protocols. By defining three types of format and four types of field formats, the proposed method extracts intuitive and detailed protocol specifications using the CSP algorithm hierarchically.
By defining three types of format and four types of field formats, the proposed method extracts intuitive and detailed protocol specifications using the CSP algorithm hierarchically. Moreover, the proposed method extracts not only syntax but also semantics, and the FSM of the target protocol.
In all the protocols, the inferred specification was extracted in less than 1 min. Furthermore, the proposed method exhibited good performance in terms of coverage and correctness.

후속연구

In future work, we plan to develop a hybrid method that uses both execution traces and network traces to solve the problem of inferring the encrypted protocols. Further, we intend to expand the range of protocol layers to allow for more general use.
In future work, we plan to develop a hybrid method that uses both execution traces and network traces to solve the problem of inferring the encrypted protocols. Further, we intend to expand the range of protocol layers to allow for more general use.

참고문헌 (30)

Cisco VNI, "Cisco Visual Networking Index: Forecast and Methodology, 2016-2017," Cisco, CA, USA, White Paper C11-481360-01, June. 2017.
M. Kuzin, Y. Shmelev, and V. Kuskov, "New trends in the world of IoT threats," Kaspersky Lab, Sep. 2018.
A. Tridgell, "How Samba was written," August 2003 [Online]. Available: http://samba.org/ftp/tridge/misc/french_cafe.txt
B. D. Sija, Y.-H. Goo, K.-S. Shim, H. Hasanova, and M.-S. Kim, "A Survey of Automatic Protocol Reverse Engineering Approaches, Methods, and Tools on the Inputs and Outputs View," Security and Communication Networks, vol. 2018, Article ID 8370341, pp. 1-17, February 2018.

상세보기
J. Cai, J.-Z. Luo, and F. Lei, "Analyzing Network Protocols of Application Layer Using Hidden Semi-Markov Model," Mathematical Problems in Engineering, vol. 2016, Article ID 9161723, pp. 1-14, March 2016.
J. Caballero, H. Yin, Z. Liang, and D. Song, "Polyglot: Automatic Extraction of Protocol Message Format using Dynamic Binary Analysis," in Proc. of 14th ACM Conf. on Computer and Communications Security (CCS), pp. 317-329, October 2007.
W. Cui, M. Peinado, K. Chen, H. J. Wang, and L. Irun-Briz, "Tupni: Automatic Reverse Engineering of Input Formats," in Proc. of 15th ACM Conf. on Computer and Communications Security (CCS), Ocober 2008.
P. M. Comparetti, G. Wondracek, C. Kruegel, and E. Kirda, "Prospex: Protocol Specification Extraction," in Proc. of 30th IEEE Symposium on Security and Privacy, pp. 110-125, May 2009.
J. Caballero and D. Song, "Automatic Protocol Reverse-Engineering: Message Format Extraction and Field Semantics Inference," Computer Networks, vol. 57, no. 2, pp. 451-474, 2013.

상세보기
M. A. Beddoe, "The Protocol Informatics Project," 2004 [Online]. Available: http://www.4tphi.net/-awalters/PI/PI.html
C. Leita, K. Mermoud, and M. Dacier, "ScriptGen: an Automated Script Generation Tool for Honeyd," in Proc. of 21st Annual Computer Security Applications Conf., December 2005.
W. Cui, V. Paxson, N. C. Weaver, and R. H. Katz, "Protocol-Independent Adaptive Replay of Application Dialog," in Proc. 13th Symposium on Network and Distributed System Security (NDSS), February 2006.
J.-Z. Luo and S.-Z. Yu, "Position-based Automatic Reverse Engineering of Network Protocols," J. Network and Computer Applications, vol. 36, no. 3, pp. 1070-1077, May 2013.

상세보기
Y. Wang, N. Zhang, Y.-M. Wu, B.-B. Su, and Y.-J. Liao, "Protocol Formats Reverse Engineering Based on Association Rules in Wireless Environment," in Proc. of 12th IEEE Int. Conf. on Trust, Security and Privacy in Computing and Communication, pp. 134-141, July 2013.
R. Ji, H. Li, and C. Tang, "Extracting Keywords of UAVs Wireless Communication Protocols Based on Association Rules Learning," in Proc. of 12th IEEE Int. Conf. on Computational Intelligence and Security, pp. 310-313, December 2016.
Z. Lin, X. Jiang, D. Xu, and X. Zhang, "Automatic Protocol Reverse Engineering through Context-Aware Monitored Execution," in Proc. of Network and Distributed System Security Symposium (NDSS), February 2008.
Z. Wang, X. Jiang, W. Cui, X. Wang, and M. Grace, "ReFormat: Automatic Reverse Engineering of Encrypted Messages," in Proc. of Computer Security - ESORICS 2009, in Proc. 14th European Symposium on Research in Computer Security, pp. 200-215, September 2009.
W. Cui, J. Kannan, and H. J. Wang, "Discoverer: Automatic Protocol Reverse Engineering from Network Traces," in Proc. of 16th USENIX Security Symposium, pp. 1-14, August 2007.
M. Shevertalov and S. Mancoridis, "A Reverse Engineering Tool for Extracting Protocols of Networked Applications," in Proc. of 14th Working Conf. on Reverse Engineering (WCRE), pp. 229-238, October 2007.
A. Trifilo, S. Burschka, and E. Biersack, "Traffic to protocol reverse engineering," in Proc. of IEEE Symposium on Computational Intelligence for Security and Defense Applications, pp. 1-8, July 2009.
Y. Wang, X. Li, J. Meng, Y. Zhao, Z. Zhang, and L. Guo, "Biprominer: automatic mining of binary protocol features," in Proc. of 12th Int. Conf. on Parallel and Distributed Computing, Applications and Technologies (PDCAT), pp. 179-184, October 2011.
J. Antunes, N. Neves, and P. Verissimo, "Reverse Engineering of Protocols from Network Traces," in Proc. of 18th Working Conf. on Reverse Engineering (WCRE), pp.169-178, October 2011.
Y. Wang, Z. Zhang, D. D. Yao, B. Qu, and L. Guo, "Inferring Protocol State Machine from Network Traces: a Probabilistic Approach," in Proc. of 9th Applied Cryptography and Network Security Int. Conf. (ACNS), pp. 1-18, 2011.
G. Bossert, F. Guihery, and G. Hiet, "Towards Automated Protocol Reverse Engineering using Semantic Information," in Proc. of 9th ACM Symposium on Information, Computer and Communications Security, pp. 51-62, June 2014.
I. Bermudez, A. Tongaonkar, M. Iliofotou, M. Mellia, and M. M. Munafo, "Automatic Protocol Field Inference for Deeper Protocol Understanding," in Proc. of 14th IFIP Networking Conf., pp. 1-9, May 2015.
K. Choi, Y. Son, J. Noh, H. Shin, J. Choi, and Y. Kim, "Dissecting Customized Protocols: Automatic Analysis for Customized Protocols based on IEEE 802.15.4," in Proc. of 9th ACM Conf. on Security and Privacy in Wireless and Mobile Networks, pp. 183-193, July 2016.
G. Ladi, L. Buttyan, and T. Holczer, "Message format and field semantics inference for binary protocols using recorded network traffic," in Proc. of 26th Int. Conf. Software, Telecommunication Computer Networks (SoftCom), September 13-15, 2018.
M. Marchetti and D. Stabili, "READ: Reverse Engineering of Automotive Data Frames," IEEE Transactions on Information Forensics and Security, vol. 14, no. 4, pp. 1083-1097, September 2018.

상세보기
B. D. Sija, K. S. Shim and M. S. Kim, "Automatic Payload Signature Generation for Accurate Identification of Internet Applications and Application Services," KSII Transactions on Internet and Information Systems, vol. 12, no. 4, pp. 1572-1593, April 2018.

원문보기 상세보기
Graphviz - Graph Visualization Software. Available: https://graphviz.org/

저자의 다른 논문 :

LOADING...

활용도 분석정보

상세보기

다운로드

내보내기

활용도 Top5 논문

해당 논문의 주제분야에서 활용도가 높은 상위 5개 콘텐츠를 보여줍니다.
더보기 버튼을 클릭하시면 더 많은 관련자료를 살펴볼 수 있습니다.

표제어: PCR

동의어: Packet Collision Rate

용어 설명 출처 목록 (6)

용어 설명: PCR은 세균 특이성이 있는 primer를 이용하여 적은 수의 세균이 있을지라도 쉽게 검출할 수 있는 유용한 방법이며, 이를 이용하여 구강 내 치면세균막이나 타액에서 직접 세균을 검출할 수 있게 되었다[8].

내보내기 구분	파일저장 인쇄 메일전송
구성항목	기본정보 상세정보 관리번호, 논문명, 저널/프로시딩명, 저자 , 발행년, 권, 호, 시작페이지, 끝페이지, 발행기관 관리번호, 논문명, 대등논문명, 저자 , 저널/프로시딩명, 발행기관, 발행년, 발행언어, 권, 호, 시작페이지, 끝페이지, ISBN, ISSN, 주제분야, 키워드, 초록(한글), 초록(영문), 저자(소속기관)
저장형식	Text(ASCII format) Excel format RefWorks Direct Export RIS format (for Reference Manager, ProCite, EndNote), Scholar's Aids, Mendeley
메일정보	받는사람 (필수) @ 보내는사람 (선택) @ 제목 내용 KISTI 검색결과 이메일 서비스
안내	총 건의 자료가 검색되었습니다. 다운받으실 자료의 인덱스를 입력하세요. (1-10,000) 검색결과의 순서대로 최대 10,000건 까지 다운로드가 가능합니다. 데이타가 많을 경우 속도가 느려질 수 있습니다.(최대 2~3분 소요) 다운로드 파일은 UTF-8 형태로 저장됩니다. 파일의 내용이 제대로 보이지 않을실 때는 웹브라우저 상단의 보기 -> 인코딩 -> 자동선택 여부를 확인하십시오. ~ Text(ASCII format) Excel format

연합인증