Quantifying the Reversibility of Protocol Format

Abstract

Protocol format reverse engineering aims to extract the protocol fields automatically without access to the protocol specification. Existing works focus on the methodology of deriving the protocol format efficiently, but neglect the relationship between the statistical characteristics of protocol data and the intrinsic properties of the protocol format. In this paper, we study two problems to see how the protocol specification affects the statistical properties, and how the latter affect the difficulty of format reverse analysis. Through empirical analysis of known protocols, we first verify the stationarity of protocol features, which is the stand for developing trace-based reverse methods. We study the position arrangement and value distribution of protocol fields, and investigate their influence on the statistical properties of the protocol format. Then we propose an HMP-based model of protocol data. Using this model, we define two quantitative indicators by protocol fields' structure and content to reflect the reversibility of protocol format: the field non-interlacing ratio and the field information variation. We apply the analysis of format reversibility to a number of typical realistic protocols. The results suggest that the fields of most protocols can be partially revealed, but there are also certain fields difficult for reverse analysis. The quantitative results can provide hints for improving protocol reverse engineering approaches.