Network Message Field Type Clustering for Reverse Engineering of Unknown Binary Protocols

2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W) Pub Date : 2022-06-01 DOI:10.1109/DSN-W54100.2022.00023

Stephan Kleber, F. Kargl, Milan State, M. Hollick

{"title":"Network Message Field Type Clustering for Reverse Engineering of Unknown Binary Protocols","authors":"Stephan Kleber, F. Kargl, Milan State, M. Hollick","doi":"10.1109/DSN-W54100.2022.00023","DOIUrl":null,"url":null,"abstract":"Reverse engineering of unknown network protocols based on recorded traffic traces enables security analyses and debugging of undocumented network services. One important step in protocol reverse engineering is to determine data types of message fields. Existing approaches for binary protocols (1) lack comprehensive methods to interpret message content and determine the data types of discovered segments in a message and (2) assume the availability of context, which prevents the analysis of complex and lower-layer protocols. Overcoming these limitations, we propose the first generic method to analyze message field data types in unknown binary protocols by clustering of segments with the same data type. Our extensive evaluation shows that our method in most cases provides clustering of up to 100 % precision at reasonable recall. Particularly relevant for use in fuzzing and misbehavior detection, we increase the coverage of message bytes over the state-of-the-art to 87 % by almost a factor of 30. We provide an open-source implementation to allow follow-up works.","PeriodicalId":349937,"journal":{"name":"2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W)","volume":"53 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/DSN-W54100.2022.00023","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

Abstract

Reverse engineering of unknown network protocols based on recorded traffic traces enables security analyses and debugging of undocumented network services. One important step in protocol reverse engineering is to determine data types of message fields. Existing approaches for binary protocols (1) lack comprehensive methods to interpret message content and determine the data types of discovered segments in a message and (2) assume the availability of context, which prevents the analysis of complex and lower-layer protocols. Overcoming these limitations, we propose the first generic method to analyze message field data types in unknown binary protocols by clustering of segments with the same data type. Our extensive evaluation shows that our method in most cases provides clustering of up to 100 % precision at reasonable recall. Particularly relevant for use in fuzzing and misbehavior detection, we increase the coverage of message bytes over the state-of-the-art to 87 % by almost a factor of 30. We provide an open-source implementation to allow follow-up works.

查看原文本刊更多论文

未知二进制协议逆向工程的网络消息字段类型聚类

基于记录的流量跟踪对未知网络协议进行逆向工程，可以对未记录的网络服务进行安全分析和调试。协议逆向工程中的一个重要步骤是确定消息字段的数据类型。现有的二进制协议方法(1)缺乏全面的方法来解释消息内容和确定消息中发现的段的数据类型;(2)假设上下文的可用性，这阻碍了对复杂和低级协议的分析。克服这些限制，我们提出了第一个通用的方法来分析消息字段数据类型在未知的二进制协议通过聚类具有相同的数据类型的段。我们的广泛评估表明，在大多数情况下，我们的方法在合理的召回率下提供了高达100%精度的聚类。特别是在模糊检测和不当行为检测中，我们将最先进的消息字节覆盖率提高到87%，几乎是30倍。我们提供了一个开源实现，以允许后续工作。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W)

自引率

0.00%

发文量