IPSMInfer: Industrial proprietary protocol state machine inference from network traces

IF 4.1 3区工程技术 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

International Journal of Critical Infrastructure Protection Pub Date : 2025-05-10 DOI:10.1016/j.ijcip.2025.100765

Yahui Yang, Yangyang Geng, Qiang Wei, Rongkuan Ma, Zihan Wei

{"title":"IPSMInfer: Industrial proprietary protocol state machine inference from network traces","authors":"Yahui Yang, Yangyang Geng, Qiang Wei, Rongkuan Ma, Zihan Wei","doi":"10.1016/j.ijcip.2025.100765","DOIUrl":null,"url":null,"abstract":"<div><div>Industrial protocols are ubiquitous in industrial control systems (ICS), and their security is intimately tied to the entire industrial infrastructure. Analyzing industrial protocol state machines can assist researchers in understanding the protocol’s state transition rules, event-triggering conditions, and behavioral characteristics. However, the proprietary nature of many industrial protocols and the lack of knowledge about their state machines significantly impede the implementation of related protection measures in ICS. While several protocol state machine inference methods have been proposed, few are practically and widely applicable to industrial protocols. This is primarily attributed to the unique structure of industrial protocols, which poses challenges for protocol state machine inference.</div><div>This paper introduces IPSMInfer, a framework that automatically infers industrial proprietary protocol state machines from network traffic. IPSMInfer labels message types based on the length of preprocessed request–response messages, which eliminates the need to identify key protocol fields and restore the original protocol formats. Subsequently, a directed graph is created using the message type labeling results along with their timing relationships to generate a protocol state machine. Finally, the generated protocol state machine is optimized by replaying captured protocol messages and actively interacting with protocol entities to ensure its accuracy and efficiency. We evaluated IPSMInfer using seven programmable logic controllers (PLCs) from five different industrial manufacturers, applying five distinct industrial proprietary protocols. The experimental results clearly demonstrate that IPSMInfer can accurately infer the state machines of these industrial proprietary protocols. It outperforms open-source tools such as ReverX and Netzob by an average of 19.8% and 8.8%, respectively, in terms of protocol state labeling perfection.</div></div>","PeriodicalId":49057,"journal":{"name":"International Journal of Critical Infrastructure Protection","volume":"49 ","pages":"Article 100765"},"PeriodicalIF":4.1000,"publicationDate":"2025-05-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Critical Infrastructure Protection","FirstCategoryId":"5","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1874548225000265","RegionNum":3,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Industrial protocols are ubiquitous in industrial control systems (ICS), and their security is intimately tied to the entire industrial infrastructure. Analyzing industrial protocol state machines can assist researchers in understanding the protocol’s state transition rules, event-triggering conditions, and behavioral characteristics. However, the proprietary nature of many industrial protocols and the lack of knowledge about their state machines significantly impede the implementation of related protection measures in ICS. While several protocol state machine inference methods have been proposed, few are practically and widely applicable to industrial protocols. This is primarily attributed to the unique structure of industrial protocols, which poses challenges for protocol state machine inference.

This paper introduces IPSMInfer, a framework that automatically infers industrial proprietary protocol state machines from network traffic. IPSMInfer labels message types based on the length of preprocessed request–response messages, which eliminates the need to identify key protocol fields and restore the original protocol formats. Subsequently, a directed graph is created using the message type labeling results along with their timing relationships to generate a protocol state machine. Finally, the generated protocol state machine is optimized by replaying captured protocol messages and actively interacting with protocol entities to ensure its accuracy and efficiency. We evaluated IPSMInfer using seven programmable logic controllers (PLCs) from five different industrial manufacturers, applying five distinct industrial proprietary protocols. The experimental results clearly demonstrate that IPSMInfer can accurately infer the state machines of these industrial proprietary protocols. It outperforms open-source tools such as ReverX and Netzob by an average of 19.8% and 8.8%, respectively, in terms of protocol state labeling perfection.

查看原文本刊更多论文

IPSMInfer：工业专有协议状态机从网络轨迹推断

工业协议在工业控制系统（ICS）中无处不在，其安全性与整个工业基础设施密切相关。分析工业协议状态机可以帮助研究人员理解协议的状态转换规则、事件触发条件和行为特征。然而，许多工业协议的专有性质以及缺乏对其状态机的了解严重阻碍了ICS中相关保护措施的实现。虽然已经提出了几种协议状态机推理方法，但很少有实际和广泛适用于工业协议的方法。这主要归因于工业协议的独特结构，这给协议状态机推理带来了挑战。本文介绍了一个从网络流量中自动推断工业专用协议状态机的框架IPSMInfer。IPSMInfer根据预处理的请求-响应消息的长度标记消息类型，从而消除了识别关键协议字段和恢复原始协议格式的需要。随后，使用消息类型标记结果及其定时关系创建有向图，以生成协议状态机。最后，通过重放捕获的协议消息并主动与协议实体交互来优化生成的协议状态机，以确保其准确性和效率。我们使用来自五家不同工业制造商的七种可编程逻辑控制器（plc）评估ipsmminfer，应用五种不同的工业专有协议。实验结果清楚地表明，IPSMInfer可以准确地推断出这些工业专有协议的状态机。在协议状态标记完美性方面，它比开源工具（如ReverX和Netzob）平均分别高出19.8%和8.8%。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

International Journal of Critical Infrastructure Protection COMPUTER SCIENCE, INFORMATION SYSTEMS-ENGINEERING, MULTIDISCIPLINARY

CiteScore

8.90

自引率

5.60%

发文量

审稿时长

>12 weeks

期刊介绍： The International Journal of Critical Infrastructure Protection (IJCIP) was launched in 2008, with the primary aim of publishing scholarly papers of the highest quality in all areas of critical infrastructure protection. Of particular interest are articles that weave science, technology, law and policy to craft sophisticated yet practical solutions for securing assets in the various critical infrastructure sectors. These critical infrastructure sectors include: information technology, telecommunications, energy, banking and finance, transportation systems, chemicals, critical manufacturing, agriculture and food, defense industrial base, public health and health care, national monuments and icons, drinking water and water treatment systems, commercial facilities, dams, emergency services, nuclear reactors, materials and waste, postal and shipping, and government facilities. Protecting and ensuring the continuity of operation of critical infrastructure assets are vital to national security, public health and safety, economic vitality, and societal wellbeing. The scope of the journal includes, but is not limited to: 1. Analysis of security challenges that are unique or common to the various infrastructure sectors. 2. Identification of core security principles and techniques that can be applied to critical infrastructure protection. 3. Elucidation of the dependencies and interdependencies existing between infrastructure sectors and techniques for mitigating the devastating effects of cascading failures. 4. Creation of sophisticated, yet practical, solutions, for critical infrastructure protection that involve mathematical, scientific and engineering techniques, economic and social science methods, and/or legal and public policy constructs.