流量到协议逆向工程

2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications Pub Date : 2009-07-08 DOI:10.1109/CISDA.2009.5356565

A. Trifilo, S. Burschka, E. Biersack

{"title":"流量到协议逆向工程","authors":"A. Trifilo, S. Burschka, E. Biersack","doi":"10.1109/CISDA.2009.5356565","DOIUrl":null,"url":null,"abstract":"Network Protocol Reverse Engineering (NPRE) has played an increasing role in honeypot operations. It allows to automatically generate Statemodels and scripts being able to act as realistic counterpart for capturing unknown malware. This work proposes a novel approach in the field of NPRE. By passively listening to network traces, our system automatically derives the protocol state machines of the peers involved allowing the analyst to understand its intrinsic logic. We present a new methodology to extract the relevant fields from arbitrary binary protocols to construct a state model. We prove our methodology by deriving the state machine of documented protocols ARP, DHCP and TCP. We then apply it to Kademlia, the results show the usefulness to support binary reverse engineering processes and detect a new undocumented feature.","PeriodicalId":6407,"journal":{"name":"2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications","volume":"70 1","pages":"1-8"},"PeriodicalIF":0.0000,"publicationDate":"2009-07-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"42","resultStr":"{\"title\":\"Traffic to protocol reverse engineering\",\"authors\":\"A. Trifilo, S. Burschka, E. Biersack\",\"doi\":\"10.1109/CISDA.2009.5356565\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Network Protocol Reverse Engineering (NPRE) has played an increasing role in honeypot operations. It allows to automatically generate Statemodels and scripts being able to act as realistic counterpart for capturing unknown malware. This work proposes a novel approach in the field of NPRE. By passively listening to network traces, our system automatically derives the protocol state machines of the peers involved allowing the analyst to understand its intrinsic logic. We present a new methodology to extract the relevant fields from arbitrary binary protocols to construct a state model. We prove our methodology by deriving the state machine of documented protocols ARP, DHCP and TCP. We then apply it to Kademlia, the results show the usefulness to support binary reverse engineering processes and detect a new undocumented feature.\",\"PeriodicalId\":6407,\"journal\":{\"name\":\"2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications\",\"volume\":\"70 1\",\"pages\":\"1-8\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2009-07-08\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"42\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/CISDA.2009.5356565\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CISDA.2009.5356565","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 42

摘要

网络协议逆向工程(NPRE)在蜜罐操作中发挥着越来越重要的作用。它允许自动生成状态模型和脚本，能够作为捕获未知恶意软件的现实对应物。这项工作为NPRE领域提出了一种新的方法。通过被动地监听网络轨迹，我们的系统自动派生相关节点的协议状态机，允许分析人员理解其内在逻辑。提出了一种从任意二进制协议中提取相关字段来构建状态模型的新方法。我们通过推导ARP、DHCP和TCP协议的状态机来证明我们的方法。然后我们将其应用于Kademlia，结果表明它支持二进制逆向工程过程和检测新的未记录的特性的有用性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Traffic to protocol reverse engineering

Network Protocol Reverse Engineering (NPRE) has played an increasing role in honeypot operations. It allows to automatically generate Statemodels and scripts being able to act as realistic counterpart for capturing unknown malware. This work proposes a novel approach in the field of NPRE. By passively listening to network traces, our system automatically derives the protocol state machines of the peers involved allowing the analyst to understand its intrinsic logic. We present a new methodology to extract the relevant fields from arbitrary binary protocols to construct a state model. We prove our methodology by deriving the state machine of documented protocols ARP, DHCP and TCP. We then apply it to Kademlia, the results show the usefulness to support binary reverse engineering processes and detect a new undocumented feature.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications

自引率

0.00%

发文量