Message type identification of binary network protocols using continuous segment similarity

Thumbnail Image

Files

oparuauthorversion.pdf (413.26 KB)

Date

2020-02-07

Authors

Journal Title

Journal ISSN

Volume Title

Publication Type

Beitrag zu einer Konferenz

DOI

http://dx.doi.org/10.18725/OPARU-25231

Published in

Abstract

Protocol reverse engineering based on traffic traces infers the behavior of unknown network protocols by analyzing observable network messages. To perform correct deduction of message semantics or behavior analysis, accurate message type identification is an essential first step. However, identifying message types is particularly difficult for binary protocols, whose structural features are hidden in their densely packed data representation. In this paper, we leverage the intrinsic structural features of binary protocols and propose an accurate method for discriminating message types. Our approach uses a continuous similarity measure by comparing feature vectors where vector elements correspond to the fields in a message, rather than discrete byte values. This enables a better recognition of structural patterns, which remain hidden when only exact value matches are considered. We combine Hirschberg alignment with DBSCAN as cluster algorithm to yield a novel inference mechanism. By applying novel autoconfiguration schemes, we do not require manually configured parameters for the analysis of an unknown protocol, as required by earlier approaches. Results of our evaluations show that our approach has considerable advantages in message type identification result quality but also execution performance over previous approaches.

Description

Faculties

Fakultät für Ingenieurwissenschaften, Informatik und Psychologie

Institutions

Institut für Verteilte Systeme

Citation

DFG Project uulm

License

Standard (ohne Print-on-Demand)
https://oparu.uni-ulm.de/xmlui/license_opod_v1

Is version of

Has version

Supplement to

Supplemented by

Has errratum

Erratum to

Has Part

Part of

DOI external

Institutions

Periodical

Degree Program

DFG Project THU

Series

Keywords

network reconnaissance, protocol reverse engineering, vulnerability research, Netzwerk, Computersicherheit, Evaluation, Kommunikationsprotokoll, Data transmission systems, Reversible computing, Computer networks, Testing; Data processing, Computer network protocols, DDC 004 / Data processing & computer science