DocumentCode :
2296497
Title :
Automatic Network Protocol Automaton Extraction
Author :
Xiao, Ming-Ming ; Yu, Shun-zheng ; Wang, Yu
Author_Institution :
Dept. of Electron. & Commun. Eng., Sun Yat-Sen Univ., Guangzhou, China
fYear :
2009
fDate :
19-21 Oct. 2009
Firstpage :
336
Lastpage :
343
Abstract :
Protocol reverse engineering, the process of (re)constructing the protocol context of communication sessions by an implementation, which involves translating a sequence of packets into protocol messages, grouping them into sessions, and modeling state transitions in the protocol state machine, is well known to be invaluable for many network security applications, including intrusion prevention and detection, traffic normalization, and penetration testing. However, current practice in deriving protocol specifications is either mostly manual or focused on automatically reverse engineering the message format only, leaving the protocol state machine unrecovered. Although regular expressions offer superior expressive ability and flexibility, application protocols are described by regular expressions manually, based on a sufficient understanding of the protocol itself. At present there is no effective method to realize classification, recognition and control automatically for known applications and for unknown applications in the future. In this paper a novel approach is presented to model network application specifications. In this work, fully automatic protocol reverse engineering is realized by first reconstructing the protocol state machine, and then translating the FSMs into corresponding regular expressions to enrich and update the pattern database. This approach uses grammatical inference and is motivated by the observation that an implementation of a protocol is inherently a state transition process, which the state machine models exactly. Its main significance is to describe various stateful protocols, both known and unknown, with a common method by modeling the protocol state transitions. This approach has been implemented in a system and evaluated using real-world implementations of three different protocols, HTTP, SMTP and FTP, and the extracted protocols were compared to those of another recent system, l7-filter.
Keywords :
finite state machines; formal specification; grammars; protocols; reverse engineering; telecommunication security; FSM; FTP; HTTP; SMTP; automatic network protocol automaton extraction; communication session; grammatical inference; intrusion detection; intrusion prevention; network application specification; network security; pattern database; penetration testing; protocol specification; protocol state machine; regular expression; reverse engineering; traffic normalization; Automata; Automatic control; Context modeling; Databases; Intrusion detection; Protocols; Reverse engineering; Telecommunication traffic; Testing; Traffic control; Protocol analysis; automaton inference; protocol reverse engineering; regular expression;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Network and System Security, 2009. NSS '09. Third International Conference on
Conference_Location :
Gold Coast, QLD
Print_ISBN :
978-1-4244-5087-9
Electronic_ISBN :
978-0-7695-3838-9
Type :
conf
DOI :
10.1109/NSS.2009.71
Filename :
5319072