Reverse engineering of protocols from network traces

João Antunes, Nuno Neves, Paulo Verissimo

Research output: Chapter in Book/Report/Conference proceedingConference contribution

53 Scopus citations

Abstract

Communication protocols determine how network components interact with each other. Therefore, the ability to derive a specification of a protocol can be useful in various contexts, such as to support deeper black-box testing or effective defense mechanisms. Unfortunately, it is often hard to obtain the specification because systems implement closed (i.e., undocumented) protocols, or because a time consuming translation has to be performed, from the textual description of the protocol to a format readable by the tools. To address these issues, we propose a new methodology to automatically infer a specification of a protocol from network traces, which generates automata for the protocol language and state machine. Since our solution only resorts to interaction samples of the protocol, it is well-suited to uncover the message formats and protocol states of closed protocols and also to automate most of the process of specifying open protocols. The approach was implemented in a tool and experimentally evaluated with publicly available FTP traces. Our results show that the inferred specification is a good approximation of the reference specification, exhibiting a high level of precision and recall. © 2011 IEEE.
Original languageEnglish (US)
Title of host publicationProceedings - Working Conference on Reverse Engineering, WCRE
Pages169-178
Number of pages10
DOIs
StatePublished - Dec 19 2011
Externally publishedYes

Fingerprint

Dive into the research topics of 'Reverse engineering of protocols from network traces'. Together they form a unique fingerprint.

Cite this