An effective method for reverse engineering message format specification is proposed, which is a necessary step to extract the protocol’s state machine. First, separators are scanned and compared to accomplish protocol fields partitioned hierarchically, so as to determine the field boundaries recursively and achieve the basic field; second, the protocol candidate tokens are extracted by frequency statistics; finally, the logic feature selector is designed for filtering the logic feature keywords. The experimental valuation demonstrates the validation of partitioning fields and extracting logic feature keyword.
CaballeroJ. and SongD., Polyglot: Automatic extraction of protocol format using dynamic binary analysis, Proc CCS, 2007, pp. 317–329.
2.
PangR., VernP. and RobinS., Binpac: A yacc for writing application protocol parsers, Proc SIGCOMM, 2006, pp. 289–300.
3.
WangY., YunX. and ShafiqZ.M., A semantics aware approach to automated reverse engineering unknown protocols, Proc ICNP, 2012, pp. 1–10.
4.
WondracekG.P., ComparettiM., KruegelC. and KirdaE., Automatic Network Protocol Analysis, Proc NDSS, 2008, pp. 1–18.
5.
TrifilòA., BurschkaS. and BiersackE., Traffic to protocol reverse engineering, Proc CISD, 2009, pp. 257–264.
6.
CuiW., PeinadoM. and WangH.J., Shieldgen: Automated data patch generation for unknown vulnerabilities with informed probing, Proc of IEEE Security and Privacy, 2007, pp. 252–266.
7.
LuoJ.Z. and YuS.Z., Position-based automatic reverse engineering of network protocols, JNCA36(3) (2013), 1070–1077.
8.
YingL.Y., YangY. and FengD.G., Syntax and behavior semantics analysis of network protocol of malware, Journal of Software22 (2011), 1676–1689.
9.
LiZ., GaoX., GaoH., TangY., ChenY. and LiuB., NetShield: Massive semantics-based vulnerability signature matching for high-speed networks, Proc SIGCOMM, 2010, pp. 279–290.
10.
ComparettiP.M., WondracekG., KruegelC. and KirdaE., Prospex: Protocol specification extraction, Proc IEEE Symposium on Security and Privacy, 2009, pp. 110–125.
