DocumentCode
2716658
Title
Traffic to protocol reverse engineering
Author
Trifilò, Antonio ; Burschka, Stefan ; Biersack, Ernst
Author_Institution
Swisscom Schweiz AG, Bern, Switzerland
fYear
2009
fDate
8-10 July 2009
Firstpage
1
Lastpage
8
Abstract
Network Protocol Reverse Engineering (NPRE) has played an increasing role in honeypot operations. It makes it possible to automatically generate state models and scripts that can act as realistic counterparts for capturing unknown malware. This work proposes a novel approach in the field of NPRE. By passively listening to network traces, our system automatically derives the protocol state machines of the peers involved, allowing the analyst to understand the protocol's intrinsic logic. We present a new methodology to extract the relevant fields from arbitrary binary protocols in order to construct a state model. We validate our methodology by deriving the state machines of the documented protocols ARP, DHCP and TCP. We then apply it to Kademlia; the results show its usefulness in supporting binary reverse engineering processes and reveal a new undocumented feature.
Keywords
invasive software; protocols; reverse engineering; ARP protocol; DHCP protocol; TCP protocol; binary protocols; honeypot operation; intrinsic logic; malware; network protocol reverse engineering; protocol state machines; state model construction; Protocols; Reverse engineering
fLanguage
English
Publisher
ieee
Conference_Titel
Computational Intelligence for Security and Defense Applications, 2009. CISDA 2009. IEEE Symposium on
Conference_Location
Ottawa, ON
Print_ISBN
978-1-4244-3763-4
Electronic_ISBN
978-1-4244-3764-1
Type
conf
DOI
10.1109/CISDA.2009.5356565
Filename
5356565