Title :
Traffic to protocol reverse engineering
Author :
Trifilò, Antonio ; Burschka, Stefan ; Biersack, Ernst
Author_Institution :
Swisscom Schweiz AG, Bern, Switzerland
Abstract :
Network Protocol Reverse Engineering (NPRE) has played an increasing role in honeypot operations. It allows to automatically generate Statemodels and scripts being able to act as realistic counterpart for capturing unknown malware. This work proposes a novel approach in the field of NPRE. By passively listening to network traces, our system automatically derives the protocol state machines of the peers involved allowing the analyst to understand its intrinsic logic. We present a new methodology to extract the relevant fields from arbitrary binary protocols to construct a state model. We prove our methodology by deriving the state machine of documented protocols ARP, DHCP and TCP. We then apply it to Kademlia, the results show the usefulness to support binary reverse engineering processes and detect a new undocumented feature.
Keywords :
invasive software; protocols; reverse engineering; ARP protocol; DHCP protocol; TCP protocol; binary protocols; honeypot operation; intrinsic logic; malware; network protocol reverse engineering; protocol state machines; state model construction; Protocols; Reverse engineering;
Conference_Titel :
Computational Intelligence for Security and Defense Applications, 2009. CISDA 2009. IEEE Symposium on
Conference_Location :
Ottawa, ON
Print_ISBN :
978-1-4244-3763-4
Electronic_ISBN :
978-1-4244-3764-1
DOI :
10.1109/CISDA.2009.5356565
