DocumentCode
3740231
Title
Protocol Reverse Engineering Using LDA and Association Analysis
Author
Haifeng Li;Bo Shuai;Jian Wang;Chaojing Tang
Author_Institution
Sch. of Electron. Sci. &
fYear
2015
Firstpage
312
Lastpage
316
Abstract
Automatic protocol reverse engineering for application protocols is becoming more and more important for many applications such as application protocol analyzers, penetration testing, and intrusion prevention and detection. However, many techniques for extracting the protocol message format specifications of unknown applications often have some limitations due to little a priori information or the time-consuming problem. In this paper, we present a method for automatically reverse engineering the protocol message formats of an application from its network trace, by using LDA and association analysis. The approach exploits the semantics of protocol messages without the executable code of application protocols, focusing instead on the insight that the n-grams of protocol traces exhibit highly semantic information that can be leveraged for accurate protocol message format inference. First, we propose a way to extract keywords by utilizing the LDA model; second, the association analysis method is applied to construct the feature words based on the above process. Lastly, our experiments show that the method can accurately infer message format specifications of the SMTP text protocol.
Keywords
"Protocols","Feature extraction","Reverse engineering","Association rules","Yttrium","Semantics"
Publisher
ieee
Conference_Titel
Computational Intelligence and Security (CIS), 2015 11th International Conference on
Type
conf
DOI
10.1109/CIS.2015.83
Filename
7397097