Title :
Protocol Formats Reverse Engineering Based on Association Rules in Wireless Environment
Author :
Yong Wang ; Nan Zhang ; Yan-mei Wu ; Bin-bin Su ; Yong-jian Liao
Author_Institution :
Sch. of Comput. Sci. & Eng., Univ. of Electron. Sci. & Technol. of China, Chengdu, China
Abstract :
With the wide deployment of wireless networks, attackers may exploit Wi-Fi network vulnerabilities to transfer data secretly, or exploit covert communication channels to spread malicious code. Protocol format reverse engineering can be used to detect such attacks; however, previous work focuses on application-layer protocol analysis and works poorly when the captured data is available only in binary form, because such data lacks semantics. In this paper, we propose a novel protocol format reverse engineering framework, which uses the association rules of feature sequences to identify unknown protocols from captured binary data. We first convert the captured binary data into a bit stream and segment it into frames. The improved AC algorithm is then adopted to analyze the binary sequences. Next, we extract the feature sequences and analyze their association rules to detect potential unknown protocols. The experimental results show that our framework can identify 100% of ARP packets and 98% of ICMP packets from captured binary data.
Keywords :
computer network security; protocols; radio networks; reverse engineering; wireless LAN; Wi-Fi network vulnerability; application layer protocol analysis; association rules; binary sequences; captured binary data; covert communication channels; feature sequences; improved AC algorithm; malicious codes; protocol format reverse engineering technique; wireless environment; wireless networks; Algorithm design and analysis; Approximation algorithms; Association rules; Inference algorithms; Protocols; Reverse engineering; Wireless networks; association rules; binary analysis; protocol formats; wireless network;
Conference_Title :
Trust, Security and Privacy in Computing and Communications (TrustCom), 2013 12th IEEE International Conference on
Conference_Location :
Melbourne, VIC
DOI :
10.1109/TrustCom.2013.21