Similar literature
1.
ABSTRACT

Industrial control systems are an important part of many critical infrastructures and have a large influence on their security. With the rapid development of industrial control systems, their use of computer networks has increased significantly, which has brought many security issues. Protocol security is one of the most important of these. Many industrial protocols are undocumented, which prevents firewalls from parsing and analysing network traffic and thus poses a serious challenge for intrusion detection, deep packet inspection and traffic management. One way to address the problem is protocol reverse engineering. However, previous work targets mainly traditional network protocols and is not well suited to reversing industrial protocols. To address this, we propose IPART, an unsupervised tool that automatically reverse-engineers the format of an industrial protocol from network traces. IPART applies an extended Voting Experts algorithm to infer the boundaries of industrial protocol fields. The types of these fields are derived by statistical methods. It then classifies messages into sub-clusters by their field types and infers the format of each sub-cluster. Finally, IPART combines all results into the format tree of the protocol. We evaluate our work on three industrial protocols: Modbus, IEC 104 and EtherNet/IP. Compared with several state-of-the-art approaches (LDA model, Voting Experts, Netzob), our tool shows better performance.

IPART reverse-engineers industrial protocols in three stages. The tool first splits raw packets into tokens and infers the fields of the protocol, recovering both field properties (offset, length, etc.) and field semantics (length field, transaction id, etc.). It then groups messages that share a format into a cluster, each cluster approximating one format. Finally, the tool combines all formats into the protocol format tree.

2.
Understanding the command-and-control (C&C) protocol used by a botnet is crucial for anticipating its repertoire of nefarious activity. However, the C&C protocols of botnets, similar to many other application layer protocols, are undocumented. Automatic protocol reverse-engineering techniques enable understanding undocumented protocols and are important for many security applications, including the analysis and defense against botnets. For example, they enable active botnet infiltration, where a security analyst rewrites messages sent and received by a bot in order to contain malicious activity and to provide the botmaster with an illusion of successful and unhampered operation. In this work, we propose a novel approach to automatic protocol reverse engineering based on dynamic program binary analysis. Compared to previous work that examines the network traffic, we leverage the availability of a program that implements the protocol. Our approach extracts more accurate and complete protocol information and enables the analysis of encrypted protocols. Our automatic protocol reverse-engineering techniques extract the message format and field semantics of protocol messages sent and received by an application that implements an unknown protocol specification. We implement our techniques into a tool called Dispatcher and use it to analyze the previously undocumented C&C protocol of MegaD, a spam botnet that at its peak produced one third of the spam on the Internet.

3.
Converting messages between different SNMP versions through an SNMP version-translation proxy is an effective way for network management software to achieve compatibility between SNMP versions. By analysing the differences among the SNMP versions, specifically in message format, PDU types and MIB structure, this paper proposes to solve SNMP version coexistence by implementing, inside the version-translation proxy, the coexistence of the different versions' PDUs, messages and management information.
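The PDU-level differences the abstract refers to are the ones RFC 2576 (SNMP coexistence) spells out, and the translation rules below are what such a proxy has to apply to a v2c response heading for a v1 manager and to a v1 trap heading for a v2c manager. This is an added example, not the paper's proxy: PDUs are plain Python dicts with varbinds as (oid, syntax, value) tuples, the sample PDUs are constructed, and BER encoding, community mapping and the GetBulk-to-GetNext iteration needed for v1 agents are left out.

```python
"""RFC 2576 translation rules an SNMPv1/v2c version-translation proxy
applies.  Added example; PDUs are dicts, BER encoding is out of scope."""

# v2c error-status values a v1 manager cannot understand are folded into
# the nearest v1 error (RFC 2576 section 4.2).
V2_TO_V1_ERROR = {
    "noError": "noError", "tooBig": "tooBig", "noSuchName": "noSuchName",
    "badValue": "badValue", "readOnly": "readOnly", "genErr": "genErr",
    "wrongValue": "badValue", "wrongEncoding": "badValue",
    "wrongType": "badValue", "wrongLength": "badValue",
    "inconsistentValue": "badValue",
    "noAccess": "noSuchName", "authorizationError": "noSuchName",
    "notWritable": "noSuchName", "noCreation": "noSuchName",
    "inconsistentName": "noSuchName",
    "resourceUnavailable": "genErr", "commitFailed": "genErr",
    "undoFailed": "genErr",
}
# Syntaxes and exception values with no SNMPv1 representation.
V1_INCOMPATIBLE = {"Counter64", "noSuchObject", "noSuchInstance", "endOfMibView"}


def v1_response_from_v2c(request, response):
    """Translate a v2c Response PDU into the v1 GetResponse returned to the
    v1 manager that issued `request`."""
    if response["error_status"] != "noError":
        return {"pdu": "GetResponse",
                "error_status": V2_TO_V1_ERROR[response["error_status"]],
                "error_index": response["error_index"],
                "varbinds": request["varbinds"]}      # v1 errors echo the request
    for index, (_oid, syntax, _value) in enumerate(response["varbinds"], 1):
        if syntax in V1_INCOMPATIBLE:
            # Simplification: RFC 2576 re-issues a GetNext past a Counter64
            # object; here every incompatible binding becomes noSuchName.
            return {"pdu": "GetResponse", "error_status": "noSuchName",
                    "error_index": index, "varbinds": request["varbinds"]}
    return {"pdu": "GetResponse", "error_status": "noError",
            "error_index": 0, "varbinds": response["varbinds"]}


SYS_UPTIME = "1.3.6.1.2.1.1.3.0"
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"
SNMP_TRAPS = "1.3.6.1.6.3.1.1.5"             # coldStart = .1 ... egpNeighborLoss = .6
SNMP_TRAP_ADDRESS = "1.3.6.1.6.3.18.1.3.0"
SNMP_TRAP_COMMUNITY = "1.3.6.1.6.3.18.1.4.0"
SNMP_TRAP_ENTERPRISE = "1.3.6.1.6.3.1.1.4.3.0"


def v2c_trap_from_v1(trap):
    """RFC 2576 section 3.1: map a v1 Trap-PDU onto a v2c SNMPv2-Trap-PDU."""
    if trap["generic_trap"] == 6:                       # enterpriseSpecific
        trap_oid = f'{trap["enterprise"]}.0.{trap["specific_trap"]}'
    else:
        trap_oid = f'{SNMP_TRAPS}.{trap["generic_trap"] + 1}'
    varbinds = [(SYS_UPTIME, "TimeTicks", trap["time_stamp"]),
                (SNMP_TRAP_OID, "OBJECT IDENTIFIER", trap_oid)]
    varbinds += trap["varbinds"]
    varbinds += [(SNMP_TRAP_ADDRESS, "IpAddress", trap["agent_addr"]),
                 (SNMP_TRAP_COMMUNITY, "OCTET STRING", trap["community"]),
                 (SNMP_TRAP_ENTERPRISE, "OBJECT IDENTIFIER", trap["enterprise"])]
    return {"pdu": "SNMPv2-Trap", "error_status": "noError",
            "error_index": 0, "varbinds": varbinds}


if __name__ == "__main__":
    # Constructed: a v1 manager asks for ifHCInOctets.1, which is Counter64.
    req = {"varbinds": [("1.3.6.1.2.1.31.1.1.1.6.1", "Null", None)]}
    resp = {"error_status": "noError", "error_index": 0,
            "varbinds": [("1.3.6.1.2.1.31.1.1.1.6.1", "Counter64", 2 ** 40)]}
    print(v1_response_from_v2c(req, resp))
    print(v2c_trap_from_v1({"enterprise": "1.3.6.1.4.1.9", "agent_addr": "192.0.2.1",
                            "generic_trap": 2, "specific_trap": 0,
                            "time_stamp": 1234, "community": "public", "varbinds": []}))
```

The security-relevant caveat is the Counter64 case: a v1 manager polling 64-bit counters through a proxy sees noSuchName rather than a wrapped 32-bit value, so monitoring silently loses visibility of exactly the high-rate interfaces where attacks show up; the v1 community string is also carried in the translated trap as snmpTrapCommunity.0 and should be treated as a credential.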

4.
Network flow classification and protocol identification are prerequisites for network management, but the growing number of encrypted protocols defeats traditional flow-classification methods. For identifying encrypted protocols, this paper proposes a new classification method, ARCA (automatic reverse and message analysis), which fuses automated reverse analysis with clustering of network messages. The method obtains a protocol's structural features by automated reverse analysis, then obtains the protocol's interaction process by clustering network messages, and finally uses both the structural features and the interaction process to identify and classify encrypted protocol traffic. Because it does not rely on inspecting packet contents, it handles the identification problem that protocol encryption introduces. In experiments on real traffic of several encrypted protocols (迅雷 (Xunlei), BT, QQ and GTalk), precision and recall exceeded 96.9% and 93.1% respectively, while only 0.9% of the bytes in the traffic needed to be inspected. ARCA can therefore identify the traffic of various encrypted protocols effectively and quickly.

5.
In Trusted Network Connect (TNC), a network access decision is based on the security state of an access requesting party. This mechanism is limited to closed environments such as LANs and VPNs. In this paper, we propose solutions based on authentication standards for enabling TNC in open, web-based scenarios. In particular, an architectural model for TNC is proposed that takes additional security and privacy requirements into account. Furthermore, a communication scheme is proposed that is based on standardised protocols and message formats. This approach provides assurance as to the security state of clients accessing security sensitive web-based services.

6.
In recent years, content service providers have proposed offline-download caching services aimed at substantially improving peer-to-peer (P2P) file-transfer performance and solving the long-standing performance degradation caused by topology mismatch. The key to implementing such a caching service lies in analysing the P2P protocol. This paper studies the ARES protocol, which is popular in South America. A wavelet support vector machine model is first used to separate ARES P2P protocol messages from captured network packets; various protocol reverse-analysis methods and techniques are then combined to derive the complete ARES P2P message format and message sequencing. Finally, an ARES offline-download experiment verifies the correctness and completeness of the protocol analysis.

7.
Traditional packet parsers handle a fixed set of protocol types and protocol layers, lack support for new network protocols, and so limit the programmability of network devices. This paper abstracts a formalised parsing flow and implements a protocol-independent programmable parser on an FPGA, so that supporting a new protocol requires no hardware change, only a remapped parse graph. On this basis, a series of optimisation techniques overcomes the inherently serial nature of packet parsing and saves memory resources, providing an effective solution for high-speed programmable packet parsing. Hardware cost and performance are evaluated on a general-purpose multi-core platform and a high-performance FPGA platform. Experimental results show that the programmable parser greatly improves packet-parsing performance, parses both common and prospective network protocols quickly, and effectively supports the rapid development of custom network protocols.
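The parse-graph idea in the abstract, where the parser is generic and each protocol is a node that says how long its header is and which field selects the next node, is shown below in software rather than on an FPGA. This is an added example, not the paper's design: the graph (Ethernet, 802.1Q, IPv4, TCP, UDP), the node schema and the sample packet are constructed for the example. The point a parser author should take from it is that every step is bounds-checked and the header count is capped, because a protocol-independent parser driven by attacker-supplied length and next-protocol fields is exactly where truncation and loop bugs live.

```python
"""Table-driven, protocol-independent packet parser: the parse graph is
data, so adding a header type means adding a node, not parser code.
Added example; graph and packet are constructed."""

# Node: minimum bytes to inspect, header length computed from them, and
# the (offset, width) selector whose value chooses the next node.
PARSE_GRAPH = {
    "ethernet": {"peek": 14, "length": lambda h: 14, "select": (12, 2),
                 "next": {0x8100: "vlan", 0x0800: "ipv4"}},
    "vlan":     {"peek": 4, "length": lambda h: 4, "select": (2, 2),
                 "next": {0x8100: "vlan", 0x0800: "ipv4"}},    # QinQ loops here
    "ipv4":     {"peek": 20, "length": lambda h: (h[0] & 0x0F) * 4,
                 "select": (9, 1), "next": {6: "tcp", 17: "udp"}},
    "tcp":      {"peek": 20, "length": lambda h: (h[12] >> 4) * 4,
                 "select": None, "next": {}},
    "udp":      {"peek": 8, "length": lambda h: 8, "select": None, "next": {}},
}


def parse(pkt, graph=PARSE_GRAPH, start="ethernet", max_headers=8):
    """Walk the graph over `pkt`.  Returns (headers, payload_offset, status)
    with headers as (node, offset, length).  Bounds checks and the header
    cap keep crafted length fields or tag loops from running the parser
    off the buffer."""
    headers, off, node = [], 0, start
    while True:
        if len(headers) >= max_headers:
            return headers, off, "too_many_headers"
        spec = graph[node]
        if off + spec["peek"] > len(pkt):
            return headers, off, "truncated"
        hdr = pkt[off:off + spec["peek"]]
        hlen = spec["length"](hdr)
        if hlen < spec["peek"] or off + hlen > len(pkt):
            return headers, off, "bad_length"           # e.g. IPv4 IHL < 5
        headers.append((node, off, hlen))
        if spec["select"] is None:
            return headers, off + hlen, "ok"
        sel_off, sel_width = spec["select"]
        key = int.from_bytes(pkt[off + sel_off:off + sel_off + sel_width], "big")
        off += hlen
        node = spec["next"].get(key)
        if node is None:
            return headers, off, "unknown_next"


# Constructed frame: Ethernet / 802.1Q VLAN 100 / IPv4 (IHL 5) / TCP SYN
# to port 80 (data offset 5) / 16 bytes of payload.
SAMPLE_PKT = bytes.fromhex(
    "ffffffffffff" "001122334455" "8100"                  # Ethernet, TPID 0x8100
    "0064" "0800"                                         # 802.1Q tag, type IPv4
    "450000280001000040060000c0a80001c0a80002"            # IPv4, proto 6
    "0400005000000000000000005002200000000000"            # TCP
) + b"GET / HTTP/1.0\r\n"


if __name__ == "__main__":
    print(parse(SAMPLE_PKT))
    print(parse(SAMPLE_PKT[:30]))                  # truncated inside IPv4
```

Supporting a new encapsulation (MPLS, GRE, VXLAN) is one more dictionary entry with its own length function and selector, which is the software analogue of the abstract's "remap the parse graph, leave the hardware alone"; the four status values are what a firewall or IDS in front of this parser needs in order to decide whether a packet it could not fully parse should be dropped rather than passed.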

8.
We analyze universal routing protocols, that is, protocols that can be used for any communication pattern in any network, under a stochastic model of continuous message generation. In particular, we present two universal protocols, a store-and-forward and a wormhole routing protocol, and characterize their performance by the following three parameters: the maximum message generation rate for which the protocol is stable, the expected delay of a message from generation to service, and the time the protocol needs to recover from worst-case scenarios. Both protocols yield significant performance improvements over all previously known continuous routing protocols. In addition, we present adaptations of our protocols to continuous routing in node-symmetric networks, butterflies, and meshes. Received October 1996, and in final form April 1997.

9.
Existing Global Data Computation (GDC) protocols for asynchronous systems are round-based algorithms designed for fully connected networks. In this paper, we discuss GDC in asynchronous chordal rings, a non-fully connected network. The virtual links approach to solve the consensus problem may be applied to GDC for non-fully connected networks, but it incurs high message overhead. To reduce the overhead, we propose a new non-round-based GDC protocol for asynchronous chordal rings with perfect failure detectors. The main advantage of the protocol is that there is no notion of rounds. Every process creates two messages initially, with one message traversing in a clockwise direction and visiting each and every process in the chordal ring. The second message traverses in a counterclockwise direction. When there is direct connection between two processes, a message is sent directly. Otherwise, the message is sent via virtual links. When the two messages return, the process decides according to the information maintained by the two messages. The perfect failure detector of a process need only detect the crash of neighboring processes, and the crash information is disseminated to all other processes. Analysis and comparison with two virtual links approaches show that our protocol reduces message complexity significantly.

10.
Protocol reverse engineering is widely used in intrusion detection systems, deep packet inspection, fuzzing, botnet detection and other fields. This paper first gives a formal definition and the basic principles of protocol reverse engineering; then, for reverse-engineering methods and tools based on network traces, it analyses existing methods in detail from two aspects, protocol format extraction and protocol state-machine inference, explaining their basic modules, main principles and characteristics; finally, it compares existing algorithms from several angles and, for network-trace-based ...

11.
Research on high-reliability network communication based on VxWorks
Commercial Ethernet application environments based on Windows do not meet the strong real-time and high-reliability requirements of network communication in high-technology fields. To address this, the paper studies how to design a high-reliability network with dual redundant networks under the embedded real-time operating system VxWorks, and describes the network's topology, communication protocol, message formats and related software interfaces. Practical results show that the network fully satisfies the strong real-time and high-reliability requirements of its special application targets.

12.
Network intrusion detection technology based on protocol analysis
Network protocol analysis is a key technique in network intrusion detection; current methods mainly analyse the network-layer and transport-layer protocols. This paper performs protocol analysis and detection based on state transitions, so as to make full use of protocol state information to detect intrusions; it effectively analyses the protocols of every network layer, including the application layer, locates the detection domain more precisely, and improves the completeness, accuracy and efficiency of detection. The method combines anomaly detection and misuse detection, can more effectively detect anomalies during protocol execution and attacks against the protocol itself, and can detect attacks that are otherwise hard to catch, such as variant attacks and denial-of-service attacks.

13.
Network protocols are sets of standards for particular network communications. Identifying and analysing network protocols is significant for network management and security. Various protocol-identification technologies exist, but to simplify the identification process and improve its efficiency, unknown mixed multi-protocol traffic first needs to be separated into single protocols before further identification. Building on previous research on separating unknown mixed data frames into single protocols, this paper presents an efficient method for determining the address fields of single-protocol messages. With it, the data frames of a single protocol are split into point-to-point data frames according to address, so that the final identification of the unknown protocol can be carried out. The method was evaluated on ARP and TCP data and finds more than 2/3 of the address information.

14.
崔灿, 常义林, 郑建群. 《计算机工程》 (Computer Engineering), 2006, 32(23): 106-107
To overcome the difficulty of managing the topology, device status and traffic engineering of tactical-internet wireless subnets, this paper proposes managing these subnets with active-network technology. Active network-management node servers are deployed on the tactical-internet gateways or internet controllers that connect the radios; they listen for network-related information to infer the wireless subnet's topology and device status; according to the traffic class of messages and the link state, they control the routing and priority of transmissions in real time, solving the traffic-control problem; and they allow users to customise management services and policies for the wireless subnet dynamically. The method improves the real-time performance of network management, reduces the load that management traffic places on the network, improves network service capability, and remains compatible with the traditional management regime.

15.
A new approach for delay-constrained routing
Delay-constrained routing protocols are used to find paths subject to a delay constraint while efficiently using network resources. Many of the delay-constrained routing protocols that have been proposed in the literature give priority to cost minimization during the path computing process. With this approach, paths with end-to-end delays too close to the delay constraint are obtained. We believe that such paths are prone to delay constraint violations during load variations in the network. The root of such violations can be found in the imprecision of delay information during the routing process. In this paper, we propose a new approach for delay-constrained routing which captures the tradeoff between cost minimization and the risk level with respect to the delay constraint. We propose a protocol called Parameterized Delay-Constrained Routing protocol that implements our approach using a simple and efficient parameterized selection function. We expand this work to multicasting by proposing three new delay-constrained multicast routing protocols based on the source (Naïve), destination (Greedy) and mixed multicast routing techniques. Our simulations show that our protocols produce paths and trees which are stable, less risky and suitable for various network conditions.

16.
17.
In this paper we introduce the problem of Continuous Gossip in which rumors are continually and dynamically injected throughout the network. Each rumor has a deadline, and the goal of a continuous gossip protocol is to ensure good "Quality of Delivery", i.e., to deliver every rumor to every process before the deadline expires. Thus, a trivial solution to the problem of Continuous Gossip is simply for every process to broadcast every rumor as soon as it is injected. Unfortunately, this solution has high per-round message complexity. Complicating matters, we focus our attention on a highly dynamic network in which processes may continually crash and recover. In order to achieve good per-round message complexity in a dynamic network, processes need to continually form and re-form coalitions that cooperate to spread their rumors throughout the network. The key challenge for a Continuous Gossip protocol is the ongoing adaptation to the ever-changing set of active rumors and non-crashed processes. In this work we show how to address this challenge; we develop randomized and deterministic protocols for Continuous Gossip and prove lower bounds on the per-round message-complexity, indicating that our protocols are close to optimal.

18.
Mobile Ad Hoc Network (MANET) middleware must be aware of the underlying multi-hop topology to self-adapt and to improve its communication efficiency. For this reason, many approaches rely on specific cross-layer communications to interact with the network protocols in the kernel space. But these solutions break the strict layering of the network stack and hinder the portability of middleware and applications. The main argument of this paper is to move the routing protocols to the user space to simplify the development, testing, deployment and portability of middleware and applications. If routing is just another software component in the user space, cross-layering can be elegantly solved using advanced software engineering techniques like component frameworks and explicit APIs. As a consequence, a slight performance cost must be paid to achieve portability and easy deployment. But we will demonstrate that the performance obtained by a user-space routing protocol is satisfactory for a wide range of applications. We have implemented the unicast MANET OLSR protocol in Java (jOLSR) and, on top of it, we have created a novel overlay multicast protocol (OMOLSR). We have then integrated both routing protocols (jOLSR, OMOLSR) as software components in a well-known group communication toolkit (JGroups). Modifying the JGroups toolkit, we have devised a topology-aware group communication middleware for MANETs (MChannel). In our MChannel middleware, group membership is obtained directly from OMOLSR multicast trees and failure detection is obtained from jOLSR active probing. We have validated our approach in several real testbeds to demonstrate the feasibility and efficiency of our middleware.

19.
Designing attack-resistant security protocols has long been a goal of security experts, and the structure of the message blocks that a security protocol builds with cryptographic mechanisms plays a very important role in its resistance to attack. Starting from a hierarchy of replay attacks, this paper distils the state parameters a security protocol must carry to avoid the various attacks and proposes a design method for security-protocol message blocks based on state binding. The method targets the flaws that may exist at each level of a security protocol and resolves them through state binding, greatly improving the protocol's ability to resist attack.
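The principle the abstract argues for, that the state a message is valid in (who sent it, who it is for, which direction and which position in the run) must be bound under the cryptographic check rather than carried loose, is illustrated below with a generic authenticated message format. This is an added example and not the paper's construction or its attack hierarchy: the field set, the HMAC-SHA256 binding, the per-peer sequence check and the sample key are assumptions chosen to show why each of straight replay, reflection and direction confusion fails when the corresponding state parameter is under the tag.

```python
"""State-bound message blocks: every parameter that decides whether a
message is acceptable (sender, intended recipient, direction, sequence,
nonce) is part of the MAC input, so an attacker cannot reuse a captured
message in any other state.  Added example, not the paper's method."""
import hashlib
import hmac
import json
import os


class Endpoint:
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.send_seq = 0                # our own position in the run
        self.last_seen = {}              # peer -> highest accepted seq

    @staticmethod
    def _bind(fields):
        # Canonical encoding; the MAC covers every state parameter at once.
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

    def send(self, dst, payload, role="request"):
        self.send_seq += 1
        fields = {"src": self.name, "dst": dst, "role": role,
                  "seq": self.send_seq, "nonce": os.urandom(8).hex(),
                  "payload": payload}
        tag = hmac.new(self.key, self._bind(fields), hashlib.sha256).hexdigest()
        return {**fields, "tag": tag}

    def accept(self, msg, expected_role="request"):
        """Return "ok" or the reason the message is rejected."""
        fields = {k: v for k, v in msg.items() if k != "tag"}
        tag = hmac.new(self.key, self._bind(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, msg.get("tag", "")):
            return "bad_tag"                     # forged, tampered or re-addressed
        if fields["dst"] != self.name:
            return "wrong_recipient"             # reflection / misdirection
        if fields["role"] != expected_role:
            return "wrong_role"                  # response replayed as a request
        if fields["seq"] <= self.last_seen.get(fields["src"], 0):
            return "replay"                      # seen this or a later one already
        self.last_seen[fields["src"]] = fields["seq"]
        return "ok"


if __name__ == "__main__":
    key = b"shared-secret-for-the-example"      # constructed
    alice, bob = Endpoint("A", key), Endpoint("B", key)
    m = alice.send("B", "transfer 10")
    print(bob.accept(m))                         # ok
    print(bob.accept(m))                         # replay
    print(alice.accept(dict(m, src="B", dst="A")))   # bad_tag: src/dst are bound
```

Each rejection branch corresponds to one level of attack the abstract's hierarchy is concerned with: if `dst` were left out of the MAC input, the last line would return "wrong_recipient" only because of a check the attacker can argue with; because it is bound, the re-addressed copy does not even verify. The same reasoning decides what else to bind in a real protocol (session identifier, protocol version, the previous message's hash for interleaving attacks).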

20.
Wireless sensor networks are comprised of a vast number of ultra-small autonomous computing, communication and sensing devices, with restricted energy and computing capabilities, that co-operate to accomplish a large sensing task. Such networks can be very useful in practice, e.g. in the local monitoring of ambient conditions and reporting them to a control center. In this paper we propose a new lightweight, distributed group key establishment protocol suitable for such energy constrained networks. Our approach essentially trades complex message exchanges for some amount of additional local computation. The extra computations are simple for the devices to implement and are evenly distributed across the participants of the network, leading to good energy balance. We evaluate the performance of our protocol in comparison to existing group key establishment protocols both in simulated and real environments. The security of all protocols rests on the intractability of the Diffie-Hellman problem, and we used its elliptic curve analog in our experiments. Our findings indicate the feasibility of implementing our protocol on real sensor network devices and highlight the advantages and disadvantages of each approach given the available technology and the corresponding efficiency (energy, time) criteria.
