Research article
DOI: 10.1145/1978582.1978601

Automatically complementing protocol specifications from network traces

Published: 11 May 2011

Abstract

Network servers can be tested for correctness against a specification of the implemented protocol. However, producing a protocol specification can be a time-consuming task. In addition, protocols are constantly evolving with new functionality and message formats that render the previously defined specifications incomplete or deprecated. This paper presents a methodology to automatically complement an existing specification with extensions to the protocol by analyzing the contents of the messages in network traces. The approach can be used on top of existing protocol reverse engineering techniques, allowing it to be applied to both open and closed protocols. It also has the advantage of capturing unpublished or undocumented features automatically, thus obtaining a more complete and realistic specification of the implemented protocol. The proposed solution was evaluated with a prototype tool that was able to complement an IETF protocol (FTP) specification with several extensions extracted from traffic data collected from 320 public servers.

Published In

EWDC '11: Proceedings of the 13th European Workshop on Dependable Computing
May 2011
106 pages
ISBN: 9781450302845
DOI: 10.1145/1978582

Publisher

Association for Computing Machinery

New York, NY, United States
