Inference of network unknown protocol structure using CSP(Contiguous Sequence Pattern) algorithm based on tree structure

Bibliographic Details
Published in: NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium, pp. 1-4
Main Authors: Shim, Kyu-Seok; Goo, Young-Hoon; Lee, Min-Seob; Hasanova, Huru; Kim, Myung-Sup
Format: Conference Proceeding
Language: English
Published: IEEE 01.04.2018
ISSN: 2374-9709
DOI: 10.1109/NOMS.2018.8406311

Summary: As Internet traffic generation grows and new applications and malicious acts continue to emerge, the traffic to be analyzed is growing rapidly. Most network security threat traffic is communicated using unknown protocols. Thus, protocol reverse engineering is very important for addressing network security issues. While various protocol reverse engineering methods have been studied, there is not yet a single standardized method to extract a protocol specification completely, and each method has some limitations. This paper proposes to extract the static fields of the protocol. The method uses the CSP algorithm, based on Apriori, to extract the common strings. However, because it is not possible to extract all static fields with the CSP algorithm alone, we propose a method of extracting protocol static fields using the CSP algorithm based on the tree structure. This method allows extraction of all static fields that are infrequent but possible, not just frequently occurring ones. The method has been validated by experiments with the HTTP protocol.