Research On Protocol Specification Mining And Its Applications

Network protocol specifications mining is a reverse engineering technology, which makes analysis of network traffic or monitors the execution series of a network application handling packets. Since the results of this technology are widely applied in network fuzz test, intrusion detection system and software development area, therefore, more and more researchers devote to this area and its applications in recent years. This dissertation proposes two novel protocol packet specifications mining methods, and moreover, improves and complements other related methods to get better results. Finally applies the research results to resolve the problems such as how to calculate the coverage of fuzz test and how to drive fuzz test based on protocol state machine in the network security area. In summary, this dissertation makes the major contributions as follows:1. Summarizes all kinds of methods in the past decades and makes the formal definitions of the research problem by removing complex engineering details and abstracting all kinds of specific methods, which could benefit researchers on seeing the essence of the problem and avoids the inaccurate description based on natural langurage.2. A method based on the length semantic constraints for mining packet formats of unknown protocols is proposed, which scans reversely a group of packet segments with the same format separately to infer their length fields and corresponding referred field(s). Finally, the formats (hierarchy structure) of the packets are obtained. On the basis of the above results, implements the common seen protocol idioms inference, constructs and sends plenty of pertinent packets to the target network device and observes their reactions, which could further infer the field semantic meanings and it is a helpful complement to the packet format specification mining area.3. This dissertation designs and implements a general framework to mine the protocol behavior specification (protocol state machine), which applies the XML language to describe the packet formats and network implements’behaviors to support many network protocols. Further more, this framework adopts the "high cohesion and low coupling" and hierarchical design principle, which could make it support many behavior modeling methods. When selecting the most appropriate method for modeling protocol behaviors, this dissertation improves the QSM algorithm, which judges the loop structures and generates more querying sequences in the inferring process to get more accurate results. Finally, applies the improved QSM algorithm to the protocol behavior modeling area, and displays its advantages compared with others methods by experimental results.4Finally designs a flexible testing framework and applies the above research results to the network robust testing based on the fuzz technology. Solves several problems such as how to calculate the test coverage reasonably, increases the test efficiency on private protocol by packet format mining, and drives a fuzz test based on a protocol state machine. Combines theoretical researches and practical applications.