
Research And Implementation Of Network Trace-based Protocol Reverse Engineering

Posted on: 2019-11-01 | Degree: Master | Type: Thesis
Country: China | Candidate: Y Hu | Full Text: PDF
GTID: 2428330590475657 | Subject: Computer technology
Abstract/Summary:
The increasing complexity of network traffic poses a major challenge to network security supervision. Both fine-grained classification of network traffic and network security protection rely heavily on protocol specifications. Nowadays, with more and more network traffic carried by private protocols, the main approach to obtaining a protocol description is protocol reverse engineering: deriving the protocol format, semantic relationships, protocol state machine and other descriptions of a specific protocol without prior knowledge, usually by observing network behavior or system behavior. Because manual analysis is inefficient, automatic protocol analysis methods are urgently needed.

To address these problems, we propose a series of network-trace-based methods for protocol reverse engineering, given the key requirements of protocol reverse analysis. Methods are proposed for each phase, from pre-processing to the individual steps of protocol reverse analysis, and a protocol reverse engineering system is implemented. The main contents are as follows:

Firstly, to better characterize the randomness of encrypted traffic, we propose an encrypted traffic identification method based on n-gram entropy and cumulative sum testing. The results show its superiority to current methods.

Secondly, since current protocol reverse methods have inadequate reverse ability and lack semantic analysis, we develop a complete network-trace-based protocol reverse process consisting mainly of three phases: message segmentation, protocol feature word extraction, and protocol format identification, with corresponding methods proposed for each phase. In the segmentation phase, messages are segmented using the entropy of word boundaries. Feature words are then merged and extracted from the frequency and length of the segmented words. According to the feature words, messages are transformed into token formats for the following phases. By training a word2vec model, semantic information about the feature words is obtained for semantic-based multi-sequence alignment, which merges all message formats, so that protocol format identification is achieved.

Based on the proposed methods, a network trace-based protocol reverse engineering system is designed and implemented, and related experiments are performed. Experiments are conducted for encrypted traffic identification in the pre-processing phase, message segmentation, protocol feature word extraction and protocol format identification. They show that the system is able to extract protocol feature words and recognize protocol formats for non-encrypted application layer protocols.
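An added illustration (not code from the thesis) of the two randomness signals the first contribution combines, n-gram entropy and a cumulative-sum test, applied to a constructed plaintext request and a constructed ciphertext stand-in. The thresholds, the way the two signals are combined and the sample payloads are assumptions made here, since the abstract gives none.

```python
import hashlib
import math
from collections import Counter

# Added illustration of the abstract's two randomness signals (n-gram entropy and a
# cumulative-sum test). Thresholds and the combination rule are assumptions, not the
# thesis's parameters; the sample payloads are constructed below.

def ngram_entropy(data: bytes, n: int = 1) -> float:
    """Shannon entropy, in bits, of the sliding byte n-gram distribution of data.
    With n > 1 the estimate is capped by log2(number of n-grams), so it needs a
    sample much larger than 256**n before it approaches the true value."""
    if len(data) < n:
        return 0.0
    counts = Counter(data[i:i + n] for i in range(len(data) - n + 1))
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def cusum_excursion(data: bytes) -> float:
    """Largest absolute partial sum of the +1/-1 bit walk, scaled by sqrt(bits).
    Balanced (random-looking) bits stay near zero; ASCII plaintext, whose high
    bit is always 0, drifts steadily and returns a large value."""
    total, peak, nbits = 0, 0, 0
    for byte in data:
        for k in range(8):
            total += 1 if (byte >> k) & 1 else -1
            peak = max(peak, abs(total))
            nbits += 1
    return peak / math.sqrt(nbits) if nbits else 0.0

def looks_encrypted(data: bytes, min_len: int = 256,
                    entropy_floor: float = 7.5, cusum_ceiling: float = 3.0) -> bool:
    """Flag a payload as encrypted/compressed-looking when both signals agree.
    Short payloads are never flagged: entropy estimates on them are unreliable."""
    if len(data) < min_len:
        return False
    return (ngram_entropy(data, 1) >= entropy_floor
            and cusum_excursion(data) <= cusum_ceiling)

# Constructed samples: a plaintext-style request repeated to 4 KiB, and 4 KiB of
# SHA-256 output standing in for ciphertext (a deterministic high-entropy proxy).
PLAINTEXT = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n" * 100)[:4096]
CIPHERTEXT = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

if __name__ == "__main__":
    for name, payload in (("plaintext", PLAINTEXT), ("ciphertext", CIPHERTEXT)):
        print(name, round(ngram_entropy(payload), 3),
              round(cusum_excursion(payload), 3), looks_encrypted(payload))
```

On real traces the two signals should be tuned per flow length and combined with the payload length rule, since a single short TLS record and a short binary header can look alike under either measure alone.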
Keywords/Search Tags: protocol reverse engineering, network trace, multi-sequence alignment, encrypted traffic identification, network traffic classification