Research On Protocol State Machine Reverse Method Based On Interaction Process

Network protocol reverse engineering refers to the process of extracting the syntax and semantic features of the network protocol and inferring the protocol state machine by analyzing the network protocol traffic without relying on the protocol description.With the rapid development of network slicing and software defined network technology,a large number of customized proprietary protocols emerge in the network,and the scale of unknown protocols is further increased.Protocol reverse technology will play an important role in improving the quality of network service,understanding the operation status of the network and monitoring the malicious traffic of the network.In particular,the protocol state machine reverse technology can help analyze the protocol's behavior pattern,which has an important impact on protocol vulnerability mining,protocol reuse and other fields,and helps to improve the reliability and robustness of the network.However,most of the current protocol state machine reverse methods are oriented to the application layer protocol,and they are difficult to apply to the communication subnet layer protocol with complex message interaction and various control signaling,which brings challenges to the accurate analysis of the computer network full stack protocol.In this paper,the key issues in protocol state machine reverse such as fuzzy state definition,inaccurate state annotation and reflection of detailed characteristics are solved,which guarantees the accurate inference results of the protocol state machine.The specific work is as follows:The solution and development of the existing protocol state machine reverse method are summarized.The challenges of protocol state machine reverse in communication subnet layer are analyzed,including that how to accurately characterize the protocol state,how to mine valid information from the limited information of protocol session messages sequence.A protocol state machine reverse method based on interaction flow in communication subnet layer is proposed.The protocol state is represented by a set of acceptable message semantics,and the state is marked by mining the message semantic information in the protocol message sequence to improve the accuracy of protocol reverse inference.Specifically,the protocol state transition process is characterized by modeling the operation processes of the communications subnet layer protocol as different interaction processes;the semantic information of messages in different directions is mined by introducing the transmission direction of the message;and semantics information in different interaction processes are mined by describing the interaction process of the message through the prefix sequence and suffix sequence experienced in the conversation sequence.The reverse scheme of communication subnet protocol state machine based on interaction process is designed.The messages with the same semantics in the protocol session sequence are merged in advance because of the repeated interaction in communication subnet layer,which reduces the length of session sequence and improves the efficiency of protocol state machine reverse.A comparison with other reverse methods is given on the experiments of some typical communication subnet layer protocol such as TCP,OSPF and SCTP,the results show the superiority of the proposed method based on interaction process,which can infer more details of the protocol.