Journal of Beijing University of Posts and Telecommunications

  • EI Core Journal

JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM ›› 2012, Vol. 35 ›› Issue (6): 55-59. doi: 10.13190/jbupt.201206.55.zhangzh

• Papers

A Length Semantic Constraints Based Approach for Mining Packet Formats of Unknown Protocols

ZHANG Zhao, TANG Wen, WEN Qiao-yan   

  1. State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
  2. IT Security, Corporate Technology, Siemens (China) Ltd, Beijing 100102, China
  • Received: 2012-04-09 Revised: 2012-07-24 Online: 2012-12-28 Published: 2013-01-07
  • Contact: Zhao ZHANG E-mail: 108283@bupt.edu.cn
  • Supported by: Specialized Research Fund for the Doctoral Program of Higher Education

Abstract:

To recover the packet format of unknown protocols, a packet format mining method based on length semantic constraints is proposed. First, multiple sequence alignment is applied to partition a packet into segments. Then, a length identification algorithm scans each segment separately to infer length fields and the field(s) they refer to. Finally, the format (hierarchical structure) of the packets is obtained. Experiments demonstrate the effectiveness of the method: for GetNextRequest and GetResponse of Simple Network Management Protocol version 1 (SNMPv1), the false negative rates for length fields are both 9.1%, and the false positive rates are 16.7% and 23.1%, respectively. The packet hierarchy obtained is approximately consistent with the protocol format specification.

Key words: length field, packet format, protocol specification mining, protocol reverse engineering, multiple sequence alignment
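A simplified illustration of the length-field idea in the abstract, added here as an example; it is not the algorithm from the paper. It assumes 1-byte length fields that sit at the same offset in every sample (standing in for the alignment step), and the packets, helper names and the rule "value = bytes remaining minus a constant trailer" are constructed for this sketch.

```python
def tlv(tag: int, body: bytes) -> bytes:
    """BER-style tag, 1-byte length, value (short-form lengths only)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def get_next_request(community: bytes, request_id: int) -> bytes:
    """Constructed SNMPv1 GetNextRequest for OID 1.3.6.1.2.1.1.1."""
    oid = tlv(0x06, bytes.fromhex("2b060102010101"))
    varbinds = tlv(0x30, tlv(0x30, oid + tlv(0x05, b"")))
    pdu = tlv(0xA1, tlv(0x02, bytes([request_id])) + tlv(0x02, b"\x00")
              + tlv(0x02, b"\x00") + varbinds)
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)

def infer_length_fields(packets):
    """Return [(offset, trailer)] for bytes that behave like length fields.

    A byte qualifies when its value differs between samples yet always
    equals the number of bytes after it minus one fixed trailer size.
    Constant bytes and payload bytes fail this constraint.
    """
    found = []
    for off in range(min(len(p) for p in packets)):
        values = {p[off] for p in packets}
        trailers = {len(p) - off - 1 - p[off] for p in packets}
        if len(values) > 1 and len(trailers) == 1:
            trailer = trailers.pop()
            if trailer >= 0:  # the referred span must fit in the packet
                found.append((off, trailer))
    return found

def referred_span(packet: bytes, off: int, trailer: int) -> bytes:
    """Bytes covered by the length field at `off`."""
    return packet[off + 1:len(packet) - trailer]

# Constructed samples: only the community string and request id vary.
SAMPLES = [get_next_request(b"public", 1),
           get_next_request(b"private", 2),
           get_next_request(b"lab", 3)]

if __name__ == "__main__":
    for off, trailer in infer_length_fields(SAMPLES):
        span = referred_span(SAMPLES[0], off, trailer)
        print(f"length field at offset {off}: covers {len(span)} bytes, "
              f"{trailer} bytes follow")
```

On these samples the outer message length and the community-string length are recovered. The lengths inside the PDU are not, because their offsets shift with the community string, which is the case the alignment and per-segment scanning steps address.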
