Feature Extraction Optimization for Bitstream Communication Protocol Format Reverse Analysis

Sun

Security and Communication Networks

et al. 2021

Industrial control protocol is the basis of communication and interaction of industrial control system, and its security is related to the whole industrial infrastructure. Because many industrial control systems use proprietary protocols, it is necessary to adopt protocol reverse analysis technology to parse them and then detect whether there are secure vulnerabilities in the protocols by means of fuzzy testing. However, most of the existing technologies are designed for common network protocols, and there is no improvement for industrial control protocol. Therefore, we propose a multistage ensemble reverse analysis method, namely, MSERA, which fully considers the design concept of industrial control protocols. MSERA divides the traditional reverse analysis process into three stages and identifies the fields with different semantic characteristics in different stages and combines with field rectification to effectively improve the results of reverse analysis of industrial control protocols. Through the experimental comparison of some public and proprietary industrial control protocols, it is found that MSERA not only outperforms Netzob in the accuracy of field split but also far exceeds Netzob in semantic recognition accuracy. The experimental results show that MSERA is very practical and suitable for reverse analysis of industrial control protocols.

Section: Related Workmentioning

confidence: 96%

A Practical Format and Semantic Reverse Analysis Approach for Industrial Control Protocols

Sun

Security and Communication Networks

et al. 2021

“…e amount of data has a significant impact on the quality of the protocol specification, but multiple sequence matching has exponential complexity because sequence matching algorithms use only two messages at a time as input [29]. Zhang et al [30][31][32] studied and proposed a feature extraction method combining multipattern matching and association rules by investigating the bitstream protocol feature extraction technique to divide the bitstream protocol multiprotocol data frames into single-protocol data frames. e work is done for offline data, which cannot meet the real-time nature of bitstream data analysis and identification.…”

Section: Related Workmentioning

confidence: 99%

From Unknown to Similar: Unknown Protocol Syntax Analysis for Network Flows in IoT

Security and Communication Networks

Hei

et al. 2021

Self Cite

Internet of Things (IoT) is the development and extension of computer, Internet, and mobile communication network and other related technologies, and in the new era of development, it increasingly shows its important role. To play the role of the Internet of Things, it is especially important to strengthen the network communication information security system construction, which is an important foundation for the Internet of Things business relying on Internet technology. Therefore, the communication protocol between IoT devices is a point that cannot be ignored, especially in recent years; the emergence of a large number of botnet and malicious communication has seriously threatened the communication security between connected devices. Therefore, it is necessary to identify these unknown protocols by reverse analysis. Although the development of protocol analysis technology has been quite mature, it is impossible to identify and analyze the unknown protocols of pure bitstreams with zero a priori knowledge using existing protocol analysis tools. In this paper, we make improvements to the existing protocol analysis algorithm, summarize and learn from the experience and knowledge of our predecessors, improve the algorithm ideas based on the Apriori algorithm idea, and perform feature string finding under the idea of composite features of CFI (Combined Frequent Items) algorithm. The advantages of existing algorithm ideas are combined together to finally propose a more efficient OFS (Optimal Feature Strings) algorithm with better performance in the face of bitstream protocol feature extraction problems.

“…It is considered that the central point of each class is the sequence of protocol features, which can represent the characteristics of this class, so as to realize the recognition of the protocol. Clustering analysis 14 mostly focuses on the analysis of protocol semantics. Association analysis is to analyze by setting the minimum support and minimum confidence, filter the nonfeature string with support, and then calculate the implied relationship between the string and the string with confidence.…”

Section: Related Workmentioning

confidence: 99%

An unknown protocol syntax analysis method based on convolutional neural network

Trans Emerging Tel Tech

Bai

Hei

et al. 2020

Self Cite

In recent years, a large number of botnets and dark networks rely on command and control channels of unknown protocol formats for communication, and with the development of Internet of Things technology, this problem becomes more prominent. The syntax analysis of the unknown protocol is helpful to measure the boundary of Botnet in the environment of Internet of things, so as to protect the network security. Based on the analysis of the characteristics of the current bitstream protocol data format, this article proposes an unknown protocol syntax analysis method based on convolutional neural network (CNN). First, the protocol data are preprocessed, and then the image is transformed. Next, the converted image is input to the convolution layer for convolution. After convolution, the data are flattened. Then the flattened data are put into the fully connected neural network. Finally, the unknown protocol is analyzed and predicted. The experimental results show that compared with the traditional feature extraction combine frequent item algorithm (CFI) and other neural network deep neural networks, CNN is 15% more accurate than CFI in the analysis of unknown protocol syntax, and it can accurately analyze and identify the unknown protocol.