Learning Regular Languages from Simple Positive Examples
Machine Learning
Computation of the probability of initial substring generation by stochastic context-free grammars
Computational Linguistics
ScriptGen: an automated script generation tool for honeyd
ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Semi-automated discovery of application session structure
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
binpac: a yacc for writing application protocol parsers
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Unexpected means of protocol inference
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Polyglot: automatic extraction of protocol message format using dynamic binary analysis
Proceedings of the 14th ACM conference on Computer and communications security
Grammar-based whitebox fuzzing
Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation
TestCom '08 / FATES '08 Proceedings of the 20th IFIP TC 6/WG 6.1 international conference on Testing of Software and Communicating Systems: 8th International Workshop
Detecting Communication Protocol Security Flaws by Formal Fuzz Testing and Machine Learning
FORTE '08 Proceedings of the 28th IFIP WG 6.1 international conference on Formal Techniques for Networked and Distributed Systems
Advanced Network Fingerprinting
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Deriving input syntactic structure from execution
Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of software engineering
Towards automatic reverse engineering of software security configurations
Proceedings of the 15th ACM conference on Computer and communications security
Tupni: automatic reverse engineering of input formats
Proceedings of the 15th ACM conference on Computer and communications security
Experiences with model inference assisted fuzzing
WOOT'08 Proceedings of the 2nd conference on USENIX Workshop on offensive technologies
To catch a predator: a natural language approach for eliciting malicious payloads
SS'08 Proceedings of the 17th conference on Security symposium
Somniloquy: augmenting network interfaces to reduce PC energy usage
NSDI'09 Proceedings of the 6th USENIX symposium on Networked systems design and implementation
Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering
Proceedings of the 16th ACM conference on Computer and communications security
Control flow obfuscation with information flow tracking
Proceedings of the 42nd Annual IEEE/ACM International Symposium on Microarchitecture
Passive testing for reverse engineering: specification recovery
PDCN '08 Proceedings of the IASTED International Conference on Parallel and Distributed Computing and Networks
Traffic to protocol reverse engineering
CISDA'09 Proceedings of the Second IEEE international conference on Computational intelligence for security and defense applications
Reverse engineering of binary device drivers with RevNIC
Proceedings of the 5th European conference on Computer systems
ReFormat: automatic reverse engineering of encrypted messages
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
Towards automatic inference of task hierarchies in complex systems
HotDep'08 Proceedings of the Fourth conference on Hot topics in system dependability
Inference and analysis of formal models of botnet command and control protocols
Proceedings of the 17th ACM conference on Computer and communications security
Reverse engineering for mobile systems forensics with Ares
Proceedings of the 2010 ACM workshop on Insider threats
Reverse engineering ECUs of automotive components: a case study
Proceedings of the First International Workshop on Model Inference In Testing
Automatic discovery of unspecified behaviors in automotive control software
TAIC PART'10 Proceedings of the 5th international academic and industrial conference on Testing - practice and research techniques
Efficient file fuzz testing using automated analysis of binary file format
Journal of Systems Architecture: the EUROMICRO Journal
ASAP: automatic semantics-aware analysis of network payloads
PSDML'10 Proceedings of the international ECML/PKDD conference on Privacy and security issues in data mining and machine learning
Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution
ACM Transactions on Information and System Security (TISSEC)
Inferring protocol state machine from network traces: a probabilistic approach
ACNS'11 Proceedings of the 9th international conference on Applied cryptography and network security
Forensic triage for mobile phones with DEC0DE
SEC'11 Proceedings of the 20th USENIX conference on Security
MACE: model-inference-assisted concolic exploration for protocol and vulnerability discovery
SEC'11 Proceedings of the 20th USENIX conference on Security
Challenges in network application identification
LEET'12 Proceedings of the 5th USENIX conference on Large-Scale Exploits and Emergent Threats
B@bel: leveraging email delivery for spam mitigation
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Learning stateful models for network honeypots
Proceedings of the 5th ACM workshop on Security and artificial intelligence
StegoTorus: a camouflage proxy for the Tor anonymity system
Proceedings of the 2012 ACM conference on Computer and communications security
PeerPress: utilizing enemies' P2P strength against them
Proceedings of the 2012 ACM conference on Computer and communications security
Towards network containment in malware analysis systems
Proceedings of the 28th Annual Computer Security Applications Conference
Automatic protocol reverse-engineering: Message format extraction and field semantics inference
Computer Networks: The International Journal of Computer and Telecommunications Networking
iBinHunt: binary hunting with inter-procedural control flow
ICISC'12 Proceedings of the 15th international conference on Information Security and Cryptology
Software model synthesis using satisfiability solvers
Empirical Software Engineering
Tappan Zee (north) bridge: mining memory accesses for introspection
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
ProVeX: detecting botnets with encrypted command and control channels
DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Hi-index | 0.02 |
Application-level protocol specifications are useful for many security applications, including intrusion prevention and detection that performs deep packet inspection and traffic normalization, and penetration testing that generates network inputs to an application to uncover potential vulnerabilities. However, current practice in deriving protocol specifications is mostly manual. In this paper, we present Discoverer, a tool for automatically reverse engineering the protocol message formats of an application from its network trace. A key property of Discoverer is that it operates in a protocol-independent fashion by inferring protocol idioms commonly seen in message formats of many application-level protocols. We evaluated the efficacy of Discoverer over one text protocol (HTTP) and two binary protocols (RPC and CIFS/SMB) by comparing our inferred formats with true formats obtained from Ethereal [5]. For all three protocols, more than 90% of our inferred formats correspond to exactly one true format; one true format is reflected in five inferred formats on average; our inferred formats cover over 95% of messages, which belong to 30-40% of true formats observed in the trace.