Protocol normalization using attribute grammars

Authors:
Drew Davidson;Randy Smith;Nic Doyle;Somesh Jha
Affiliations:
Computer Sciences Department, University of Wisconsin, Madison, WI;Computer Sciences Department, University of Wisconsin, Madison, WI;ERBU, XE Security group, CISCO systems;Computer Sciences Department, University of Wisconsin, Madison, WI
Venue:
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
Year:
2009

Citing 11
Cited 2

Higher order attribute grammars

PLDI '89 Proceedings of the ACM SIGPLAN 1989 Conference on Programming language design and implementation
lex & yacc (2nd ed.)

lex & yacc (2nd ed.)
Attribute grammar paradigms—a high-level methodology in language implementation

ACM Computing Surveys (CSUR)
Network performance effects of HTTP/1.1, CSS1, and PNG

SIGCOMM '97 Proceedings of the ACM SIGCOMM '97 conference on Applications, technologies, architectures, and protocols for computer communication
A grammar-based methodology for protocol specification and implementation

SIGCOMM '85 Proceedings of the ninth symposium on Data communications
The Genesis of Attribute Grammars

Proceedings of the International Conference WAGA on Attribute Grammars and their Applications
Testing network-based intrusion detection signatures using mutant exploits

Proceedings of the 11th ACM conference on Computer and communications security
Automatic Generation and Analysis of NIDS Attacks

ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Towards Automatic Generation of Vulnerability-Based Signatures

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
binpac: a yacc for writing application protocol parsers

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10

Automated testing of industrial control devices: the delphi database

Proceedings of the 6th International Workshop on Automation of Software Test
Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues

Information Sciences: an International Journal

Quantified Score

Hi-index	0.00

Visualization

Abstract

Protocol parsing is an essential step in several networkingrelated tasks. For instance, parsing network traffic is an essential step for Intrusion Prevention Systems (IPSs). The task of developing parsers for protocols is challenging because network protocols often have features that cannot be expressed in a context-free grammar. We address the problem of parsing protocols by using attribute grammars (AGs), which allow us to factor features that are not context-free and treat them as attributes. We investigate this approach in the context of protocol normalization, which is an essential task in IPSs. Normalizers generated using systematic techniques, such as ours, are more robust and resilient to attacks. Our experience is that such normalizers incur an acceptable level of overhead (approximately 15% in the worst case) and are straightforward to implement.