A high-level programming environment for packet trace anonymization and transformation
Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Non-negative Matrix Factorization with Sparseness Constraints
The Journal of Machine Learning Research
ScriptGen: an automated script generation tool for honeyd
ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Replayer: automatic protocol replay by binary analysis
Proceedings of the 13th ACM conference on Computer and communications security
Learning Sparse Representations by Non-Negative Matrix Factorization and Sequential Cone Programming
The Journal of Machine Learning Research
Polyglot: automatic extraction of protocol message format using dynamic binary analysis
Proceedings of the 14th ACM conference on Computer and communications security
Discoverer: automatic protocol reverse engineering from network traces
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Linear-Time Computation of Similarity Measures for Sequential Data
The Journal of Machine Learning Research
Hidden Markov Models and Dynamical Systems
Hidden Markov Models and Dynamical Systems
Tupni: automatic reverse engineering of input formats
Proceedings of the 15th ACM conference on Computer and communications security
Prospex: Protocol Specification Extraction
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering
Proceedings of the 16th ACM conference on Computer and communications security
ReFormat: automatic reverse engineering of encrypted messages
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
ASAP: automatic semantics-aware analysis of network payloads
PSDML'10 Proceedings of the international ECML/PKDD conference on Privacy and security issues in data mining and machine learning
JACKSTRAWS: picking command and control connections from bot traffic
SEC'11 Proceedings of the 20th USENIX conference on Security
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
ProVeX: detecting botnets with encrypted command and control channels
DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
| Hi-index | 0.00 |
Attacks like call fraud and identity theft often involve sophisticated stateful attack patterns which, on top of normal communication, try to harm systems on a higher semantic level than usual attack scenarios. To detect these kind of threats via specially deployed honeypots, at least a minimal understanding of the inherent state machine of a specific service is needed to lure potential attackers and to keep a communication for a sufficiently large number of steps. To this end we propose PRISMA, a method for protocol inspection and state machine analysis, which infers a functional state machine and message format of a protocol from network traffic alone. We apply our method to three real-life network traces ranging from 10,000 up to 2 million messages of both binary and textual protocols. We show that PRISMA is capable of simulating complete and correct sessions based on the learned models. A case study on malware traffic reveals the different states of the execution, rendering PRISMA a valuable tool for malware analysis.