• Title/Summary/Keyword: protocol reverse engineering

Two-Pathway Model for Enhancement of Protocol Reverse Engineering

  • Goo, Young-Hoon;Shim, Kyu-Seok;Baek, Ui-Jun;Kim, Myung-Sup
    • KSII Transactions on Internet and Information Systems (TIIS) / v.14 no.11 / pp.4310-4330 / 2020
  • With the continuous emergence of new applications and cyberattacks and their frequent updates, the need for automatic protocol reverse engineering is gaining recognition. Although several methods for automatic protocol reverse engineering have been proposed, each method still faces major limitations in extracting clear specifications and in its universal application. In order to overcome such limitations, we propose an automatic protocol reverse engineering method using a two-pathway model based on a contiguous sequential pattern (CSP) algorithm. By using this model, the method can infer both command-oriented protocols and non-command-oriented protocols clearly and in detail. The proposed method infers all the key elements of the protocol, which are syntax, semantics, and finite state machine (FSM), and extracts clear syntax by defining fine-grained field types and three types of format: field format, message format, and flow format. We evaluated the efficacy of the proposed method over two non-command-oriented protocols and three command-oriented protocols: the former are HTTP and DNS, and the latter are FTP, SMTP, and POP3. The experimental results show that this method can reverse engineer with high coverage and correctness rates, more than 98.5% and 99.1% respectively, and be general for both command-oriented and non-command-oriented protocols.

A Comparative Study of Feature Extraction Algorithm for unKnown Protocol Classification (비공개 프로토콜 분류를 위한 특징 추출 알고리즘 비교 연구)

  • Jung, YoungGiu;Jeong, Chang-Min
    • The Journal of the Institute of Internet, Broadcasting and Communication / v.19 no.5 / pp.251-255 / 2019
  • Today, protocol reverse-engineering techniques can be used to extract the specification of an unknown protocol. However, there is no standardized method, and in most cases, the extracting process is executed manually or semi-automatically. If the information about the structure of an unknown protocol could be acquired in advance, it would be easy to conduct reverse engineering. Feature extraction is an important step in unknown protocol classification. However, in this paper, we present a comparison of several feature extraction techniques and suggest a feature extraction algorithm for recognizing unknown protocols. In order to verify the performance of the proposed system, we performed the training using eight open protocols to evaluate the performance using unknown data.

Icefex: Protocol Format Extraction from IL-based Concolic Execution

  • Pan, Fan;Wu, Li-Fa;Hong, Zheng;Li, Hua-Bo;Lai, Hai-Guang;Zheng, Chen-Hui
    • KSII Transactions on Internet and Information Systems (TIIS) / v.7 no.3 / pp.576-599 / 2013
  • Protocol reverse engineering is useful for many security applications, including intelligent fuzzing, intrusion detection and fingerprint generation. Since manual reverse engineering is a time-consuming and tedious process, a number of automatic techniques have been proposed. However, the accuracy of these techniques is limited due to the complexity of binary instructions, and the derived formats have missed constraints that are critical for security applications. In this paper, we propose a new approach for protocol format extraction. Our approach reasons about only the evaluation behavior of a program on the input message from concolic execution, and enables field identification and constraint inference with high accuracy. Moreover, it performs binary analysis with low complexity by reducing modern instruction sets to BIL, a small, well-specified and architecture-independent language. We have implemented our approach into a system called Icefex and evaluated it over real-world implementations of DNS, eDonkey, FTP, HTTP and McAfee ePO protocols. Experimental results show that our approach is more accurate and effective at extracting protocol formats than other approaches.

Development of Control and Analysis Software for Electronic Warfare Test System Using Reverse Engineering of Network Protocol (프로토콜 역설계를 이용한 전자전시험장비 제어 및 신호분석 소프트웨어 개발)

  • Jung, In-Hwa
    • Journal of the Korea Institute of Military Science and Technology / v.11 no.3 / pp.58-66 / 2008
  • In this paper, we have proposed a method and procedure which can find out the unknown network protocol. Although it seems to be difficult to identify the protocol, we can find out the rule in the packet according to the method we have proposed. We have to recognize functions of the system and make the list of events first. Then we capture the network packets whenever an event occurs. The captured packets are examined by means of the method that is finding repeated parts, changed parts according to the input value, fixed parts and changed parts according to regular rules. Finally we make the test program to verify the protocol. We applied this method and procedure to upgrade Electronic Warfare Test System which is operated by ADD. We have briefly described the redesign of control and analysis software for Electronic Warfare Test System.

A Study on the Inference of Detailed Protocol Structure in Protocol Reverse Engineering (상세한 프로토콜 구조를 추론하는 프로토콜 리버스 엔지니어링 방법에 대한 연구)

  • Chae, Byeong-Min;Moon, Ho-Won;Goo, Young-Hoon;Shim, Kyu-Seok;Lee, Min-Seob;Kim, Myung-Sup
    • KNOM Review / v.22 no.1 / pp.42-51 / 2019
  • Recently, the amount of internet traffic is increasing due to the increase in speed and capacity of the network environment, and protocol data is increasing due to mobile, IoT, application, and malicious behavior. Most of these private protocols are unknown in structure. For efficient network management and security, analysis of the structure of private protocols must be performed. Many protocol reverse engineering methodologies have been proposed for this purpose, but there are disadvantages to applying them. In this paper, we propose a methodology for inferring a detailed protocol structure based on network trace analysis by hierarchically combining CSP (Contiguous Sequential Pattern) and SP (Sequential Pattern) Algorithm. The proposed methodology is designed and implemented in a way that improves the preceding study, A2PRE. We describe performance index for comparing methodologies and demonstrate the superiority of the proposed methodology through the example of HTTP, DNS protocol.

Method for Inferring Format Information of Data Field from CAN Trace (CAN 트레이스 분석을 통한 데이터 필드 형식 추론 방법 연구)

  • Ji, Cheongmin;Kim, Jimin;Hong, Manpyo
    • Journal of the Korea Institute of Information Security & Cryptology / v.28 no.1 / pp.167-177 / 2018
  • As the number of attacks on vehicles has increased, studies on CAN-based security technologies are actively being carried out. However, since the upper layer protocol of CAN differs for each vehicle manufacturer and model, there is great difficulty in research such as developing anomaly detection for CAN or finding vulnerabilities of ECUs. In this paper, we propose a method to infer the detailed structure of the data field of the CAN frame by analyzing CAN traces to mitigate this problem. In the existing Internet environment, much research on reverse engineering proprietary protocols has already been carried out. However, the CAN bus has a structure that makes it difficult to apply the existing protocol reverse engineering technology as it is. In this paper, we propose new field classification methods with low computation cost based on the characteristics of data in the CAN frame and the existing field classification method. The proposed methods are verified through an implementation that analyzes CAN traces generated by simulations of CAN communication and actual vehicles. They show higher accuracy of field classification with lower computational cost compared to the existing method.

Dynamic Reverse Route for On-Demand Routing Protocol in MANET

  • Zuhairi, Megat;Zafar, Haseeb;Harle, David
    • KSII Transactions on Internet and Information Systems (TIIS) / v.6 no.5 / pp.1354-1372 / 2012
  • Route establishment in Mobile Ad Hoc Network (MANET) is the key mechanism to a successful connection between a pair of source and destination nodes. An efficient routing protocol constructs a routing path with minimal time and less routing overhead, and is capable of utilizing all possible link connectivity. In general, most on-demand MANET routing protocols operate over symmetrical and bidirectional routing paths, which is infeasible due to the inherent heterogeneous properties of wireless devices. Simulation results show that the presence of unidirectional links on a network severely affects the performance of a routing protocol. In this paper, a robust protocol independent scheme is proposed, which enables immediate rediscovery of an alternative route for a path blocked by a unidirectional link. The proposed scheme is efficient; route rediscovery is locally computed, which results in significant minimization of multiple route packets flooding. Nodes may exploit route information of immediate neighbors using the local reply broadcast technique, which then redirects the control packets around the unidirectional links, therefore maintaining the end-to-end bidirectional connection. The proposed scheme along with Ad Hoc On-demand Distance Vector (AODV) and AODV-Blacklist routing protocol is investigated over three types of mobility models. Simulation results show that the proposed scheme is extremely reliable under poor network conditions and the route connectivity can be improved by as much as 75%.

Comparison of the Operational Speed of Hard-wired and IEC 61850 Standard-based Implementations of a Reverse Blocking Protection Scheme

  • Mnguni, Mkhululi Elvis Siyanda;Tzoneva, Raynitchka
    • Journal of Electrical Engineering and Technology / v.10 no.3 / pp.740-754 / 2015
  • This paper focuses on the reverse blocking busbar protection scheme with the aim to improve the speed of its operation and at the same time to increase operational reliability, flexibility and stability of the protection during external and internal faults by implementation of the extended functionality provided by the IEC 61850 standard-based protective Intelligent Electronic Devices (IEDs). The practical implementation of the scheme by the use of the IEC 61850 standard communication protocol is investigated. The proposed scheme is designed for a radial type of distribution network and is modeled and simulated in the DigSILENT software environment for various faults on the busbar and its outgoing feeders. A laboratory test bench is built using three ABB IEDs 670 series that are compliant with the IEC 61850 standard, CMC 356 Omicron test injection device, PC, MOXA switch, and a DC power supplier. Two types of the reverse blocking signals between the IEDs in the test bench are considered: hard wired and Ethernet communication by using IEC 61850 standard GOOSE messages. A comparative experimental study of the operational trip response speeds of the two implementations for various traffic conditions of the communication network shows that the performance of the protection scheme for the case of Ethernet IEC 61850 standard-based communication is better.

Facebook Protocol Inference using Reverse Engineering (역공학을 이용한 페이스북 프로토콜 추론)

  • Jung, In-Sik;Ju, Hong-Taek
    • Proceedings of the Korea Information Processing Society Conference / 2012.11a / pp.837-840 / 2012
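  • In this paper, we used packet monitoring to analyze the behavior between the Facebook server and the client application in a mobile environment, and analyzed the protocol using the Facebook Graph API. The results of the Facebook protocol analysis are intended to be used in the future for Facebook use on various platforms and for carrying out communication between a gateway server and the Facebook server.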

Smart and Secure Point of Sale Framework with Threat Modeling and Formal Verification

  • Mona faraj Nasser alwahabi;Shaik Shakeel Ahamad
    • International Journal of Computer Science & Network Security / v.24 no.6 / pp.41-48 / 2024
  • Existing PoS (Point of Sale) based payment frameworks are vulnerable as the Payment Application's integrity in the smart phone and PoS are compromised, vulnerable to reverse engineering attacks. In addition to these, existing PoS (Point of Sale) based payment frameworks do not perform point-to-point encryption and do not ensure communication security. We propose a Smart and Secure PoS (SSPoS) Framework which overcomes these attacks. Our proposed SSPoS framework ensures point-to-point encryption (P2PE), Application hardening and Application wrapping. SSPoS framework overcomes repackaging attacks. SSPoS framework has very little communication and computation cost. SSPoS framework also addresses Heartbleed vulnerability. SSPoS protocol is successfully verified using Burrows-Abadi-Needham (BAN) logic, so it ensures all the security properties. SSPoS is threat modeled and implemented successfully.