Inferring Protocol State Machine From Real-World Trace

Date Added: Jul 2010
Format: PDF

Application-level protocol specifications are helpful for network security management, including intrusion detection, intrusion prevention and detecting malicious code. However, current methods for obtaining unknown protocol specifications rely heavily on manual operations, such as reverse engineering. This paper provides a novel insight into inferring a protocol state machine from real-world traces of an application. The chief feature of the authors' method is that it requires no a priori knowledge of the protocol format; their technique is instead based on the statistical nature of protocol specifications. They evaluate their approach on both text and binary protocols, and their experimental results demonstrate that the proposed method performs well in practice.