IPART: an automatic protocol reverse engineering tool based on global voting expert for industrial protocols. Issue 3 (3rd May 2020)
- Record Type:
- Journal Article
- Title:
- IPART: an automatic protocol reverse engineering tool based on global voting expert for industrial protocols. Issue 3 (3rd May 2020)
- Main Title:
- IPART: an automatic protocol reverse engineering tool based on global voting expert for industrial protocols
- Authors:
- Wang, Xiaowei
Lv, Kezhi
Li, Bo
- Abstract:
- ABSTRACT: The industrial control system is an important part of many critical infrastructures and has a big influence on their security. With the rapid development of the industrial control system, there has been a significant increase in the use of computer networks by industrial control systems, which has brought many security issues. Protocol security is one of the most important of these. Many industrial protocols are unknown, which prevents firewalls from parsing and analysing network traffic and thus poses a big challenge for intrusion detection, deep packet inspection and traffic management. One method to solve the problem is protocol reverse engineering. However, previous works are mainly for traditional network protocols and are not very suitable for reversing industrial protocols. To address this problem, we propose IPART, an unsupervised tool for automatically reversing the format of an industrial protocol from a network trace. IPART applies an extended voting expert algorithm to infer the boundaries of industrial protocol fields. The types of these fields are derived by statistical methods. It then classifies messages into sub-clusters by their field types and infers the format of each sub-cluster. Finally, IPART combines all results and obtains the format tree of the protocol. We evaluate our work on three industrial protocols: Modbus, IEC104 and Ethernet/IP. Compared with some state-of-the-art approaches (LDA model, Voting Expert, Netzob), our tool shows better performance. IPART reverses industrial protocols in three main stages. The tool first splits raw packets into tokens and infers the fields of the protocol, both field properties (offset, length, etc.) and semantics (length, transaction id, etc.). It then assigns messages belonging to the same format to a cluster, and each cluster approximates a format. Finally, the tool combines all formats and obtains the protocol format tree.
GRAPHICAL ABSTRACT: …
- Is Part Of:
- International journal of parallel, emergent and distributed systems. Volume 35:Issue 3(2020)
- Journal:
- International journal of parallel, emergent and distributed systems
- Issue:
- Volume 35:Issue 3(2020)
- Issue Display:
- Volume 35, Issue 3 (2020)
- Year:
- 2020
- Volume:
- 35
- Issue:
- 3
- Issue Sort Value:
- 2020-0035-0003-0000
- Page Start:
- 376
- Page End:
- 395
- Publication Date:
- 2020-05-03
- Subjects:
- Security of critical infrastructures -- industrial control system -- industrial protocols -- protocol reverse engineering -- global voting experts
Parallel computers -- Periodicals
Electronic data processing -- Distributed processing -- Periodicals
Computer algorithms -- Periodicals
004.35
- Journal URLs:
- http://www.tandfonline.com/toc/gpaa20/current
http://www.tandfonline.com/
- DOI:
- 10.1080/17445760.2019.1655740
- Languages:
- English
- ISSNs:
- 1744-5760
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 4542.441300
British Library DSC - BLDSS-3PM
British Library STI - ELD Digital store
- Ingest File:
- 13645.xml