• Title/Abstract/Keywords: protocol reverse engineering

15 results, processing time 0.025 s

Two-Pathway Model for Enhancement of Protocol Reverse Engineering

  • Goo, Young-Hoon; Shim, Kyu-Seok; Baek, Ui-Jun; Kim, Myung-Sup
    • KSII Transactions on Internet and Information Systems (TIIS) / Vol. 14, No. 11 / pp. 4310-4330 / 2020
  • With the continuous emergence of new applications and cyberattacks and their frequent updates, the need for automatic protocol reverse engineering is gaining recognition. Although several methods for automatic protocol reverse engineering have been proposed, each method still faces major limitations in extracting clear specifications and in its universal application. In order to overcome such limitations, we propose an automatic protocol reverse engineering method using a two-pathway model based on a contiguous sequential pattern (CSP) algorithm. By using this model, the method can infer both command-oriented protocols and non-command-oriented protocols clearly and in detail. The proposed method infers all the key elements of the protocol, which are syntax, semantics, and finite state machine (FSM), and extracts clear syntax by defining fine-grained field types and three types of format: field format, message format, and flow format. We evaluated the efficacy of the proposed method over two non-command-oriented protocols and three command-oriented protocols: the former are HTTP and DNS, and the latter are FTP, SMTP, and POP3. The experimental results show that this method can reverse engineer with high coverage and correctness rates, more than 98.5% and 99.1% respectively, and be general for both command-oriented and non-command-oriented protocols.

A Comparative Study of Feature Extraction Algorithm for unKnown Protocol Classification (비공개 프로토콜 분류를 위한 특징 추출 알고리즘 비교 연구)

  • 정영규; 정창민
    • 한국인터넷방송통신학회논문지 (The Journal of The Institute of Internet, Broadcasting and Communication) / Vol. 19, No. 5 / pp. 251-255 / 2019
  • Protocol reverse engineering extracts the specification of an unknown protocol, but there is usually no standardized way to do so, and in most cases the specification is analyzed manually or semi-automatically. If the protocol on which an unknown protocol is based can be identified, the specification can be analyzed using it, making automated and accurate analysis possible. Feature extraction is one of the most important steps in classifying protocols that were not seen during training. In this paper, we propose several feature extraction algorithms to build a high-performance classifier for protocols derived by modifying existing protocols, and propose a feature extraction algorithm that is robust to changes in protocol form. For performance verification, training was carried out on eight public protocols and performance was measured on modified versions of those protocols.

Icefex: Protocol Format Extraction from IL-based Concolic Execution

  • Pan, Fan; Wu, Li-Fa; Hong, Zheng; Li, Hua-Bo; Lai, Hai-Guang; Zheng, Chen-Hui
    • KSII Transactions on Internet and Information Systems (TIIS) / Vol. 7, No. 3 / pp. 576-599 / 2013
  • Protocol reverse engineering is useful for many security applications, including intelligent fuzzing, intrusion detection and fingerprint generation. Since manual reverse engineering is a time-consuming and tedious process, a number of automatic techniques have been proposed. However, the accuracy of these techniques is limited due to the complexity of binary instructions, and the derived formats have missed constraints that are critical for security applications. In this paper, we propose a new approach for protocol format extraction. Our approach reasons about only the evaluation behavior of a program on the input message from concolic execution, and enables field identification and constraint inference with high accuracy. Moreover, it performs binary analysis with low complexity by reducing modern instruction sets to BIL, a small, well-specified and architecture-independent language. We have implemented our approach into a system called Icefex and evaluated it over real-world implementations of DNS, eDonkey, FTP, HTTP and McAfee ePO protocols. Experimental results show that our approach is more accurate and effective at extracting protocol formats than other approaches.

Development of Control and Analysis Software for Electronic Warfare Test System Using Reverse Engineering of Network Protocol (프로토콜 역설계를 이용한 전자전시험장비 제어 및 신호분석 소프트웨어 개발)

  • 정인화
    • 한국군사과학기술학회지 (Journal of the Korea Institute of Military Science and Technology) / Vol. 11, No. 3 / pp. 58-66 / 2008
  • In this paper, we have proposed a method and procedure which can find out an unknown network protocol. Although it seems difficult to identify the protocol, we can find out the rules in the packets according to the method we have proposed. We first have to recognize the functions of the system and make a list of events. Then we capture the network packets whenever an event occurs. The captured packets are examined by finding repeated parts, parts that change according to the input value, fixed parts, and parts that change according to regular rules. Finally we write a test program to verify the protocol. We applied this method and procedure to upgrade the Electronic Warfare Test System operated by ADD. We have briefly described the redesign of the control and analysis software for the Electronic Warfare Test System.
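The comparison step of the procedure above (trigger an event with known input values, capture the packet each time, compare the captures) can be mechanized. The following is an added example and not the paper's code: it classifies each byte offset of the captured messages as fixed, counter (changes by a regular rule), input-dependent (equal to the operator's input under some integer encoding) or variable. The captures, the hypothetical message layout (2-byte magic, 1-byte sequence number, 2-byte command id, 2-byte little-endian parameter, 1 padding byte) and the set of candidate encodings are all assumptions made for the example.

```python
"""Event-driven differential analysis of captured control messages.

Added example, not the paper's code. Each capture pairs the input value the
operator entered with the message observed on the wire for that event.
The layout of the constructed messages is hypothetical.
"""
import struct
from typing import Dict, List, Tuple

# Constructed captures: (input value typed by the operator, message seen on the wire)
CAPTURES: List[Tuple[int, bytes]] = [
    (1000, bytes.fromhex("55aa 01 0102 e803 00")),
    (2000, bytes.fromhex("55aa 02 0102 d007 00")),
    (3500, bytes.fromhex("55aa 03 0102 ac0d 00")),
    (4000, bytes.fromhex("55aa 04 0102 a00f 00")),
]

# Candidate encodings of the input value, as struct format strings (assumed set).
ENCODINGS: Dict[str, str] = {
    "u8": "B", "u16le": "<H", "u16be": ">H", "u32le": "<I", "u32be": ">I",
}


def classify_bytes(captures: List[Tuple[int, bytes]]) -> Dict[int, str]:
    """Per-offset class derived from the column of bytes at that offset."""
    msgs = [m for _, m in captures]
    length = len(msgs[0])
    assert all(len(m) == length for m in msgs), "example assumes fixed-length messages"
    classes: Dict[int, str] = {}
    for off in range(length):
        column = [m[off] for m in msgs]
        steps = {(b - a) % 256 for a, b in zip(column, column[1:])}
        if len(set(column)) == 1:
            classes[off] = "fixed"
        elif len(steps) == 1:                # same step on every event: a counter
            classes[off] = "counter(+%d)" % steps.pop()
        else:
            classes[off] = "variable"
    return classes


def input_dependent_fields(captures: List[Tuple[int, bytes]]) -> Dict[int, str]:
    """{offset: encoding} for byte ranges equal to the event's input value,
    under the same encoding, in every capture."""
    length = len(captures[0][1])
    found: Dict[int, str] = {}
    for name, fmt in ENCODINGS.items():
        size = struct.calcsize(fmt)
        for off in range(length - size + 1):
            try:
                if all(msg[off:off + size] == struct.pack(fmt, value)
                       for value, msg in captures):
                    found[off] = name
            except struct.error:             # an input value does not fit this width
                break
    return found


def infer_format(captures: List[Tuple[int, bytes]]) -> List[Tuple[int, int, str]]:
    """Field list (offset, length, class). Adjacent bytes of one class are merged;
    input-dependent ranges override the per-byte class of the bytes they cover."""
    classes = classify_bytes(captures)
    for off, enc in input_dependent_fields(captures).items():
        for i in range(struct.calcsize(ENCODINGS[enc])):
            classes[off + i] = "input(%s)" % enc
    length = len(captures[0][1])
    fields, start = [], 0
    for off in range(1, length + 1):
        if off == length or classes[off] != classes[start]:
            fields.append((start, off - start, classes[start]))
            start = off
    return fields


if __name__ == "__main__":
    for offset, size, kind in infer_format(CAPTURES):
        print("offset %d  len %d  %s" % (offset, size, kind))
```

The input-dependent search only recognizes integer encodings that appear verbatim; scaled or offset parameters (value*10, value-1) need the candidate list extended with the transformation, and two adjacent input fields of the same encoding would be merged into one by the run-merging step.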

A Study on the Inference of Detailed Protocol Structure in Protocol Reverse Engineering (상세한 프로토콜 구조를 추론하는 프로토콜 리버스 엔지니어링 방법에 대한 연구)

  • 채병민; 문호원; 구영훈; 심규석; 이민섭; 김명섭
    • KNOM Review / Vol. 22, No. 1 / pp. 42-51 / 2019
  • Internet traffic volume has been growing with faster, higher-capacity networks, and the amount of unknown (proprietary) protocol data is increasing due to mobile and IoT environments, the steadily growing number of applications, and malicious activity. The structure of most of these unknown protocols is completely unknown. For efficient network management and security, structural analysis of unknown protocols must come first. Many protocol reverse engineering methodologies have been proposed for this purpose, but each has its own drawbacks when applied. In this paper, we propose a methodology that infers a detailed protocol structure from network trace analysis by hierarchically combining the CSP (Contiguous Sequential Pattern) and SP (Sequential Pattern) algorithms. The proposed methodology is designed and implemented as an improvement on our earlier work A2PRE; we define performance metrics for comparison with other methodologies and demonstrate the superiority of the proposed methodology using the HTTP and DNS protocols as examples.
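Both this paper and the Two-Pathway paper by Goo et al. above build their format inference on contiguous sequential patterns mined from a trace. The following is an added example, not the code of either paper and not their CSP algorithm: it mines closed frequent contiguous byte patterns from a constructed FTP-style trace in the simplest possible way (every substring of a minimum length, one vote per message, closed under containment), takes the common terminator and the mined patterns as keyword fields, and reports the distinct message formats. The trace, the minimum support and the minimum pattern length are assumptions.

```python
"""Trace-based format inference for a text, command-oriented protocol.

Added example, not the papers' implementation. Mines closed frequent
contiguous patterns from captured messages and segments each message into
keyword and variable fields. The FTP-style trace is constructed.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed trace: client commands as seen on an FTP control connection.
# Arguments are chosen so that only the real keywords recur across messages.
TRACE: List[bytes] = [
    b"USER alice\r\n",
    b"PASS hunter2\r\n",
    b"RETR report.pdf\r\n",
    b"QUIT\r\n",
    b"USER bob\r\n",
    b"PASS s3cret\r\n",
    b"RETR notes.txt\r\n",
    b"QUIT\r\n",
]


def common_suffix(messages: List[bytes]) -> bytes:
    """Longest byte string every message ends with (the message terminator)."""
    suffix = messages[0]
    for m in messages[1:]:
        while not m.endswith(suffix):
            suffix = suffix[1:]
    return suffix


def mine_csp(messages: List[bytes], min_support: int, min_len: int = 3) -> Dict[bytes, int]:
    """Closed frequent contiguous patterns: every byte string of length
    >= min_len that occurs in at least min_support distinct messages, minus
    those contained in a longer pattern with identical support."""
    counts: Counter = Counter()
    for msg in messages:
        substrings = {msg[i:j] for i in range(len(msg))
                      for j in range(i + min_len, len(msg) + 1)}
        counts.update(substrings)            # one vote per message, not per occurrence
    frequent = {p: c for p, c in counts.items() if c >= min_support}
    return {p: c for p, c in frequent.items()
            if not any(p != q and p in q and frequent[q] == c for q in frequent)}


def segment(msg: bytes, keywords: Dict[bytes, int]) -> List[Tuple[str, bytes]]:
    """Left-to-right segmentation: the longest keyword starting at the current
    offset becomes a keyword field; bytes matched by no keyword form a variable field."""
    tokens: List[Tuple[str, bytes]] = []
    i, var_start = 0, None
    while i < len(msg):
        hits = [k for k in keywords if msg.startswith(k, i)]
        if not hits:
            var_start = i if var_start is None else var_start
            i += 1
            continue
        if var_start is not None:
            tokens.append(("variable", msg[var_start:i]))
            var_start = None
        kw = max(hits, key=len)
        tokens.append(("keyword", kw))
        i += len(kw)
    if var_start is not None:
        tokens.append(("variable", msg[var_start:]))
    return tokens


def infer_formats(messages: List[bytes], min_support: int = 2) -> List[Tuple[str, ...]]:
    """Distinct message formats in order of first appearance, written as tuples
    of keyword literals with 'VAR' standing for a variable field."""
    term = common_suffix(messages)
    bodies = [m[:-len(term)] if term else m for m in messages]
    keywords = mine_csp(bodies, min_support)
    if term:
        keywords[term] = len(messages)
    formats: List[Tuple[str, ...]] = []
    for msg in messages:
        fmt = tuple(kw.decode("latin-1") if kind == "keyword" else "VAR"
                    for kind, kw in segment(msg, keywords))
        if fmt not in formats:
            formats.append(fmt)
    return formats


if __name__ == "__main__":
    for fmt in infer_formats(TRACE):
        print(repr(fmt))
```

Mining is quadratic in message length and is only practical on short messages or after clustering; with a lower minimum length or noisier arguments, substrings shared by unrelated payloads (a bigram that happens to occur in two user names) surface as false keywords, which is exactly the kind of coarse result that the papers' fine-grained field types and hierarchical CSP/SP combination are designed to avoid.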

Method for Inferring Format Information of Data Field from CAN Trace (CAN 트레이스 분석을 통한 데이터 필드 형식 추론 방법 연구)

  • 지청민; 김지민; 홍만표
    • 정보보호학회논문지 (Journal of the Korea Institute of Information Security & Cryptology) / Vol. 28, No. 1 / pp. 167-177 / 2018
  • As attacks on vehicles have increased, research on CAN-based security technology is being pursued actively. However, since the protocols layered above CAN differ by vehicle manufacturer and model, research on anomaly detection or on finding vulnerabilities in ECUs faces great difficulty. To mitigate this problem, this paper proposes a method that infers the detailed structure of the data field region through analysis of CAN traces. Many protocol reverse engineering studies already exist for the Internet environment, but the CAN bus has a structure to which existing protocol reverse engineering techniques are hard to apply directly. This paper proposes a low-computation-cost field-splitting method that uses the characteristics of the data within CAN frames, and a new inference method that uses an existing method for classifying the fields within the CAN data field. The proposed approach is validated on CAN traces from a real vehicle and on simulated CAN traces, and produces field structure inference results with higher accuracy at lower computation cost than the existing approach.
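CAN signals are bit-packed, so the field boundaries have to be found at bit rather than byte granularity. The following is an added example and not the paper's method: for the frames of one arbitration ID it counts how often each payload bit flips between consecutive frames, starts a new field wherever the monotonic flip pattern of an integer (rarely-flipping MSB, frequently-flipping LSB) breaks or a constant run starts or ends, and then labels each field constant, counter or variable from the values it carries. The trace and its layout (a 16-bit big-endian sensor in bytes 0-1, a constant byte, a 4-bit counter in the high nibble of byte 3, a constant low nibble, zero padding) are constructed for the example.

```python
"""Bit-level field inference for one CAN ID from a trace.

Added example, not the paper's method. Bits are numbered MSB-first from
byte 0 (DBC big-endian style). The trace is constructed; the layout it
follows is hypothetical.
"""
from typing import List, Tuple

NUM_FRAMES = 24


def build_trace() -> List[bytes]:
    """Constructed 8-byte payloads for one arbitration ID."""
    frames = []
    for k in range(NUM_FRAMES):
        sensor = 1000 + (2 * k) // 3          # slow ramp that pauses every third frame
        counter = k & 0xF                      # 4-bit rolling counter
        frames.append(bytes([sensor >> 8, sensor & 0xFF, 0x5A,
                             (counter << 4) | 0x3, 0, 0, 0, 0]))
    return frames


TRACE: List[bytes] = build_trace()


def bit(payload: bytes, b: int) -> int:
    """Bit b of the payload, MSB-first from byte 0."""
    return (payload[b // 8] >> (7 - b % 8)) & 1


def flip_counts(frames: List[bytes]) -> List[int]:
    """How many times each payload bit changes between consecutive frames."""
    nbits = 8 * len(frames[0])
    counts = [0] * nbits
    for prev, cur in zip(frames, frames[1:]):
        for b in range(nbits):
            if bit(prev, b) != bit(cur, b):
                counts[b] += 1
    return counts


def split_fields(counts: List[int]) -> List[Tuple[int, int]]:
    """(start_bit, width) runs. Within one integer that moves in small steps the
    flip count never decreases going MSB->LSB, so a decrease starts a new field;
    so does any change between constant (count 0) and varying bits."""
    fields, start = [], 0
    for b in range(1, len(counts)):
        boundary = (counts[b] == 0) != (counts[b - 1] == 0) or counts[b] < counts[b - 1]
        if boundary:
            fields.append((start, b - start))
            start = b
    fields.append((start, len(counts) - start))
    return fields


def field_value(payload: bytes, start: int, width: int) -> int:
    value = 0
    for b in range(start, start + width):
        value = (value << 1) | bit(payload, b)
    return value


def label(frames: List[bytes], start: int, width: int) -> str:
    """constant: one value; counter: same non-zero step modulo 2^width each frame;
    variable: everything else (sensor data, checksums, flags)."""
    values = [field_value(f, start, width) for f in frames]
    if len(set(values)) == 1:
        return "constant"
    steps = {(b - a) % (1 << width) for a, b in zip(values, values[1:])}
    if len(steps) == 1:
        return "counter"
    return "variable"


def infer_fields(frames: List[bytes]) -> List[Tuple[int, int, str]]:
    """(start_bit, width, label) for every inferred field of the ID."""
    counts = flip_counts(frames)
    return [(s, w, label(frames, s, w)) for s, w in split_fields(counts)]


if __name__ == "__main__":
    for start, width, kind in infer_fields(TRACE):
        print("bits %2d..%2d (%2d)  %s" % (start, start + width - 1, width, kind))
```

On this trace the inferred sensor field is only the five low bits of the 16-bit value, because the ramp never touches the upper bits and a bit that never flips is indistinguishable from padding; the constant low nibble of byte 3 is likewise merged with the zero bytes after it. Recovering the declared width of such signals needs either a longer trace that exercises the full range or the additional value-based field classification the paper combines with its splitting step.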

Dynamic Reverse Route for On-Demand Routing Protocol in MANET

  • Zuhairi, Megat; Zafar, Haseeb; Harle, David
    • KSII Transactions on Internet and Information Systems (TIIS) / Vol. 6, No. 5 / pp. 1354-1372 / 2012
  • Route establishment in a Mobile Ad Hoc Network (MANET) is the key mechanism for a successful connection between a pair of source and destination nodes. An efficient routing protocol constructs the routing path with minimal time and less routing overhead, and is capable of utilizing all possible link connectivity. In general, most on-demand MANET routing protocols operate over symmetrical and bidirectional routing paths, which is infeasible due to the inherent heterogeneous properties of wireless devices. Simulation results show that the presence of unidirectional links in a network severely affects the performance of a routing protocol. In this paper, a robust protocol-independent scheme is proposed, which enables immediate rediscovery of an alternative route for a path blocked by a unidirectional link. The proposed scheme is efficient; route rediscovery is locally computed, which results in significant minimization of multiple route packet flooding. Nodes may exploit route information of immediate neighbors using the local reply broadcast technique, which then redirects the control packets around the unidirectional links, therefore maintaining the end-to-end bidirectional connection. The proposed scheme, along with the Ad Hoc On-demand Distance Vector (AODV) and AODV-Blacklist routing protocols, is investigated over three types of mobility models. Simulation results show that the proposed scheme is extremely reliable under poor network conditions and that route connectivity can be improved by as much as 75%.

Comparison of the Operational Speed of Hard-wired and IEC 61850 Standard-based Implementations of a Reverse Blocking Protection Scheme

  • Mnguni, Mkhululi Elvis Siyanda; Tzoneva, Raynitchka
    • Journal of Electrical Engineering and Technology / Vol. 10, No. 3 / pp. 740-754 / 2015
  • This paper focuses on the reverse blocking busbar protection scheme, with the aim of improving the speed of its operation and at the same time increasing the operational reliability, flexibility and stability of the protection during external and internal faults, by implementing the extended functionality provided by IEC 61850 standard-based protective Intelligent Electronic Devices (IEDs). The practical implementation of the scheme using the IEC 61850 standard communication protocol is investigated. The proposed scheme is designed for a radial type of distribution network and is modeled and simulated in the DigSILENT software environment for various faults on the busbar and its outgoing feeders. A laboratory test bench is built using three ABB 670 series IEDs that are compliant with the IEC 61850 standard, a CMC 356 Omicron test injection device, a PC, a MOXA switch, and a DC power supply. Two types of reverse blocking signals between the IEDs in the test bench are considered: hard-wired, and Ethernet communication using IEC 61850 standard GOOSE messages. A comparative experimental study of the operational trip response speeds of the two implementations under various traffic conditions of the communication network shows that the performance of the protection scheme is better in the case of Ethernet IEC 61850 standard-based communication.

Facebook Protocol Inference using Reverse Engineering (역공학을 이용한 페이스북 프로토콜 추론)

  • 정인식; 주홍택
    • 한국정보처리학회:학술대회논문집 (Korea Information Processing Society: Conference Proceedings) / 2012 Fall Conference of the Korea Information Processing Society / pp. 837-840 / 2012
  • In this paper, we use packet monitoring to analyze the interaction between the Facebook server and client applications in a mobile environment, and analyze the protocol using the Facebook Graph API. We intend to use the results of the Facebook protocol analysis for Facebook access from various platforms in the future and for implementing the communication between a gateway server and the Facebook server.

Smart and Secure Point of Sale Framework with Threat Modeling and Formal Verification

  • Mona faraj Nasser alwahabi; Shaik Shakeel Ahamad
    • International Journal of Computer Science & Network Security / Vol. 24, No. 6 / pp. 41-48 / 2024
  • Existing PoS (Point of Sale) based payment frameworks are vulnerable, as the integrity of the Payment Application on the smart phone and the PoS is compromised, and they are vulnerable to reverse engineering attacks. In addition, these existing PoS based payment frameworks do not perform point-to-point encryption and do not ensure communication security. We propose a Smart and Secure PoS (SSPoS) Framework which overcomes these attacks. Our proposed SSPoS framework ensures point-to-point encryption (P2PE), application hardening and application wrapping. The SSPoS framework overcomes repackaging attacks. The SSPoS framework has very low communication and computation cost. The SSPoS framework also addresses the Heartbleed vulnerability. The SSPoS protocol is successfully verified using Burrows-Abadi-Needham (BAN) logic, so it ensures all the security properties. SSPoS is threat modeled and implemented successfully.