Automating bit-level field localization with hybrid neural network

Protocol Reverse Engineering (PRE), which can decipher the format specifications of unknown protocols, lays the groundwork for numerous security analysis applications. Network trace-based PRE has emerged as the dominant technology given its ease of implementation. However, its current identification precision is primarily limited to byte-level granularity. While a few advanced methods can achieve precise identification of fine-grained bit-level fields within given bytes, their target byte localization relies heavily on subjective prior domain knowledge and tedious manual labor, significantly restricting their generalizability and adoption. To address these limitations, we propose BitFiL that is an automated bit-level field localization method. BitFiL features a hybrid neural network architecture delicately designed to capture both intra-byte temporal features and inter-byte contextual structural features from known protocol bytes, enabling automated bit-level field localization and consequent field count identification for unknown protocol bytes. Experimental results demonstrate that BitFiL delivers accurate localization performance for bit-level fields in byte-oriented protocols, with robustness against variations in training-validation protocol combinations and training protocol set sizes. Although limited diversity in bit-level field samples may affect the identification accuracy of field counts, the overall prediction deviations remain relatively small, showcasing high accuracy, convergence, and stability.