TY - JOUR
T1 - FineBID: Fine-grained Protocol Reverse Engineering for Bit-level Field IDentification
AU - Huang, Tao
AU - Gao, Yansong
AU - Zheng, Yifeng
AU - Wang, Zhanfeng
AU - Hu, Chao
AU - Fu, Anmin
N1 - Publisher Copyright:
© 2004-2012 IEEE.
PY - 2024/12
Y1 - 2024/12
N2 - Protocol Reverse Engineering (PRE) serves as the foundation for numerous security analysis techniques, such as vulnerability mining and intrusion detection. The precision of PRE analysis can directly affect the accuracy of these downstream techniques. Network-trace-based PRE has become the mainstream PRE technique owing to its ease of implementation. However, without the prerequisite of additional dedicated devices or information, existing network-trace-based PRE methods often achieve analysis precision only at the byte or half-byte level, not at the fine-grained bit level, which makes it increasingly challenging to meet the precision requirements of those downstream security applications. In this work, we propose a fine-grained PRE scheme, named FineBID, which refines the identification capability of existing network-trace-based PRE methods to bit-level fields. FineBID follows the global characteristics of protocol fields and constructively models the bit-level field identification problem as a multi-objective decision model, which effectively overcomes the insufficient representativeness of bit-level fields' local characteristics. Then, the multi-objective decision model is solved to obtain the Pareto solution set for different field segmentation levels, and the utility value per bit is further computed. The utility value can be used as the immediate indicator to determine whether each bit is a field boundary or not. Meanwhile, we propose an Actual Ground Truth that is more in line with the actual usage of each bit. With extensive experiments on Internet, wireless, and industrial protocols, we affirm that FineBID can not only significantly reduce the search space for Ground Truth or Actual Ground Truth, with a space reduction of 95.3% compared to exhaustive search, but also identify Ground Truth or Actual Ground Truth more accurately than other similar methods.
KW - bit-level
KW - field identification
KW - fine-grained
KW - global characteristic
KW - Protocol reverse engineering
UR - http://www.scopus.com/inward/record.url?scp=85213450049&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2024.3521592
DO - 10.1109/TDSC.2024.3521592
M3 - Journal article
AN - SCOPUS:85213450049
SN - 1545-5971
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
ER -