Full Text:   <12216>

Summary:  <657>

Suppl. Mater.: 

CLC number: TP309.2

On-line Access: 2024-08-27

Received: 2023-10-17

Revision Accepted: 2024-05-08

Crosschecked: 2021-04-15

Cited: 0

Clicked: 6852

Citations:  Bibtex RefMan EndNote GB/T7714

 ORCID:

Rongkuan MA

https://orcid.org/0000-0002-4791-6847

Qiang WEI

https://orcid.org/0000-0002-7207-6691

-   Go to

Article info.
Open peer comments

Frontiers of Information Technology & Electronic Engineering  2022 Vol.23 No.3 P.351-360

http://doi.org/10.1631/FITEE.2000709


Automatic protocol reverse engineering for industrial control systems with dynamic taint analysis


Author(s):  Rongkuan MA, Hao ZHENG, Jingyi WANG, Mufeng WANG, Qiang WEI, Qiang WEI

Affiliation(s):  State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China; more

Corresponding email(s):   rongkuan233@gmail.com, zjuzhenghao@gmail.com, wangjyee@gmail.com, csewmf@zju.edu.cn, weiqiang66@126.com, wangqingxian2015@163.com

Key Words:  Industrial control system (ICS), ICS protocol reverse engineering, Dynamic taint analysis, Protocol format


Share this article to: More |Next Article >>>

Rongkuan MA, Hao ZHENG, Jingyi WANG, Mufeng WANG, Qiang WEI, Qiang WEI. Automatic protocol reverse engineering for industrial control systems with dynamic taint analysis[J]. Frontiers of Information Technology & Electronic Engineering, 2022, 23(3): 351-360.

@article{title="Automatic protocol reverse engineering for industrial control systems with dynamic taint analysis",
author="Rongkuan MA, Hao ZHENG, Jingyi WANG, Mufeng WANG, Qiang WEI, Qiang WEI",
journal="Frontiers of Information Technology & Electronic Engineering",
volume="23",
number="3",
pages="351-360",
year="2022",
publisher="Zhejiang University Press & Springer",
doi="10.1631/FITEE.2000709"
}

%0 Journal Article
%T Automatic protocol reverse engineering for industrial control systems with dynamic taint analysis
%A Rongkuan MA
%A Hao ZHENG
%A Jingyi WANG
%A Mufeng WANG
%A Qiang WEI
%A Qiang WEI
%J Frontiers of Information Technology & Electronic Engineering
%V 23
%N 3
%P 351-360
%@ 2095-9184
%D 2022
%I Zhejiang University Press & Springer
%DOI 10.1631/FITEE.2000709

TY - JOUR
T1 - Automatic protocol reverse engineering for industrial control systems with dynamic taint analysis
A1 - Rongkuan MA
A1 - Hao ZHENG
A1 - Jingyi WANG
A1 - Mufeng WANG
A1 - Qiang WEI
A1 - Qiang WEI
J0 - Frontiers of Information Technology & Electronic Engineering
VL - 23
IS - 3
SP - 351
EP - 360
%@ 2095-9184
Y1 - 2022
PB - Zhejiang University Press & Springer
ER -
DOI - 10.1631/FITEE.2000709


Abstract: 
Proprietary (or semi-proprietary) protocols are widely adopted in industrial control systems (ICSs). Inferring protocol format by reverse engineering is important for many network security applications, e.g., program tests and intrusion detection. Conventional protocol reverse engineering methods have been proposed which are considered time-consuming, tedious, and error-prone. Recently, automatical protocol reverse engineering methods have been proposed which are, however, neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations. In this paper, we present a framework called the industrial control system protocol reverse engineering framework (ICSPRF) that aims to extract ICS protocol fields with high accuracy. ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context, e.g., basic block (BBL) group. As a result, by monitoring program execution, we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format. We evaluate our approach with six open-source ICS protocol implementations. The results show that ICSPRF can identify individual protocol fields with high accuracy (on average a 94.3% match ratio). ICSPRF also has a low coarse-grained and overly fine-grained match ratio. For the same metric, ICSPRF is more accurate than AutoFormat (88.5% for all evaluated protocols and 80.0% for binary-based protocols).

基于动态污点分析的工业控制系统协议自动逆向工程分析

麻荣宽1,郑豪2,王竟亦2,汪慕峰2,魏强1,王清贤1
1数学工程与先进计算国家重点实验室,中国郑州市,450001
2浙江大学NGICS平台,中国杭州市,310000
摘要:私有(或半私有)协议广泛应用于工业控制系统(ICS)。通过逆向工程推断协议格式对于许多网络安全应用(例如程序测试和入侵检测)具有重要意义。传统协议逆向工程方法耗时,繁琐、易出错。最近提出的自动化逆向协议方法既不能有效处理基于网络流量分析的二进制ICS协议,也不能从协议程序实现中准确提取协议字段。本文提出一个工业控制系统协议逆向工程框架(ICSPRF),旨在以更高准确度提取ICS协议字段。ICSPRF基于以下关键见解架构:消息中单个字段通常在同一执行上下文中处理,例如基本块(BBL)组。通过监视程序的执行,ICSPRF可以在执行跟踪中收集每个BBL组中处理的污染数据信息,并将它们聚类以得出协议格式。用6个开源ICS协议实现评估所提方法。结果表明,ICSPRF可以高精度地识别各个协议字段(平均匹配率为94.3%)。ICSPRF还具有较低粗粒度匹配率和过细粒度匹配率。对于同一指标,ICSPRF比Autoformat更准确(后者对于所有评估协议匹配率为88.5%,对二进制协议匹配率为80.0%)。

关键词:工业控制系统(ICS);ICS协议逆向工程;动态污点分析;协议格式

Darkslateblue:Affiliate; Royal Blue:Author; Turquoise:Article

Open peer comments: Debate/Discuss/Question/Opinion

<1>

Please provide your name, email address and a comment





Journal of Zhejiang University-SCIENCE, 38 Zheda Road, Hangzhou 310027, China
Tel: +86-571-87952783; E-mail: cjzhang@zju.edu.cn
Copyright © 2000 - 2024 Journal of Zhejiang University-SCIENCE