CLC number: TP309.2
On-line Access: 2022-03-22
Received: 2020-12-19
Revision Accepted: 2022-04-22
Crosschecked: 2021-04-15
Cited: 0
Clicked: 6579
Citations: Bibtex RefMan EndNote GB/T7714
Rongkuan MA, Hao ZHENG, Jingyi WANG, Mufeng WANG, Qiang WEI, Qiang WEI. Automatic protocol reverse engineering for industrial control systems with dynamic taint analysis[J]. Frontiers of Information Technology & Electronic Engineering, 2022, 23(3): 351-360.
@article{title="Automatic protocol reverse engineering for industrial control systems with dynamic taint analysis",
author="Rongkuan MA, Hao ZHENG, Jingyi WANG, Mufeng WANG, Qiang WEI, Qiang WEI",
journal="Frontiers of Information Technology & Electronic Engineering",
volume="23",
number="3",
pages="351-360",
year="2022",
publisher="Zhejiang University Press & Springer",
doi="10.1631/FITEE.2000709"
}
%0 Journal Article
%T Automatic protocol reverse engineering for industrial control systems with dynamic taint analysis
%A Rongkuan MA
%A Hao ZHENG
%A Jingyi WANG
%A Mufeng WANG
%A Qiang WEI
%A Qiang WEI
%J Frontiers of Information Technology & Electronic Engineering
%V 23
%N 3
%P 351-360
%@ 2095-9184
%D 2022
%I Zhejiang University Press & Springer
%DOI 10.1631/FITEE.2000709
TY - JOUR
T1 - Automatic protocol reverse engineering for industrial control systems with dynamic taint analysis
A1 - Rongkuan MA
A1 - Hao ZHENG
A1 - Jingyi WANG
A1 - Mufeng WANG
A1 - Qiang WEI
A1 - Qiang WEI
J0 - Frontiers of Information Technology & Electronic Engineering
VL - 23
IS - 3
SP - 351
EP - 360
%@ 2095-9184
Y1 - 2022
PB - Zhejiang University Press & Springer
ER -
DOI - 10.1631/FITEE.2000709
Abstract: Proprietary (or semi-proprietary) protocols are widely adopted in industrial control systems (ICSs). Inferring protocol format by reverse engineering is important for many network security applications, e.g., program tests and intrusion detection. Conventional protocol reverse engineering methods have been proposed which are considered time-consuming, tedious, and error-prone. Recently, automatical protocol reverse engineering methods have been proposed which are, however, neither effective in handling binary-based ICS protocols based on network traffic analysis nor accurate in extracting protocol fields from protocol implementations. In this paper, we present a framework called the industrial control system protocol reverse engineering framework (ICSPRF) that aims to extract ICS protocol fields with high accuracy. ICSPRF is based on the key insight that an individual field in a message is typically handled in the same execution context, e.g., basic block (BBL) group. As a result, by monitoring program execution, we can collect the tainted data information processed in every BBL group in the execution trace and cluster it to derive the protocol format. We evaluate our approach with six open-source ICS protocol implementations. The results show that ICSPRF can identify individual protocol fields with high accuracy (on average a 94.3% match ratio). ICSPRF also has a low coarse-grained and overly fine-grained match ratio. For the same metric, ICSPRF is more accurate than AutoFormat (88.5% for all evaluated protocols and 80.0% for binary-based protocols).
Open peer comments: Debate/Discuss/Question/Opinion
<1>