
How to Reverse Engineer ICS Protocols Using Pair-HMM

  • Conference paper
  • First Online:
Information and Communication Technology for Intelligent Systems

Part of the book series: Smart Innovation, Systems and Technologies ((SIST,volume 107))

Abstract

Industrial control systems (ICSs) are used to control and monitor industrial processes ranging from critical infrastructures, such as power grids and water supply, to manufacturing. However, the design of ICS emphasizes reliability and efficiency rather than security. Thus, ICS, especially the ones for critical infrastructures, become clear targets for attacks. There have been many examples of serious attacks on ICS in the past years, and the problem of protecting ICS is now a major concern. On the other hand, the network protocols of ICS are usually proprietary. Even within the same industry (e.g., elevator control), the protocol specifications are not standardized and depend on the vendor. Moreover, these specifications may not be easily accessible. This poses a challenge to the security community, as it is difficult to learn each protocol one by one and develop a generic protection scheme for ICS, even within the same industry. In this paper, we attempt to tackle this issue by proposing a reverse engineering technique that learns the protocols automatically. Technically speaking, our proposed solution is based on network traces of ICS private protocols. We cluster the source packets, represent protocols as sequences of critical packets, then use a pair-HMM to align these sequences and obtain non-redundant sequences as protocol templates. Our experiments show that these templates can effectively represent important fields and attributes of the protocols.
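To make the alignment step concrete, the following is an added illustration, not code from the paper or its authors: a minimal three-state pair-HMM (match, insert, delete) decoded with Viterbi in log space, applied to two constructed byte messages that imitate a proprietary request frame (fixed header, a varying transaction id, a varying length byte, and an optional trailer). The transition and emission probabilities, the message bytes, and the template notation ("??" for a byte that differs between the two messages, "[xx]" for a byte present in only one) are all assumptions chosen for this example; the paper's own parameters, clustering step and template format are not reproduced here.

```python
import math

# Pair-HMM parameters (assumed values for this illustration, not the paper's).
DELTA = 0.05      # probability of opening a gap: M -> X or M -> Y
EPSILON = 0.3     # probability of extending a gap: X -> X or Y -> Y
P_MATCH = 0.9     # total emission mass of identical byte pairs in state M
ALPHABET = 256    # byte alphabet

LOG_MM = math.log(1 - 2 * DELTA)       # M -> M
LOG_MX = math.log(DELTA)               # M -> X, M -> Y
LOG_XX = math.log(EPSILON)             # X -> X, Y -> Y
LOG_XM = math.log(1 - EPSILON)         # X -> M, Y -> M
LOG_GAP = math.log(1.0 / ALPHABET)     # X and Y emit one byte uniformly


def log_emit_pair(a, b):
    """State M emits a byte pair: identical pairs share P_MATCH, the rest share 1 - P_MATCH."""
    if a == b:
        return math.log(P_MATCH / ALPHABET)
    return math.log((1 - P_MATCH) / (ALPHABET * (ALPHABET - 1)))


def pair_hmm_align(s, t):
    """Viterbi decoding over states 0=M (pair), 1=X (byte of s only), 2=Y (byte of t only).
    Returns the most probable alignment as a list of (a, b) pairs, None marking a gap."""
    n, m = len(s), len(t)
    NEG = float("-inf")
    # V[k][i][j]: best log-probability of aligning s[:i] with t[:j] ending in state k
    V = [[[NEG] * (m + 1) for _ in range(n + 1)] for _ in range(3)]
    back = [[[None] * (m + 1) for _ in range(n + 1)] for _ in range(3)]
    V[0][0][0] = 0.0  # start is treated as state M
    for i in range(n + 1):
        for j in range(m + 1):
            if i == 0 and j == 0:
                continue
            if i > 0 and j > 0:  # state M consumes one byte from each message
                best, prev = max((V[0][i - 1][j - 1] + LOG_MM, 0),
                                 (V[1][i - 1][j - 1] + LOG_XM, 1),
                                 (V[2][i - 1][j - 1] + LOG_XM, 2))
                V[0][i][j] = best + log_emit_pair(s[i - 1], t[j - 1])
                back[0][i][j] = prev
            if i > 0:            # state X consumes a byte of s against a gap in t
                best, prev = max((V[0][i - 1][j] + LOG_MX, 0),
                                 (V[1][i - 1][j] + LOG_XX, 1))
                V[1][i][j] = best + LOG_GAP
                back[1][i][j] = prev
            if j > 0:            # state Y consumes a byte of t against a gap in s
                best, prev = max((V[0][i][j - 1] + LOG_MX, 0),
                                 (V[2][i][j - 1] + LOG_XX, 2))
                V[2][i][j] = best + LOG_GAP
                back[2][i][j] = prev
    # Trace back from the best final state to recover the alignment.
    k = max(range(3), key=lambda q: V[q][n][m])
    i, j, pairs = n, m, []
    while i > 0 or j > 0:
        prev = back[k][i][j]
        if k == 0:
            pairs.append((s[i - 1], t[j - 1])); i -= 1; j -= 1
        elif k == 1:
            pairs.append((s[i - 1], None)); i -= 1
        else:
            pairs.append((None, t[j - 1])); j -= 1
        k = prev
    pairs.reverse()
    return pairs


def build_template(pairs):
    """Collapse an alignment into a template string: shared bytes stay literal,
    differing bytes become '??', bytes present in only one message become '[xx]'."""
    out = []
    for a, b in pairs:
        if a is not None and b is not None:
            out.append(f"{a:02x}" if a == b else "??")
        else:
            out.append(f"[{(a if a is not None else b):02x}]")
    return " ".join(out)


def template_from_messages(msg_a, msg_b):
    return build_template(pair_hmm_align(msg_a, msg_b))


# Constructed sample frames (not captured from any real device or protocol):
# header 5a a5, 2-byte transaction id, function byte, length byte, payload, optional trailer.
MSG_A = bytes.fromhex("5aa5" "0001" "03" "04" "10000002")
MSG_B = bytes.fromhex("5aa5" "0002" "03" "06" "10000002" "aabb")

if __name__ == "__main__":
    print(template_from_messages(MSG_A, MSG_B))
    # -> 5a a5 00 ?? 03 ?? 10 00 00 02 [aa] [bb]
```

The resulting template exposes the protocol structure a defender wants for a monitoring rule: the constant header and function byte are literal, the transaction id and length positions are flagged as variable, and the trailer is marked optional. Running the alignment pairwise and then aligning each new message against the evolving template is one straightforward way to extend this to a whole cluster of packets.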



Corresponding author

Correspondence to Gang Xiong.


Copyright information

© 2019 Springer Nature Singapore Pte Ltd.


Cite this paper

Wu, Z. et al. (2019). How to Reverse Engineer ICS Protocols Using Pair-HMM. In: Satapathy, S., Joshi, A. (eds) Information and Communication Technology for Intelligent Systems. Smart Innovation, Systems and Technologies, vol 107. Springer, Singapore. https://doi.org/10.1007/978-981-13-1747-7_12
