Automatic protocol reverse-engineering: Message format extraction and field semantics inference

Authors: Juan Caballero, Dawn Song

DOI: 10.1016/J.COMNET.2012.08.003

Keywords:

Abstract: Understanding the command-and-control (C&C) protocol used by a botnet is crucial for anticipating its repertoire of nefarious activity. However, the C&C protocols of botnets, like many other application layer protocols, are undocumented. Automatic protocol reverse-engineering techniques enable understanding of undocumented protocols and are important for many security applications, including the analysis of and defense against botnets. For example, they enable active botnet infiltration, where an analyst rewrites the messages sent and received by a bot in order to contain its malicious activity while providing the botmaster with an illusion of successful, unhampered operation. In this work, we propose a novel approach to automatic protocol reverse-engineering based on dynamic program binary analysis. Compared to previous work that examines network traffic, we leverage the availability of a program that implements the protocol. Our approach extracts more accurate and complete information and enables the analysis of encrypted protocols. Our techniques extract the message format and field semantics of protocols with an unknown specification. We implement our approach in a tool called Dispatcher and use it to analyze the previously undocumented C&C protocol of MegaD, a spam botnet that at its peak produced one third of the spam on the Internet.
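The idea behind extracting message format and field semantics from how a program uses a received buffer, shown as a small added example that is not Dispatcher's code: the message, the usage trace and the big-endian length encoding are all constructed for illustration, where a real tool would derive the trace by taint-tracking the received bytes through the binary.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample message (not real botnet traffic): a 2-byte big-endian
# length, a fixed keyword, a variable-length argument and a NUL delimiter.
MSG = b"\x00\x0dCMD:DOWNLOAD\x00"

# Constructed trace of how the program consumed the buffer. Each record is
# (start offset, end offset exclusive, how the bytes were used); a dynamic
# binary analysis would record these by following tainted bytes into
# loop bounds, comparisons and well-known library calls.
TRACE: List[Tuple[int, int, str]] = [
    (0, 2, "loop-bound"),     # converted to an integer that bounds a parsing loop
    (2, 6, "cmp-constant"),   # compared byte-by-byte against a constant string
    (6, 14, "memcpy-src"),    # copied out as an opaque argument
    (14, 15, "cmp-constant"), # compared against 0 to find the end of the argument
]

@dataclass
class Field:
    start: int
    end: int
    semantics: str

def infer_fields(msg: bytes, trace) -> List[Field]:
    """Turn each traced access into a field and assign semantics from its use."""
    fields = []
    for start, end, use in sorted(trace):
        chunk = msg[start:end]
        if use == "loop-bound":
            semantics = "length"
        elif use == "cmp-constant":
            # Printable constants are protocol keywords; control bytes delimit fields.
            printable = all(0x20 <= b < 0x7F for b in chunk)
            semantics = "keyword" if printable else "delimiter"
        elif use == "memcpy-src":
            semantics = "variable-length data"
        else:
            semantics = "unknown"
        fields.append(Field(start, end, semantics))
    return fields

def check_length_field(msg: bytes, fields: List[Field]) -> bool:
    """Cross-check an inferred length field against the bytes that follow it
    (assumes big-endian encoding, a constructed choice for this example)."""
    for f in fields:
        if f.semantics == "length":
            value = int.from_bytes(msg[f.start:f.end], "big")
            return value == len(msg) - f.end
    return False
```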
