Traceability of Private Industrial Control Protocol Based on Subgraph Isomorphic Matching of Protocol State Machine

doi:10.3969/j.issn.1671-1122.2022.09.001

Abstract

Abstract:

In the security analysis of private industrial control protocol of industrial equipment, it becomes very difficult to trace the industrial control network protocol standard. This paper proposes a traceability method of private industrial control protocol based on subgraph isomorphic matching of state machine, which can quickly match the industrial control network protocol standard adopted by private industrial control protocol. In this method, the traffic data of private industrial control protocol is reverse-parsed, the message format and key fields are extracted by clustering algorithm, and the protocol state machine graph is deduced by constructing an augmented prefix tree acceptor based on the key fields. In order to solve the problem of incomplete state machine graph generated by limited traffic data, the state machine graph is matched with the standard state machine graph of industrial control protocol by using the subgraph isomorphism matching algorithm. Experiments show that the traceability accuracy of the proposed method is more than 95%, which can quickly locate the industrial control network protocol standard adopted by private protocol, thus providing help for further security analysis.

Key words: industrial control protocol, protocol reverse engineering, state machine comparison, subgraph isomorphism

CLC Number:

TP309

SONG Yubo, CHEN Ye, CAI Yihan, ZHANG Bo. Traceability of Private Industrial Control Protocol Based on Subgraph Isomorphic Matching of Protocol State Machine[J]. Netinfo Security, 2022, 22(9): 1-10.

Figures/Tables 10

References 17

[1]	LIU Kaizheng, YANG Ming, LING Zhen, et al. On Manually Reverse Engineering Communication Protocols of Linux-Based IoT Systems[J]. IEEE, 2020, 8(8): 6815-6827.
[2]	FANG Weiqing, LI Peng, ZHANG Yujie, et al. Research on Optimization of Fuzzing Test of Unknown Protocol Based on Message Type[C]// Springer.International Conference on Big Data and Security.Heidelberg:Springer, 2021: 284-298.
[3]	BEDDOE M A. Network Protocol Analysis Using Bioinformatics Algorithms[J]. Toorcon, 2004, 26(6): 1095-1098
[4]	LEITA C, MERMOUD K, DACIER M. Scriptgen: An Automated Script Generation Tool for Honeyd[C]// IEEE. Computer Security Applications Conference, 21st Annual. New York: IEEE, 2005: 203-214.
[5]	CUI Weidong, KANNAN J, WANG H J. Discoverer: Automatic Protocol Reverse Engineering From Network Traces[EB/OL]. (2007-8-6)[2022-06-05]. https://www.cs.purdue.edu/homes/xyzhang/fall07/Papers/discoverer.pdf
[6]	BOSSERT G, GUIHERY F, HIET G. Towards Automated Protocol Reverse Engineering Using Semantic information[C]// ACM. Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security. New York: ACM, 2014: 51-62.
[7]	WANG Yiping, LI Xingjian, MENG Jiao, et al. Biprominer: Automatic Mining of Binary Protocol Features[C]// IEEE. 2011 12th International Conference on Parallel and Distributed Computing, Applications and Technologies. New York: IEEE, 2011: 179-184.
[8]	LUO Jianzheng, YU Shunzheng. Position-Based Automatic Reverse Engineering of Network Protocols[J]. Journal of Network and Computer Applications, 2003(3): 1070-1077.
[9]	CAI Jun, LUO Jianzhen, LEI Fangyuan. Analyzing Network Protocols of Application Layer Using Hidden Semi-Markov Model[J]. Mathematical Problems in Engineering, 2016(11): 1-14.
[10]	LIN Y D, LAI Y K, BUI Q T, et al. ReFSM: Reverse Engineering From Protocol Packet Traces to Test Generation by Extended Finite State Machines[J]. Journal of Network and Computer Applications, 2020, 171: 102819-102830.
[11]	KLEBER S, KOPP H, KARGL F. {NEMESYS}: Network Message Syntax Reverse Engineering by Analysis of the Intrinsic Structure of Individual Messages[EB/OL]. (2018-08-13)[2022-06-05]. https://dl.acm.org/doi/abs/10.5555/3307423.3307431.
[12]	YE Yapeng, ZHANG Zhuo, WANG Fei, et al. NetPlier: Probabilistic Network Protocol Reverse Engineering From Message Traces[EB/OL]. (2021-01-10)[2022-06-05]. https://www.researchgate.net/publication/350051374_NetPlier_Probabilistic_Network_Protocol_Reverse_Engineering_from_Message_Traces.
[13]	ULLMANN J R. An Algorithm for Subgraph Isomorphism[J]. ACM, 1976, 23(1): 31-42.
[14]	CORDELLA L P, FOGGIA P, SANSONE C, et al. A (Sub) Graph Isomorphism Algorithm for Matching Large Graphs[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2004, 26(10): 1367-1372.
[15]	NEEDLEMAN S B, Wunsch C D. A General Method Applicable to the Search for Similarities in the Amino Acid Sequence of Two Proteins[J]. Journal of Molecular Biology, 1970, 48(3): 443-453.
[16]	KAUFMAN L, ROUSSEEUW P J. Finding Groups in Data: An Introduction to Cluster Analysis[M]. New Jersey: John Wiley & Sons, 2009.
[17]	ANTUNES J, NEVES N. Automatically Complementing Protocol Specifications From Network Traces[EB/OL]. (2011-5-11)[2022-06-07]. https://doi.org/10.1145/1978582.1978601.

报文数量协议	100/个	200/个	500/个	1000/个	2000/个	3000/个
FTP	0.761	0.806	0.598	0.689	0.719	0.653
Modbus	0.960	0.955	0.989	0.988	0.959	0.951