reStruct: Automated Reconstruction of Protocols

Sean Whalen, Matt Bishop, and James P. Crutchfield

Department of Computer Science
Complexity Sciences Center and Physics Department
University of California at Davis
Davis, CA 95616

ABSTRACT: Reverse engineering of network protocols is an active area of security research with a growing list of applications. Recent work has focused on identifying basic structure, such as protocol field boundaries and the semantics of those fields, or creating state machines from instrumented source code. We introduce an automated technique for passively inferring a probabilistic state machine directly from network traffic, without access to the source code or protocol specification. We apply this technique to Modbus, DNP3, ICMP, HTTP, and FTP protocols and demonstrate several security applications including mimicry, intelligent fuzzing, traffic generation, and anomaly detection.
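As an added illustration of the idea in the abstract, the following Python code infers a small probabilistic state machine from a sequence of observed message types and then uses it for anomaly detection and synthetic traffic generation. This is not the paper's reStruct algorithm (the abstract gives no details of it); it is a first-order Markov chain with additive smoothing, and the Modbus-style message-type sequence, the pseudocount, and the anomaly threshold are constructed assumptions for demonstration.

```python
"""Toy probabilistic state machine inferred from a message-type sequence.

Added illustration, not the reStruct implementation. States are message
types (here, constructed Modbus function-code names); transition
probabilities are estimated from observed transitions.
"""
import random
from collections import Counter, defaultdict
from math import log

START = "<start>"
END = "<end>"

# Constructed sample: message types seen on one session (illustrative only).
OBSERVED_SESSION = [
    "READ_HOLDING_REGISTERS", "READ_HOLDING_REGISTERS", "WRITE_SINGLE_REGISTER",
    "READ_HOLDING_REGISTERS", "READ_COILS", "READ_HOLDING_REGISTERS",
    "WRITE_SINGLE_REGISTER", "READ_HOLDING_REGISTERS", "READ_COILS",
    "READ_HOLDING_REGISTERS", "READ_HOLDING_REGISTERS", "WRITE_SINGLE_REGISTER",
]


def infer_model(sequence, pseudocount=0.5):
    """Estimate a first-order Markov chain from a message-type sequence.

    Additive smoothing (pseudocount, an assumed value) gives every
    state-to-state transition a small non-zero probability, so a transition
    never seen in training is unlikely rather than impossible.
    """
    states = set(sequence)
    targets = states | {END}
    counts = defaultdict(Counter)
    path = [START] + list(sequence) + [END]
    for cur, nxt in zip(path, path[1:]):
        counts[cur][nxt] += 1
    model = {}
    for src in states | {START}:
        total = sum(counts[src].values()) + pseudocount * len(targets)
        model[src] = {dst: (counts[src][dst] + pseudocount) / total
                      for dst in targets}
    return model


def log_likelihood(model, sequence):
    """Average log-probability per transition of a sequence under the model.

    A message type absent from training has no row in the model; such
    transitions are scored with the smallest probability the model contains.
    """
    path = [START] + list(sequence) + [END]
    floor = min(p for row in model.values() for p in row.values())
    total = 0.0
    for cur, nxt in zip(path, path[1:]):
        total += log(model.get(cur, {}).get(nxt, floor))
    return total / (len(path) - 1)


def is_anomalous(model, sequence, threshold=-2.0):
    """Flag a sequence whose per-transition score falls below the threshold
    (an assumed cut-off; in practice it is chosen from a validation set)."""
    return log_likelihood(model, sequence) < threshold


def sample(model, rng, max_len=50):
    """Walk the inferred model to generate a synthetic message-type sequence,
    e.g. to produce test traffic for exercising a detector."""
    out, cur = [], START
    while len(out) < max_len:
        dsts, probs = zip(*model[cur].items())
        cur = rng.choices(dsts, weights=probs)[0]
        if cur == END:
            break
        out.append(cur)
    return out


if __name__ == "__main__":
    model = infer_model(OBSERVED_SESSION)
    normal = ["READ_HOLDING_REGISTERS", "READ_COILS",
              "READ_HOLDING_REGISTERS", "WRITE_SINGLE_REGISTER"]
    odd = ["WRITE_SINGLE_REGISTER"] * 5 + ["DIAGNOSTICS"]
    print("normal score:", round(log_likelihood(model, normal), 3),
          "anomalous:", is_anomalous(model, normal))
    print("odd score:   ", round(log_likelihood(model, odd), 3),
          "anomalous:", is_anomalous(model, odd))
    print("synthetic:", sample(model, random.Random(0)))
```

The scoring function averages per transition so sequences of different lengths are comparable; the threshold is where a deployment would trade false positives against missed events.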


Sean Whalen, Matt Bishop, and J. P. Crutchfield, "reStruct: Automated Reconstruction of Protocols", (2009) submitted.
Santa Fe Institute Working Paper 09-11-XXX.
arXiv:0911.XXXX [cs.NI].