Journal: Parallel algorithms and applications

IPART: an automatic protocol reverse engineering tool based on global voting expert for industrial protocols


Abstract

The industrial control system is an important part of many critical infrastructures and has a big influence on their security. With the rapid development of industrial control systems, their use of computer networks has increased significantly, which has brought many security issues. Protocol security is one of the most important of these issues. Many industrial protocols are unknown, which prevents firewalls from parsing and analysing network traffic and thus poses a big challenge for intrusion detection, deep packet inspection and traffic management. One method to solve the problem is reverse engineering. However, previous works mainly target traditional network protocols and are not very suitable for reversing industrial protocols. To address this problem, we propose IPART, an unsupervised tool for automatically reversing the format of an industrial protocol from a network trace. IPART applies an extended voting expert algorithm to infer the boundaries of industrial protocol fields. Types of these fields are derived by statistical methods. It then classifies messages into sub-clusters by their field types and infers the format of each sub-cluster. Finally, IPART combines all results and gets the format tree of the protocol. We evaluate our work on three industrial protocols: Modbus, IEC104 and Ethernet/IP. Compared with some state-of-the-art approaches (LDA model, Voting Expert, Netzob), our tool shows better performance.

IPART reverses industrial protocols in three main stages. The tool first splits raw packets into tokens and infers the fields of the protocol, covering both field properties (offset, length, etc.) and semantics (length, transition id, etc.). It then groups messages that belong to the same format into a cluster, so that each cluster approximates a format. Finally, the tool combines all formats to get the protocol format tree.