TY - JOUR
T1 - FineBID
T2 - Fine-Grained Protocol Reverse Engineering for Bit-Level Field IDentification
AU - Huang, Tao
AU - Gao, Yansong
AU - Zheng, Yifeng
AU - Wang, Zhanfeng
AU - Hu, Chao
AU - Fu, Anmin
PY - 2025/5
Y1 - 2025/5
N2 - Protocol Reverse Engineering (PRE) is the foundation for numerous security analysis techniques, such as vulnerability mining and intrusion detection, and the precision of PRE analysis directly affects the accuracy of these downstream techniques. Network-trace-based PRE has become the mainstream approach because it is easy to implement. However, without additional dedicated devices or prior knowledge, existing network-trace-based PRE methods usually achieve only byte- or half-byte-level precision rather than fine-grained bit-level precision, which makes it increasingly difficult to meet the precision requirements of downstream security applications. In this work, we propose a fine-grained PRE scheme, named FineBID, which extends the identification capability of existing network-trace-based PRE methods to bit-level fields. FineBID follows the global characteristics of protocol fields and models bit-level field identification as a multi-objective decision problem, which overcomes the insufficient representativeness of the local characteristics of bit-level fields. The multi-objective decision model is then solved to obtain the Pareto solution set for different field segmentation levels, from which a utility value is computed for each bit. This utility value serves as a direct indicator of whether or not a bit is a field boundary. We also propose an Actual Ground Truth that better reflects the actual usage of each bit. Through extensive experiments on Internet, wireless, and industrial protocols, we show that FineBID not only reduces the search space for Ground Truth or Actual Ground Truth by 95.3% compared to exhaustive search, but also identifies Ground Truth or Actual Ground Truth more accurately than other similar methods.
AB - Protocol Reverse Engineering (PRE) is the foundation for numerous security analysis techniques, such as vulnerability mining and intrusion detection, and the precision of PRE analysis directly affects the accuracy of these downstream techniques. Network-trace-based PRE has become the mainstream approach because it is easy to implement. However, without additional dedicated devices or prior knowledge, existing network-trace-based PRE methods usually achieve only byte- or half-byte-level precision rather than fine-grained bit-level precision, which makes it increasingly difficult to meet the precision requirements of downstream security applications. In this work, we propose a fine-grained PRE scheme, named FineBID, which extends the identification capability of existing network-trace-based PRE methods to bit-level fields. FineBID follows the global characteristics of protocol fields and models bit-level field identification as a multi-objective decision problem, which overcomes the insufficient representativeness of the local characteristics of bit-level fields. The multi-objective decision model is then solved to obtain the Pareto solution set for different field segmentation levels, from which a utility value is computed for each bit. This utility value serves as a direct indicator of whether or not a bit is a field boundary. We also propose an Actual Ground Truth that better reflects the actual usage of each bit. Through extensive experiments on Internet, wireless, and industrial protocols, we show that FineBID not only reduces the search space for Ground Truth or Actual Ground Truth by 95.3% compared to exhaustive search, but also identifies Ground Truth or Actual Ground Truth more accurately than other similar methods.
KW - Accuracy
KW - Codes
KW - Correlation
KW - Electronic mail
KW - Fuzzing
KW - Industries
KW - Information entropy
KW - Mutual information
KW - Protocol reverse engineering (PRE)
KW - Protocols
KW - Security
KW - Bit-level
KW - Field identification
KW - Fine-grained
KW - Global characteristic
UR - https://www.webofscience.com/api/gateway?GWVersion=2&SrcApp=uwapure5-25&SrcAuth=WosAPI&KeyUT=WOS:001488108000019&DestLinkType=FullRecord&DestApp=WOS_CPL
U2 - 10.1109/TDSC.2024.3521592
DO - 10.1109/TDSC.2024.3521592
M3 - Article
SN - 1545-5971
VL - 22
SP - 2670
EP - 2686
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 3
ER -