Reverse Engineering Of Industrial Control Protocols By XGBoost With Variable Gram

Protocol Reverse Engineering(PRE)technology plays an important role in improving the safety protection capability of industrial control systems.In the process of industrial control safety testing,protocol reverse analysis and test script development are performed manually,which is insufficient in detection efficiency and breadth.The implementation of automatic protocol reverse technology can significantly reduce the workload of manual analysis,improve the efficiency of private protocol analysis,and make it possible to respond to network security events quickly and automatically.The research objective of this thesis is to extract the protocol format and primary semantics from the captured unknown industrial traffic without introducing the prior knowledge of protocol specifications.Specific research contents are as follows.1.Progressive multi-sequence algorithm which suits for industrial control protocol format extraction is proposed.In view of the periodic and structurally fixed characteristics of industrial control protocol,progressive multi-sequence alignment algorithm is used to cluster initial message samples for traffic with the same payload length.Variable domain and fixed domain of message sequences are separated.2.Reverse Engineering of Industrial Control Protocols by XGBoost with Variable gram is proposed.The flexible N value selection method is helpful to solve the problem of inefficient half-byte keyword recognition in binary feature recognition.Variable gram is generated after the variable domain and fixed domain of message sequences are separated,and feature words are extracted by XGBoost model.The states of data packets are classified and tagged with XGBoost,which works in the construction of FSM model.Experimental results show that the proposed approach is effective in mining junior semantic information for industrial control protocols.3.Designed and implemented prototype system for reverse analysis of industrial control protocol deployed on Web.It can analyze the protocol by loading PCAP file,and users can adjust the parameter selection.The protocol format information and key word information can be displayed simply and clearly,providing intuitive visualization results.