Many application protocols on the Internet, especially those used by malware, are proprietary and have no publicly released specifications. According to the Internet2 NetFlow weekly reports on backbone traffic, more than 40% of Internet traffic belongs to unidentified application protocols. Therefore, it is critical for network security solutions to understand the specifications of these unknown application protocols. For instance, protocol specifications are needed for parsing unknown application protocols in advanced intrusion prevention systems. Protocol specifications are also useful for many other applications, such as vulnerability discovery and system integration. Furthermore, even for some application protocols with known specifications, protocol inference is sometimes needed to identify implementation details and bugs that are not unambiguously specified. Inferring protocol specifications for unknown application protocols is therefore fundamental to network security.

The objective of this project is to develop schemes for automatically inferring the protocol specification of unknown applications from their network traces. The PI proposes a semantics-aware approach that takes network traces as input and automatically outputs the inferred protocol message format. This project represents the first effort towards developing semantics-aware approaches to protocol inference, a fundamental building block of many network security solutions. This project is potentially transformative research with high impact. It will enable a spectrum of new network security applications and solutions. The proposed project is interdisciplinary in nature, as it applies natural language processing techniques to network security problems.

Project Start:
Project End:
Budget Start: 2013-09-01
Budget End: 2017-12-31
Support Year:
Fiscal Year: 2013
Total Cost: $455,000
Indirect Cost:

Name: Michigan State University
Department:
Type:
DUNS #:
City: East Lansing
State: MI
Country: United States
Zip Code: 48824