Context Sensitive and Secure Parser Generation for Deep Packet Inspection of Binary Protocols

Network protocol parsers constantly dissect a large number of packets and place their fields into internal data structures for further processing. We propose an approach that automatically generates custom protocol parsers to process network traffic as part of an Intrusion Detection System. This paper looks at the case of command and control / industrial control networks, which are characterized by a limited number of known protocols. We present a robust, secure, and high-performing solution that deals with issues that have only been partially addressed in this domain.
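The abstract's central technical point is that binary protocols used in control networks are context sensitive: the size and meaning of a field depend on values decoded earlier in the same message, so a parser must carry that state and must check every length against the bytes actually present before indexing. The following is an added example, not code from the paper or from any parser generator it describes; the message format, type codes, field names and sample packets are all constructed for illustration. It shows a hand-written, bounds-checked parser for such a format, the kind of code a generator would emit, and how an IDS front end would use it to accept well-formed messages and reject truncated, oversized or unknown ones instead of reading past the buffer.

```python
"""
Added example (not from the paper): a small, bounds-checked parser for a
constructed binary protocol whose layout is context sensitive -- the length
and interpretation of later fields depend on values decoded earlier.
The message format, field names and constants here are invented.
"""
import struct


class ParseError(ValueError):
    """Raised for any malformed or truncated message; we never index past the buffer."""


# Constructed message type codes (hypothetical, not from any real protocol).
MSG_READ = 0x01    # payload: 2-byte register address
MSG_WRITE = 0x02   # payload: 2-byte register address + 2-byte value
MSG_DATA = 0x03    # payload: 1-byte count, then `count` 2-byte values


def _take(buf: bytes, pos: int, n: int):
    """Return (buf[pos:pos+n], new_pos) only if all n bytes are present; else raise."""
    if n < 0 or pos + n > len(buf):
        raise ParseError(f"truncated: need {n} bytes at offset {pos}, have {len(buf) - pos}")
    return buf[pos:pos + n], pos + n


def parse_message(buf: bytes) -> dict:
    """
    Header: 1-byte type, 2-byte big-endian total length (header included).
    The type selects the payload grammar, and the declared length must match
    exactly what that grammar consumes; trailing or missing bytes are errors.
    """
    hdr, pos = _take(buf, 0, 3)
    msg_type, length = struct.unpack("!BH", hdr)
    if length != len(buf):
        raise ParseError(f"declared length {length} != actual {len(buf)}")
    msg = {"type": msg_type}
    if msg_type == MSG_READ:
        raw, pos = _take(buf, pos, 2)
        msg["addr"] = struct.unpack("!H", raw)[0]
    elif msg_type == MSG_WRITE:
        raw, pos = _take(buf, pos, 4)
        msg["addr"], msg["value"] = struct.unpack("!HH", raw)
    elif msg_type == MSG_DATA:
        raw, pos = _take(buf, pos, 1)
        count = raw[0]
        # Context sensitivity: the count just decoded sets the size of the next field.
        raw, pos = _take(buf, pos, 2 * count)
        msg["values"] = list(struct.unpack(f"!{count}H", raw))
    else:
        raise ParseError(f"unknown message type {msg_type:#x}")
    if pos != len(buf):
        raise ParseError(f"{len(buf) - pos} trailing bytes after payload")
    return msg


def classify(buf: bytes) -> str:
    """IDS-style verdict: 'ok' for a well-formed message, else the rejection reason."""
    try:
        parse_message(buf)
        return "ok"
    except ParseError as e:
        return f"reject: {e}"


# Constructed sample traffic (not captured from any real network).
GOOD_DATA = bytes([0x03, 0x00, 0x08, 0x02, 0x00, 0x0A, 0x00, 0x0B])  # count=2, values 10 and 11
SHORT_DATA = bytes([0x03, 0x00, 0x07, 0x03, 0x00, 0x0A, 0x00])       # claims 3 values, only 3 bytes follow

if __name__ == "__main__":
    for name, pkt in [("GOOD_DATA", GOOD_DATA), ("SHORT_DATA", SHORT_DATA)]:
        print(name, classify(pkt))
```

Two design choices matter for a DPI parser. Every read goes through `_take`, so a length derived from attacker-controlled bytes can never cause an out-of-bounds access, only a rejection; and the declared length is checked against the bytes the grammar actually consumed, so a message that is syntactically plausible but carries hidden trailing data is rejected rather than silently accepted.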
