NEMESYS: Network Message Syntax Reverse Engineering by Analysis of the Intrinsic Structure of Individual Messages

Website Maintenance Alert

Due to scheduled maintenance, the USENIX website may not be available on Monday, March 17, from 10:00 am–6:00 pm Pacific Daylight Time (UTC -7). We apologize for the inconvenience and thank you for your patience.

If you would like to register for NSDI '25, SREcon25 Americas, or PEPR '25, please complete your registration before or after this time period.

Authors: 

Stephan Kleber, Henning Kopp, and Frank Kargl, Institute of Distributed Systems, Ulm University

Abstract: 

Protocol reverse engineering based on traffic traces allows to analyze observable network messages. Thereby, message formats of unknown protocols can be inferred. We present a novel method to infer structure from network messages of binary protocols. The method derives field boundaries from the distribution of value changes throughout individual messages. None of many previous approaches exploits features of structure which are contained within each single message. Our method exploits this intrinsic structure instead of comparing multiple messages with each other. We implement our approach in the tool NEMESYS: NEtwork Message SYntax analysiS. Additionally, we introduce the Format Match Score: the first quantitative measure of the quality of a message format inference. We apply the Format Match Score to NEMESYS and a previous approach and compare the results to mutually validate our new format inference method and the measure of its quality.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {220576,
author = {Stephan Kleber and Henning Kopp and Frank Kargl},
title = {{NEMESYS}: Network Message Syntax Reverse Engineering by Analysis of the Intrinsic Structure of Individual Messages},
booktitle = {12th USENIX Workshop on Offensive Technologies (WOOT 18)},
year = {2018},
address = {Baltimore, MD},
url = {https://www.usenix.org/conference/woot18/presentation/kleber},
publisher = {USENIX Association},
month = aug
}