Journal:IEEE Transactions on Information Forensics and Security

Impact Factor:6.3

Abstract:Reverse engineering of agnostic industrial control protocols (ICPs) based on traffic traces is significant for the security analysis of industrial control systems. Field semantics deduction is an essential step in protocol reverse engineering following the discovery of the message field. Most existing methods rely on knowledge-based analysis for specific fields of common protocols, which require too numerous assumptions and lack semantic knowledge about ICPs. In this paper, we propose a new concept, pattern series, and design the first classification framework for inferring the semantic types of unknown ICPs. Specifically, we first present the definition of pattern series and design the field pattern series generation algorithm for building training data, then develop a field semantics classification model to learn and apply semantic features from known protocols to predict semantic types in unknown protocols. Lastly, we implement a probability-maximizing selection algorithm to obtain optimal semantic types. We demonstrate the effectiveness of the proposed method through extensive experiments with five popular ICPs, including their mixed protocols. Evaluations show that our approach significantly outperforms baseline methods in field semantic recognition, achieving ≥90.8% F1-score.

Key Words:Industrial control systems, protocol reverse engineering, field semantics analysis

Indexed by:CCF A类期刊

Note:https://ieeexplore.ieee.org/document/11000284

Document Type:JCR 一区

Translation or Not:no