Abstract: Because there is no one-to-one mapping between the message format type and the message status type in a communication protocol specification, messages that share a format type but differ in status type are difficult to separate by clustering. This paper therefore proposes a state machine inference method for binary private protocols based on state-related fields. State-related fields are identified using the Longest Common Subsequence Distance (LCSD), which measures the logical similarity of protocol sessions. An initial state machine is constructed as an adjacency table; abnormal sessions are then removed and similar states are merged to reduce the size of the protocol state machine. Test results on TCP and SMB protocol datasets show that the proposed method can effectively infer the state machine of a binary private protocol with high accuracy and high recall.
Keywords: protocol state machine, Longest Common Subsequence Distance (LCSD), abnormal session removal, similar state merging
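The abstract describes a four-stage pipeline (identify the state-related field with LCSD, build an adjacency-table state machine, drop abnormal sessions, merge similar states). The following Python is an added illustration of that pipeline written for this page; it is not the paper's implementation and does not reproduce its exact rules. Everything below the LCSD definition is an assumption: the constructed 4-byte message layout (magic, format type, status, sequence counter), the heuristic that skips constant fields and strictly increasing counters, the 0.5 similarity threshold, the `min_support=2` rule for abnormal sessions, and the predecessor/successor rule for merging states. The sample sessions are constructed; in them format type 0x01 carries two statuses (0x10 and 0x20), which is the situation the abstract says clustering on format alone cannot resolve.

```python
"""Toy binary-protocol state machine inference (added example, not the paper's code)."""
from collections import defaultdict
from itertools import combinations

# Constructed header layout: magic(1) | format type(1) | status(1) | seq(1).
# Statuses 0x10/0x20 share format type 0x01; 0x30/0x31 are two encodings of the
# same logical OPEN state and should end up merged.
TYPE_OF = {0x10: 0x01, 0x20: 0x01, 0x30: 0x02, 0x31: 0x02, 0x40: 0x03}
START = "START"


def session(*statuses):
    """One constructed session: a list of raw 4-byte messages."""
    return [bytes([0xAB, TYPE_OF[s], s, i]) for i, s in enumerate(statuses)]


SESSIONS = [  # constructed sample data
    session(0x10, 0x20, 0x30, 0x31, 0x40),
    session(0x10, 0x20, 0x31, 0x30, 0x40),
    session(0x10, 0x20, 0x30, 0x40),
    session(0x10, 0x20, 0x31, 0x40),
    session(0x10, 0x20, 0x30, 0x31, 0x40),
    session(0x10, 0x20, 0x31, 0x30, 0x40),
    session(0x10, 0x20, 0x40),
    session(0x10, 0x20, 0x40),
    session(0x10, 0x40, 0x30),  # abnormal: closes before it ever opens
]


def lcs_len(a, b):
    """Length of the longest common subsequence (classic O(len(a)*len(b)) DP)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def lcsd(a, b):
    """LCSD = len(a) + len(b) - 2*LCS(a, b), normalised to [0, 1]."""
    total = len(a) + len(b)
    return (total - 2 * lcs_len(a, b)) / total if total else 0.0


def identify_state_field(sessions, header_len=4, min_similarity=0.5):
    """Assumed heuristic: among non-constant, non-counter header offsets whose
    per-session value sequences keep the sessions logically similar (mean
    pairwise 1-LCSD >= min_similarity), take the one with the most distinct
    values, i.e. the finest field that still preserves session similarity."""
    best = None
    for off in range(header_len):
        seqs = [[m[off] for m in s] for s in sessions]
        values = {v for seq in seqs for v in seq}
        # Assumed counter rule: strictly increasing inside every session.
        is_counter = all(all(p < q for p, q in zip(seq, seq[1:])) for seq in seqs)
        if len(values) < 2 or is_counter:
            continue
        pairs = list(combinations(seqs, 2))
        similarity = 1 - sum(lcsd(a, b) for a, b in pairs) / len(pairs)
        if similarity < min_similarity:
            continue
        if best is None or (len(values), similarity) > best[0]:
            best = ((len(values), similarity), off)
    return None if best is None else best[1]


def build_adjacency(sessions, offset):
    """Initial state machine: table[state][next_state] = set of session indices."""
    table = defaultdict(lambda: defaultdict(set))
    for idx, s in enumerate(sessions):
        prev = START
        for m in s:
            cur = "0x%02x" % m[offset]
            table[prev][cur].add(idx)
            prev = cur
        table[prev]  # make sure a terminal state exists even with no out-edges
    return table


def abnormal_sessions(table, min_support=2):
    """Assumed rule: a session is abnormal if it exercises any transition that
    fewer than min_support sessions exercise."""
    bad = set()
    for dsts in table.values():
        for who in dsts.values():
            if len(who) < min_support:
                bad |= who
    return bad


def merge_similar(table):
    """Assumed rule: merge two states whose successor sets and predecessor sets
    are identical once edges inside the pair are folded into a '*' marker."""
    succ = {s: set(d) for s, d in table.items()}
    canon = lambda states, pair: {"*" if x in pair else x for x in states}
    while True:
        pred = {s: set() for s in succ}
        for s, ds in succ.items():
            for d in ds:
                pred[d].add(s)
        found = next(((a, b) for a, b in combinations(succ, 2)
                      if START not in (a, b)
                      and canon(succ[a], (a, b)) == canon(succ[b], (a, b))
                      and canon(pred[a], (a, b)) == canon(pred[b], (a, b))), None)
        if found is None:
            return succ
        name = "|".join(sorted(set(found[0].split("|")) | set(found[1].split("|"))))
        rename = lambda s: name if s in found else s
        merged = defaultdict(set)
        for s, ds in succ.items():
            merged[rename(s)] |= {rename(d) for d in ds}
        succ = dict(merged)


def infer(sessions, min_support=2):
    """Run the whole pipeline; returns (state field offset, abnormal session ids, machine)."""
    off = identify_state_field(sessions)
    bad = abnormal_sessions(build_adjacency(sessions, off), min_support)
    kept = [s for i, s in enumerate(sessions) if i not in bad]
    return off, bad, merge_similar(build_adjacency(kept, off))


if __name__ == "__main__":
    off, bad, machine = infer(SESSIONS)
    print("state field offset:", off, "abnormal sessions:", sorted(bad))
    for src, dsts in machine.items():
        print(f"{src} -> {sorted(dsts)}")
```

Two caveats a practitioner should keep in mind when applying this shape of pipeline to real captures: the support threshold that removes abnormal sessions will also discard genuinely rare but valid paths (error handling, aborts), so the dropped sessions deserve a manual look rather than silent deletion, and a merge rule based only on local in/out edges can collapse semantically different states; the `'*'` folding above is one way to keep a state from being merged with the state it transitions into.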