Protocol reverse engineering for improved intrusion detection systems

Type of work: Master thesis

Technical Background:

We are doing research in several projects on fieldbus security. Machine learning (ML) methods are often used to make statements about the security of the network. These include:

  • Estimating risk based on information about fieldbus network topology and attacker access capabilities.
  • Intrusion detection systems (IDS) and firewalling on fieldbuses.

Recently, machine learning methods have also been applied within IDS ("data-driven security"). In this approach, certain features are extracted from the data stream, and a classification takes place based on these features. This classification is especially difficult for unknown protocols in automation technology (fieldbuses), since the choice of features is severely limited if one does not know where the boundaries between the fields of the protocol lie and what the individual fields mean.

Task Description:

This work will explore ways to reverse engineer unknown protocols. For example, field boundaries and their meaning are to be determined from long-term recordings of data traffic using statistical methods. The fields found in this way shall then serve as the basis for feature extraction for classification in intrusion detection systems.
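As an added illustration of the statistical approach sketched above (example code written for this page, not part of the thesis or of any project's code base): a constructed toy protocol with a fixed 8-byte frame layout stands in for an unknown fieldbus protocol, a long recording of it is generated rather than captured, and field boundaries and roles are inferred purely from per-offset statistics (entropy and distinct-value counts, increment-by-one behaviour, the carry relation between a counter's high and low byte, and an XOR relation to the preceding bytes). The inferred fields are then turned into IDS features and a whitelist baseline is learned from the benign recording. The frame layout, the ENUM_MAX threshold and the set of role detectors are assumptions chosen for the example.

```python
"""Added example, not the thesis's or any project's code: infer field boundaries and roles
from per-offset statistics of a long recording, then use them as IDS features."""
import math
from collections import Counter

ENUM_MAX = 8  # assumption: at most 8 distinct byte values in the capture -> enumeration field

def xor_checksum(data):
    c = 0
    for b in data:
        c ^= b
    return c

def build_frame(seq, addr=None, fc=None):
    """Constructed toy layout (assumed): magic, source address, function code, 16-bit
    big-endian sequence counter, 8-bit measurement, reserved byte, XOR checksum."""
    addr = 1 + seq % 3 if addr is None else addr
    fc = 1 + (seq // 3) % 2 if fc is None else fc
    body = bytes([0x7E, addr, fc, (seq >> 8) & 0xFF, seq & 0xFF, 18 + (seq * 7) % 41, 0x00])
    return body + bytes([xor_checksum(body)])

def entropy(values):
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def is_counter(values):
    """Byte increments by exactly one (mod 256) from each frame to the next."""
    return len(values) > 1 and all((b - a) & 0xFF == 1 for a, b in zip(values, values[1:]))

def is_carry_pair(frames, i):
    """Byte i is the high byte of a big-endian counter whose low byte is at i+1:
    it increments exactly when byte i+1 wraps from 0xFF to 0x00, else it is unchanged."""
    for a, b in zip(frames, frames[1:]):
        wrapped = a[i + 1] == 0xFF and b[i + 1] == 0x00
        if b[i] != ((a[i] + 1) & 0xFF if wrapped else a[i]):
            return False
    return True

def is_xor_checksum(frames, i):
    """Byte i equals the XOR of all preceding bytes in every frame."""
    return all(f[i] == xor_checksum(f[:i]) for f in frames)

def infer_fields(frames):
    """Return (offset, length, kind) tuples; kinds are the statistical roles this
    example recognises, tested from most to least specific at each offset."""
    n, fields, i = len(frames[0]), [], 0
    while i < n:
        col = [f[i] for f in frames]
        if is_xor_checksum(frames, i):
            kind, length = "checksum", 1
        elif i + 1 < n and is_counter([f[i + 1] for f in frames]) and is_carry_pair(frames, i):
            kind, length = "counter16", 2
        elif entropy(col) == 0:
            kind, length = "constant", 1
        elif len(set(col)) <= ENUM_MAX:
            kind, length = "enum", 1
        else:
            kind, length = "value", 1
        fields.append((i, length, kind))
        i += length
    return fields

def extract_features(frames, fields):
    """One feature dict per frame: the counter becomes the delta to the previous frame,
    the checksum a validity flag, every other field its integer value."""
    feats, prev = [], None
    for f in frames:
        d = {}
        for start, length, kind in fields:
            raw = int.from_bytes(f[start:start + length], "big")
            key = f"{kind}@{start}"
            if kind == "counter16":
                d[key] = None if prev is None else (raw - int.from_bytes(prev[start:start + 2], "big")) % 65536
            elif kind == "checksum":
                d[key] = raw == xor_checksum(f[:start])
            else:
                d[key] = raw
        feats.append(d)
        prev = f
    return feats

def learn_baseline(feats):
    """Per feature, the set of values observed in benign traffic (a whitelist model)."""
    base = {}
    for d in feats:
        for k, v in d.items():
            if v is not None:
                base.setdefault(k, set()).add(v)
    return base

def detect(feats, base):
    """Alert on every frame carrying a feature value never seen in the baseline."""
    alerts = []
    for idx, d in enumerate(feats):
        bad = [k for k, v in d.items() if v is not None and v not in base.get(k, set())]
        if bad:
            alerts.append((idx, bad))
    return alerts
```

Running infer_fields on 600 generated frames recovers the layout as constant, enum, enum, a two-byte counter, value, constant and checksum, without the code ever being told where the fields are. Learning the baseline from those frames and then feeding 20 further benign frames followed by a frame with an unseen function code, a frame with a corrupted checksum and a replayed old frame produces exactly three alerts, each naming the inferred field that triggered it. Two caveats a practitioner will want: the example assumes fixed-length frames of a single message type, whereas real fieldbus traffic usually has to be split by message type and length before per-offset statistics are meaningful, and a whitelist baseline only flags values never seen in the recording, so the recording must be long enough to cover normal operation.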

Then the following questions shall be answered:

  • What methods can be used for reverse engineering?
  • How reliably do these methods work?
  • Can the methods be used for arbitrary protocols? Do they work for fieldbus protocols in building automation?
  • How well does an IDS work on this basis?

A prototype is to be developed for this purpose.

Possible work steps:

  • Review of existing procedures for protocol reverse engineering.
  • Review of the protocols to be investigated.
  • Review of the procedures used by intrusion detection systems.
  • Design of a procedure for extracting data fields from fieldbus protocols.
  • Prototype.
  • Evaluation.

The exact definition of the topic is agreed in coordination with the supervisor.

Literature and Resources:

  • Narayan, John, Sandeep K. Shukla, and T. Charles Clancy. "A survey of automatic protocol reverse engineering tools." ACM Computing Surveys (CSUR) 48.3 (2015): 1-26.
  • Sija, Baraka D., et al. "Survey on network protocol reverse engineering approaches, methods and tools." 2017 19th Asia-Pacific Network Operations and Management Symposium (APNOMS). IEEE, 2017.
  • Duchene, Julien, et al. "State of the art of network protocol reverse engineering tools." Journal of Computer Virology and Hacking Techniques 14.1 (2018): 53-68.
  • Peters, M., J. Goltz, S. Wiedenmann, and T. Mundt. "Using Machine Learning to Find Anomalies in Field Bus Network Traffic." International Conference on Security, Privacy and Anonymity in Computation, Communication and Storage. Springer, Cham, 2019.

Supervisor: Dr. Thomas Mundt (thomas.mundt@uni-rostock.de)

Prerequisites: Basic skills in the area of network security are advantageous.