One Step More: Automatic ICS Protocol Field Analysis

  • Yeop ChangEmail author
  • Seungoh Choi
  • Jeong-Han Yun
  • SinKyu Kim
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10707)


Industrial control system (ICS) protocols have been developed to obtain the values measured using sensors, control the field devices, and share the collected information. It is necessary to monitor the ICS network continuously based on the ICS protocol knowledge (protocol field’s meaning and protocol’s behavior) for detecting ICS attackers’ suspicious activities. However, the ICS protocols are often proprietary, making it difficult to obtain their exact specifications. Hence, we need an automatic ICS protocol analysis because the tasks involved in the manual reverse engineering are tedious. After analyzing the network traffic obtained from a real ICS, we found that the variable structures were common and packet fragmentation frequently occurred during the operation. We recognized the need for an automated process wherein the packet fragmentation and variable structures are considered. In this paper, we describe our ongoing research to resolve the intricate structures of the ICS protocols in addition to the existing statistical analysis approach and present the implementation results.


ICS protocol Binary protocol Protocol reversing 


  1. 1.
    Caballero, J., Song, D.: Polyglot: automatic extraction of protocol message format using dynamic binary analysis. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 317–329 (2007)Google Scholar
  2. 2.
    Cui, W., Kannan, J., Wang, H.J.: Discoverer: automatic protocol reverse engineering from network traces. In: USENIX Security, pp. 199–212 (2007)Google Scholar
  3. 3.
    Caballero, J., Poosankam, P., Kreibich, C., Song, D.: Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering. In: ACM Conference on Computer and Communications Security, pp. 621–634 (2009)Google Scholar
  4. 4.
    Wang, Z., Jiang, X., Cui, W., Wang, X., Grace, M.: ReFormat: automatic reverse engineering of encrypted messages. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 200–215. Springer, Heidelberg (2009). Scholar
  5. 5.
    Li, H., Shuai, B., Wang, J., Tang, C.: Protocol feature word construction based on machine learning n-gram generation, pp. 93–97 (2011)Google Scholar
  6. 6.
    Caballero, J., Song, D.: Automatic protocol reverse-engineering: message format extraction and field semantics inference. Comput. Netw. 57, 451–474 (2013)CrossRefGoogle Scholar
  7. 7.
    Luo, J.Z., Yu, S.Z.: Position-based automatic reverse engineering of network protocols. J. Netw. Comput. Appl. 36, 1070–1077 (2013)CrossRefGoogle Scholar
  8. 8.
    Sood, A.K., Enbody, R.J., Bansal, R.: Dissecting SpyEye-Understanding the design of third generation botnets. Comput. Netw. 57, 436–450 (2013)CrossRefGoogle Scholar
  9. 9.
    Choi, S., Chang, Y., Yun, J.-H., Kim, W.: Multivariate statistic approach to field specifications of binary protocols in SCADA system. In: Rhee, K.-H., Yi, J.H. (eds.) WISA 2014. LNCS, vol. 8909, pp. 345–357. Springer, Cham (2015). Scholar
  10. 10.
    Tao, S., Yu, H., Li, Q.: Bit-oriented format extraction approach for automatic binary protocol reverse engineering, pp. 709–716 (2015)Google Scholar
  11. 11.
    Bermudez, I., Tongaonkar, A., Iliofotou, M., Mellia, M., Munaf, M.M.: Towards automatic protocol field inference. Comput. Commun. 84, 40–51 (2016)CrossRefGoogle Scholar
  12. 12.
    Choi, K., Son, Y., Noh, J., Shin, H., Choi, J., Kim, Y.: Dissecting customized protocols: automatic analysis for customized protocols based on IEEE 802.15.4. In: ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 183–193 (2016)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Yeop Chang
    • 1
    Email author
  • Seungoh Choi
    • 1
  • Jeong-Han Yun
    • 1
  • SinKyu Kim
    • 1
  1. 1.National Security Research InstituteDaejeonKorea

Personalised recommendations