Protocol Normalization Using Attribute Grammars

  • Drew Davidson
  • Randy Smith
  • Nic Doyle
  • Somesh Jha
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5789)


Protocol parsing is an essential step in several networking-related tasks. For instance, parsing network traffic is an essential step for Intrusion Prevention Systems (IPSs). The task of developing parsers for protocols is challenging because network protocols often have features that cannot be expressed in a context-free grammar. We address the problem of parsing protocols by using attribute grammars (AGs), which allow us to factor features that are not context-free and treat them as attributes. We investigate this approach in the context of protocol normalization, which is an essential task in IPSs. Normalizers generated using systematic techniques, such as ours, are more robust and resilient to attacks. Our experience is that such normalizers incur an acceptable level of overhead (approximately 15% in the worst case) and are straightforward to implement.
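As an added example (not code from the paper), here is one way a non-context-free feature can be handled as an attribute. It assumes HTTP/1.1 chunked transfer coding as the feature, where a size field governs how many bytes follow, and normalizes differently framed bodies to one canonical form. The grammar, sample inputs and function names are assumptions made for this illustration.

```python
# Added illustration, not the paper's code. Assumed grammar (HTTP/1.1 chunked body):
#   body  -> chunk* last
#   chunk -> SIZE [";" ext] CRLF DATA CRLF    with DATA.len = SIZE.val
#   last  -> "0" [";" ext] CRLF CRLF          (trailers are rejected here)
# SIZE.val is a synthesized attribute and DATA.len inherits it; that equation
# is the non-context-free part, factored out of the syntactic rules.
import string

CRLF = b"\r\n"
HEX = set(string.hexdigits.encode())
# Constructed samples: the same body framed two different ways.
SAMPLE_A = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
SAMPLE_B = b"1\r\nW\r\n8;x=y\r\nikipedia\r\n0\r\n\r\n"

def parse_size(buf, pos):
    """SIZE [";" ext] CRLF -> (SIZE.val, next position); the extension is dropped."""
    end = buf.find(CRLF, pos)
    if end < 0:
        raise ValueError("size line not terminated by CRLF")
    digits = buf[pos:end].split(b";", 1)[0]
    if not digits or not set(digits) <= HEX:
        raise ValueError("malformed chunk size")
    return int(digits, 16), end + 2

def parse_data(buf, pos, length):
    """DATA CRLF, where `length` is the inherited attribute DATA.len."""
    end = pos + length
    if buf[end:end + 2] != CRLF:
        raise ValueError("chunk data does not match declared size")
    return buf[pos:end], end + 2

def normalize_chunked(buf):
    """Return the de-chunked body; reject input that does not parse exactly."""
    pos, out = 0, []
    while True:
        size, pos = parse_size(buf, pos)
        if size == 0:
            if buf[pos:] != CRLF:
                raise ValueError("unexpected bytes after last chunk")
            return b"".join(out)
        data, pos = parse_data(buf, pos, size)
        out.append(data)

def to_content_length(buf):
    """Re-emit the body under a single canonical framing."""
    body = normalize_chunked(buf)
    return b"Content-Length: %d\r\n\r\n%s" % (len(body), body)
```

Because the declared size is authoritative, chunk data that itself contains CRLF is consumed correctly, and a size that disagrees with the data is rejected rather than guessed at.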


Keywords (added by machine, not by the authors): Network Protocol; Parse Tree; Chunk Data; File Transfer Protocol; Terminal Symbol



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Drew Davidson (1)
  • Randy Smith (1)
  • Nic Doyle (2)
  • Somesh Jha (1)

  1. Computer Sciences Department, University of Wisconsin, Madison
  2. ERBU XE Security group, CISCO systems, France
