Industrial Control Protocol Type Inference Using Transformer and Rule-based Re-Clustering

Yuhuan Liu1,2; Yulong Ding2,3; Jie Jiang2,4; Bin Xiao1; Shuang-Hua Yang2,3,5

10.1109/INFOCOM52122.2024.10621186

2024-05-23

0743-166X

979-8-3503-8351-5

IEEE INFOCOM 2024 - IEEE Conference on Computer Communications

20-23 May 2024

Vancouver, BC, Canada

The development of the Industrial Internet of Things (IIoT) is impeded by the lack of unknown protocol specifications. Protocol Reverse Engineering (PRE) plays a crucial role in inferring unpublished protocol specifications by analyzing traffic messages. Since different types within a protocol often have distinct formats, inferring the protocol type is essential for subsequent reverse analysis. Natural Language Processing (NLP) models have demonstrated remarkable capabilities in various sequence tasks, and traffic messages of unknown protocols can be analyzed as sequences. In this paper, we propose a framework for clustering unknown industrial control protocol types. Our framework utilizes a transformer-based auto-encoder network to train corresponding request and response messages, leveraging intermediate layer embedding vectors learned by the network for clustering. The clustering results are employed to extract candidate keywords and establish empirical rules. Subsequently, rule-based re-clustering is performed, and its effectiveness is evaluated based on previous clustering results. Through this re-clustering process, we identify the most effective combination of keywords that define the type. We evaluate the proposed framework using three general protocols that have different type rules and successfully separate the protocol internal types completely.

其他

EI

1.Department of Computing, The Hong Kong Polytechnic University
2.Department of Computer Science and Engineering, Southern University of Science and Technology
3.Shenzhen Key Laboratory of Safety and Security for Next Generation of Industrial Internet
4.College of Information Science and Engineering, China University of Petroleum-Beijing
5.Department of Computer Science, University of Reading

Yuhuan Liu,Yulong Ding,Jie Jiang,et al. Industrial Control Protocol Type Inference Using Transformer and Rule-based Re-Clustering[C],2024.