
Research and Development of Wireless Protocol Automatic Analyzer

Woorim Bang, Youngbae Jeon, Shinwoo Shim, Kwangsoo Kim, Ji Won Yoon

http://doi.org/10.5626/JOK.2019.46.8.852

Automatic Protocol Reverse Engineering (APRE) refers to the automatic analysis of the format, semantics, and parameters of an unknown protocol. APRE can be used to detect malware that is distributed on the network, or to verify the security and suitability of protocols that have been defined on their own. Conventional APRE studies have been conducted mostly on text-based protocols and wired protocols. As the number of wireless devices increases, there is an increasing need for a protocol analyzer for wireless protocols. Therefore, in this paper, an automatic protocol analyzer was researched and developed with the characteristics of wireless protocols in mind. To analyze the wireless protocol, this study analyzed the messages in binary units. We propose a method that calculates the message distance by assigning a weight according to the packet acquisition time interval, so that similar messages can be clustered together. When messages collected according to the IEEE 802.11 protocol were analyzed with the proposed method, we could correctly classify 95.1% of message types among 800 messages, and the degree of conciseness was 3.6. With Netzob, one of the existing APRE tools, 92.1% precision was obtained with a conciseness of 3.5. Consequently, the proposed method showed better performance than Netzob.


Journal of KIISE

  • ISSN : 2383-630X(Print)
  • ISSN : 2383-6296(Electronic)
  • KCI Accredited Journal

Editorial Office

  • Tel. +82-2-588-9240
  • Fax. +82-2-521-1352
  • E-mail. chwoo@kiise.or.kr