Extracting Information from Unknown Protocols On CampusNet

• Published in: 2007 First IEEE International Symposium on Information Technologies and Applications in Education pp. 535 - 539
• Main Authors: Zhuanghui Yu, Yongzhong Huang, Shaozhong Guo, Bei Zhou, Hua Ren
• Format: Conference Proceeding
• Language: English
• Published: IEEE 01.11.2007
• Subjects: Algorithm design and analysis; Data mining; Dynamic Field; Information analysis; Information Extraction; Information security; Intrusion detection; Message Format; Programmable logic arrays; Protocols; Reverse engineering; Telecommunication traffic; Testing
• ISBN: 9781424413850; 1424413850
• DOI: 10.1109/ISITAE.2007.4409343

As information security has been increasingly concerned on our campus network, in many occasions, it's highly useful to extract information from various network traces, including recognizing malware variants, detecting intrusion, and normalizing traffic. Traditionally, the extracting work often depends on the protocol specification. However, there are often no sufficient documents or time for parsing the protocol specified. We present Catcher, a system for semi-automatically extracting information from unknown protocols. The key novelty in our work is that we locate the information and pick it out directly. Catcher does not require knowledge of any protocol, it automatically parses packets given. In the afterward step, if the same type packets come up, it Mill recognize them and extract information out of them. In order to test the effectiveness of our tool, we use Catcher to extract information over Http and DNS (with no predefinitions of these protocols), as well as chat applications such as MSN, the result reveals that Catcher can extract information from unknown protocols effectively.