Application-specific parsing of text-based network protocols

Salloum, Mohammad
Parsing, Text-based protocols, Intrusion Detection, ANTLR, Constraint-based intrusion detection, Application-specific
Application-specific parsing extracts application data that is presented in a format customized to a particular application. Parsing application data found in network traffic effectively provides a solid foundation for application-level traffic analysis software; one example is an intrusion detection system that operates at the application level. In this thesis, we present our work on message categorization and targeted parsing of text-based network protocol messages. We categorize protocol messages into types and parse each message with a parser targeted at that type of message. We created a parser specification language from which custom parsers are generated automatically. The specification language defines the types of protocol messages, the names of the grammars used to parse them, the parts of a message that carry application data, and the functions to be applied to the parsed data. We use the parser generation framework ANTLR to generate the parsers for our system. We tested our approach on network traffic generated by four different applications running over text-based protocols, and our parsers parsed all application data found in that traffic. We also created a Constraint Engine to demonstrate how the parsing system can be used to validate application-level constraints on network traffic.
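The following is an added example, not code from the thesis: a Python sketch of the categorize-then-parse pipeline and the constraint engine that the abstract describes. The thesis generates its parsers with ANTLR from a specification language; here, as an assumption for self-containment, regular expressions stand in for the per-type grammars, a Python list stands in for the specification, and the message types (HTTP request, SMTP MAIL/RCPT), the post-processing functions, the constraints and the sample traffic are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed sample traffic (not captured from a real network): two HTTP requests,
# two SMTP commands, one message of a type the spec does not know, one malformed request.
SAMPLE_MESSAGES = [
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n",
    "POST /files/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: example.test\r\nContent-Length: 99999\r\n\r\n",
    "MAIL FROM:<alice@example.test>\r\n",
    "RCPT TO:<bob@evil.test>\r\n",
    "HELO mail.example.test\r\n",
    "GET / HTTP/1.1\r\nHost: x\r\n",  # no terminating blank line: fails the grammar
]


@dataclass
class MessageSpec:
    """One entry of the (hypothetical) parser specification: how to recognise a
    message type, which grammar parses it, and which functions run on the result."""
    name: str
    matcher: re.Pattern       # cheap test used to categorize the message
    grammar: re.Pattern       # stands in for an ANTLR grammar (assumption)
    post_functions: list = field(default_factory=list)


# Functions applied to parsed application data, as the spec language allows.
def http_decode_path(data):
    data["path"] = unquote(data["path"])        # %2e%2e -> .. before any constraint sees it
    return data


def http_split_headers(data):
    headers = {}
    for line in data["headers_raw"].split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    data["headers"] = headers
    return data


def smtp_split_address(data):
    local, _, domain = data["address"].rpartition("@")
    data["local_part"], data["domain"] = local, domain.lower()
    return data


SPEC = [
    MessageSpec("http_request",
                re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d\r\n"),
                re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<version>\d\.\d)\r\n"
                           r"(?P<headers_raw>(?:[^\r\n]+\r\n)*)\r\n"),
                [http_decode_path, http_split_headers]),
    MessageSpec("smtp_mail", re.compile(r"^MAIL FROM:", re.I),
                re.compile(r"^MAIL FROM:<(?P<address>[^>]*)>\r\n$", re.I), [smtp_split_address]),
    MessageSpec("smtp_rcpt", re.compile(r"^RCPT TO:", re.I),
                re.compile(r"^RCPT TO:<(?P<address>[^>]*)>\r\n$", re.I), [smtp_split_address]),
]


def categorize(message):
    """Return the first spec whose matcher accepts the message, or None."""
    for spec in SPEC:
        if spec.matcher.match(message):
            return spec
    return None


def parse_message(message):
    """Categorize, then parse with the grammar targeted at that type."""
    spec = categorize(message)
    if spec is None:
        return {"type": "unknown", "raw": message}
    m = spec.grammar.match(message)
    if m is None:
        return {"type": spec.name, "error": "grammar mismatch", "raw": message}
    data = {"type": spec.name, **m.groupdict()}
    for fn in spec.post_functions:
        data = fn(data)
    return data


def _content_length(data):
    try:
        return int(data["headers"].get("content-length", "0"))
    except ValueError:
        return -1          # non-numeric value: treated as a violation below


# Constraint engine: (message type, description, predicate that is True when satisfied).
CONSTRAINTS = [
    ("http_request", "path must not traverse upward", lambda d: ".." not in d["path"].split("/")),
    ("http_request", "Content-Length must be <= 4096", lambda d: 0 <= _content_length(d) <= 4096),
    ("http_request", "only GET and POST allowed", lambda d: d["method"] in ("GET", "POST")),
    ("smtp_rcpt", "recipient domain must be local", lambda d: d["domain"] == "example.test"),
]


def check_constraints(parsed):
    """Return the descriptions of every constraint the parsed message violates."""
    if "error" in parsed or parsed["type"] == "unknown":
        return []   # nothing parsed, so nothing to validate (an IDS would log this separately)
    return [desc for mtype, desc, pred in CONSTRAINTS
            if mtype == parsed["type"] and not pred(parsed)]


def analyse(messages):
    return [(p["type"], check_constraints(p)) for p in map(parse_message, messages)]


if __name__ == "__main__":
    for mtype, violations in analyse(SAMPLE_MESSAGES):
        print(mtype, violations or "ok")
```

Two points the pipeline makes concrete: the post-processing functions run before the constraints, so an encoded traversal in the request path is already decoded when the engine sees it; and a message whose type is recognised but whose body does not fit the targeted grammar is reported as a parse failure rather than silently passed.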