Network protocol fingerprinting is used to identify a protocol implementation by analyzing its input-output behavior. Traditionally, fingerprinting operates under a closed-world assumption, where models of all implementations are assumed to be available. However, this assumption is unrealistic in practice. When this assumption does not hold, fingerprinting results in numerous misclassifications without indicating that a model for an implementation is missing. Therefore, we introduce an open-world variant of the fingerprinting problem, where not all models are known in advance. We propose an incremental fingerprinting approach to solve the problem by combining active automata learning with closed-world fingerprinting. Our approach quickly determines whether the implementation under consideration matches an available model using fingerprinting and conformance checking. If no match is found, it learns a new model by exploiting the structure of available models. We prove the correctness of our approach and improvements in asymptotic complexity compared to naive baselines. Moreover, experimental results on a variety of protocols demonstrate a significant reduction in misclassifications and interactions with these black-boxes.
翻译:网络协议指纹识别通过分析协议实现的输入-输出行为来识别具体实现。传统指纹识别方法基于封闭世界假设,即假定所有实现模型均已知。然而该假设在实践中往往不成立。当假设失效时,指纹识别会产生大量误分类,且无法提示缺失实现模型的情况。为此,我们提出指纹识别问题的开放世界变体,其中并非所有模型均预先已知。我们通过将主动自动机学习与封闭世界指纹识别相结合,提出增量式指纹识别方法来解决该问题。该方法首先利用指纹识别与一致性检验快速判断目标实现是否匹配现有模型;若无匹配模型,则利用现有模型结构学习新模型。我们证明了方法的正确性,并论证了相较于朴素基线方法在渐近复杂度上的改进。此外,在多种协议上的实验结果表明,该方法能显著减少误分类次数及与黑盒系统的交互次数。