MARS: Automated Protocol Analysis Framework for Internet of Things

Abstract

Internet of Things (IoT) devices generate a massive quantity of network traffic every moment, which undoubtedly poses an urgent demand for an accurate and efficient network protocol analysis tool in cyberspace management and security. However, the existing popular methods have limitations, such as incomplete functionality and insufficient accuracy. For example, the large number of novel network applications brings unprecedented protocols for protocol analysis, which greatly limit the analysis capabilities of existing tools. In this article, we devise an automated protocol analysis framework for IoT devices called <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">MARS</i> to solve these problems. To the best of our knowledge, this is the first unified framework including all three analysis stages: 1) classifying protocol; 2) analyzing the protocol phase; and 3) parsing the protocol field. At each stage, we provide effective solutions to solve the corresponding tasks and improve the efficiency of protocol analysis. <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">MARS</i> can also deal with unknown protocols that are common in IoT scenarios but are rarely concerned by previous works. Finally, we develop a distributed computing engine to ensure the high throughput and processing speed of the whole framework for the huge amount of network traffic. The evaluation on a variety of different protocols shows the superiority of our <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">MARS</i> over previous works in terms of comprehensiveness and accuracy.