Nikita Borisov, David Brumley, Helen J. Wang, and Chuanxiong Guo
Application-level protocol analyzers are important components in tools such as intrusion detection systems, firewalls, and network monitors. Currently, protocol analyzers are written in an ad-hoc fashion using low-level languages such as C, incurring a high development cost and the security risks inherent in low-level language programming. Motivated by the large number of application-level protocols and the new ones constantly emerging, we have architected and prototyped a Generic Application-level Protocol Analyzer (GAPA), consisting of a protocol specification language (GAPAL) and an analysis engine that operates on network streams and traces. GAPA allows rapid creation of protocol analyzers, greatly reducing the development time needed. It uses a syntax similar to that found in existing specification documents and supports both binary and text-based protocols. The GAPA design goals include expressiveness, ease of use, safety, and low overhead; it is intended to operate well in an adversarial environment. Our evaluation demonstrates that the GAPA language is expressive and easy to use for practical protocols, and that the GAPA system is scalable and allows online analysis of protocol traffic. We have already found GAPA to be useful in intrusion detection, firewall, and network monitoring contexts, and we envision additional applications, such as automatic vulnerability signature generation.