Clustering method in protocol reverse engineering for industrial protocols

Summary Automation in all aspects of industrial activity is currently needed in today's industries. Networks, which are the most essential elements of automation, have been widely used in industrial sites to realize such needs. However, network security threats and malfunctions at industrial sites can cause considerable physical damage. Damage can be prevented, and threats can be detected through network traffic monitoring. However, industrial protocols use self‐developed protocols to ensure rapid and efficient data transfer, and most self‐developed protocols are private networking protocols. Efficient network traffic monitoring requires a detailed understanding of the structure of industrial protocols. Studies on existing protocol reverse engineering methods for commercial protocols have indicated that there are many limitations in applying these methods to industrial protocols. Therefore, in this paper, we propose a method of analyzing the structure of private protocols that can be employed as industrial protocols. This methodology consists of six modules: traffic collection, message extraction, message clustering by size, message clustering by similarity, field extraction, and session analysis. We collect traffic using the Schneider Modicon M580 and demonstrate the validity of the proposed methodology by comparing collected traffic with existing protocol reverse engineering methods.