{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,8]],"date-time":"2026-04-08T04:31:52Z","timestamp":1775622712044,"version":"3.50.1"},"reference-count":103,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"1","license":[{"start":{"date-parts":[[2019,1,1]],"date-time":"2019-01-01T00:00:00Z","timestamp":1546300800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2019,1,1]],"date-time":"2019-01-01T00:00:00Z","timestamp":1546300800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2019,1,1]],"date-time":"2019-01-01T00:00:00Z","timestamp":1546300800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Commun. Surv. Tutorials"],"published-print":{"date-parts":[[2019]]},"DOI":"10.1109\/comst.2018.2867544","type":"journal-article","created":{"date-parts":[[2018,8,29]],"date-time":"2018-08-29T16:13:09Z","timestamp":1535559189000},"page":"526-561","source":"Crossref","is-referenced-by-count":57,"title":["Survey of Protocol Reverse Engineering Algorithms: Decomposition of Tools for Static Traffic Analysis"],"prefix":"10.1109","volume":"21","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9836-4897","authenticated-orcid":false,"given":"Stephan","family":"Kleber","sequence":"first","affiliation":[]},{"given":"Lisa","family":"Maile","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3800-8369","authenticated-orcid":false,"given":"Frank","family":"Kargl","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"key":"ref39","first-page":"200","article-title":"ReFormat: Automatic reverse engineering of encrypted messages","author":"wang","year":"2009","journal-title":"Proceedings of Computers Security"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.14"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.3233\/JIFS-169294"},{"key":"ref32","first-page":"1","article-title":"Inferring protocol state machine from network traces: A probabilistic approach","author":"wang","year":"2011","journal-title":"Proceeding of Applied Cryptography and Network Security (ACNS)"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/CISDA.2009.5356565"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/WCRE.2007.6"},{"key":"ref37","article-title":"Automatic protocol format reverse engineering through context- aware monitored execution","author":"lin","year":"2008","journal-title":"Proc Network and Distributed System Security Symp (NDSS)"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315286"},{"key":"ref35","first-page":"50","article-title":"ASAP: Automatic semantics-aware analysis of network payloads","author":"krueger","year":"2010","journal-title":"Proc Privacy Security Issues Data Min Mach Learn (PSDML)"},{"key":"ref34","first-page":"239","article-title":"AutoFuzz: Automated network protocol fuzzing framework","volume":"10","author":"gorbunov","year":"2010","journal-title":"Int J Comput Sci Netw Security"},{"key":"ref28","article-title":"NEMESYS: Network message syntax reverse engineering by analysis of the intrinsic structure of individual messages","author":"kleber","year":"2018","journal-title":"Proc USENIX Workshop Offensive Technol"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.3233\/JIFS-169067"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2005.49"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/PDCAT.2011.25"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/CIS.2015.83"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1109\/ICNP.2012.6459963"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1016\/j.comcom.2016.02.015"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1109\/IFIPNetworking.2015.7145307"},{"key":"ref101","doi-asserted-by":"publisher","DOI":"10.1109\/TNET.2010.2044046"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1049\/iet-com.2015.0797"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1109\/TNET.2012.2219591"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1155\/2016\/9161723"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1145\/1180405.1180444"},{"key":"ref51","article-title":"SGNET: Automated protocol learning for the observation of malicious threats","author":"leita","year":"2008"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-04898-2_326"},{"key":"ref58","doi-asserted-by":"crossref","first-page":"5228","DOI":"10.1073\/pnas.0307752101","article-title":"Finding scientific topics","volume":"101","author":"griffiths","year":"2004","journal-title":"Proc Nat Acad Sci USA"},{"key":"ref57","first-page":"993","article-title":"Latent Dirichlet allocation","volume":"3","author":"blei","year":"2003","journal-title":"J Mach Learn Res"},{"key":"ref56","first-page":"3247","article-title":"Sally: A tool for embedding strings in vector spaces","volume":"13","author":"rieck","year":"2012","journal-title":"J Mach Learn Res"},{"key":"ref55","article-title":"Consumer media capture: Time-based analysis and event clustering","author":"gargi","year":"2003"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-04898-2_327"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1145\/1629607.1629610"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1093\/nar\/16.22.10881"},{"key":"ref40","article-title":"Automatic reverse engineering of data structures from binary execution","author":"lin","year":"2010","journal-title":"Proc Network and Distributed System Security Symp (NDSS)"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2012.08.003"},{"key":"ref3","year":"2014","journal-title":"CAPEC–CAPEC-192 Protocol Reverse Engineering (Version 2 6)"},{"key":"ref6","first-page":"129","article-title":"Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses","author":"halperin","year":"2008","journal-title":"Prof IEEE Symp Security and Privacy (SP)"},{"key":"ref5","first-page":"580","article-title":"A network protocol reverse engineering method based on dynamic taint propagation similarity","author":"li","year":"2016","journal-title":"Proc 12th Int Conf Intell Comput (ICIC)"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/CIS.2011.156"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653737"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.26"},{"key":"ref9","article-title":"A survey of automatic protocol reverse engineering tools","volume":"48","author":"narayan","year":"2015","journal-title":"ACM Comput Surveys"},{"key":"ref46","doi-asserted-by":"crossref","first-page":"48","DOI":"10.1007\/978-3-319-66332-6_3","article-title":"Breaking fitness records without moving: Reverse engineering and spoofing fitbit","author":"fereidooni","year":"2017","journal-title":"Proc 20th Int Symp Res Attacks Intrusions Defenses (RAID)"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1155\/2017\/1308045"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1109\/ICFSP.2016.7802969"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1371\/journal.pone.0186188"},{"key":"ref42","author":"tridgell","year":"2003","journal-title":"How Samba was Written"},{"key":"ref41","first-page":"139","article-title":"Protocol reverse engineering: Challenges and obfuscation","author":"duch\u00eane","year":"2016","journal-title":"Proc 11th Int Conf Risks Security Internet Syst Revised Sel Papers (CRiSIS)"},{"key":"ref44","first-page":"114","article-title":"A model-based approach to security flaw detection of network protocol implementations","author":"hsu","year":"2008","journal-title":"Proc IEEE Int Conf Netw Protocols (ICNP)"},{"key":"ref43","author":"tartaro","year":"2014","journal-title":"Cyber Necromancy"},{"key":"ref73","first-page":"68","article-title":"Partitioning around medoids (program PAM)","author":"kaufman","year":"2005","journal-title":"Finding Groups in Data An Introduction to Cluster Analysis"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1002\/widm.53"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1093\/nar\/gkh340"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1016\/0022-2836(81)90087-5"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1145\/860435.860485"},{"key":"ref77","first-page":"617","article-title":"Agglomerative information bottleneck","volume":"12","author":"slonim","year":"1999","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref74","doi-asserted-by":"crossref","first-page":"972","DOI":"10.1126\/science.1136800","article-title":"Clustering by passing messages between data points","volume":"315","author":"frey","year":"2007","journal-title":"Science"},{"key":"ref75","first-page":"535","article-title":"Algorithms for non-negative matrix factorization","volume":"13","author":"lee","year":"2000","journal-title":"Proc Conf Adv Neural Inf Process Syst (NIPS)"},{"key":"ref78","article-title":"The information bottleneck method","author":"tishby","year":"2000","journal-title":"arXiv physics\/0004057 [physics data-an]"},{"key":"ref79","first-page":"504","article-title":"Blind construction of optimal nonlinear recursive predictors for discrete sequences","author":"shalizi","year":"2004","journal-title":"Proc 20th Conf Uncertainty Artif Intell (UAI)"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1111\/j.1469-8137.1912.tb05611.x"},{"key":"ref62","first-page":"65","article-title":"A simple sequentially rejective multiple test procedure","volume":"6","author":"holm","year":"1979","journal-title":"Scandinavian J Stat"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-04898-2_641"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-04898-2_194"},{"key":"ref64","first-page":"487","article-title":"Fast algorithms for mining association rules","author":"agrawal","year":"1994","journal-title":"Proc 20th Int Conf Very Large Data Bases (VLDB)"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1145\/342009.335372"},{"key":"ref66","first-page":"1409","article-title":"A statistical method for evaluating systematic relationships","volume":"38","author":"sokal","year":"1958","journal-title":"Univ Kansas Sci Bull"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1109\/PROC.1973.9030"},{"key":"ref68","first-page":"605","article-title":"A novel clustering algorithm based on hierarchical and K-means clustering","author":"wenchao","year":"2007","journal-title":"Proc IEEE Chin Control Conf"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866355"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1016\/0022-2836(70)90057-4"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1145\/2857705.2857746"},{"key":"ref95","author":"overell","year":"2008","journal-title":"Augmented BNF for syntax specifications ABNF"},{"key":"ref94","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-29145-6"},{"key":"ref93","first-page":"1","article-title":"A virtual honeypot framework","author":"provos","year":"2004","journal-title":"Proc 13th Usenix Security Symp"},{"key":"ref92","author":"sutton","year":"2007","journal-title":"Fuzzing Brute Force Vulnerability Discovery"},{"key":"ref91","first-page":"111","article-title":"Consensus sequence zen","volume":"1","author":"schneider","year":"2002","journal-title":"Appl Bioinformat"},{"key":"ref90","year":"0"},{"key":"ref103","doi-asserted-by":"publisher","DOI":"10.1093\/bioinformatics\/btu177"},{"key":"ref102","first-page":"399","article-title":"Statistical protocol identification with SPID: Preliminary results","author":"hjelmvik","year":"2009","journal-title":"swedish National computer networking Workshop"},{"key":"ref98","doi-asserted-by":"crossref","first-page":"330","DOI":"10.1007\/978-3-319-28865-9_18","article-title":"PULSAR: Stateful black-box fuzzing of proprietary network protocols","author":"gascon","year":"2015","journal-title":"Proc 11th Int Conf Security Privacy Commun Netw Revised Sel Papers (SecureComm)"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1109\/TNET.2014.2381230"},{"key":"ref96","author":"linn","year":"1995","journal-title":"Conformance Testing Methodologies and Architectures for OSI Protocols"},{"key":"ref97","year":"2015","journal-title":"Information technology—Abstract syntax notation one"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-016-0289-8"},{"key":"ref11","article-title":"Network protocol analysis using bioinformatics algorithms","author":"beddoe","year":"2004"},{"key":"ref12","article-title":"Protocol debug (PDB)","author":"rauch","year":"2006","journal-title":"Proc Black Hat USA"},{"key":"ref13","article-title":"Discoverer: Automatic protocol reverse engineering from network traces","author":"cui","year":"2007","journal-title":"Proc 16th USENIX Security Symp"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/WCRE.2011.28"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/2381896.2381904"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1145\/2590296.2590346"},{"key":"ref82","first-page":"238","article-title":"The prefix tree acceptor (PTA)","author":"de la higuera","year":"2010","journal-title":"Grammatical Inference Learning Automata and Grammars"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2013.01.013"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1214\/aoms\/1177697196"},{"key":"ref18","article-title":"Protocol-independent adaptive replay of application dialog","author":"cui","year":"2006","journal-title":"Proc Symp Network and Distributed System Security"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9781139194655"},{"key":"ref19","first-page":"415","article-title":"Hidden Markov models for automated protocol learning","author":"whalen","year":"2010","journal-title":"Proc 6th Int Conf Security Privacy Commun Syst (SecureComm)"},{"key":"ref83","doi-asserted-by":"crossref","first-page":"788","DOI":"10.1038\/44565","article-title":"Learning the parts of objects by non-negative matrix factorization","volume":"401","author":"lee","year":"1999","journal-title":"Nature"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1016\/j.artint.2009.11.011"},{"key":"ref89","doi-asserted-by":"publisher","DOI":"10.1016\/0890-5401(87)90052-6"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1089\/cmb.1994.1.337"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1126\/science.1205438"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1109\/5.18626"},{"key":"ref88","article-title":"Minimization of automata","author":"berstel","year":"2010","journal-title":"arXiv 1010 5318 [cs FL]"}],"container-title":["IEEE Communications Surveys & Tutorials"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/9739\/8649699\/08449079.pdf?arnumber=8449079","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,7,13]],"date-time":"2022-07-13T20:52:59Z","timestamp":1657745579000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/8449079\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019]]},"references-count":103,"journal-issue":{"issue":"1"},"URL":"https:\/\/doi.org\/10.1109\/comst.2018.2867544","relation":{},"ISSN":["1553-877X","2373-745X"],"issn-type":[{"value":"1553-877X","type":"electronic"},{"value":"2373-745X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019]]}}}