A Generic Application-Level Protocol Analyzer and its Language

Nikita Borisov, David J. Brumley, Helen J. Wang, John Dunagan, Pallavi Joshi, Chuanxiong Guo

Research output: Contribution to conference > Paper > peer-review


The Shield project relied on application protocol analyzers to detect potential exploits of application vulnerabilities. We present the design of a second-generation generic application-level protocol analyzer (GAPA) that encompasses a domain-specific language and the associated run-time. We designed GAPA to satisfy three important goals: safety, real-time analysis and response, and rapid development of analyzers. We have found that these goals are relevant for many network monitors that implement protocol analysis. Therefore, we built GAPA to be readily integrated into tools such as Ethereal as well as Shield. GAPA preserves safety through the use of a memory-safe language for both message parsing and analysis, and through various techniques to reduce the amount of state maintained in order to avoid denial-of-service attacks. To support online analysis, the GAPA runtime uses a stream-processing model with incremental parsing. In order to speed protocol development, GAPA uses a syntax similar to many protocol RFCs and other specifications, and incorporates many common protocol analysis tasks as built-in abstractions. We have specified 10 commonly used protocols in the GAPA language and found it expressive and easy to use. We measured our GAPA prototype and found that it can handle an enterprise client HTTP workload at up to 60 Mbps, sufficient performance for many end-host firewall/IDS scenarios. At the same time, the trusted code base of GAPA is an order of magnitude smaller than Ethereal.

Original language: English (US)
State: Published - 2007
Externally published: Yes
Event: 14th Symposium on Network and Distributed System Security, NDSS 2007 - San Diego, United States
Duration: Feb 28 2007 to Mar 2 2007


Conference: 14th Symposium on Network and Distributed System Security, NDSS 2007
Country/Territory: United States
City: San Diego

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications
  • Control and Systems Engineering
