Maxim Shevertalov

A Reverse Engineering Tool for Extracting Protocols of Networked Applications

Networked applications play a significant role in todays interconnected world. It is important for software engineers to be able to understand and model the behavior of these applications during software maintenance. Some networked applications use legacy protocols in ways they were not intended to be used. Others use newly created protocols that are designed in an ad hoc way to simply meet requirements. Protocol usage needs to be understood so that applications can be effectively tested and maintained. In this paper we propose the first step in achieving this goal by presenting a dynamic analysis tool, called PEXT, that can reverse engineer a networked applications underlying protocol by analyzing a collection of packets captured from the application at runtime. We demonstrate the effectiveness of this tool by extracting a protocol from an FTP application, and comparing the extracted protocol to the documented FTP protocol defined in RFC 959.

A Probabilistic Approach to Source Code Authorship Identification

There exists a need for tools to help identify the authorship of source code. This includes situations in which the ownership of code is questionable, such as in plagiarism or intellectual property infringement disputes. Authorship identification can also be used to assist in the apprehension of the creators of malware. In this paper we present an approach to identifying the authors of source code. We begin by computing a set of metrics to build profiles for a population of known authors using code samples that are verified to be authentic. We then compute metrics on unidentified source code to determine the closest matching profile. We demonstrate our approach on a case study that involves two kinds of software: one based on open source developers working on various projects, and another based on students working on assignments with the same requirements. In our case study we are able to determine authorship with greater than 70% accuracy in choosing the single nearest match and greater than 90% accuracy in choosing the top three ordered nearest matches

On the use of computational geometry to detect software faults at runtime

Despite advances in software engineering, software faults continue to cause system downtime. Software faults are difficult to detect before the system fails, especially since the first symptom of a fault is often system failure itself. This paper presents a computational geometry technique and a supporting tool to tackle the problem of timely fault detection during the execution of a software application. The approach in- volves collecting a variety of runtime measurements and building a geometric enclosure, such as a convex hull, which represents the normal (i.e., non-failing) operating space of the application being monitored. When collected runtime measurements are classified as being outside of the enclosure, the application is considered to be in an anomalous (i.e., failing) state. This paper presents exper- imental results that illustrate the advantages of using a computational geometry approach over the distance based approaches of Chi-Squared and Mahalanobis distance. Additionally, we present results illustrating the advantages of using the convex-hull enclosure for fault detection in favor of a simpler enclosure such as a hyperrectangle

A Case Study on the Automatic Composition of Network Application Mashups

MaxMash is a tool that can compose select features of networked application and generate the source code for application mashups that can integrate those features. This paper presents a case study that demonstrates how MaxMash is used to combine the Jabber chatting protocol and the Microsoft Maps Web application. The composed mashup is able to answer direction queries via a chat client.

Using Search Methods for Selecting and Combining Software Sensors to Improve Fault Detection in Autonomic Systems

Fault-detection approaches in autonomic systems typically rely on runtime software sensors to compute metrics for CPU utilization, memory usage, network throughput, and so on. One detection approach uses data collected by the runtime sensors to construct a convex-hull geometric object whose interior represents the normal execution of the monitored application. The approach detects faults by classifying the current application state as being either inside or outside of the convex hull. However, due to the computational complexity of creating a convex hull in multi-dimensional space, the convex-hull approach is limited to a few metrics. Therefore, not all sensors can be used to detect faults and so some must be dropped or combined with others. This paper compares the effectiveness of genetic-programming, genetic-algorithm, and random-search approaches in solving the problem of selecting sensors and combining them into metrics. These techniques are used to find 8 metrics that are derived from a set of 21 available sensors. The metrics are used to detect faults during the execution of a Java-based HTTP web server. The results of the search techniques are compared to two hand-crafted solutions specified by experts.

Task Dependency of User Perceived Utility in Autonomic VoIP Systems

The transmission of voice-over-Internet protocol (VoIP) network traffic is used in an increasing variety of applications and settings. Many of these applications involve communications where VoIP systems are deployed under unpredictable conditions with poor network support. These conditions make it difficult for users to configure and optimize VoIP systems and this creates a need for self configuring and self optimizing systems. To build an autonomic system for VoIP communications, it is valuable to be able to measure the user perceived utility of a system. In this paper we identify factors important to the estimation of user perceived utility in task dependent VoIP communications.

A genetic algorithm for solving the binning problem in networked applications detection

Network administrators need a tool that detects the kind of applications running on their networks, in order to allocate resources and enforce security policies. Previous work shows that applications can be detected by analyzing packet size distributions. Detection by packet size distribution is more efficient and accurate if the distribution is binned. An unbinned packet size distribution considers the occurrences of each packet size individually. In contrast, a binned packet size distribution considers the occurrences of packets within packet size ranges. This paper reviews some of the common methods for binning distributions and presents an improved approach to binning using a genetic algorithms to assist the detection of network applications.

Diagnosis of software failures using computational geometry

Complex software systems have become commonplace in modern organizations and are considered critical to their daily operations. They are expected to run on a diverse set of platforms while interoperating with a wide variety of other applications. Although there have been advances in the discipline of software engineering, software faults, and malicious attacks still regularly cause system downtime [1]. Downtime of critical applications can create additional work, cause delays, and lead to financial loss [2]. This paper presents a computational geometry technique to tackle the problem of timely failure diagnosis during the execution of a software application. Our approach to failure diagnosis involves collecting a set of software metrics and building a geometric enclosures corresponding to known classes of faults. The geometric enclosures are then used to partition the state space defined by the metrics

An Approach to Comprehending Networked Applications through Analogy

Distributed applications rely on packet-switched networks to connect their various elements. This paper describes a technique that can help software engineers and network administrators characterize unfamiliar networked applications by matching them to a single, or a combination of several, analogous and familiar networked applications). This matching is based on the size distribution of the packets sent and received by the application undergoing scrutiny.