ReFSM: Reverse engineering from protocol packet traces to test generation by extended finite state machines
Journal of Network and Computer Applications (IF 7.7), Pub Date: 2020-09-08, DOI: 10.1016/j.jnca.2020.102819
Ying-Dar Lin, Yu-Kuen Lai, Quan Tien Bui, Yuan-Cheng Lai

Protocol reverse engineering helps to automatically obtain protocol specifications, which are useful for network management, network security systems and test case generation tools. To achieve better accuracy, these applications require good models that capture not only the order in which messages are exchanged (the control flow aspect) but also the data being transmitted (the data flow aspect). However, current techniques focus only on inferring the control flow, represented as a Finite State Machine (FSM), without interpreting the data flow. The Extended Finite State Machine (EFSM), which embeds memory in the states and data guards on the FSM transitions, is a method commonly used to represent the data flow. In this work, we propose ReFSM, a novel approach to infer the EFSMs of protocols from network packet traces alone. The proposed method is evaluated on datasets of real-world network traffic traces of four protocols: FTP, SMTP, BitTorrent and PPLive. Based on the results, the coverage and the accuracy scores for correctness and behavior of the inferred models are always higher than 90%. The precision and recall values of message type identification are, at least, well above 94% and 96%, respectively. The inferred EFSMs are close to the correct model derived from the protocol specification.
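To make the difference between an FSM and an EFSM concrete, the following added example (not code from the ReFSM paper or its authors) hand-writes a small EFSM for a simplified FTP dialogue and replays constructed message traces against it. The states, message types, variables (`fails`, `data_port`, `transfers`), guards and the sample traces are all assumptions chosen for illustration; the paper's inferred models are not reproduced here. The point it shows is what the abstract attributes to EFSMs: the failed-login counter is memory carried across states, and the passive-mode port extracted from a `227` reply is data flow that guards whether a `RETR` is legal. A plain FSM would need duplicated states to express either, and a model like this is what a monitoring system or test generator would use to check captured sessions for conformance.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Added example (not from the ReFSM paper): a hand-written EFSM for a simplified FTP
# dialogue, used to replay message sequences and flag ones that violate the model.
# States, message types, variables, guards and the traces below are constructed.

Vars = Dict[str, int]
Msg = Dict[str, object]


def _true(v: Vars, m: Msg) -> bool:
    return True


def _noop(v: Vars, m: Msg) -> None:
    return None


@dataclass
class Transition:
    src: str
    msg_type: str                                  # command verb or reply code
    dst: str
    guard: Callable[[Vars, Msg], bool] = _true     # data guard over memory + message
    update: Callable[[Vars, Msg], None] = _noop    # memory update fired with the transition


@dataclass
class EFSM:
    initial: str
    variables: Vars
    transitions: List[Transition]

    def step(self, state: str, vars: Vars, msg: Msg) -> Optional[str]:
        """First transition whose source, message type and guard all match, else None."""
        for t in self.transitions:
            if t.src == state and t.msg_type == msg["type"] and t.guard(vars, msg):
                t.update(vars, msg)
                return t.dst
        return None

    def run(self, trace: List[Msg]) -> Tuple[bool, str, Vars, int]:
        """Replay a trace. Returns (accepted, final_state, final_vars, index of the
        first rejected message, or -1 when every message was accepted)."""
        state, vars = self.initial, dict(self.variables)
        for i, msg in enumerate(trace):
            nxt = self.step(state, vars, msg)
            if nxt is None:
                return False, state, vars, i
            state = nxt
        return True, state, vars, -1


_PASV = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_trace(lines: List[str]) -> List[Msg]:
    """Turn 'C: USER alice' / 'S: 227 ...' lines into typed messages. The one data-flow
    field extracted here is the passive-mode port announced in a 227 reply."""
    msgs: List[Msg] = []
    for line in lines:
        direction, _, body = line.partition(": ")
        mtype = body.split(" ", 1)[0]
        msg: Msg = {"dir": direction, "type": mtype, "raw": body}
        if mtype == "227":
            m = _PASV.search(body)
            if m:
                msg["port"] = int(m.group(5)) * 256 + int(m.group(6))
        msgs.append(msg)
    return msgs


def _count_fail(v: Vars, m: Msg) -> None:
    v["fails"] += 1


def _store_port(v: Vars, m: Msg) -> None:
    v["data_port"] = int(m.get("port", 0))


def _consume_port(v: Vars, m: Msg) -> None:
    v["transfers"] += 1
    v["data_port"] = 0          # the announced passive connection is used up


FTP_EFSM = EFSM(
    initial="INIT",
    variables={"fails": 0, "data_port": 0, "transfers": 0},
    transitions=[
        Transition("INIT", "USER", "USER_SENT"),
        Transition("USER_SENT", "331", "NEED_PASS"),
        Transition("NEED_PASS", "PASS", "PASS_SENT"),
        Transition("PASS_SENT", "230", "LOGGED_IN"),
        # memory: two failed logins are tolerated, the third ends the session
        Transition("PASS_SENT", "530", "INIT", guard=lambda v, m: v["fails"] < 2, update=_count_fail),
        Transition("PASS_SENT", "530", "CLOSED", guard=lambda v, m: v["fails"] >= 2, update=_count_fail),
        Transition("LOGGED_IN", "PASV", "PASV_SENT"),
        Transition("PASV_SENT", "227", "LOGGED_IN", update=_store_port),
        # data guard: a transfer is only legal once a passive port has been announced
        Transition("LOGGED_IN", "RETR", "TRANSFER", guard=lambda v, m: v["data_port"] > 0),
        Transition("TRANSFER", "226", "LOGGED_IN", update=_consume_port),
        Transition("LOGGED_IN", "QUIT", "QUIT_SENT"),
        Transition("QUIT_SENT", "221", "CLOSED"),
    ],
)

# Constructed sample traces (not real captures).
GOOD_TRACE = [
    "C: USER alice", "S: 331 Password required", "C: PASS wrong", "S: 530 Login incorrect",
    "C: USER alice", "S: 331 Password required", "C: PASS right", "S: 230 Login successful",
    "C: PASV", "S: 227 Entering Passive Mode (127,0,0,1,200,10).",
    "C: RETR report.txt", "S: 226 Transfer complete", "C: QUIT", "S: 221 Goodbye",
]
BAD_TRACE = [   # RETR without a preceding PASV: rejected by the data guard
    "C: USER alice", "S: 331 Password required", "C: PASS right", "S: 230 Login successful",
    "C: RETR report.txt", "S: 226 Transfer complete",
]
LOCKOUT_TRACE = ["C: USER alice", "S: 331 Password required", "C: PASS x", "S: 530 Login incorrect"] * 3

if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE), ("lockout", LOCKOUT_TRACE)):
        print(name, FTP_EFSM.run(parse_trace(trace)))
```

`run` reports the index of the first message the model cannot explain, which is the information a conformance checker or a test generator wants: for `BAD_TRACE` it is the `RETR` at index 4, rejected while the machine is still in `LOGGED_IN` because `data_port` is 0, even though the control flow alone (login, then a command) looks plausible.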

Updated: 2020-09-08