Result: ProRE: A Protocol Message Structure Reconstruction Method Based on Execution Slice Embedding
Further Information
Message structure reconstruction is a critical task in protocol reverse engineering, aiming to recover protocol field structures without access to source code. It enables important applications in network security, including malware analysis and protocol fuzzing. However, existing methods suffer from inaccurate field boundary delineation and lack hierarchical relationship recovery, resulting in imprecise and incomplete reconstructions. In this paper, we propose ProRE, a novel method for reconstructing protocol field structures based on program execution slice embedding. ProRE extracts code slices from protocol parsing at runtime, converts them into embedding vectors using a data flow-sensitive assembly language model, and performs hierarchical clustering to recover complete protocol field structures. Evaluation on two datasets containing 12 protocols shows that ProRE achieves an average F1 score of 0.85 and a cophenetic correlation coefficient of 0.189, improving by 19% and 0.126% respectively over state-of-the-art methods (including BinPRE, Tupni, Netlifter, and QwQ-32B-preview), demonstrating significant superiority in both accuracy and completeness of field structure recovery. Case studies further validate the effectiveness of ProRE in practical malware analysis scenarios.