Existing static and dynamic analysis methods for inferring protocol state machines from implementations suffer from path explosion and insufficient code coverage, hindering accurate state-machine reconstruction. This paper introduces, for the first time, large language models (LLMs) to automate protocol state-machine inference. Our approach integrates retrieval-augmented generation (RAG), source-code semantic parsing, and structured prompt engineering to enable end-to-end identification, modeling, and formal representation of state machines directly from protocol source code. It overcomes classical analysis bottlenecks and supports precise characterization of cross-version state-machine differences. Evaluated on six mainstream protocol implementations, our method achieves over 90% state-machine recognition accuracy, improves fuzz-testing coverage by more than 20%, and successfully uncovers two zero-day vulnerabilities.

State machines play a pivotal role in augmenting the efficacy of protocol analyzing to unveil more vulnerabilities. However, inferring state machines from network protocol implementations presents significant challenges, mainly because of the complicated code syntax and semantics. Traditional methods based on dynamic analysis often overlook crucial state transitions due to limited coverage, while static analysis suffers from path explosion facing to protocol implementations. To address these limitations, we propose an innovative state machine inference approach powered by Large Language Models (LLMs) named ProtocolGPT. Utilizing retrieval augmented generation technology, this method augments pre-trained model with specific knowledge drawn from protocol implementations. Through targeted prompt engineering, we systematically identify and infer the underlying state machines. Our evaluation across six protocol implementations demonstrates the method's high efficacy, achieving precision exceeding 90% and successfully delineating differences on state machines among various implementations of the same protocol. Integrating our approach with protocol fuzzing significantly improves fuzzers by more than 20% in terms of coverage and detects two zero-day vulnerabilities compared to the baseline. Our proposed method represents a major advancement in accurate state machine inference and highlights the substantial potential of LLMs in enhancing network protocol security analysis.