Computer Science, 2024, Vol. 51, Issue (3): 326-334. doi: 10.11896/jsjkx.221200147
LIANG Chen1, HONG Zheng2, WU Lifa1, JI Qingbing3
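Abstract: Unknown cryptographic protocols are widely used for the secure transmission of sensitive information, and reverse-engineering them matters to both attackers and defenders. To infer the format of structurally complex cryptographic protocols from network traffic, this paper proposes a cryptographic protocol reverse-engineering method based on information entropy and closed frequent sequences. Byte-level information entropy is used to divide each message into plaintext fields and ciphertext fields, and the BIDE algorithm is used to mine closed frequent sequences, which divides each message into dynamic fields and static fields. A length-field identification algorithm is designed: messages are sliced into byte segments, and the sliced field values are compared iteratively against the set of possible length-field values, which identifies the various forms of length field found in cryptographic protocols. Heuristic strategies are designed for the semantic identification of key fields specific to cryptographic protocols, such as cipher suites and encryption algorithms. Experimental results show that the method effectively partitions cryptographic protocol messages into fields and extracts the protocol format, and that it outperforms existing methods in length-field identification and in the semantic identification of key fields specific to cryptographic protocols.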
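The length-field step described in the abstract (slice each message into byte fields, then compare every slice against a set of candidate length values) can be sketched as follows. This is an added example, not the paper's algorithm or code: the candidate set (total length, bytes following the field), the scanned offsets, widths and byte orders, and the constructed record format are all assumptions.

```python
from hashlib import sha256

def candidate_lengths(msg, offset, width):
    # Assumed candidate set: whole message, or the bytes that follow the field.
    return {"total": len(msg), "rest": len(msg) - offset - width}

def find_length_fields(messages, max_offset=8, widths=(1, 2, 4)):
    """Return (offset, width, byteorder, meaning) consistent with every message."""
    if not messages:
        return []
    hits = []
    for offset in range(max_offset):
        for width in widths:
            for order in ("big", "little") if width > 1 else ("big",):
                meanings = {"total", "rest"}
                for msg in messages:
                    if offset + width > len(msg):
                        meanings = set()
                        break
                    value = int.from_bytes(msg[offset:offset + width], order)
                    cands = candidate_lengths(msg, offset, width)
                    # Keep only the meanings this message also supports.
                    meanings &= {name for name, n in cands.items() if n == value}
                    if not meanings:
                        break
                hits += [(offset, width, order, m) for m in sorted(meanings)]
    return hits

def make_record(seed, payload_len):
    # Constructed record: type, 2-byte version, 2-byte big-endian payload length,
    # then pseudo-random bytes standing in for ciphertext.
    payload = (sha256(bytes([seed])).digest() * 10)[:payload_len]
    return b"\x16\x03\x03" + payload_len.to_bytes(2, "big") + payload

# Lengths vary on purpose: judged on one message alone, a static byte can pass
# as a length field (0x16 == 22 == total length of the 17-byte-payload record).
TRACE = [make_record(i, n) for i, n in enumerate((32, 48, 300, 17))]

if __name__ == "__main__":
    for hit in find_length_fields(TRACE):
        print(hit)
```

Intersecting the matched meanings across all messages is what removes coincidental matches, so the trace needs messages of different sizes, including at least one longer than 255 bytes to rule out single-byte candidates.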