Computer Science, 2024, Vol. 51, Issue (3): 326-334. doi: 10.11896/jsjkx.221200147

• Information Security •

Cryptographic Protocol Reverse Method Based on Information Entropy and Closed Frequent Sequences

LIANG Chen1, HONG Zheng2, WU Lifa1, JI Qingbing3

  1 School of Cybersecurity, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
  2 College of Command and Control Engineering, Army Engineering University, Nanjing 210007, China
  3 No.30 Institute of CETC, Chengdu 610041, China
  • Received: 2022-12-25  Revised: 2023-04-06  Online: 2024-03-15  Published: 2024-03-13
  • Corresponding author: WU Lifa (wulifa@njupt.edu.cn)
  • About author: (1020041310@njupt.edu.cn) LIANG Chen, born in 1998, postgraduate. Her main research interests include cybersecurity and reverse engineering. WU Lifa, born in 1968, Ph.D, professor, Ph.D supervisor. His main research interests include cybersecurity and software security.
  • Supported by: National Key Research and Development Program of China (2019YFB2101704).

Abstract: Unknown cryptographic protocols are widely used for the secure transmission of sensitive information, and reversing them is of great significance to both attackers and defenders. In order to infer the formats of structurally complex cryptographic protocols from network traffic, a cryptographic protocol reverse method based on information entropy and closed frequent sequences is proposed. Byte information entropy is used to divide a message into plaintext and ciphertext fields, and the closed frequent sequences mined by the BIDE algorithm are used to divide it into dynamic and static fields. A length field identification algorithm is designed: it cuts the message into byte slices and cyclically compares the sliced field values with the set of length field values, which identifies the various forms of length field found in cryptographic protocols. Heuristic strategies are designed to recognize the semantics of key fields specific to cryptographic protocols, such as cipher suites and encryption algorithms. Experimental results show that the method can effectively divide the fields of cryptographic protocols and extract their formats, and that it outperforms existing methods both in identifying the various forms of length fields and in recognizing the semantics of key fields specific to cryptographic protocols.

Key words: Protocol reverse, Cryptographic protocol, Information entropy, Closed frequent sequence, Network traffic, Semantic recognition

CLC number: TP393
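The two format-inference steps the abstract describes, as an added Python example that is not code from the paper: positional byte entropy over a sample of messages splits offsets into static, dynamic and ciphertext-like regions, and a brute-force slice search recovers the length field by comparing each candidate slice's integer value against a set of length relations. The message layout, the constructed sample traffic, the 0.75·log2(N) entropy ceiling and the two length relations ("total" and "remaining") are this example's assumptions; the paper's closed-frequent-sequence (BIDE) step and its semantic heuristics are not reproduced here.

```python
"""Added example (not the paper's code): positional byte entropy to split a message sample into
static / dynamic / ciphertext fields, plus a brute-force length-field search over byte slices."""
import math
import random
from collections import Counter


def byte_entropy(values: bytes) -> float:
    """Shannon entropy in bits of the byte values (0.0 for an empty or constant input, 8.0 at most)."""
    if not values:
        return 0.0
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def positional_entropy(messages):
    """Entropy at each offset across the sample, up to the length of the shortest message."""
    shortest = min(len(m) for m in messages)
    return [byte_entropy(bytes(m[i] for m in messages)) for i in range(shortest)]


def classify_offsets(messages, cipher_min=None):
    """Label each offset static (entropy 0), cipher (entropy near the sample's ceiling log2(N))
    or dynamic (in between), then merge adjacent offsets with the same label into fields.
    The 0.75*log2(N) ceiling fraction is this example's choice, not a value from the paper."""
    if cipher_min is None:
        cipher_min = 0.75 * math.log2(len(messages))
    labels = []
    for h in positional_entropy(messages):
        labels.append("static" if h == 0.0 else "cipher" if h >= cipher_min else "dynamic")
    fields, start = [], 0
    for i in range(1, len(labels) + 1):
        if i == len(labels) or labels[i] != labels[start]:
            fields.append((start, i, labels[start]))
            start = i
    return fields


def find_length_fields(messages, widths=(1, 2, 4)):
    """Slice every message at every (offset, width, byte order) and keep the slices whose integer
    value equals, in *every* message, one of the assumed length relations: the whole message
    ("total") or the bytes that follow the field ("remaining"). Slices covered by a wider slice
    with the same relation are dropped, so a zero high byte does not produce a duplicate hit."""
    shortest = min(len(m) for m in messages)
    hits = []
    for width in widths:
        orders = ("big",) if width == 1 else ("big", "little")
        for off in range(shortest - width + 1):
            for order in orders:
                for rel in ("total", "remaining"):
                    if all(int.from_bytes(m[off:off + width], order)
                           == (len(m) if rel == "total" else len(m) - off - width)
                           for m in messages):
                        hits.append((off, width, order, rel))

    def covered(c, d):
        return (d is not c and c[3] == d[3] and d[1] > c[1]
                and d[0] <= c[0] and c[0] + c[1] <= d[0] + d[1])

    return [c for c in hits if not any(covered(c, d) for d in hits)]


def build_sample_messages(n=200, seed=2024):
    """Constructed sample (not real traffic): 4-byte magic, version byte, type byte,
    2-byte big-endian payload length, then a random-looking payload standing in for ciphertext."""
    rng = random.Random(seed)
    msgs = []
    for _ in range(n):
        length = rng.randint(16, 31)
        payload = bytes(rng.getrandbits(8) for _ in range(length))
        msgs.append(b"CRYP" + b"\x01" + bytes([rng.choice((1, 2))])
                    + length.to_bytes(2, "big") + payload)
    return msgs


if __name__ == "__main__":
    sample = build_sample_messages()
    for start, end, label in classify_offsets(sample):
        print(f"offset {start:2d}-{end:2d}: {label}")
    print("length fields:", find_length_fields(sample))
```

On the constructed sample the entropy pass reports the magic and version as one static field, the type byte as dynamic, and the payload region as cipher, but it sees the 2-byte length field as a static zero byte followed by a dynamic byte, because entropy alone works at byte granularity. The slice search then recovers the field as a single 2-byte big-endian value equal to the remaining length, which illustrates why a dedicated length-field step is needed on top of entropy-based field division.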