| 摘要: |
| 协议状态机逆构技术是分析未知协议行为逻辑的基本方法,是网络安全、信息对抗领域的一个重要研究方向。针对截获的未知二进制协议的通信数据,提出了一种二进制协议状态机逆向方法,该方法能够根据通信数据逆构协议状态转移图。在该方法中,设计了针对通信数据帧的基于多序列比对的对应字段对齐算法以及基于字段统计量分析的协议状态相关字段提取算法,并根据提取出的协议状态相关字段构建状态转换模型。在地址解析协议(ARP)和传输控制协议(TCP)上的实验结果表明该方法能够有效逆构出协议的状态转换模型。 |
| 关键词: 信息对抗 通信数据 二进制协议 协议逆向 状态重构 状态相关字段 |
| DOI: |
|
| 基金项目:中国工程物理研究院科学技术发展基金(2012A040321) |
|
| State reverse method for unknown binary protocol based on state-related fields |
| MENG Fanzhi,LIU Yuan,ZHANG Chunrui,LI Tong |
| () |
| Abstract: |
| Inferring protocol state machine for unknown protocol is a basic technology for understanding the protocol's intrinsic behavior logic,which has played an important role in the fields of network security and information countermeasure. This paper proposes a novel approach in the mining of unknown binary protocol state machine from the communication data. It allows automatically generating the state models for binary protocol by listening to network traces.A new method is presented to align the corresponding fields and extract the state related fields from binary protocol communication traces based on statistical analysis,and then construct the protocol state model based on the state related fields. The experimental results of Address Resolution Protocol(ARP) and Transmission Control Protocol(TCP) show that the approach is effective. |
| Key words: information countermeasure communication data binary protocol protocol reverse state reconstruction states related fields |
