
Protocol Reverse Engineering Based on Grammatical Inference (cited by: 9)

Protocol Reverse Engineering Using Grammatical Inference
Abstract (translated from the Chinese): To gain a deep understanding of the various application processes in a network, and then to automatically classify, recognize, trace and control these applications, one must first obtain the state machines that represent the session processes of these applications. To this end, a new method is proposed that infers protocol state machines from collected application-layer data. It uses an error-correcting grammatical inference method and reverse-engineers the protocol state machine from the sequences of identifier (token) states that appear during application-layer protocol interactions. To fully exploit the performance of error correction, a best-path-matching criterion is proposed for determining the correcting path, together with a method for distinguishing and pruning abnormal in-degree based on statistical probability; the state-explosion problem is solved by state merging with de-duplication and by structural simplification of the protocol based on similar behavioral meaning, thereby obtaining the most compact protocol state machine. Experiments in a real network containing several application-layer protocols verify the effectiveness of the method.

Abstract (original English): To deeply understand the procedures of various network applications, and to automatically classify, recognize, trace and control them, the protocol state machines that represent the application sessions have to be obtained in advance. A novel approach is presented to reversely infer a protocol state machine from collected application-layer data. The protocol state machine is derived with a method of error-correcting grammatical inference based on the state sequences that appear in the application sessions. To fully mine and bring into play the performance of error correction, a criterion of best-matching path is presented to solve the difficulty of path selection during the error-correcting process. A method for abnormal in-degree discrimination and pruning on the basis of statistical probability is proposed. Moreover, negative example sets with similar tokens are adopted to reinforce the error-correcting performance. In order to solve the state expansion during the reconstruction of the state machine, a simplifying measure is used, based on state merging with removal of identical tokens and model reduction with similar behavioral semantics, to obtain a compact protocol state machine that accurately expresses the internal operating mechanism of the protocol. Experiments conducted in a real network, containing a number of real applications with several application-layer protocols, validate this method.
Source: Journal of Computer Research and Development (《计算机研究与发展》), indexed in EI, CSCD and the Peking University Core list, 2013, No. 10, pp. 2044-2058 (15 pages)
Funding: National High-Tech Research and Development Program of China ("863" Program) (2007AA01Z449); Key Project of the NSFC-Guangdong Joint Fund (U0735002); National Natural Science Foundation of China (60970146, 61202271)
Keywords: protocol reverse engineering; protocol state machine inference; protocol analysis; error-correcting grammatical inference; network security
