摘要
针对移动终端通信协议及通信数据的解析,其难点在于大部分移动终端应用程序并无相关公开的技术文档,难以获知其采取的通信协议类型。指令执行序列分析技术通过分析程序执行的指令序列逆向推断出消息格式和状态机。但有时序列信息采集不全,导致状态机推断不完备,从而无法获取全部协议信息。针对上述问题,提出了一个新型的基于状态机对比推断分析的移动终端通信协议解析方案,可用于取证场景提高数据取证的准确性和完备性。该方案首先利用PIN动态二进制插桩,识别污点源并跟踪污点轨迹分析出协议消息格式;然后根据格式信息对提取的协议消息进行聚类分析推断出原始状态机;最后利用最长公共子序列(LCS, longest common subsequence)算法与已知的协议状态机进行对比,相似度最高者即为推断出的通信协议类型。在Android平台上基于两类应用程序设计实验对该方案进行测试和评估,实验结果表明可准确提取应用程序的通信内容,实用价值强。
The most problem in analysis of communication protocols and communication data for mobile terminals is that many mobile applications do not have the relevant public technical documents,and it is difficult to know the type of communication protocol it adopts.The instruction execution sequence analysis technique takes the instruction sequence executed by the program as a research object,and inversely infers the message format and the state machine to obtain the communication protocol.However,due to the incomplete collection of sequence information,the state machine infers that the inference is incomplete and cannot be effective.A novel protocol reverse scheme based on state machine comparison is proposed,which can be used for the forensics of mobile terminal communication data.The scheme first uses PIN for dynamical identification of the taint,and track it and analyzes the trajectory to obtain the message format.Secondly,the message clustering is performed on the basis of the message format to infer the protocol state machine.Finally,the LCS algorithm is used to compare the state machines to get a complete protocol state machine.This article tests and evaluates the scheme based on two types of application design experiments on the Android platform.The experimental results show that the results are both complete and real-time,and have practical value.
作者
张明远
祁欣妤
宋宇波
顾荣荣
胡爱群
朱珍超
ZHANG Mingyuan;QI Xinyu;SONG Yubo;GU Rongrong;HU Aiqun;ZHU Zhenchao(The State Radio Monitoring Center Testing Center, Beijing 100041, China;School of Cyber Science and Engineering South East University, Nanjing 211189, China)
出处
《网络与信息安全学报》
2018年第12期54-61,共8页
Chinese Journal of Network and Information Security
基金
国家自然科学基金资助项目(No.61601113)
中央高校基本科研业务费专项基金资助项目(No.2242017K40013)~~
关键词
移动终端
数据取证
动态污点分析
协议逆向分析
相似性对比
mobile terminal
data forensics
dynamic stain analysis
protocol reverse analysis
similarity comparison