NetExtractor:基于网络轨迹的未知协议逆向方法

NetExtractor:Unknown protocol reverse approach based on network traces

网络协议逆向工程是许多安全领域面临的重要挑战.当前主流方法是对网络轨迹间的字符和令牌进行比对切分,但现有工作在推导时受限于二进制协议字段取值差异高、状态复杂等特性,存在格式过度切分和多状态字段标注精度低等问题.基于此,本文提出NetEx‐tractor工具,集成格式提取优化方法和状态标注优化方法.在格式提取阶段,提取网络轨迹时空特性进行粗聚类,而后进行多序列比对,利用统计特性进行优化合并,进一步提高格式提取的精准度.在状态标注阶段,引入编辑距离衡量字段间差异,结合随机森林和统计特性对候选状态字段进行约束,提升多状态字段标注精度.为验证该方法的有效性,本文使用NetExtrac‐tor工具对僵尸网络zeroaccess协议的格式和状态机进行自动化逆向,并在8个常用协议上开展评估实验验证方法效率,实验表明与领域最领先研究工作相比,NetExtractor可提升协议格式和协议状态识别准确度,对网络安全分析具有较大意义.

Network protocol reverse engineering is an important challenge in many security domains.The current mainstream approach is to compare and slice characters and tokens between network traces,but the existing work is limited by the high variance and complex state of binary protocol field values in the derivation,and also suffers from the problems of format over-slicing and low accuracy of multi-state field annotation.To address these challenges,the authors propose the NetExtractor tool,which integrates optimization methods for format extraction and state annotation.In the format extraction phase,the spatiotemporal characteristics of network trajectories are extracted for coarse clustering,followed by multiple sequence alignment,by merging and optimizing using statistical characteristics to further improve the accuracy of format extraction.In the state annotation phase,edit distance is introduced to measure the differences between fields,and random forest and statistical properties are combined to constrain the candidate state fields to improve the accuracy of multi-state field annotation.To validate the effectiveness of the proposed method,the NetExtractor tool is employed for automating the inversion of the botnet zeroaccess protocol format and state machine,Evaluation experiments are conducted on eight commonly used protocols to access the efficiency of the proposed method.The experiment results demonstrate that compared to the leading research work in the field,NetExtractor can enhance the accuracy of protocol format and protocol state identification,which is of great significance for network security analysis.