Protocol Ciphertext Field Identification by Entropy Estimating
Funds:
The National Natural Science Foundation of China (61309018)
Abstract (translated from the Chinese): Existing protocol analysis methods based on network packet traffic consider only the plaintext information in the packet payload and are not suitable for security protocols that carry a large amount of ciphertext. To fully exploit the ciphertext data features of security protocols with unknown specifications, and addressing the fact that security protocol messages mix plaintext with ciphertext and that the ciphertext position is variable, this paper proposes an entropy-estimation-based ciphertext field identification approach for security protocols, CFIA (Ciphertext Field Identification Approach). On the basis of mining keyword sequences, it uses byte sample entropy to describe the distribution of bytes in a network flow; relying on the randomness of ciphertext, it pre-locates the interval in which the ciphertext field lies by entropy estimation, then searches for the ciphertext length field, locates the ciphertext field boundaries, and identifies the ciphertext field. Experimental results show that the method can effectively identify protocol ciphertext fields using only network traffic data, with high accuracy.
Keywords (translated from the Chinese):
- Unknown security protocol
- Protocol format
- Ciphertext field
- Entropy estimation
Abstract: Previous network-trace-based methods consider only the plaintext format of payload data and are not suited to security protocols whose messages contain a large amount of ciphertext; therefore a novel approach named CFIA (Ciphertext Field Identification Approach), based on entropy estimation, is proposed for security protocols with unknown specifications. On the basis of keyword sequence extraction, CFIA uses byte sample entropy and entropy estimation to pre-locate the ciphertext field, and then searches for the ciphertext length field to identify the ciphertext field. The experimental results show that, without using dynamic binary analysis, the proposed method can effectively identify ciphertext fields purely from network traces, and the inferred formats are highly accurate in identifying the protocols.
Key words:
- Unknown security protocol
- Protocol format
- Ciphertext field
- Entropy estimation
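Added illustration of the pipeline the abstract describes (this is example code, not the authors' CFIA implementation): per-offset byte sample entropy over the messages of one flow, the longest high-entropy run as the pre-located ciphertext region, and a search of the plaintext prefix for an integer length field that fixes each message's ciphertext boundary. The message layout, the 3-bit entropy threshold and the 64-message constructed flow are assumptions made for the demonstration.

```python
import math
import random
from collections import Counter

def byte_sample_entropy(messages, pos):
    """Shannon entropy (bits) of the byte values seen at offset pos across the flow."""
    vals = [m[pos] for m in messages if len(m) > pos]
    n = len(vals)
    return -sum(c / n * math.log2(c / n) for c in Counter(vals).values()) if n else 0.0

def prelocate_ciphertext(messages, threshold=3.0, min_run=8):
    """Longest run of offsets with sample entropy above threshold (random-looking ciphertext bytes); (start, end) or None."""
    flags = [byte_sample_entropy(messages, p) > threshold
             for p in range(max(len(m) for m in messages))] + [False]
    best, start = None, None
    for p, hi in enumerate(flags):
        if hi and start is None:
            start = p
        elif not hi and start is not None:
            if p - start >= min_run and (best is None or p - start > best[1] - best[0]):
                best = (start, p)
            start = None
    return best

def find_length_fields(messages, region, widths=(1, 2, 4)):
    """Integer fields before the region that in every message point to an end inside the message; (offset, width, byteorder), widest first."""
    start = region[0]
    found = []
    for w in widths:
        for off in range(start - w + 1):
            for order in (("big", "little") if w > 1 else ("big",)):
                vals = [int.from_bytes(m[off:off + w], order) for m in messages]
                if all(0 < v <= len(m) - start for v, m in zip(vals, messages)):
                    found.append((off, w, order))
    return sorted(found, key=lambda c: -c[1])

def identify_ciphertext_field(messages, threshold=3.0):
    """Entropy pre-location, then length-field search to fix each message's ciphertext boundary."""
    region = prelocate_ciphertext(messages, threshold)
    if region is None or not (fields := find_length_fields(messages, region)):
        return None
    off, w, order = fields[0]
    bounds = [(region[0], region[0] + int.from_bytes(m[off:off + w], order)) for m in messages]
    return {"region": region, "length_field": fields[0], "bounds": bounds}

# Constructed sample flow (not real traffic): 4-byte keyword "AUTH", 2-byte big-endian
# length field, then 16/24/32 pseudo-random bytes standing in for the ciphertext.
rng = random.Random(7)
SAMPLE_FLOW = [b"AUTH" + (n := rng.choice((16, 24, 32))).to_bytes(2, "big")
               + bytes(rng.getrandbits(8) for _ in range(n)) for _ in range(64)]
```

The one-byte field at offset 5 also survives the consistency check, so the candidate list keeps it after the wider field; resolving such ties is left to the analyst, as the abstract gives no rule for it.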