
Research On Reverse Analysis Technology Of Unknown Protocol Based On Network Traffic

Posted on: 2020-02-09
Degree: Master
Type: Thesis
Country: China
Candidate: K Gong
Full Text: PDF
GTID: 2428330596475092
Subject: Information security

Abstract/Summary:
The number of unknown protocols on the Internet is increasing, and these unknown protocols raise many potential security issues. Much malware and many botnets use unknown protocols for communication and transmission, so the demand for reverse analysis of these protocols and for analysis of their control and propagation behaviour keeps growing. Reverse analysis of unknown protocols is one of the urgent problems in the security field. Traditional manual reverse analysis of unknown protocols requires a great deal of manpower and time; automated reverse tools for unknown protocols can remove many of the tedious steps and help researchers carry out the related reverse work.

In this thesis, the advantages and disadvantages of existing reverse techniques are analysed stage by stage along the reverse-analysis process for unknown protocols. At present, most network-traffic-based analysis techniques for unknown protocols infer the protocol format and state machine from the similarity between messages, and most of them study protocol format extraction or state machine inference separately, without attending to the link between the two. Moreover, network-traffic-based protocol reverse analysis depends on the samples: if sample coverage is very low, the reverse results are very poor.

This thesis proposes an original reverse-analysis algorithm for unknown protocols that is combined with fuzzing, and uses existing tools to complete an engineering implementation of the algorithm. The algorithm covers both protocol format extraction and state machine inference and requires no prior knowledge. An initial reverse result is generated from the original samples; fuzzing is then performed on the basis of that initial result, further samples are obtained iteratively, and field correction and state-transition correction are performed using the additional samples. The Netzob platform and the fuzzing tool Sulley are then used for experiments. The final experimental results show that the algorithm proposed in this thesis achieves an accuracy of 90% or more and a recall above 40% for protocol format reversing, and a recall of 47% or more for protocol state machine inference.
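The format-extraction half of the approach, reduced to a runnable illustration that is not the thesis's implementation and uses neither Netzob nor Sulley: a constructed toy protocol and its accept/reject oracle stand in for the real target, similarity-based inference classifies byte positions, and a boundary-value fuzzer expands the sample set so that a length field which looked constant in the original capture gets corrected. The protocol, oracle, field labels and sample messages are all assumptions made for this example.

```python
# Constructed toy protocol (an assumption for this illustration, not the thesis's
# target): a type byte (0x01 or 0x02), a length byte, then exactly `length`
# payload bytes. The oracle stands in for a live implementation whose
# accept/reject behaviour the fuzzer can observe.
def toy_server_accepts(msg: bytes) -> bool:
    return len(msg) >= 2 and msg[0] in (0x01, 0x02) and len(msg) == 2 + msg[1]


def infer_format(samples):
    """Similarity-based format inference over a sample set: a byte position shared
    by all samples is 'const' when its value never varies and 'var' otherwise; a
    varying position whose value always equals the number of bytes after it is
    corrected to 'len'. Bytes past the shortest sample become one 'tail' field."""
    width = min(len(s) for s in samples)
    fields = []
    for i in range(width):
        if len({s[i] for s in samples}) == 1:
            fields.append("const")
        elif all(s[i] == len(s) - i - 1 for s in samples):
            fields.append("len")
        else:
            fields.append("var")
    if max(len(s) for s in samples) > width:
        fields.append("tail")
    return fields


def fuzz_expand(samples, accepts):
    """Boundary-value enumeration in the spirit of a block-based fuzzer (written
    from scratch here, not Sulley's API): overwrite one byte of a sample with a
    boundary value, resize the message by truncating or padding, and keep each
    mutant the target accepts as a new sample."""
    accepted = set(samples)
    boundary = list(range(9)) + [0x7F, 0xFF]
    for base in samples:
        for i in range(len(base)):
            for v in boundary:
                for n in range(2, 11):
                    m = bytearray(base)
                    m[i] = v
                    m = bytes(m[:n]) + b"\x41" * max(0, n - len(m))
                    if accepts(m):
                        accepted.add(m)
    return sorted(accepted)


# Constructed initial capture: every message carries a 4-byte payload, so the
# length byte never varies and similarity alone labels it a constant.
INITIAL_SAMPLES = [b"\x01\x04ABCD", b"\x01\x04EFGH", b"\x01\x04IJKL"]
```

Calling `infer_format(INITIAL_SAMPLES)` labels byte 1 as `const`; after `fuzz_expand(INITIAL_SAMPLES, toy_server_accepts)` the enlarged set makes the same function reclassify it as `len`, which is the sample-coverage effect the abstract describes.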
Keywords/Search Tags: reverse analysis of unknown protocols, network traffic, fuzzing, protocol format extraction, protocol state machine inference