
Research On Unknown Protocol Vulnerability Mining Method Based On Fuzz Testing

Posted on: 2022-08-31
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Liu
GTID: 2518306524975619
Subject: Information and Communication Engineering

Abstract/Summary:
Unlike known protocols, whose details are fully disclosed, many protocols in today's networks are unknown. Individuals and some software vendors keep protocol details confidential for reasons such as economic benefit, security, and privacy. Unknown protocols may carry various security threats in their implementation and in actual use, while current network security devices mostly detect and protect on the basis of known protocol message formats, so unknown protocols pose a serious security threat in real networks. Analyzing such unknown protocols and the security vulnerabilities in them is one of the problems that urgently needs to be solved in the security field. Traditional vulnerability mining methods for network protocols require the protocol specification to be understood in advance; they are difficult to apply directly to unknown protocols, or they require complex manual operations and highly skilled testers. This thesis therefore designs a vulnerability mining framework for unknown protocols that combines protocol reverse analysis with fuzz testing. The framework can be applied to vulnerability mining for unknown protocols, and the testing process does not require the large amount of manual work that traditional methods need. The main work of this thesis is as follows:

(1) An unsupervised packet clustering technique based on the BERT model and the K-means algorithm is proposed. To address the difficulty of extracting protocol features in protocol reverse engineering, the thesis shows that network protocols have some characteristics of natural language, introduces techniques from natural language processing into protocol reverse engineering, and uses the BERT model to extract message features. To address the shortcomings of the K-means algorithm, the initial center selection method is improved and the number of clusters is determined from the Calinski-Harabasz score. Experimental results on the DARPA data set show that the algorithm clusters well in various scenarios, with Purity and F-Measure both around 90%.

(2) A method for fuzzing network protocols based on the AFL tool is proposed. AFL (American Fuzzy Lop) was selected as the auxiliary tool, its problems and limitations were analyzed, the process of using AFL was improved, and a fuzz testing method for network protocols was implemented. Compared with other methods and frameworks, this method requires less manual operation and no prior knowledge of the protocol.

(3) Based on the protocol reverse engineering technique and the network protocol fuzz testing method, a vulnerability mining framework for unknown protocols is designed. The framework was used to fuzz test libmodbus, an implementation of the Modbus protocol, and two vulnerabilities were found, which verified the validity of the framework. The framework does not require prior knowledge of the protocol and can be applied to fuzz testing of all network protocol software based on C or C++. Compared with the traditional Peach and Sulley frameworks, it requires less manual configuration, is more highly automated, and is less cumbersome to use.
Keywords/Search Tags: Vulnerability Mining, Network Protocol, AFL, Protocol Reverse, Packet Clustering
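
The clustering step in contribution (1), as an added example that is not code from the thesis: K-means over per-message feature vectors, with the number of clusters chosen by the Calinski-Harabasz score. Assumptions: the first three header bytes stand in for BERT embeddings, deterministic farthest-first seeding stands in for the improved initial center selection (the abstract does not say which method the thesis uses), and the capture is constructed.

```python
def features(msg, n=3):
    # Assumption: the first n raw header bytes replace the BERT embedding.
    return [float(b) for b in msg[:n].ljust(n, b"\x00")]

def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))
def mean(points):
    return [sum(col) / len(points) for col in zip(*points)]

def kmeans(X, k, iters=50):
    # Assumption: farthest-first seeding instead of random initial centers.
    centers = [X[0]]
    while len(centers) < k:
        centers.append(max(X, key=lambda p: min(dist2(p, c) for c in centers)))
    labels = None
    for _ in range(iters):
        new = [min(range(k), key=lambda j: dist2(p, centers[j])) for p in X]
        if new == labels:  # assignments stable: converged
            break
        labels = new
        for j in range(k):
            members = [p for p, l in zip(X, labels) if l == j]
            if members:  # an empty cluster keeps its previous center
                centers[j] = mean(members)
    return labels

def ch_score(X, labels):
    # Calinski-Harabasz: (between-cluster SS / (k-1)) / (within-cluster SS / (n-k)).
    ids, g = sorted(set(labels)), mean(X)
    between = within = 0.0
    for j in ids:
        members = [p for p, l in zip(X, labels) if l == j]
        c = mean(members)
        between += len(members) * dist2(c, g)
        within += sum(dist2(p, c) for p in members)
    k, n = len(ids), len(X)
    if k < 2:
        return 0.0
    return float("inf") if within == 0 else (between / (k - 1)) / (within / (n - k))

def cluster_messages(msgs, k_max=6):
    # Try k = 2..k_max (kept below n) and keep the k with the highest CH score.
    X = [features(m) for m in msgs]
    ks = range(2, min(k_max, len(X) - 1) + 1)
    best = max(ks, key=lambda k: ch_score(X, kmeans(X, k)))
    return best, kmeans(X, best)

# Constructed capture: [type, flags, length] header plus payload, three message types.
CAPTURE = [bytes([t, f, ln]) + b"\xaa" * ln
           for t, f, base in ((0x01, 0, 4), (0x40, 1, 16), (0x80, 2, 32))
           for ln in (base, base + 1, base + 2)]
```

`cluster_messages(CAPTURE)` returns the chosen cluster count and one label per message, so each label group collects the messages of one inferred type.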