
Research And Implementation Of Binary Protocol Reverse Analysis Method Based On Traffic Behavior

Posted on: 2022-08-17
Degree: Master
Type: Thesis
Country: China
Candidate: M Z Fang
Full Text: PDF
GTID: 2518306740495074
Subject: Computer technology

Abstract/Summary:
Binary protocol reverse engineering matters for managing network communication behavior, ensuring network security and improving network service quality. Unlike text protocols, binary protocols carry no text encoding information and their field boundaries have no obvious delimiters, so reversing them is harder than reversing text protocols. Protocol format extraction based on multiple sequence alignment is highly sensitive to noise, and when the protocol format is complex and field values vary widely, the alignment algorithm inserts too many gaps, shifting some field boundaries. In addition, state machine inference based on a protocol state field places strict demands on field extraction, and current methods infer the state field from a single indicator, which is easily disturbed by network traffic. To address these shortcomings, this thesis analyzes the overall requirements of binary protocol reversing, proposes a binary protocol reverse method based on traffic behavior, carries out research on two fronts (format extraction and state machine inference), and implements a binary protocol reverse system. The work is as follows.

(1) To address the sensitivity of the binary protocol format extraction algorithm to noise and the shifting of field boundary features during sequence alignment, both of which reduce accuracy, a binary protocol format extraction algorithm is proposed. First, mixed protocol traffic is clustered by message length and frequent terms into clusters of messages that share a single format and have similar lengths. Then, within each single-format cluster, a multiple sequence alignment algorithm based on semantic sequence alignment yields the format of that cluster. Finally, the single-format results are merged into the overall protocol format. Experiments show that the algorithm effectively removes noise, extracts protocol semantic fields and infers the protocol format.

(2) To address the fact that state field extraction for binary protocol state machine inference is evaluated on a single dimension, and that one index cannot fully characterize the logical similarity of state field behavior, a binary protocol state machine inference algorithm is proposed. The algorithm identifies the state field from multiple indicators: the changing law of the candidate field, its value range, the frequency of each value, its location in the message and the logical similarity of its behavior. The dispersion of the field's values in messages with the same sequence number across different sessions measures the logical similarity of field behavior, and a protocol probabilistic state machine is then built from the identified state field. Experiments show that the algorithm effectively characterizes the logical similarity of state field behavior, accurately extracts the state field and constructs the protocol state machine.

(3) Based on the methods above, a prototype system that displays the results of binary protocol reversing is designed and implemented. It comprises a protocol message clustering module, a protocol format extraction module, a protocol state machine inference module and an interface display module. Functional and performance tests verify that the system has good binary protocol reverse capability.
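The multi-indicator state field inference and probabilistic state machine construction described in point (2) above, as an added worked example that is not code from the thesis. It scores every byte offset of a constructed toy protocol (a hypothetical five-byte header of magic, state, flags, sequence counter and length, followed by payload) on the five indicators the abstract names: value range, frequency of each value, changing law, field location, and cross-session dispersion at the same message index. The indicator formulas, their weights and the MAX_STATES bound are assumptions chosen for illustration, not the thesis's own definitions. The example deliberately includes a sequence counter, because a counter has zero cross-session dispersion and would be picked by the dispersion indicator alone; the changing-law and value-range indicators are what rule it out.

```python
"""
Added example (not from the thesis): multi-indicator inference of a binary
protocol's state field across sessions, then construction of a probabilistic
state machine (PSM) over that field. All sample traffic below is constructed.
"""
from collections import Counter, defaultdict

# Constructed toy protocol (hypothetical, for illustration only).
# Fixed header: magic | state | flags | seq | length, then `length` payload bytes.
MAGIC = 0xAB
HELLO, AUTH, DATA, BYE = 0x01, 0x05, 0x0A, 0xFF
MAX_STATES = 16  # assumption: a state field has at most this many distinct values


def build_session(sidx, states):
    """Build one session: flags and payload vary pseudo-randomly, seq counts up."""
    msgs = []
    for k, state in enumerate(states):
        flags = (37 * (sidx + 1) * (k + 1) + 11) % 256
        length = 8 + (5 * k + 3 * sidx) % 40
        payload = bytes((31 * k + 17 * j + sidx) % 256 for j in range(length))
        msgs.append(bytes([MAGIC, state, flags, k, length]) + payload)
    return msgs


SESSIONS = [
    build_session(0, [HELLO, AUTH, DATA, DATA, BYE]),
    build_session(1, [HELLO, AUTH, DATA, BYE]),
    build_session(2, [HELLO, AUTH, AUTH, DATA, DATA, DATA, BYE]),  # auth retry
    build_session(3, [HELLO, BYE]),                                 # early abort
    build_session(4, [HELLO, AUTH, DATA, BYE]),
]


def field_indicators(sessions, offset, width):
    """Score one byte offset with the five indicators; None if it is constant."""
    column = [m[offset] for s in sessions for m in s]
    counts = Counter(column)
    card = len(counts)
    if card == 1:
        return None  # constant bytes (e.g. magic) cannot carry state
    # 1. value range: a state field has few distinct values (assumed bound MAX_STATES)
    range_score = max(0.0, 1.0 - card / MAX_STATES)
    # 2. frequency of each value: share of distinct values that recur (singletons look like noise)
    coverage = sum(1 for c in counts.values() if c >= 2) / card
    # 3. changing law: a state changes between some messages but is not a +1 counter
    pairs = [(s[i][offset], s[i + 1][offset]) for s in sessions for i in range(len(s) - 1)]
    change_rate = sum(a != b for a, b in pairs) / len(pairs)
    counter_rate = sum((b - a) % 256 == 1 for a, b in pairs) / len(pairs)
    change_law = change_rate * (1.0 - counter_rate)
    # 4. logical similarity: pooled dispersion of the value at the same message
    #    index across sessions (0.0 = every session shows the same value there)
    distinct_extra, slots = 0, 0
    for i in range(max(len(s) for s in sessions)):
        vals = [s[i][offset] for s in sessions if i < len(s)]
        if len(vals) >= 2:
            distinct_extra += len(set(vals)) - 1
            slots += len(vals) - 1
    dispersion = distinct_extra / slots if slots else 1.0
    # 5. location: state fields live in the header, i.e. at small offsets
    location = 1.0 - offset / width
    score = (0.30 * (1.0 - dispersion) + 0.25 * range_score + 0.15 * coverage
             + 0.20 * change_law + 0.10 * location)  # weights are an assumption
    return {"card": card, "range": range_score, "coverage": coverage,
            "change": change_law, "dispersion": dispersion,
            "location": location, "score": score}


def infer_state_field(sessions):
    """Return (best_offset, {offset: indicators}) over the messages' common prefix."""
    width = min(len(m) for s in sessions for m in s)
    table = {}
    for off in range(width):
        ind = field_indicators(sessions, off, width)
        if ind is not None:
            table[off] = ind
    best = max(table, key=lambda o: table[o]["score"])
    return best, table


def build_psm(sessions, offset):
    """Probabilistic state machine: P(start) and P(next | current) from within-session pairs."""
    counts = defaultdict(Counter)
    start = Counter(s[0][offset] for s in sessions)
    for s in sessions:
        for i in range(len(s) - 1):
            counts[s[i][offset]][s[i + 1][offset]] += 1
    psm = {a: {b: n / sum(nxt.values()) for b, n in nxt.items()} for a, nxt in counts.items()}
    initial = {a: n / len(sessions) for a, n in start.items()}
    return initial, psm


if __name__ == "__main__":
    best, table = infer_state_field(SESSIONS)
    for off, ind in sorted(table.items()):
        print(f"offset {off}: " + ", ".join(f"{k}={v:.2f}" for k, v in ind.items()))
    print("state field offset:", best)
    initial, psm = build_psm(SESSIONS, best)
    for a, nxt in psm.items():
        print(f"  {a:#04x} -> " + ", ".join(f"{b:#04x}:{p:.2f}" for b, p in nxt.items()))
```

On this input the state byte at offset 1 scores highest; the sequence counter at offset 3 has dispersion 0.0 (every session shows the same value at the same index) but a changing-law score of 0.0, which is what separates a counter from a state field. The resulting PSM has HELLO as the only start state, P(HELLO to AUTH) = 0.8, P(AUTH to DATA) = 0.8 (the retry session contributes AUTH to AUTH), and P(DATA to BYE) = 4/7; BYE is terminal.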
Keywords/Search Tags: binary protocol reverse engineering, traffic behavior, semantic recognition, progressive multiple sequence alignment, protocol state machine