
Research On Protocol Reverse Analysis Technology Based On Network Trace

Posted on: 2024-01-09
Degree: Master
Type: Thesis
Country: China
Candidate: C Y Wang
Full Text: PDF
GTID: 2568307079971789
Subject: Electronic information

Abstract/Summary:
Driven by requirements such as economic benefit and personal privacy protection, the network protocols used in many industries are becoming more complex, proprietary and specialized, and the implementation details of their specifications are not disclosed. In real network environments, most current monitoring methods cannot effectively observe and analyze the interactions of such "unknown" (private) protocols on behalf of anyone other than their designers, so the defending party cannot defend in advance against security risks in the protocol's algorithm design and engineering implementation. Network protocol specifications are also needed for security activities such as protocol vulnerability mining, asset detection, behavior auditing and adversarial exercises. Identifying and analyzing unknown network protocols by reverse engineering is therefore a key problem to be solved in the security field. Without prior knowledge of the protocol specification, three especially challenging problems are: reversing the continuous binary sequence of the traffic into an interpretable protocol format, inferring the semantics corresponding to that format, and constructing the protocol state machine that reflects the functional relationships.

Based on fine-grained analysis of the temporal and spatial characteristics of the traffic, this thesis designs a reverse method for unencrypted, variable-length, binary, unknown application-layer protocols. The main work of this thesis is as follows.

First, to address the variable-length sequence feature deviation and field over-segmentation of existing protocol format inference methods, spatio-temporal, statistical and protocol-design characteristics are combined to improve the multiple sequence alignment used in the boundary determination process. Experimental results on the DARPA dataset show that, compared with the latest NetPlier, the proposed method reduces the average offset by 6.25 bits, the average over-segmentation by 9.67 and the average mis-segmentation by 8.05.

Second, to address the missing semantic recognition rules and the low accuracy of multi-state field labeling in existing deep parsing methods for unknown protocols, this thesis introduces a heuristic semantic inference method and a state labeling method based on weighted edit distance, improving the heuristic semantic decision rules and the state labeling process. Experimental results show that the proposed method can derive the semantic locations of fields such as check codes and addresses. In addition, when labeling the states of five representative protocols, compared with NetPlier and vdv, the method improves homogeneity by 16.70% and the V-measure score by 8.97% on average on the DARPA dataset; on other datasets such as DDOS-2017, it improves homogeneity by 38.70% and the V-measure score by 14.36% on average.

Finally, an unknown-protocol reverse platform using the above two methods was designed and implemented. The correlated and mutually dependent reverse stages are chained in series into a complete pipeline from binary traffic input to protocol format acquisition and automatic extraction of deep protocol information. The platform was used to automatically reverse the unknown protocol built into the ZeroAccess malware for building botnets. Comparing the extracted results with manual analysis shows that the protocol format and state machine inferred by the platform are close to the manual results, which further indicates that the proposed method can extract the specifications of unknown protocols without prior conditions and assist security analysis such as protocol leakage.
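As an added illustration of the two inference steps the abstract describes (positional format inference with semantic heuristics for length and check fields, then state labeling with a weighted edit distance and clustering), here is a small Python example. It is not the thesis's code and does not reproduce its multiple-sequence-alignment method or its DARPA experiments; the toy protocol layout, the constructed messages, the XOR checksum heuristic, the per-field weights and the clustering threshold are all assumptions made for this example.

```python
"""Toy protocol format inference and state labeling over constructed traffic.

Added illustration; not the thesis's code. The protocol layout, the sample
messages and every heuristic and weight below are assumptions for this example.
"""
from functools import reduce
from itertools import combinations
from operator import xor


# Assumed layout of the toy protocol (constructed, not a real protocol):
# [magic 2B][type 1B][seq 1B][len 1B][payload, len bytes][XOR checksum 1B]
def build_msg(mtype: int, seq: int, payload: bytes) -> bytes:
    body = b"\xab\xcd" + bytes([mtype, seq, len(payload)]) + payload
    return body + bytes([reduce(xor, body, 0)])


# Constructed "capture": (ground-truth type, message bytes). Only the bytes
# are given to the inference functions; the type is kept to check the result.
CAPTURE = [
    (1, build_msg(0x01, 1, b"hello")),
    (1, build_msg(0x01, 2, b"hi")),
    (1, build_msg(0x01, 7, b"hello!!")),
    (2, build_msg(0x02, 3, b"\x00\x01\x02\x03")),
    (2, build_msg(0x02, 4, b"\x10\x11")),
    (3, build_msg(0x03, 5, b"")),
    (3, build_msg(0x03, 6, b"")),
]
MESSAGES = [m for _, m in CAPTURE]


def infer_format(messages):
    """Positional heuristics over the prefix shared by all messages: constant
    columns, unique-per-message columns (counter/id-like), a length field
    (value + constant bias == total length) and an XOR checksum trailer."""
    prefix = min(len(m) for m in messages)
    fmt = {"prefix": prefix, "const": [], "unique": [], "length": None}
    for off in range(prefix):
        column = [m[off] for m in messages]
        if len(set(column)) == 1:
            fmt["const"].append(off)
        elif len(set(column)) == len(column):
            fmt["unique"].append(off)
        bias = len(messages[0]) - messages[0][off]
        if all(len(m) - m[off] == bias for m in messages):
            fmt["length"] = (off, bias)
    fmt["checksum_trailer"] = all(m[-1] == reduce(xor, m[:-1], 0) for m in messages)
    return fmt


def levenshtein(a: bytes, b: bytes) -> int:
    """Plain edit distance, used for the variable-length tail."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def weighted_distance(a: bytes, b: bytes, fmt, payload_weight=0.1) -> float:
    """Weighted edit distance: header offsets whose role the format inference
    explained (constant, counter-like, length) are ignored, the remaining
    header offsets cost 1 per mismatch, the tail costs payload_weight per edit,
    and a detected checksum trailer is stripped before comparison."""
    hdr = fmt["prefix"]
    if fmt["checksum_trailer"]:
        a, b, hdr = a[:-1], b[:-1], hdr - 1
    skip = set(fmt["const"]) | set(fmt["unique"])
    if fmt["length"]:
        skip.add(fmt["length"][0])
    header_cost = sum(1 for i in range(hdr) if i not in skip and a[i] != b[i])
    return header_cost + payload_weight * levenshtein(a[hdr:], b[hdr:])


def label_states(messages, fmt, threshold=1.0):
    """Single-linkage clustering with union-find: messages closer than the
    threshold receive the same state label (labels numbered by first appearance)."""
    parent = list(range(len(messages)))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, j in combinations(range(len(messages)), 2):
        if weighted_distance(messages[i], messages[j], fmt) < threshold:
            parent[find(i)] = find(j)
    roots = {}
    return [roots.setdefault(find(i), len(roots)) for i in range(len(messages))]


if __name__ == "__main__":
    fmt = infer_format(MESSAGES)
    print("inferred format:", fmt)
    print("state labels:", label_states(MESSAGES, fmt))
    print("ground truth:  ", [t for t, _ in CAPTURE])
```

On the constructed capture the inference marks offsets 0 and 1 as constant (the magic), offset 3 as counter-like, offset 4 as a length field with bias 6 (header plus trailer), and the last byte as an XOR check; with those roles masked out, the weighted distance separates the three message types because a type mismatch costs 1 while payload edits cost 0.1 each. The point a practitioner should take from it is the dependency the abstract describes: state labeling quality depends on the format and semantic inference that precede it, since misidentified fields change the weights.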
Keywords/Search Tags:Protocol reverse, Traffic, Protocol format inference, Semantics, Protocol state machine