1. Key Laboratory of Network and Information Security of the People's Armed Police, Engineering University of the People's Armed Police, Xi'an, Shaanxi 710086, China
2. State Key Laboratory of Integrated Services Networks, Xidian University, Xi'an, Shaanxi 710071, China
HU Yan-jing (1980-), male, born in Xi'an, Shaanxi; Ph.D., lecturer at the Engineering University of the People's Armed Police. Research interests: information system security protection and reverse analysis of network protocols.
PEI Qing-qi (1975-), male, born in Yulin, Guangxi; professor and doctoral supervisor at Xidian University. Research interests: digital content protection and wireless network security.
Online publication date: 2017-06
Print publication date: 2017-06-25
Yan-jing HU, Qing-qi PEI. Clustering perception mining of network protocol's stealth attack behavior[J]. Journal on Communications, 2017, 38(6): 39-48. DOI: 10.11959/j.issn.1000-436x.2017123.
Stealth attack behaviors hidden deep inside network protocols are becoming a new challenge for network security. To address the shortcomings of existing protocol reverse-analysis methods in protocol behavior analysis, and especially in mining stealth attack behaviors, a novel instruction clustering perception mining method is proposed. The protocol's behavior instruction sequences are extracted, all of them are clustered with an instruction clustering algorithm, and, according to the computed behavior distances, stealth attack behavior instruction sequences are mined quickly and accurately from a large number of unknown protocol programs. Combining dynamic taint analysis with instruction clustering analysis, 1 297 protocol samples were analyzed on the independently developed virtual analysis platform HiddenDisc, and 193 stealth attack behaviors were successfully mined; the results of automatic analysis and manual analysis were completely consistent. Experimental results show that the scheme is ideal for perception mining of protocol stealth attack behaviors in terms of both efficiency and accuracy.
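As an added example (not code from the paper, whose behavior distance and clustering algorithm are not given on this page), the following stands in a normalized edit distance over opcode mnemonics for the behavior distance and a threshold-based single-linkage clustering for the instruction clustering, then flags clusters shared by few samples as candidates for manual review; the instruction sequences are constructed.

```python
"""Added example: clustering behavior instruction sequences by a behavior
distance and flagging outlying clusters for review.

Assumptions: the paper's behavior distance is not defined on this page, so a
normalized Levenshtein distance over opcode mnemonics stands in for it, and
single-linkage threshold clustering stands in for its clustering algorithm.
"""
from typing import Dict, List

# Constructed behavior instruction sequences (mnemonics), keyed by sample id.
# Three samples parse a message and reply; proto_d additionally performs
# file I/O that the protocol specification does not call for.
SAMPLES: Dict[str, List[str]] = {
    "proto_a": ["recv", "cmp", "jne", "mov", "call", "send", "ret"],
    "proto_b": ["recv", "cmp", "je", "mov", "call", "send", "ret"],
    "proto_c": ["recv", "cmp", "jne", "lea", "call", "send", "ret"],
    "proto_d": ["recv", "cmp", "jne", "open", "read", "xor", "send", "close", "ret"],
}


def behavior_distance(a: List[str], b: List[str]) -> float:
    """Levenshtein distance over mnemonics, normalized to [0, 1]."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1] / max(len(a), len(b), 1)


def cluster(samples: Dict[str, List[str]], threshold: float) -> List[List[str]]:
    """Single linkage: a sample joins every cluster with a member within threshold;
    those clusters are merged into one."""
    clusters: List[List[str]] = []
    for sid, seq in samples.items():
        hits = [c for c in clusters
                if any(behavior_distance(seq, samples[m]) <= threshold for m in c)]
        merged = [sid] + [m for c in hits for m in c]
        clusters = [c for c in clusters if c not in hits] + [merged]
    return [sorted(c) for c in clusters]


def outlier_clusters(samples: Dict[str, List[str]], threshold: float = 0.3,
                     min_size: int = 2) -> List[List[str]]:
    """Clusters below min_size hold behaviour shared by few samples: review them first."""
    return [c for c in cluster(samples, threshold) if len(c) < min_size]


if __name__ == "__main__":
    print(cluster(SAMPLES, 0.3))        # [['proto_a', 'proto_b', 'proto_c'], ['proto_d']]
    print(outlier_clusters(SAMPLES))    # [['proto_d']]
```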