基于协议逆向的移动终端通信数据解析

doi:10.11959/j.issn.2096-109x.2018099

网络与信息安全学报 ›› 2018, Vol. 4 ›› Issue (12): 54-61.doi: 10.11959/j.issn.2096-109x.2018099

基于协议逆向的移动终端通信数据解析

张明远¹,祁欣妤²(),宋宇波²,顾荣荣²,胡爱群²,朱珍超²

¹ 国家无线电监测中心检测中心，北京 100041
² 东南大学网络空间安全学院，江苏南京 211189

修回日期:2018-11-28 出版日期:2018-12-01 发布日期:2018-12-30
作者简介:张明远（1982-），男，内蒙古人，硕士，国家无线电监测中心检测中心工程师，主要研究方向为新型无线电检测技术。|祁欣妤（1995-），女，江苏南京人，东南大学硕士生，主要研究方向为通信网络安全。|宋宇波（1977-），男，江苏无锡人，博士，东南大学副教授，主要研究方向为通信网络安全及协议安全性分析。|顾荣荣（1990-），女，江苏盐城人，东南大学硕士生，主要研究方向为智能移动终端。|胡爱群（1952-），男，江苏南通人，博士，东南大学教授、博士生导师，主要研究方向为通信网络安全。|朱珍超（1982-），男，安徽霍邱人，博士，东南大学讲师，主要研究方向为密码学与网络安全。
基金资助:
国家自然科学基金资助项目(61601113);中央高校基本科研业务费专项基金资助项目(2242017K40013)

Analysis of communication data of mobile terminal based on protocol reversal

Mingyuan ZHANG¹,Xinyu QI²(),Yubo SONG²,Rongrong GU²,Aiqun HU²,Zhenchao ZHU²

¹ The State Radio Monitoring Center Testing Center,Beijing 100041,China
² School of Cyber Science and Engineering South East University,Nanjing 211189,China

Revised:2018-11-28 Online:2018-12-01 Published:2018-12-30
Supported by:
The National Natural Science Foundation of China(61601113);The Fundamental Research Funds for the Central Universities of China(2242017K40013)

摘要/Abstract

摘要：

针对移动终端通信协议及通信数据的解析，其难点在于大部分移动终端应用程序并无相关公开的技术文档，难以获知其采取的通信协议类型。指令执行序列分析技术通过分析程序执行的指令序列逆向推断出消息格式和状态机。但有时序列信息采集不全，导致状态机推断不完备，从而无法获取全部协议信息。针对上述问题，提出了一个新型的基于状态机对比推断分析的移动终端通信协议解析方案，可用于取证场景提高数据取证的准确性和完备性。该方案首先利用PIN动态二进制插桩，识别污点源并跟踪污点轨迹分析出协议消息格式；然后根据格式信息对提取的协议消息进行聚类分析推断出原始状态机；最后利用最长公共子序列（LCS,longest common subsequence）算法与已知的协议状态机进行对比，相似度最高者即为推断出的通信协议类型。在Android平台上基于两类应用程序设计实验对该方案进行测试和评估，实验结果表明可准确提取应用程序的通信内容，实用价值强。

关键词: 移动终端, 数据取证, 动态污点分析, 协议逆向分析, 相似性对比

Abstract:

The most problem in analysis of communication protocols and communication data for mobile terminals is that many mobile applications do not have the relevant public technical documents,and it is difficult to know the type of communication protocol it adopts.The instruction execution sequence analysis technique takes the instruction sequence executed by the program as a research object,and inversely infers the message format and the state machine to obtain the communication protocol.However,due to the incomplete collection of sequence information,the state machine infers that the inference is incomplete and cannot be effective.A novel protocol reverse scheme based on state machine comparison is proposed,which can be used for the forensics of mobile terminal communication data.The scheme first uses PIN for dynamical identification of the taint,and track it and analyzes the trajectory to obtain the message format.Secondly,the message clustering is performed on the basis of the message format to infer the protocol state machine.Finally,the LCS algorithm is used to compare the state machines to get a complete protocol state machine.This article tests and evaluates the scheme based on two types of application design experiments on the Android platform.The experimental results show that the results are both complete and real-time,and have practical value.

Key words: mobile terminal, data forensics, dynamic stain analysis, protocol reverse analysis, similarity comparison

中图分类号:

TN915.08

张明远,祁欣妤,宋宇波,顾荣荣,胡爱群,朱珍超. 基于协议逆向的移动终端通信数据解析[J]. 网络与信息安全学报, 2018, 4(12): 54-61.

Mingyuan ZHANG,Xinyu QI,Yubo SONG,Rongrong GU,Aiqun HU,Zhenchao ZHU. Analysis of communication data of mobile terminal based on protocol reversal[J]. Chinese Journal of Network and Information Security, 2018, 4(12): 54-61.

图/表 12

图1

表1

表2

图2

图3

表3

图4

表4

图5

图6

图7

图8

参考文献 16

[1]	SIJA B D , GOO Y H , KYU S S ,et al. Survey on network protocol reverse engineering approaches,methods and tools[C]// IEEE Network Operations and Management Symposium. 2017: 271-274.
[2]	PAN D , WANG Y , XUE Z . Remote control trojan vulnerability mining based on reverse analysis of network protocol[J]. Computer Engineering, 2016: 124-140
[3]	WEN S , MENG Q , FENG C ,et al. Protocol vulnerability detection based on network traffic analysis and binary reverse engineering[J]. Plos One, 2017,12(10): 186-188.
[4]	LI W , AI M , JIN B . A network protocol reverse engineering method based on dynamic taint propagation similarity[M]. Intelligent Computing Theories and Application. Springer International Publishing, 2016: 580-592.
[5]	WEI X , LIU R , XU F . Reverse analysis of industrial control protocol based on static binary analysis[J]. Application of Electronic Technique, 2018: 366-372.
[6]	BLUMBERGS B , VAARANDI R . BBUZZ:a bit-aware fuzzing framework for network protocol systematic reverse engineering and analysis[C]// IEEE Military Communications Conference. 2017: 707-712.
[7]	SIJA B D , GOO Y H , SHIM K S ,et al. Protocol reverse engineering methods for undocumented ethernet and wireless protocols;survey[C]// Symposium of the Korean Institute of Communications and Information Sciences. 2017: 281-312.
[8]	GOO Y H , SHIM K S , CHAE B M ,et al. Framework for precise protocol reverse engineering based on network traces[C]// IEEE/IFIP Network Operations and Management Symposium. 2018: 1-4.
[9]	BARMPATSALON K , DAMOPOULOS D , KAMBOURAKIS G ,et al. A critical review of 7 years of mobile device forensics[J]. Digital Investigation, 2015,(10): 323-349.
[10]	DU J . Android mobile forensics privilege promotion[J]. Silicon Valley, 2016,14: 563-578.
[11]	AL BARGHOUTHY N , MARRINGTON A . A comparison of forensic acquisition techniques for android devices:a case study investigation of or Web browsing sessions[C]// 2014 6th International Conference on New Technologies Mobility and Security (NTMS). 2014: 1-4.
[12]	JONKERS K . The forensic use of mobile phone flasher boxes[J]. Digital Investigation, 2015,(6): 168-178.
[13]	JEON S , BANG J , BYUN K ,et al. A recovery method of deleted record for SQLite database[J]. Personal and Ubiquitous Computing, 2017,16(6): 707-715.
[14]	YANG Y T , ZU Z Y , SUN G Z . Historical data recovery from android devices[M]// Future Information Technology. Berlin Heidelberg:Springer, 2016: 251-257.
[15]	GROBLER C , LOUWRENS C , VON SOLMS S . A multi-component view of digital forensics:fifth international conference on availability,reliability,and security[C]// IEEE Piscataway. 2011: 647-652.
[16]	THING V L L , NG K Y , CHANG E C . Live memory forensics of mobile phones[J]. Digital Investigation, 2015: 74-82.

字段名称	字段类型	字段说明
ID	长整型	自动编号
Time	长整型	消息发生时间
Msg_Type	长整型	消息类型（接收/发送）
Protocol	长整型	消息所属协议
Msg_Content	长整型	消息内容

字段名称	字段类型	字段说明
Status_ID	长整型	状态标号
Pre_Status	长整型	前一个状态
Next_Status	长整型	后一个状态
Pre_Trans	长整型	前一个状态转换规则
Next_Trans	长整型	后一个状态转换规则
First_Status	长整型	状态机第一个状态
Last_Status	长整型	状态机最后一个状态

协议p	协议1	协议2
AabBc	AabBFc	GmHnc
Cac	Cabc	DmEc
DdEc	DdEc	Cac

状态转换信息	FTP	SMTP
State_Tr1	100%	64.28%
State_Tr2	100%	55.14%
State_Tr3	100%	28.57%
State_Tr4	100%	0
State_Tr5	100%	0
State_Tr6	100%	0
State_Tr7	100%	0
State_Tr8	100%	0
State_Tr9	100%	0
State_Tr10	100%	0
State_Tr11	100%	49.06%
State_Tr12	100%	50%
State_Tr13	100%	22.35%

基于协议逆向的移动终端通信数据解析

Analysis of communication data of mobile terminal based on protocol reversal

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 12

参考文献 16

相关文章 3

Metrics

推荐阅读 0

[1]	潘雁, 林伟, 祝跃飞. 渐进式的协议状态机主动推断方法[J]. 网络与信息安全学报, 2023, 9(2): 81-93.
[2]	裘佳浩, 邱卫东, 王杨德, 查言, 谢宇明, 李岩. 智能化的安卓手势密码取证关键技术[J]. 网络与信息安全学报, 2022, 8(1): 118-127.
[3]	李济洋,赵鹏远,刘喆. 基于加密SD卡的内网移动终端可信接入方案[J]. 网络与信息安全学报, 2019, 5(4): 108-118.