基于协议逆向的移动终端通信数据解析

doi:10.11959/j.issn.2096-109x.2018099

Abstract

Abstract:

The most problem in analysis of communication protocols and communication data for mobile terminals is that many mobile applications do not have the relevant public technical documents,and it is difficult to know the type of communication protocol it adopts.The instruction execution sequence analysis technique takes the instruction sequence executed by the program as a research object,and inversely infers the message format and the state machine to obtain the communication protocol.However,due to the incomplete collection of sequence information,the state machine infers that the inference is incomplete and cannot be effective.A novel protocol reverse scheme based on state machine comparison is proposed,which can be used for the forensics of mobile terminal communication data.The scheme first uses PIN for dynamical identification of the taint,and track it and analyzes the trajectory to obtain the message format.Secondly,the message clustering is performed on the basis of the message format to infer the protocol state machine.Finally,the LCS algorithm is used to compare the state machines to get a complete protocol state machine.This article tests and evaluates the scheme based on two types of application design experiments on the Android platform.The experimental results show that the results are both complete and real-time,and have practical value.

Key words: mobile terminal, data forensics, dynamic stain analysis, protocol reverse analysis, similarity comparison

CLC Number:

TN915.08

Mingyuan ZHANG,Xinyu QI,Yubo SONG,Rongrong GU,Aiqun HU,Zhenchao ZHU. Analysis of communication data of mobile terminal based on protocol reversal[J]. Chinese Journal of Network and Information Security, 2018, 4(12): 54-61.

Figures/Tables 12

References 16

[1]	SIJA B D , GOO Y H , KYU S S ,et al. Survey on network protocol reverse engineering approaches,methods and tools[C]// IEEE Network Operations and Management Symposium. 2017: 271-274.
[2]	PAN D , WANG Y , XUE Z . Remote control trojan vulnerability mining based on reverse analysis of network protocol[J]. Computer Engineering, 2016: 124-140
[3]	WEN S , MENG Q , FENG C ,et al. Protocol vulnerability detection based on network traffic analysis and binary reverse engineering[J]. Plos One, 2017,12(10): 186-188.
[4]	LI W , AI M , JIN B . A network protocol reverse engineering method based on dynamic taint propagation similarity[M]. Intelligent Computing Theories and Application. Springer International Publishing, 2016: 580-592.
[5]	WEI X , LIU R , XU F . Reverse analysis of industrial control protocol based on static binary analysis[J]. Application of Electronic Technique, 2018: 366-372.
[6]	BLUMBERGS B , VAARANDI R . BBUZZ:a bit-aware fuzzing framework for network protocol systematic reverse engineering and analysis[C]// IEEE Military Communications Conference. 2017: 707-712.
[7]	SIJA B D , GOO Y H , SHIM K S ,et al. Protocol reverse engineering methods for undocumented ethernet and wireless protocols;survey[C]// Symposium of the Korean Institute of Communications and Information Sciences. 2017: 281-312.
[8]	GOO Y H , SHIM K S , CHAE B M ,et al. Framework for precise protocol reverse engineering based on network traces[C]// IEEE/IFIP Network Operations and Management Symposium. 2018: 1-4.
[9]	BARMPATSALON K , DAMOPOULOS D , KAMBOURAKIS G ,et al. A critical review of 7 years of mobile device forensics[J]. Digital Investigation, 2015,(10): 323-349.
[10]	DU J . Android mobile forensics privilege promotion[J]. Silicon Valley, 2016,14: 563-578.
[11]	AL BARGHOUTHY N , MARRINGTON A . A comparison of forensic acquisition techniques for android devices:a case study investigation of or Web browsing sessions[C]// 2014 6th International Conference on New Technologies Mobility and Security (NTMS). 2014: 1-4.
[12]	JONKERS K . The forensic use of mobile phone flasher boxes[J]. Digital Investigation, 2015,(6): 168-178.
[13]	JEON S , BANG J , BYUN K ,et al. A recovery method of deleted record for SQLite database[J]. Personal and Ubiquitous Computing, 2017,16(6): 707-715.
[14]	YANG Y T , ZU Z Y , SUN G Z . Historical data recovery from android devices[M]// Future Information Technology. Berlin Heidelberg:Springer, 2016: 251-257.
[15]	GROBLER C , LOUWRENS C , VON SOLMS S . A multi-component view of digital forensics:fifth international conference on availability,reliability,and security[C]// IEEE Piscataway. 2011: 647-652.
[16]	THING V L L , NG K Y , CHANG E C . Live memory forensics of mobile phones[J]. Digital Investigation, 2015: 74-82.

Metrics

Recommended 0

No Suggested Reading articles found!

字段名称	字段类型	字段说明
ID	长整型	自动编号
Time	长整型	消息发生时间
Msg_Type	长整型	消息类型（接收/发送）
Protocol	长整型	消息所属协议
Msg_Content	长整型	消息内容

字段名称	字段类型	字段说明
Status_ID	长整型	状态标号
Pre_Status	长整型	前一个状态
Next_Status	长整型	后一个状态
Pre_Trans	长整型	前一个状态转换规则
Next_Trans	长整型	后一个状态转换规则
First_Status	长整型	状态机第一个状态
Last_Status	长整型	状态机最后一个状态

协议p	协议1	协议2
AabBc	AabBFc	GmHnc
Cac	Cabc	DmEc
DdEc	DdEc	Cac

状态转换信息	FTP	SMTP
State_Tr1	100%	64.28%
State_Tr2	100%	55.14%
State_Tr3	100%	28.57%
State_Tr4	100%	0
State_Tr5	100%	0
State_Tr6	100%	0
State_Tr7	100%	0
State_Tr8	100%	0
State_Tr9	100%	0
State_Tr10	100%	0
State_Tr11	100%	49.06%
State_Tr12	100%	50%
State_Tr13	100%	22.35%

Analysis of communication data of mobile terminal based on protocol reversal

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 12

References 16

Related Articles 4

Metrics

Recommended 0

[1]	Yan PAN, Wei LIN, Yuefei ZHU. Progressive active inference method of protocol state machine [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 81-93.
[2]	Wenxuan WU, Wenbo ZHOU, Weiming ZHANG, Nenghai YU. Deepfake detection method based on patch-wise lighting inconsistency [J]. Chinese Journal of Network and Information Security, 2023, 9(1): 167-177.
[3]	Jiyang LI,Pengyuan ZHAO,Zhe LIU. Trusted access scheme for intranet mobile terminal based on encrypted SD card [J]. Chinese Journal of Network and Information Security, 2019, 5(4): 108-118.
[4]	Qiuhan WU,Wei HU. Design of identity authentication agreement in mobile terminal based on SM2 algorithm and blockchain [J]. Chinese Journal of Network and Information Security, 2018, 4(9): 60-65.