通信学报 ›› 2017, Vol. 38 ›› Issue (6): 39-48.doi: 10.11959/j.issn.1000-436x.2017123

• 学术论文 • 上一篇    下一篇

网络协议隐形攻击行为的聚类感知挖掘

胡燕京1,2,裴庆祺2   

  1. 1 武警工程大学网络与信息安全武警部队重点实验室,陕西 西安 710086
    2 西安电子科技大学综合业务网理论及关键技术国家重点实验室,陕西 西安 710071
  • 修回日期:2017-04-18 出版日期:2017-06-25 发布日期:2017-06-30
  • 作者简介:胡燕京(1980-),男,陕西西安人,博士,武警工程大学讲师,主要研究方向为信息系统安全防护、网络协议逆向分析。|裴庆祺(1975-),男,广西玉林人,西安电子科技大学教授、博士生导师,主要研究方向为数字内容保护与无线网络安全。
  • 基金资助:
    国家自然科学基金资助项目(61373170);国家自然科学基金资助项目(61402530);国家自然科学基金资助项目(61309022);国家自然科学基金资助项目(61309008)

Clustering perception mining of network protocol’s stealth attack behavior

Yan-jing HU1,2,Qing-qi PEI2   

  1. 1 Network and Information Security Key Laboratory,Engineering University of CAPF,Xi’an 710086,China
    2 State Key Laboratory of Integrated Services Networks,Xidian University,Xi’an 710071,China
  • Revised:2017-04-18 Online:2017-06-25 Published:2017-06-30
  • Supported by:
    The National Natural Science Foundation of China(61373170);The National Natural Science Foundation of China(61402530);The National Natural Science Foundation of China(61309022);The National Natural Science Foundation of China(61309008)

摘要:

深藏在网络协议中的隐形攻击行为日益成为网络安全面临的新挑战。针对现有协议逆向分析方法在协议行为分析特别是隐形攻击行为挖掘方面的不足,提出了一种新颖的指令聚类感知挖掘方法。通过抽取协议的行为指令序列,利用指令聚类算法对所有的行为指令序列进行聚类分析,根据行为距离的计算结果,从大量未知协议程序中快速准确地挖掘出隐形攻击行为指令序列。将动态污点分析和指令聚类分析相结合,在自主研发的虚拟分析平台HiddenDisc上分析了1 297个协议样本,成功挖掘出193个隐形攻击行为,自动分析和手动分析的结果完全一致。实验结果表明,该方案在效率和准确性方面对协议隐形攻击行为的感知挖掘都是理想的。

关键词: 协议逆向分析, 隐形攻击行为, 指令聚类

Abstract:

Deep stealth attack behavior in the network protocol becomes a new challenge to network security.In view of the shortcomings of the existing protocol reverse methods in the analysis of protocol behavior,especially the stealth attack behavior mining,a novel instruction clustering perception mining algorithm was proposed.By extracting the protocol's behavior instruction sequences,and clustering analysis of all the behavior instruction sequences using the instruction clustering algorithm,the stealth attack behavior instruction sequences can be mined quickly and accurately from a large number of unknown protocol programs according to the calculation results of the behavior distance.Combining dynamic taint analysis with instruction clustering analysis,1 297 protocol samples were analyzed in the virtual analysis platform hidden disc which was developed independently,and 193 stealth attack behaviors were successfully mined,the results of automatic analysis and manual analysis were completely consistent.Experimental results show that,the solution is ideal for perception mining the protocol's stealth attack behavior in terms of efficiency and accuracy.

Key words: protocol reverse analysis, stealth attack behavior, instruction clustering

中图分类号: 

No Suggested Reading articles found!