网络协议隐形攻击行为的挖掘和利用

doi:10.11959/j.issn.1000-436x.2017244

通信学报 ›› 2017, Vol. 38 ›› Issue (Z1): 118-126.doi: 10.11959/j.issn.1000-436x.2017244

网络协议隐形攻击行为的挖掘和利用

胡燕京^1,²,裴庆祺²

¹ 武警工程大学网络与信息安全武警部队重点实验室，陕西西安 710086
² 西安电子科技大学综合业务网理论及关键技术国家重点实验室，陕西西安 710071

出版日期:2017-10-01 发布日期:2018-06-07
作者简介:胡燕京（1980-），男，陕西西安人，博士，武警工程大学讲师，主要研究方向为信息系统安全防护、网络协议逆向分析。|裴庆祺（1975-），男，广西玉林人，西安电子科技大学教授、博士生导师，主要研究方向为数字内容保护与无线网络安全。
基金资助:
国家自然科学基金资助项目(61373170);国家自然科学基金资助项目(61402530);国家自然科学基金资助项目(61309022);国家自然科学基金资助项目(61309008)

Mining and utilization of network protocol’s stealth attack behavior

Yan-jing HU^1,²,Qing-qi PEI²

¹ Network and Information Security Key Laboratory,Engineering University of the Armed Police Force,Xi’an 710086,China
² National Key Laboratory of Integrated Services Networks,Xidian University,Xi’an 710071,China

Online:2017-10-01 Published:2018-06-07
Supported by:
The National Natural Science Foundation of China(61373170);The National Natural Science Foundation of China(61402530);The National Natural Science Foundation of China(61309022);The National Natural Science Foundation of China(61309008)

摘要/Abstract

摘要：

网络协议的隐形攻击行为生存性、隐蔽性和攻击性强，且不易被现有的安全防护手段检测到。为了弥补现有协议分析方法的不足，从实现协议程序的指令入手，通过动态二进制分析捕获协议的正常行为指令序列。然后通过指令聚类和特征距离计算挖掘出潜在的隐形攻击行为指令序列。将挖掘出的隐形攻击行为指令序列以内联汇编的方式加载到通用运行框架，在自主研发的虚拟分析平台HiddenDisc上动态分析执行，并评估隐形攻击行为的安全性。除了挖掘分析和有针对性的防御隐形攻击行为之外，还通过自主设计的隐形变换方法对隐形攻击行为进行形式变换，利用改造后的隐形攻击行为对虚拟靶机成功实施了攻击而未被发现。实验结果表明，对协议隐形攻击行为的挖掘是准确的，对其改造利用以增加信息攻防能力。

关键词: 协议逆向分析, 隐形攻击行为, 指令聚类, 隐形变换

Abstract:

The survivability,concealment and aggression of network protocol’s stealth attack behaviors were very strong,and they were not easy to be detected by the existing security measures.In order to compensate for the shortcomings of existing protocol analysis methods,starting from the instructions to implement the protocol program,the normal behavior instruction sequences of the protocol were captured by dynamic binary analysis.Then,the potential stealth attack behavior instruction sequences were mined by means of instruction clustering and feature distance computation.The mined stealth attack behavior instruction sequences were loaded into the general executing framework for inline assembly.Dynamic analysis was implemented on the self-developed virtual analysis platform HiddenDisc,and the security of stealth attack behaviors were evaluated.Excepting to mining analysis and targeted defensive the stealth attack behaviors,the stealth attack behaviors were also formally transformed by the self-designed stealth transformation method,by using the stealth attack behaviors after transformation,the virtual target machine were successfully attacked and were not detected.Experimental results show that,the mining of protocol stealth attack behaviors is accurate,the transformation and use of them to increase information offensive and defensive ability is also feasible.

Key words: protocol reverse analysis, stealth attack behavior, instruction clustering, stealth transformation

中图分类号:

TP393

胡燕京,裴庆祺. 网络协议隐形攻击行为的挖掘和利用[J]. 通信学报, 2017, 38(Z1): 118-126.

Yan-jing HU,Qing-qi PEI. Mining and utilization of network protocol’s stealth attack behavior[J]. Journal on Communications, 2017, 38(Z1): 118-126.

图/表 7

图1

图2

图3

图4

图5

图6

表1

参考文献 18

[1]	HARALE S T A . Detection and analysis of network ＆ application layer attacks using honey pot with system security features[J]. International Journal of Advance Research,Ideas and Innovations in Technology, 2017: 1-4.
[2]	MING J , XIN Z , LAN P ,et al. Impeding behavior-based malware analysis via replacement attacks to malware specifications[J]. Journal of Computer Virology and Hacking Techniques, 2016: 1-15.
[3]	BOSSERT G,GUIHéRY F , HIET G . Towards automated protocol reverse engineering using semantic information[J]. 9th ACM Symposium on Information,Computer and Communications Security, 2014.
[4]	胡燕京, 裴庆祺 . 网络协议隐形攻击行为的聚类感知挖掘[J]. 通信学报, 2017,38(6): 39-48.
	HU Y J , PEI Q Q . Clustering perception mining of network protocol’s stealth attack behavior[J]. Journal on Communicaitons, 2017,38(6): 39-48.
[5]	ANDERSON B , STORLIE C , LANE T . Improving malware classification:bridging the static/dynamic gap[C]// The 5th ACM Workshop on Security and Artificial Intelligence. 2012.
[6]	EGELE M , SCHOLTE T , KIRDA E ,et al. A survey on automated dynamic malware-analysis techniques and tools[J]. ACM Computing Surveys, 2012: 1-42.
[7]	CABALLERO J , SONG D . Automatic protocol reverse-engineering:message format extraction and field semantics inference[J]. Computer Networks, 2013: 451-474.
[8]	LCLI X D , . A survey on methods of automatic protocol reverse engineering[C]// The 2011 Seventh International Conference on Computational Intelligence and Security. 2011: 685-689.
[9]	CANFORA G , IANNACCONE A , VISAGGIO C . Static analysis for the detection of metamorphic computer viruses using repeatedinstructions counting heuristics[J]. Journal of Computer Virology and Hacking Techniques, 2014: 11-27.
[10]	KANG B , KIM T , KWON H ,et al. Malware classification method via binary content comparison[C]// The 2012 ACM Research in Applied Computation Symposium. 2012.
[11]	HAN K , LIM J H , IM E G . Malware analysis method using visualization of binary files[C]// The 2013 Research in Adaptive and Convergent Systems. Canada, 2013.
[12]	QIAO Y , HE J , YANG Y ,et al. A lightweight design of malware behavior representation[C]// IEEE International Conference on Trust Security and Privacy in Computing and Communications,IEEE Computer Society. 2013: 1607-1612.
[13]	CABALLERO J , POOSANKAM P , KREIBICH C ,et al. Dispatcher:enabling active botnet infiltration using automatic protocol reverse-engineering[C]// The 16th ACM Conference on Computer and Communications Security. Chicago,Illinois,USA, 2009.
[14]	KANG J , PARK J H . A secure-coding and vulnerability check system based on smart-fuzzing and exploit[J]. Neurocomputing, 2017.
[15]	BUCHLER M , HOSSEN K , MIHANCEA P F ,et al. Model inference and security testing in the spacios project[C]// Software Maintenance,Reengineering and Reverse Engineering. 2014: 411-414.
[16]	CUI B , WANG F , HAO Y ,et al. A taint based approach for automatic reverse engineering of gray-box file formats[J]. Soft Computing, 2015: 1-16.
[17]	POLINO M , SCORTI A , MAGGI F ,et al. Jackdaw:towards automatic reverse engineering of large datasets of binaries[J]. Detection of Intrusions and Malware,and Vulnerability Assessment.Springer International Publishing, 2015: 121-143.
[18]	RAHIMIAN A , ZIARATI R , PREDA S ,et al. On the reverse engineering of the citadel botnet[M]. Foundations and Practice of Security. Springer International Publishing, 2014: 408-425.

方案	技术路线	分析对象	能否抵御加密/混淆技术	能否识别隐形攻击行为	成果
方案[13]方案	分析协议程序指令流	协议程序	×	×	推断出协议格式
文献[14]方案	使用试探性攻击挖掘协议漏洞	协议程序、协议消息	√	×	挖掘出协议漏洞
文献[15]方案	逆向分析协议工作原理，伪装成被控端加入到控制网络	僵尸网络C＆C协议	√	×	C＆C协议规格和工作原理
文献[16]方案	利用数据流图分析自动识别加密算法	二进制代码	√	×	自动识别加密算法
文献[17]方案	采用Win32 API从大量二进制程序集中发现感兴趣的动态行为模式	二进制程序集	×	×	识别程序行为模式
方案[18]方案	逆向工程堡垒恶意软件，并掌握其内部结构和功能	堡垒恶意软件	√	×	提高了逆向工程相似恶意软件变体的能力
文献[11]方案	使用蜜罐网络系统安全属性检测网络层和应用层攻击	蠕虫程序及网络流量	√	×	检测网络层和应用层攻击
本文方案	使用指令聚类挖掘，执行模板执行，变形技术利用协议隐形攻击行为	协议程序及网络消息	√	√	挖掘出隐形攻击行为指令序列，并能够防范和利用隐形攻击行为

网络协议隐形攻击行为的挖掘和利用

Mining and utilization of network protocol’s stealth attack behavior

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 7

参考文献 18

相关文章 2

Metrics

推荐阅读 0

[1]	胡燕京,裴庆祺. 网络协议隐形攻击行为的聚类感知挖掘[J]. 通信学报, 2017, 38(6): 39-48.
[2]	胡燕京，裴庆祺，庞辽军. 消息和指令分析相结合的网络协议异常行为分析[J]. 通信学报, 2015, 36(11): 147-155.