网络协议隐形攻击行为的聚类感知挖掘

doi:10.11959/j.issn.1000-436x.2017123

Abstract

Abstract:

Deep stealth attack behavior in the network protocol becomes a new challenge to network security.In view of the shortcomings of the existing protocol reverse methods in the analysis of protocol behavior,especially the stealth attack behavior mining,a novel instruction clustering perception mining algorithm was proposed.By extracting the protocol's behavior instruction sequences，and clustering analysis of all the behavior instruction sequences using the instruction clustering algorithm,the stealth attack behavior instruction sequences can be mined quickly and accurately from a large number of unknown protocol programs according to the calculation results of the behavior distance.Combining dynamic taint analysis with instruction clustering analysis,1 297 protocol samples were analyzed in the virtual analysis platform hidden disc which was developed independently，and 193 stealth attack behaviors were successfully mined，the results of automatic analysis and manual analysis were completely consistent.Experimental results show that，the solution is ideal for perception mining the protocol's stealth attack behavior in terms of efficiency and accuracy.

Key words: protocol reverse analysis, stealth attack behavior, instruction clustering

CLC Number:

TP393

Yan-jing HU,Qing-qi PEI. Clustering perception mining of network protocol’s stealth attack behavior[J]. Journal on Communications, 2017, 38(6): 39-48.

Figures/Tables 9

References 15

[1]	CUI B , WANG F , HAO Y ,et al. A taint based approach for automatic reverse engineering of gray-box file formats[J]. Soft Computing, 2015: 1-16.
[2]	BOSSERT G , GUIHéRY F , HIET G . Towards automated protocol reverse engineering using semantic information[C]// Proceedings of the 9th ACM Symposium on Information,Computer and Communications Security. 2014.
[3]	NARAYAN J , SHUKLA S K , CLANCY T C . A survey of automatic protocol reverse engineering tools[J]. ACM Comput Surv, 2015,48: 1-26.
[4]	LI X D , . A survey on methods of automatic protocol reverse engineering[C]// Proceedings of the 2011 Seventh International Conference on Computational Intelligence and Security. 2011: 685-689.
[5]	CABALLERO D S J . Automatic protocol reverse-engineering:message format extraction and field semantics inference[J]. Computer Networks, 2012,54(2): 451-474.
[6]	JO?O A N N , . Automatically complementing protocol specifications from network traces[C]// European Workshop on Dependable Computer, 2011: 87-92.
[7]	MENG F Z , LIU Y , ZHANG C R ,et al. Inferring protocol state machine for binary communication protocol[C]// Advanced Research and Technology in Industry Applications (WARTIA). 2014: 870-874.
[8]	HAN K , LIM J H , IM E G . Malware analysis method using visualization of binary files[C]// Proceedings of the 2013 Research in Adaptive and Convergent Systems,Montreal,Quebec,Canada, 2013.
[9]	苏璞睿, 杨轶 . 基于可执行文件静态分析的入侵检测模型[J]. 计算机学报, 2006,29: 1572-1578.
	SU P R , YANG Y . Intrusion detection model based on executable static analysis[J]. Chinese Journal of Computers, 2006,29: 1572-1578.
[10]	胡燕京, 裴庆祺, 庞辽军 . 消息和指令分析相结合的网络协议异常行为分析[J]. 通信学报, 2015,36(11): 147-155.
	HU Y J , PEI Q Q , PANG L J . Message combined with instruction analysis for network protocol’s abnormal behavior[J]. Journal on Communications, 2015,36(11): 147-155.
[11]	LIN W , ZHU Y F , SHI X L . A method of multiple encryption and sectional encryption protocol reverse engineering[C]// 2014 Tenth International Conference on Computational Intelligence and Security (CIS). 2014: 420-424.
[12]	RAHIMIAN A , ZIARATI R , PREDA S ,et al. On the reverse engineering of the citadel botnet[J]. Foundations and Practice of Security, 2014: 408-425.
[13]	COMPARETTI P M , SALVANESCHI G , KIRDA E ,et al. Identifying dormant functionality in malware programs[C]// IEEE Symposium on Security ＆Privacy, 2010: 61-76.
[14]	KANG B , KIM T , KWON H ,et al. Malware classification method via binary content comparison[C]// ACM Research in Applied Computation Symposium. 2012: 316-321.
[15]	NATANI P , VIDYARTHI D . An overview of detection techniques for metamorphic malware[J]. Intelligent Computing,Networking,and Informatics, 2014: 637-643.

Metrics

Recommended 0

No Suggested Reading articles found!

行为聚类	标记后的行为指令序列	是否隐形攻击行为
行为1	FDDFFFD FDFFD CC FDF FF DFDF D FFFDFF	否
行为2	FDDFFFD DFFFD CC FDF FF DDDD CC FDFDFFD DFFFDF DFCC FDF D FFFDFF	否
行为3	DFDFFFCF DDDDDDDD DFDFDFFCF	是

协议程序	公开：隐形基本块数	公开行为分布向量distrib_pub(F₁,D₁,C₁)	隐形行为分布向量distrib_dorm(F₂,D₂,C₂)	行为距离	运行安全性
聚类1 (121)	5 200：110	(0.25,0.25,0.50)	(0.25,0.25,0.50)	0	安全
聚类2(356)	4 430：100	(0.40,0.30,0.30)	(0.40,0.20,0.40)	0.02	安全
聚类3(818)	4 690：90	(0.20,0.20,0.60)	(0.30,0.30,0.40)	0.06	安全
聚类4(Cbot-3280)	2 750：1 330	(0.10,0.10,0.80)	(1.00,1.00,2.00)	5.34	不安全
聚类5(http-hidden)	5 000：1 990	(0.20,0.40,0.40)	(1.70,1.10,2.20)	5.94	不安全

方案名称	解决方案	分析对象	可否抵御加密/混淆技术	可否识别隐形行为	识别率
推断协议状态机^[7]	监听网络消息流	网络消息	否	否	0
动态污点分析^[1,11]	抽取协议程序处理输入数据的一些特征	协议程序	可	可	10%～20%
堡垒逆向工程^[12]	识别堡垒中来自其他恶意软件的恶意代码片断及其开源应用	僵尸程序和网络消息	可	可	＜50%
识别隐匿功能^[13]	根据观察到的行为抽取和建模部分新的恶意软件二进制代码	恶意程序	否	可	20%～40%
恶意软件分类^[14]	分析恶意软件的相似性来划分恶意软件类别	恶意程序	可	可	约20%
探究多执行路径进行恶意软件分析^[15]	识别仅当特定条件满足时执行的恶意动作	恶意程序	可	可	约60%
僵尸网络组活动探测器^[12]	使用DNS流量检测僵尸网络	僵尸网络消息(DNS流量)	可	可	约30%
HiddenDisc	使用指令聚类挖掘协议隐匿行为	协议程序和网络消息	可	可	≥80%

Clustering perception mining of network protocol’s stealth attack behavior

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 9

References 15

Related Articles 2

Metrics

Recommended 0

[1]	Yan-jing HU,Qing-qi PEI. Mining and utilization of network protocol’s stealth attack behavior [J]. Journal on Communications, 2017, 38(Z1): 118-126.
[2]	. Message combined with instruction analysis for network protocol’s abnormal behavior [J]. Journal on Communications, 2015, 36(11): 147-155.