基于状态标注的协议状态机逆向方法

2013-06-132013-08-19。9732011CB311801114200510001。1989－、1963－、1981－1980－。1001-9081201312-3486-04doi10．11772/j．issn．1001-9081．2013．12．3486*，，，(，450004)(*eileen0908@qq．com)。。。TP393AProtocolstatemachinereversemethodbasedonlabelingstateHUANGXiaoyan*，CHENXingyuan，ZHUNing，TANGHuilin(InformationEngineeringUniversity，ZhengzhouHenan450004，China)Abstract:Protocolstatemachinecandescribethebehaviorofaprotocol，whichcanhelptounderstandthebehaviorlogicofprotocol．Orientedtowardstextprotocols，astatisticalmethodwasfirstlyusedtoextractthesemantickeywordofrepresentativemessagetype，andanadjacencymatrixwasusedtodescribethesequentialrelationshipbetweenthemessagetypes，basedonwhichtheprotocolstateswerelabeledandastatetransitiondiagramwasbuilt．Theexperimentalresultsshowthatthemethodcanaccuratelydescribethesequentialrelationshipbetweenthemessagetypesandabstractstatemachinemodelaccurately．Keywords:protocolreverse;protocolsemantic;protocolsession;protocolstatemachine;adjacencymatrix0。12、3。MicroSoftSMBServerMessageBlock4、OracleTNS5、IPTV6。。7、8。。。19。。。。。2007Shevertalov10PEXT。PEXTIDID。2009Trifilo11JournalofComputerApplications，2013，33(12):3486－3489，3498ISSN1001-9081CODENJYIIDU2013-12-01．joca．cn。2011Wang12ProbabilisticProtocolStateMachinePPSM。PPSMPartitioningAroundMedoidsPAM。2009Comparetti13Prospex。AugmentedPrefixTreeAcceptorAPTAAPTAExbarAPTA。Trifilo11Wang12。。。。1。122．11。。ASCII3tokenIP、、UＲL14tokentoken。。。2．1．1。token。SM|S||M|。t|Mt|tt|St|tt。1δttδt=|Mt|/|M|0＜δt＜101。δt≥1δt≈0δt≥1|Mt|≥|M|tδt≈0|Mt||M|ttoken。2φttφt=|Mt|/|St|φt1。φt=1t。2．1．22．1．1。2pos_permanenttt。PFmttmPFmt=Nmt/|Mt|。Nmtttokenmpos_permanentt=maxPFmt。3pos_permanentt=maxPFmt≥tmm。2．1．1。2．23。。。。784312。。2．2．1。nn×nVvij11aiaj20aiaj。。2．2．24ABAB。5ABBCABC。。4vij0vji0aiajaiaj。aiaj〈aiaj〉ajai。2．2．36。。1。K=GAIGAIG×AGA。g∈Ga∈Aga∈Iga。2。VrrVVr=vrij。vrijaiajr。3。nec_loada1amSr//a1am//Sra1amStrassenVrifvr1m=0r++nec_loada1amSrelseload=shortest_loada1amr//a1amM=g∈G|ga∈Ia∈load//MifM=S//returnnec_loadelseS=S－Mr++nec_loada1amSrshortest_loada1ayr//a1ayH=ai|vr－11i*viy≠0//aia1ayForeachhinHAddhtoloadn//addhtoa1ayr－－ifr＞1shortest_loada1ayhrelsereturnload//vn1i*vim=0n＜r－14。a11am。。S=UUr=1nec_loada1amSr//a1am2．2．4atagat→agTatag。T。7abab。8ABa∈Ab∈Bab。9ABBCA、B、C。。5Vvij0vji0aiaj。a、b、c、da→ca→bb→dc→da→bc→d。2．32．2。2．2．32．2．4。3WindowsXPPython2．7SMTPFTP。WindowsXPWebMailSMTPServ-UFTP。。8843333．1150SMTP432SMTP2100FTP2500FTP。1SMTP1EHLO6ＲESET2HELO7EMPTYCONTENT3MAILFＲOM8CONTENT4ＲCPTTO9QUIT5DATA2FTP1USEＲ8POＲT2PASS9LIST3QUIT10XMKD4CMD11TYPE5CDUP12STOＲ6ＲNFＲ13ＲETＲ7ＲNTO14DELE3．2———。3．2．1。NITPIＲecallFSM=TP/N。。SMTP855FTP642。2SMTP。SMTP30094．1%SMTP803FTP52SSL。3SMTP200SMTPHELOEHLO3。2SMTP4FTP。FTP200091．7%FTP589FTP531241SSL。5FTP1500FTP。3SMTP4FTP5FTP3．2．2MCPPrecisionFSM=CP/M。0．1。SMTP786SMTP78。FTP489FTP64。SMTPSMTP708FTPFTP473。FTPFTP100%。4。。。。34989843123Code-ＲedII。6antMSA。antMSA。。［1］KIMH-A，KAＲPB．Autograph:towardautomated，distributedwormsignaturedetection［C］//SSYM'04:Proceedingsofthe13thConferenceonUSENIXSecuritySymposium．Berkeley:USENIXAssociation，2004，13:271－286．［2］NEWSOMEJ，SONGD．Dynamictaintanalysisforautomaticdetec-tion，analysis，andsignaturegenerationofexploitsoncommoditysoftware［C］//NDSS2005:Proceedingsofthe12thAnnualNet-workandDistributedSystemSecuritySymposium．SanDiego:Bib-Sonomy，2005:1－38．［3］NEWSOMEJ，KAＲPB，SONGD．Polygraph:automaticallygener-atingsignaturesforpolymorphicworms［C］//SP'05:Proceedingsofthe2005IEEESymposiumonSecurityandPrivacy．Washington，DC:IEEEComputerSociety，2005:226－241．［4］，，，．［J］．，2006，29(9):1533－1541．［5］TANGY，XIAOB，LUXC．Usingabioinformaticsapproachtogenerateaccurateexploit-basedsignaturesforpolymorphicworms［J］．Computers＆Security，2009，28(8):827－842．［6］TANGY，CHENS．DefendingagainstInternetworms:asignature-basedapproach［C］//ProceedingsoftheINFOCOM2005．Piscat-away:IEEE，2005:1384－1394．［7］CＲANDALLJＲ，WUSF，CHONGFT．Experiencesusingminosasatoolforcapturingandanalyzingnovelwormsforunknownvul-nerabilities［C］//DIMVA'05:ProceedingsoftheSecondInterna-tionalConferenceonDetectionofIntrusionsandMalware，andVul-nerabilityAssessment，LNCS3548．Berlin:Springer-Verlag，2005:32－50．［8］NEEDLEMANSB，WUNSCHCD．Ageneralmethodapplicabletothesearchforsimilaritiesintheaminoacidsequenceoftwoproteins［J］．JournalofMolecularBiology，1970，48(3):443－453．［9］DOＲIGOM，MANIEZZOV，COLOMIA．AntsystemoptimizationbyacolonyofcoorperatingAgents［J］．IEEETransactionsonSys-tems，ManandCybernetics，PartB:Cybernetics，1996，26(1):29－41．［10］，．［J］．，2005，22(1):100－106．［11］，，．［J］．，2008，23(2):225－228．［12］，，．［J］．，2010，30(12):3349－3353．［13］OLUSOLAAA，OLADELEAS，ABOSEDEDO．AnalysisofKDD'99intrusiondetectiondatasetforselectionofrelev-vancefea-tures［C］//WCECS2010:ProceedingsoftheWorldCongressonEngineeringandComputerScience．SanFrancisco:［s．n．］，2010．［14］UCIknowledgediscoveryindatabasesarchive［EB/OL］．［2013－03－20］．．ics．uci．edu/databases/kddcup99/kddcup．data．gz．3489［1］KＲUEGEＲT，KＲMEＲN，ＲIECKK．ASAP:automaticseman-tics-awareanalysisofnetworkpayloads［C］//Proceedingsofthe2011InternationalECML/PKDDConferenceonPrivacyandSecurityIssuesinDataMiningandMachineLearning，LNCS6549．Berlin:Springer-Verlag，