基于主动交互式学习的工控协议逆向分析  被引量：2

作　　者：付安民[1] 毛安 黄涛 胡超 刘莹 张晓明[3] 王占丰 FU Anmin;MAO An;HUANG Tao;HU Chao;LIU Ying;ZHANG Xiaoming;WANG Zhanfeng(School of Computer Science and Engineering,Nanjing University of Science and Technology,Nanjing 210094,China;College of Command Control Engineering,Army Engineering University of PLA,Nanjing 210007,China;National Computer Network and Information Security Management Center,Beijing 100029,China;Nanjing Lexbell Information Technology Company Limited,Nanjing 210014,China)

机构地区：[1]南京理工大学计算机科学与工程学院,江苏南京210094 [2]中国人民解放军陆军工程大学指挥控制工程学院,江苏南京210007 [3]国家计算机网络与信息安全管理中心,北京100029 [4]南京莱克贝尔信息技术有限公司,江苏南京210014

出　　处：《西安电子科技大学学报》2023年第4期22-33,共12页Journal of Xidian University

基　　金：国家重点研发计划(2022YFB3104002);国家自然科学基金(62072239);江苏省重点研发计划(BE2022081);未来网络科研基金(FNSRFP-2021-ZD-05)。

摘　　要：作为工业控制系统信息交互的重要基础,工控协议在设计和实现上的规范与完备直接关系到整个工业控制系统的安全运行。针对未知工业控制协议逆向,基于流量样本的协议逆向方法因其无需分析系统固件等优点而受到越来越多的关注。但是该类方法也存在过于依赖样本多样性等缺点,特别是样本多样性不足容易导致字段划分错误、状态识别错误、分析只得到协议规范子集等问题。为此提出一种基于主动交互式学习的工控协议逆向分析方法,在流量样本逆向结果的基础上,依据初始逆向结果构建数据包集合,与真实设备进行交互学习,探测未知协议字段与状态机。与工控模拟软件的交互学习仿真实验结果显示,该方法能有效地验证字段语义、扩充字段取值、扩充异常样本类型,并解决因样本多样性不足而导致的伪长静态字段问题,同时还能有效探测新的状态和状态变迁,极大提高了未知协议逆向的准确性。As an important basis for information exchange in industrial control systems,the standardization and completeness of the design and implementation of industrial control protocols involve the security of the entire industrial control system.For the reverse of unknown industrial control protocols,although the protocol reverse method based on traffic samples has attracted more and more attention because it does not need to analyze the system firmware and other advantages,this type of method also has the disadvantage of relying too much on sample diversity.Especially,insufficient sample diversity can easily lead to problems such as field division errors,state identification errors,and only a subset of protocol specifications can be obtained from analysis.For this reason,this paper proposes an industrial control protocol reverse analysis method based on active interactive learning.On the basis of the reverse results of traffic samples,a data packet set is constructed according to the initial reverse results,and interactive learning is carried out with real devices to detect unknown protocol fields and state machines.Simulation experimental results of interactive learning with industrial control simulation software show that this method can effectively verify field semantics,expand field values,expand abnormal sample types,and solve the problem of pseudo-long static fields caused by insufficient sample diversity and that it can detect new states and state transitions,greatly improving the accuracy of unknown protocol reverse.

关 键 词：工控协议 协议逆向 交互式学习 协议状态机 

分 类 号：TP393.0[自动化与计算机技术—计算机应用技术]