未知二进制协议的报文分割方法  

作　　者：徐魁 海洋[1] 李晓辉 朱承才 陶军 XU Kui;HAI Yang;LI Xiao-hui;ZHU Cheng-cai;TAO Jun(Communication Office of Baoji Public Security Bureau,Baoji 721014,China;School of Cyber Science and Engineering,Southeast University,Nanjing 211189,China;The Key Laboratory of Computer Networks and Information Integration,Ministry of Education,Southeast University,Nanjing 211189,China)

机构地区：[1]宝鸡市公安局通信处,陕西宝鸡721014 [2]东南大学网络空间安全学院,江苏南京211189 [3]计算机网络和信息集成教育部重点实验室(东南大学),江苏南京211189

出　　处：《计算机技术与发展》2023年第11期119-125,共7页Computer Technology and Development

基　　金：中国高校产学研创新基金-阿里云高校数字化创新专项(2021ALA03006)。

摘　　要：基于网络轨迹的协议逆向工程使用捕获的数据包进行分析,进而逆向未知协议的格式等信息。该文提出了一种利用二进制协议在网络通信过程中使用报文序列数据集来推断消息字段划分的新方法HV。该方法首先利用定义的测度分析各条消息中的值分布,分析报文的内部结构,对字段边界初次划分。接着利用消息序列之间所隐藏的统计信息对字段边界再次划分。最后将两次划分的结果结合,生成最终的字段划分结果。此前的研究很少利用每个消息内部的结构特征,而是通过比较多条消息得出结论。对于消息之间的统计特征,该文仅仅比较相邻的消息,而不是相互比较多条消息。此外,该文还定义了格式匹配分数,用于消息字段划分的质量的度量。将格式匹配分数应用于HV和以前的方法的对比实验中,进而验证HV字段划分的质量。由于HV在水平分析上利用了消息的内部结构,并且在垂直分析中只比较相邻消息之间的异同,因此HV不仅具有较好的字段划分效果,而且只有线性复杂度。Protocol reverse engineering based on network trajectory uses captured data packets to analyze and reverse information such as the format of unknown protocols.A new method,HV,is proposed to infer the division of message fields by using the message sequence data set used by binary protocol in network communication.HV uses the defined measure to analyze the value distribution in each message and then analyze the internal structure of the message,so that the field boundary can be divided for the first time.Then HV uses the hidden statistical information between message sequences to divide the field boundaries again.Finally,the results of the two divisions are combined to generate the final field division result.Previous studies rarely use the internal structural features of each message,but draw conclusions by comparing multiple messages.For the statistical characteristics between messages,we only compare adjacent messages,rather than comparing multiple messages with each other.In addition,we also define the format matching score,which is used to measure the quality of message field division.Applying the format matching score to the comparison experiment between HV and previous methods,the quality of HV field division is verified.Because HV uses the internal structure of messages in horizontal analysis and only compares the similarities and differences between adjacent messages in vertical analysis,HV not only has good field division effect,but also has linear complexity.

关 键 词：二进制协议 协议逆向 字段划分 报文格式 内在结构 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]