Cryptographic Protocol Reverse Method Based on Information Entropy and Closed Frequent Sequences


Authors: LIANG Chen [1]; HONG Zheng; WU Lifa; JI Qingbing [3]

Affiliations: [1] School of Cybersecurity, Nanjing University of Posts and Telecommunications, Nanjing 210023, China; [2] College of Command and Control Engineering, Army Engineering University, Nanjing 210007, China; [3] No.30 Institute of CETC, Chengdu 610041, China

Source: Computer Science (《计算机科学》), 2024, No. 3, pp. 326-334 (9 pages)

Funding: National Key Research and Development Program of China (2019YFB2101704).

Abstract: Unknown cryptographic protocols are widely used for the secure transmission of sensitive information, and reversing such protocols is of great significance to both attackers and defenders. To infer the formats of structurally complex cryptographic protocols from network traffic, a cryptographic protocol reverse method based on information entropy and closed frequent sequences is proposed. Byte information entropy is used to separate the plaintext and ciphertext fields of a message, and the closed frequent sequences mined by the BIDE algorithm are used to identify dynamic fields and static fields in the messages. A length field identification algorithm is proposed: it slices each message by bytes and cyclically compares the sliced field values with the set of length field values, which allows the various forms of length field in cryptographic protocols to be recognized. Heuristic strategies are proposed to recognize the semantics of key fields specific to cryptographic protocols, such as encryption suites and encryption algorithms. Experimental results show that the method can effectively identify fields and extract the formats of cryptographic protocols, and that it outperforms existing methods in length field identification and in semantic recognition of key fields specific to cryptographic protocols.

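Keywords: protocol reverse engineering; cryptographic protocol; information entropy; closed frequent sequences; network traffic; semantic analysis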

Classification code: TP393 [Automation and Computer Technology: Computer Application Technology]

 
