Research and Design of Packet Format Mining
Published: 2018-04-05 14:12
Topic: protocol reverse engineering. Focus: TLV packet structure. Source: Beijing University of Posts and Telecommunications, 2014 master's thesis
[Abstract]: Mining the packet format of an unknown protocol is a very effective technique for improving network security, especially for raising the accuracy of network fuzz testing. However, most current work on reversing unknown protocols relies on manual analysis, which is both very time-consuming and inefficient. In this thesis we propose a new method for inferring the packet format of an unknown protocol; with it, TLV-format packets can be parsed at low time cost to obtain their packet structure.
The thesis builds on the length-progressive algorithm and improves it: where the original method could only compare sequences pairwise, the improved method identifies similar fields across multiple sequences at once, which suits it better to extracting packet features and also addresses the original method's low efficiency and susceptibility to error. The method consists of four parts: tag-field threshold assumption, TLV structure inference, selection of the optimal structure, and field type determination. The tag-field threshold step assumes, from experience, the number of distinct tag-field types in a group of packets; a TLV structure is inferred under that threshold; that structure is then used to parse sample data under different parameter settings, and the TLV structure whose parses are structurally closest is selected; finally, field types are determined on the basis of that structure. The method can be used to analyse automatically a packet format for which no documentation exists and to provide a basis for network fuzz testing.
To evaluate the algorithm, we used get-request packets of SNMP v1 as sample data and compared the experimental results with the standard protocol specification. The experiments show that the method recovers the structure of the original packets at lower time cost and can provide a basis for network fuzz testing and other network-security applications, so it has some practical value.
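The abstract names the pipeline (tag-field threshold, TLV structure inference, choice of one structure, field typing) and the SNMP v1 get-request test data, but not the algorithm itself. The following is an added example, not code from the thesis, that walks through a reduced version of that pipeline on constructed SNMP v1 get-requests. It does not implement the thesis's length-progressive multi-sequence alignment: the structure step instead relies on BER's self-describing lengths (one-byte tags, definite-form lengths, nesting under constructed tags), which a real unknown protocol would not hand you. The tag threshold is approximated by counting distinct tag bytes, "optimal structure" reduces to requiring that every sample parse to the same skeleton, and field typing classifies each primitive field by whether its value or length varies across samples. All function names, the sample packets and their request-ids and OIDs are assumptions made for the example.

```python
"""Added example, not code from the thesis: infer a TLV skeleton from packet
samples and classify each leaf field by how it varies across them.
Assumptions (none from the page): one-byte tags, BER definite-form lengths,
nesting under constructed tags (0x20 bit); samples are SNMPv1 get-requests
built below by a small encoder, not captured traffic."""
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Node:
    tag: int
    length: int
    value: bytes
    children: List["Node"] = field(default_factory=list)

def read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a BER definite-form length at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first & 0x80 == 0:                       # short form, 0..127
        return first, pos + 1
    n = first & 0x7F                            # long form, n length octets follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated length at offset %d" % pos)
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_tlvs(buf: bytes) -> List[Node]:
    """Parse consecutive TLVs that exactly fill buf, recursing into constructed tags."""
    nodes, pos = [], 0
    while pos < len(buf):
        if pos + 1 >= len(buf):
            raise ValueError("tag without length at offset %d" % pos)
        tag = buf[pos]
        length, pos = read_length(buf, pos + 1)
        if pos + length > len(buf):
            raise ValueError("value overruns buffer at offset %d" % pos)
        node = Node(tag, length, buf[pos:pos + length])
        if tag & 0x20:                          # constructed: value holds nested TLVs
            node.children = parse_tlvs(node.value)
        nodes.append(node)
        pos += length
    return nodes

def skeleton(nodes: List[Node]) -> tuple:
    """Tags and nesting only; lengths and values dropped."""
    return tuple((n.tag, skeleton(n.children)) for n in nodes)

def walk(nodes: List[Node], path: tuple = ()):
    """Yield (path, node) for every node in document order; path = child indices."""
    for i, n in enumerate(nodes):
        yield path + (i,), n
        yield from walk(n.children, path + (i,))

def infer_format(samples: List[bytes]):
    """Return (skeleton, distinct tag count, {leaf path: (tag, kind)}); raise if samples disagree."""
    trees = [parse_tlvs(s) for s in samples]
    if len({skeleton(t) for t in trees}) != 1:
        raise ValueError("samples do not share one TLV structure")
    tags, per_leaf = set(), {}
    for t in trees:
        for path, node in walk(t):
            tags.add(node.tag)                  # stands in for the tag-type threshold
            if not node.children:               # only primitive fields get a type
                per_leaf.setdefault(path, []).append(node)
    fields = {}
    for path, ns in per_leaf.items():
        if len({n.value for n in ns}) == 1:
            kind = "constant"
        elif len({n.length for n in ns}) == 1:
            kind = "fixed-length variable"
        else:
            kind = "variable-length"
        fields[path] = (ns[0].tag, kind)
    return skeleton(trees[0]), len(tags), fields

# --- constructed sample data (hypothetical, not captured traffic) -----------
def tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 0x80, "samples keep to short-form lengths"
    return bytes([tag, len(value)]) + value

def ber_int(n: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def get_request(request_id: int, community: bytes, oid: bytes) -> bytes:
    """SNMPv1 get-request with one varbind, following the RFC 1157 layout."""
    varbind = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    pdu = ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind)
    return tlv(0x30, ber_int(0) + tlv(0x04, community) + tlv(0xA0, pdu))

SAMPLES = [
    get_request(1, b"public", bytes.fromhex("2b06010201010100")),      # sysDescr.0
    get_request(300, b"public", bytes.fromhex("2b06010201010300")),    # sysUpTime.0
    get_request(70000, b"public", bytes.fromhex("2b06010201010500")),  # sysName.0
]
if __name__ == "__main__":
    skel, ntags, fields = infer_format(SAMPLES)
    for path, (tag, kind) in sorted(fields.items()):
        print("%-14s tag 0x%02x  %s" % ("/".join(map(str, path)), tag, kind))
```

Run stand-alone, the script prints one line per primitive field: version, community, error-status, error-index and the NULL value come out constant; the request-id is variable-length (its INTEGER grows from one to three octets across the samples); the OID is variable but fixed-length. That split is the input a fuzzer wants: mutate the variable fields and the lengths that frame them, leave the constants alone. A sample whose skeleton differs (for instance a request carrying two varbinds) or a truncated packet is rejected rather than silently merged, which is the check to keep when moving from hand-built samples to captures of a genuinely unknown protocol.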
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year of degree]: 2014
[Classification number]: TP393.08
Article ID: 1715106
Link: http://sikaile.net/guanlilunwen/ydhl/1715106.html