1. School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, Jiangsu, China
2. College of Command and Control Engineering, Army Engineering University of PLA, Nanjing 210007, Jiangsu, China
3. National Computer Network and Information Security Management Center, Beijing 100029, China
4. Nanjing Laikebeier (南京莱克贝尔) Information Technology Co., Ltd., Nanjing 210014, Jiangsu, China
FU Anmin (b. 1981), male, professor; E-mail: [email protected]
MAO An (b. 1998), male, master's student, Nanjing University of Science and Technology; E-mail: [email protected]
HUANG Tao (b. 1988), male, PhD student, Nanjing University of Science and Technology; E-mail: [email protected]
HU Chao (b. 1984), male, associate professor; E-mail: [email protected]
LIU Ying (b. 1987), female, lecturer; E-mail: [email protected]
ZHANG Xiaoming (b. 1980), male, senior engineer; E-mail: [email protected]
WANG Zhanfeng (b. 1982), male, postdoctoral researcher; E-mail: [email protected]
Citation: FU Anmin, MAO An, HUANG Tao, et al. Reverse analysis of industrial control protocols based on active interactive learning [J]. Journal of Xidian University, 2023, 50(4): 22-33. DOI: 10.19665/j.issn1001-2400.2023.04.003.
Abstract: As the basis of information exchange in industrial control systems, the standardization and completeness of an industrial control protocol's design and implementation bear directly on the secure operation of the whole system. For reverse engineering of unknown industrial control protocols, methods based on traffic samples have attracted growing attention because they do not require analysis of the system firmware. However, such methods depend heavily on the diversity of the captured samples: insufficient diversity easily leads to field-boundary errors, state-identification errors, and results that cover only a subset of the protocol specification. This paper therefore proposes an industrial control protocol reverse-analysis method based on active interactive learning. Starting from the results of traffic-sample reverse engineering, a set of probe packets is constructed from the initial inference and used in interactive learning with a real device to discover unknown protocol fields and unknown states of the protocol state machine. Simulation experiments using interactive learning against industrial control simulation software show that the method effectively verifies field semantics, expands the observed value ranges of fields, expands the set of abnormal sample types, resolves the pseudo-long static fields that arise when samples lack diversity (adjacent bytes that never vary in the capture and are therefore merged into one constant field), and detects new states and state transitions, greatly improving the accuracy of unknown-protocol reverse engineering.
Keywords: industrial control protocol; protocol reverse engineering; interactive learning; protocol state machine
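The interactive-learning loop the abstract describes, as an added example that is not the paper's code: a traffic-only pass merges byte columns that never vary into static runs; each byte of a run is then mutated on its own against a device and the run is cut where the device starts to interpret other values, which splits the pseudo-long static field; the function-code values found this way become the alphabet of an active state exploration that fingerprints states by their one-step responses. The simulated device, the five-byte protocol, the capture and the session-setup preamble are all constructed for this example; the paper's own packet-set construction and state-detection procedures are not reproduced here.

```python
# Added illustration of active interactive learning, not the paper's code. The protocol
# is a constructed toy: request = 55 AA | func | addr | value, response = 55 AA | func | status | data.
MAGIC = b"\x55\xaa"
OK, ERR_STATE, ERR_FUNC, ERR_MAGIC = 0x00, 0xF0, 0xEE, 0xFF
OPEN, CLOSE, READ, WRITE = 0x01, 0x02, 0x03, 0x06

class SimDevice:  # hypothetical stand-in for the real PLC: an idle/session two-state device
    def __init__(self):
        self.reset()
    def reset(self):
        self.session = False
        self.regs = {i: (i * 7) & 0xFF for i in range(8)}
    def handle(self, req: bytes) -> bytes:
        if len(req) != 5 or req[:2] != MAGIC:              # parse-level rejection
            return MAGIC + bytes([0, ERR_MAGIC, 0])
        func, addr = req[2], req[3]
        if func in (OPEN, CLOSE):
            if self.session == (func == OPEN):              # already open / not open
                return MAGIC + bytes([func, ERR_STATE, 0])
            self.session = func == OPEN
            return MAGIC + bytes([func, OK, 0])
        if func in (READ, WRITE):                           # toy: WRITE is acknowledged like READ
            if not self.session:
                return MAGIC + bytes([func, ERR_STATE, 0])
            return MAGIC + bytes([func, OK, self.regs[addr & 7]])
        return MAGIC + bytes([func, ERR_FUNC, 0])           # unknown function code

# Constructed capture of READ requests only: bytes 0-2 (55 AA 03) never vary, so a
# traffic-only analysis merges them into one 3-byte constant (pseudo-long static field).
CAPTURE = [MAGIC + bytes([READ, a, v]) for a, v in [(0, 0), (1, 0), (2, 5), (3, 9), (1, 4)]]
PREAMBLE = MAGIC + bytes([OPEN, 0, 0])  # session setup, assumed known from an earlier capture

def static_runs(samples):
    """Traffic-only step: adjacent byte offsets that never vary form one run."""
    const = [len({s[i] for s in samples}) == 1 for i in range(len(samples[0]))] + [False]
    runs, start = [], None
    for i, c in enumerate(const):
        if c and start is None:
            start = i
        if not c and start is not None:
            runs.append((start, i))
            start = None
    return runs

def probe_static_run(dev, base, run):
    """Interactive step: mutate one byte at a time; keep the values the device interprets."""
    accepted = {}
    for off in range(*run):
        vals = set()
        for v in set(range(256)) - {base[off]}:
            dev.reset()
            dev.handle(PREAMBLE)                            # back to the sample's state
            req = base[:off] + bytes([v]) + base[off + 1:]
            if dev.handle(req)[3] not in (ERR_MAGIC, ERR_FUNC):
                vals.add(v)
        accepted[off] = vals
    return accepted

def split_run(run, accepted):
    """Cut the run where 'no other value interpreted' flips to 'other values interpreted'."""
    fields, start = [], run[0]
    for off in range(run[0] + 1, run[1]):
        if bool(accepted[off]) != bool(accepted[off - 1]):
            fields.append((start, off))
            start = off
    return fields + [(start, run[1])]

def learn_state_machine(dev, alphabet):
    """One-step-signature state exploration (reset + prefix replay per query; not a full L*)."""
    def signature(prefix):                                  # status byte returned to each symbol
        out = []
        for a in alphabet:
            dev.reset()
            out.append([dev.handle(MAGIC + bytes([s, 0, 0]))[3] for s in prefix + (a,)][-1])
        return tuple(out)

    names, trans, queue = {signature(()): "q0"}, {}, [()]
    while queue:
        prefix = queue.pop(0)
        src = names[signature(prefix)]
        for a in alphabet:
            sig = signature(prefix + (a,))
            if sig not in names:                            # a state not seen in the capture
                names[sig] = f"q{len(names)}"
                queue.append(prefix + (a,))
            trans[(src, a)] = names[sig]
    return names, trans

def analyse():
    dev, base, fields, alphabet = SimDevice(), CAPTURE[0], [], set()
    for run in static_runs(CAPTURE):
        acc = probe_static_run(dev, base, run)
        fields += split_run(run, acc)
        for off, vals in acc.items():
            if vals:                                        # a byte the device interprets
                alphabet |= vals | {base[off]}
    names, trans = learn_state_machine(dev, sorted(alphabet))
    return fields, sorted(alphabet), len(names), trans
```

On this toy the traffic-only pass reports one static run over bytes 0-2; probing shows bytes 0-1 tolerate no other value while byte 2 is interpreted for three further values, so the run is split into a 2-byte magic and a 1-byte function code, and the expanded function-code alphabet then exposes a second state (session) and the transitions into and out of it that never appeared in the capture. Two caveats carry over to real devices: the one-step signature merges states that differ only in deeper behaviour, so a full L*-style learner is needed for protocols with longer-lived state, and every probe is a live packet to a controller, so mutation ranges and reset/replay sequences must be chosen so that no unintended write or control action is issued.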