Research and Design of Message Format Mining
Published: 2018-04-05 14:12
Topic: protocol reverse engineering. Focus: TLV message structure. Source: Beijing University of Posts and Telecommunications (北京邮电大学), 2014 master's thesis.
[Abstract]: Mining the message format of an unknown protocol is a highly effective technique for improving network security, especially for improving the accuracy of network fuzz testing. However, most current reverse engineering of unknown protocols relies on manual analysis, which is both time-consuming and inefficient. In this paper we propose a new method for inferring the message format of an unknown protocol; with it, messages in TLV format can be parsed and their message structure obtained at low time cost. The thesis builds on the incremental length algorithm and improves it so that, instead of only aligning sequences pairwise, it identifies similar fields across multiple sequences at once, which suits message feature extraction better and also addresses the low efficiency and error-proneness of the original method. The method consists of four parts: Tag field threshold assumption, TLV structure inference, optimal structure determination, and field type determination. The Tag field threshold step assumes, from experience, the number of Tag field types in a set of messages; a TLV structure is then inferred under that threshold and used to parse the sample data under different parameter settings, the TLV structure whose parse fits most closely is selected, and field types are finally determined on the basis of that structure. The method can automatically analyze a message format for which no documentation exists and provide a basis for network fuzz testing. To validate the algorithm's performance, we use get-request messages of the SNMP v1 protocol as sample data and compare the experimental results against the standard protocol documents. The experiments show that the method recovers the structure of the original messages at lower time cost, can provide a basis for network fuzz testing and network security applications, and has practical value.
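The TLV parsing and field-type determination that the abstract describes, as an added example that is not the thesis's own code or algorithm: a minimal BER TLV parser, a small builder for constructed SNMP v1 get-request samples, and a simplified structure comparison that checks that all samples share one TLV skeleton and labels each leaf field as constant or variable across the samples. The SNMP encodings follow BER; the `skeleton`, `leaf_values` and `infer_format` helpers, the sample OIDs and the request-ids are constructed assumptions that stand in for, rather than reproduce, the thesis's threshold and optimal-structure steps.

```python
# Added example: minimal BER TLV parsing plus a simplified format inference over
# constructed SNMP v1 get-request samples. Not the thesis's algorithm.

CONSTRUCTED = 0x20  # bit 6 of a BER tag byte: the value is itself a list of TLVs


def parse_tlv(data, offset=0, end=None):
    """Parse consecutive definite-length BER TLV elements in data[offset:end].

    Returns a list of (tag, payload): payload is the raw bytes of a primitive
    element or a nested list for a constructed one. Single-byte tags only
    (multi-byte tags with tag number 31 are out of scope here)."""
    if end is None:
        end = len(data)
    items = []
    while offset < end:
        if offset + 2 > end:
            raise ValueError(f"truncated element at offset {offset}")
        tag, length = data[offset], data[offset + 1]
        offset += 2
        if length & 0x80:  # long form: 0x8n followed by n length bytes
            nbytes = length & 0x7F
            if nbytes == 0 or offset + nbytes > end:
                raise ValueError(f"bad length encoding at offset {offset - 1}")
            length = int.from_bytes(data[offset:offset + nbytes], "big")
            offset += nbytes
        value_end = offset + length
        if value_end > end:  # a length that overruns its container: the classic TLV failure mode
            raise ValueError(f"length {length} at offset {offset} overruns container end {end}")
        if tag & CONSTRUCTED:
            payload = parse_tlv(data, offset, value_end)
        else:
            payload = bytes(data[offset:value_end])
        items.append((tag, payload))
        offset = value_end
    return items


def skeleton(items):
    """Structural shape of a parsed message: tags and nesting, values dropped."""
    return tuple((tag, skeleton(p) if isinstance(p, list) else None) for tag, p in items)


def leaf_values(items, path=()):
    """Yield (path, tag, value) for every primitive field; path is the chain of child indices."""
    for i, (tag, p) in enumerate(items):
        if isinstance(p, list):
            yield from leaf_values(p, path + (i,))
        else:
            yield path + (i,), tag, p


def infer_format(samples):
    """Check that all samples share one TLV skeleton, then label each leaf field
    'constant' (same bytes in every sample) or 'variable' (differs between samples).
    A constructed stand-in for the thesis's field type determination step."""
    parsed = [parse_tlv(s) for s in samples]
    shapes = {skeleton(p) for p in parsed}
    if len(shapes) != 1:
        raise ValueError(f"samples disagree on structure ({len(shapes)} distinct skeletons)")
    seen = {}
    for p in parsed:
        for path, tag, value in leaf_values(p):
            seen.setdefault((path, tag), set()).add(value)
    return {key: ("constant" if len(vals) == 1 else "variable") for key, vals in seen.items()}


def tlv(tag, payload):
    """Encode one definite-length TLV (short or long length form)."""
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    lenbytes = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenbytes)]) + lenbytes + payload


def snmp_get_request(request_id, oid_bytes, community=b"public"):
    """Build a constructed SNMP v1 GetRequest (request_id < 128 so it fits one INTEGER byte)."""
    varbind = tlv(0x30, tlv(0x06, oid_bytes) + tlv(0x05, b""))          # SEQUENCE { OID, NULL }
    pdu = tlv(0xA0, tlv(0x02, bytes([request_id]))                        # GetRequest-PDU [0]
                    + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")             # error-status, error-index
                    + tlv(0x30, varbind))                                 # VarBindList
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)    # Message { version 0, community, PDU }


# Constructed sample set: sysDescr.0 and sysUpTime.0 (1.3.6.1.2.1.1.{1,3}.0), differing request-ids.
OID_SYSDESCR_0 = bytes.fromhex("2b06010201010100")
OID_SYSUPTIME_0 = bytes.fromhex("2b06010201010300")
SAMPLES = [
    snmp_get_request(1, OID_SYSDESCR_0),
    snmp_get_request(2, OID_SYSDESCR_0),
    snmp_get_request(3, OID_SYSUPTIME_0),
]

if __name__ == "__main__":
    for (path, tag), kind in sorted(infer_format(SAMPLES).items()):
        print(f"path={path} tag=0x{tag:02x} {kind}")
```

Running the block prints one line per leaf field: version, community, error-status, error-index and the NULL value come out as constant, while request-id and the OID come out as variable, which is the distinction a fuzzer would use to decide which fields to mutate. A message whose length field overruns its container raises rather than being silently accepted, which is the check any TLV parser used on untrusted input needs.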
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master
[Year conferred]: 2014
[Classification number]: TP393.08
Article number: 1715106
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1715106.html