WO2020155045A1 - Method and device for establishing communication model of network device - Google Patents

Method and device for establishing communication model of network device

Info

Publication number
WO2020155045A1
Authority
WO
WIPO (PCT)
Prior art keywords
binary
message
network device
sequence
binary sequences
Application number
PCT/CN2019/074251
Other languages
French (fr)
Chinese (zh)
Inventor
李锐
万朔
Original Assignee
西门子股份公司
西门子(中国)有限公司
Application filed by 西门子股份公司, 西门子(中国)有限公司 filed Critical 西门子股份公司
Priority to CN201980085228.6A priority Critical patent/CN113243014A/en
Priority to PCT/CN2019/074251 priority patent/WO2020155045A1/en
Publication of WO2020155045A1 publication Critical patent/WO2020155045A1/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • This application relates to the field of communications, and in particular to a method and device for establishing a communication model of network equipment.
  • Network devices may include devices that access various communication networks.
  • For example, in various industrial control networks, controlled devices such as sensors, servers and actuators communicate with the controller over the industrial bus to realize automatic control and management.
  • the communication model of a network device refers to a collection of a series of data used to describe how the network device responds to received network request information.
  • the communication model of a network device has important application value in many scenarios.
  • a honeypot system can use the communication model of a network device to imitate the communication behavior of that device: it responds to messages from an attacker so that the attacker mistakes it for the real system, and induces the attacker to continue the attack, so that the attack behavior can be collected for analysis. At present, the analysis of device communication behavior is done manually by technicians, which requires a lot of time and manpower, has a high cost and a long cycle, and is inefficient.
  • this application proposes a method and device for establishing a device communication model to automatically analyze the communication behavior of the device and establish a communication model.
  • an embodiment of the present application provides a method for establishing a communication model of a network device, which may include:
  • the communication model of the network device is established according to the rule.
  • an embodiment of the present application provides an apparatus for establishing a communication model of a network device, which may include:
  • a request determination module for determining a plurality of different first binary sequences, where each first binary sequence corresponds to a request message
  • a sending module configured to send the determined plurality of the first binary sequences to the network device
  • a response obtaining module configured to obtain a plurality of response messages of the request message corresponding to the first binary sequence from the network device, wherein each response message corresponds to a second binary sequence;
  • a model building module is used to determine the law of the change of each of the second binary sequences with each of the first binary sequences, and establish the communication model of the network device according to the law.
  • the embodiment of the present application also provides another apparatus for establishing a communication model of a network device, which may include a processor and a memory, wherein:
  • Computer-readable instructions are stored in the memory, and the instructions can be executed by the processor to implement the method for establishing a communication model of a network device of each embodiment.
  • an embodiment of the present application also provides a computer-readable storage medium storing computer-readable instructions, which may be used to make a processor execute the method for establishing a communication model of a network device in each embodiment.
  • the embodiments use a plurality of binary sequences as request messages to communicate with the network device, and establish the communication model of the network device from the responses of the network device, without requiring any prior knowledge of the communication mechanism of the network device.
  • the communication model of network equipment is established to provide important reference data for related application scenarios. This process can be executed by a computing device without human involvement, and a communication model can be established in a relatively short time. The establishment of the communication model is based on the analysis of a large number of binary sequences, so the communication model can more comprehensively and accurately reflect the communication behavior of network devices.
  • the aforementioned communication model may include at least one of the following:
  • the inferred message type of the request message;
  • the inferred message type of the response message;
  • each embodiment can determine the content of the communication model according to the specific situation, and the model may include multiple kinds of information, so as to describe the communication behavior of the network device in as much detail as possible and help related application scenarios better understand the communication behavior logic of the network device.
  • the correspondence between the request message and the response message may include at least one of the following:
  • one first binary sequence corresponds to a plurality of second binary sequences;
  • a plurality of first binary sequences correspond to one second binary sequence;
  • one first binary sequence corresponds to one second binary sequence;
  • one first binary sequence corresponds to zero second binary sequences;
  • a plurality of first binary sequences correspond to zero second binary sequences.
  • the communication model can simply and intuitively reflect the message sending and receiving logic of the network device, and the correspondence facilitates message lookup when the model is applied in a honeypot.
  • this can improve the response speed of a honeypot system and simplify its message processing.
  • the communication model established according to the law can reflect the response logic of the network device at the level of individual fields, so the communication model is more detailed and accurate.
  • the inferred meaning of each component in each first binary sequence and/or each second binary sequence is determined according to the law by which each second binary sequence changes with the components of each first binary sequence;
  • the communication model is established according to the inferred meaning of each component.
  • determining the law by which each second binary sequence changes with each component of each first binary sequence may be performed in at least one of the following ways:
  • the inferred meaning of a first component is determined as one or more of message length, time, check code and numerical value;
  • the inferred meaning of a first component is determined as a numerical value;
  • the inferred meaning of a first component is determined as one or more of version information and type information;
  • the inferred meaning of a second component is determined as counting information.
  • the inference process is clear and operable, and the inference result is accurate and reliable.
  • when the determined plurality of first binary sequences are sent to the network device, they may be sent according to at least one of the following:
  • the communication model is established according to the inferred message type.
  • the communication model can reflect the macro characteristics of the request message and/or response message through the message type, thereby making the communication model more accurate.
  • the inferred message type of each first binary sequence and/or each second binary sequence is determined according to the law by which each second binary sequence changes with each first binary sequence;
  • the step of inferring the message type may include at least one of the following:
  • the request messages corresponding to the plurality of first binary sequences are determined to be invalid request messages;
  • the response message corresponding to the second binary sequence is determined as a status response message, and the request message corresponding to the corresponding first binary sequence is determined as a process request message;
  • the request message corresponding to the first binary sequence is determined as a request message related to time or status;
  • the request message corresponding to the first binary sequence is determined as a message that triggers an unknown failure of the network device.
  • the communication model can also be verified by sending several request messages, and the communication model can be further adjusted to make the communication model more accurate and reliable.
  • FIG. 1 is a schematic diagram of a scenario in which an analysis apparatus 20 in an embodiment of the application communicates with a network device.
  • FIG. 2 is a flowchart of a method for establishing a communication model of a network device according to an embodiment of the application.
  • FIG. 3A is a schematic diagram of an apparatus for establishing a communication model of a network device according to an embodiment of the application.
  • FIG. 3B is a schematic diagram of an apparatus for establishing a communication model of a network device according to an embodiment of the application.
  • FIG. 4 is a schematic diagram of the correspondence between request messages and response messages in an embodiment of the application.
  • FIG. 5 is a schematic diagram of a message field parsing principle according to an embodiment of the application.
  • FIG. 6 is a schematic diagram of an inferred message structure according to an embodiment of the application.
  • FIG. 7 is a schematic diagram of a honeypot system according to an embodiment of the application.
  • Reference numerals: 240 model building module; 250 processor; 260 memory; 261 request determination module; 262 sending module; 263 response acquisition module; 264 model building module; 51 root node; 521, 522 ... 52n child nodes; 5n1, 5n2 ... 5nn leaf nodes; 61 field; 62 message; 63 inferred meaning of the field; 71 traffic distributor; 72 flow analyzer; 73 physical device; 74 virtual device.
  • FIG. 1 is a schematic diagram of a scenario in which an analysis apparatus in an embodiment of the application communicates with a network device.
  • the analysis device 20 and the network device 10 communicate through a communication connection 30.
  • the communication connection 30 can be any wired or wireless connection; it can be a direct connection, or an indirect connection through a certain network or other equipment.
  • the network device 10 may be a device connected to any communication network.
  • the communication network may include but is not limited to: industrial control network, Internet of Things, Internet of Vehicles, local area network, Internet, cellular communication network, etc.
  • the network device 10 can access a communication network through a certain type of communication interface.
  • the analysis device 20 can communicate with the network device 10 through the same type of communication interface.
  • in this case the analysis device 20 is itself a device in the same network and can communicate with the network device 10 directly.
  • the analysis device 20 may access the communication network to which the network device 10 belongs, and communicate with the network device 10 as a device in the communication network.
  • the analysis device 20 may communicate with the network device 10 through different types of communication interfaces.
  • the network device 10 can access a communication network through a Wi-Fi interface, and the analysis device 20 can communicate with the network device 10 through a Bluetooth interface of the network device 10.
  • this application does not limit the communication medium or network protocol used by the analysis device 20 to communicate with the network device 10; that is, in terms of the OSI seven-layer model, the communication mechanisms of the physical layer, the data link layer and the network layer serve only as a channel for message transmission, and this application does not limit the type of that channel.
  • FIG. 2 is a flowchart of a method 200 for establishing a communication model of a network device 10 according to an embodiment of the application.
  • the method 200 may be executed by a device, such as the analysis device 20 in FIG. 1. As shown in Figure 2, the method may include the following steps.
  • Step S11: determine a plurality of different first binary sequences, where each first binary sequence corresponds to a request message.
  • Step S12: send the determined plurality of first binary sequences to the network device 10.
  • Step S13: obtain a plurality of response messages of the request messages corresponding to the first binary sequences from the network device 10, where each response message corresponds to a second binary sequence.
  • Step S14: determine the law by which each second binary sequence changes with each first binary sequence.
  • Step S15: establish the communication model of the network device 10 according to the law.
  • the plurality of first binary sequences may have the same or different lengths.
  • One or more designated lengths may be determined according to pre-configured information, and a plurality of binary sequences may be determined for each designated length as the first binary sequence.
  • the analysis device 20 may pre-configure the default length value of the request message, or may receive the length value input through the human-machine interface.
  • These length values can be multiple discrete values, such as 16, 32, 64, etc., and the unit can default to bits or bytes.
  • These length values can also be a length range (such as 8-64), or a maximum length (such as 128).
  • the analysis device 20 can determine each possible length of the request message that needs to be tried to be sent according to the default length value and the length value input by the human-machine interface.
  • the analysis device 20 may determine the first binary sequence with the specified length according to preset configuration information. In some embodiments, the analysis device 20 may regard each binary sequence with the specified length as a first binary sequence according to the default configuration. For example, when the specified length is 16 bits, the analysis device 20 may regard each binary number from 0x0000 to 0xFFFF as a first binary sequence. In some embodiments, the analysis device 20 may determine a binary sequence having the specified length and conforming to the characteristic as the first binary sequence according to the characteristic of the pre-configured request message. For example, if the feature of the request message is that the nth bit cannot be 0, the analysis device 20 may regard each binary sequence with the specified length and the nth bit not being 0 as a first binary sequence.
  • the analysis device 20 may receive a response message fed back by the network device 10, and each response message is also a binary sequence, which is referred to herein as a second binary sequence.
  • the analysis device 20 may record the correspondence between each first binary sequence and the second binary sequence of its response message. In some cases, the analysis device 20 may receive no response message from the network device 10 for certain first binary sequences. In that case, the analysis device 20 may record the second binary sequence corresponding to that first binary sequence as an empty sequence, that is, a sequence without any elements.
  • the analysis device 20 can establish a communication model of the network device 10 according to the law of the change of each second binary sequence with each first binary sequence.
  • the law by which each second binary sequence changes with each first binary sequence refers to the various relationships between the plurality of first binary sequences (request messages) and the plurality of second binary sequences (response messages).
  • these relationships include the relationship between each request message and its response message, the relationship among the response messages corresponding to multiple request messages, and so on.
  • the communication model of the network device 10 refers to a collection of a series of data used to describe the manner in which the network device 10 responds to a received request message.
  • the communication model can include any information related to the request message and/or the response message.
  • FIG. 3A is a schematic diagram of an apparatus for establishing a communication model of the network device 10 (that is, the analysis apparatus 20 in FIG. 1) according to an embodiment of the application.
  • the device 20 may include: a request determining module 210, a sending module 220, a response obtaining module 230, and a model building module 240.
  • the request determination module 210 may determine a plurality of different first binary sequences, where each first binary sequence corresponds to a request message.
  • the sending module 220 may send the determined plural first binary sequences to the network device 10.
  • the response obtaining module 230 may obtain a plurality of response messages of the request message corresponding to the first binary sequence from the network device 10, wherein each response message corresponds to a second binary sequence.
  • the model establishment module 240 can determine the law of each second binary sequence changing with each of the first binary sequences, and establish a communication model of the network device 10 according to the law.
  • FIG. 3B is a schematic diagram of another apparatus for establishing a communication model of the network device 10 (that is, the analyzing apparatus 20 in FIG. 1) according to an embodiment of the application.
  • the apparatus 20 may include a processor 250 and a memory 260.
  • the memory 260 may store a request determination module 261, a sending module 262, a response obtaining module 263, and a model building module 264 implemented by computer-readable instructions.
  • the computer-readable instructions corresponding to the request determining module 261, the sending module 262, the response acquiring module 263 and the model establishing module 264 can be executed by the processor 250 to implement functions similar to those of the request determining module 210, the sending module 220, the response obtaining module 230 and the model building module 240 shown in FIG. 3A, which are not repeated here.
  • the embodiments use a plurality of binary sequences as request messages to communicate with the network device 10, and establish a communication model of the network device 10 from the responses of the network device 10, without requiring any knowledge of the communication mechanism of the network device 10.
  • the communication model of the network device 10 established in this way provides important reference data for related application scenarios. The process can be executed by a computing device without human involvement, and a communication model can be established in a relatively short time. Because the model is based on the analysis of a large number of binary sequences, it can reflect the communication behavior of the network device 10 more comprehensively and accurately.
  • some first binary sequences may be sent to the network device 10 more than once. For example, to detect whether the response message of a request message depends on the time at which the request is sent, or on the number of times the request has been sent, the analysis device 20 may send one first binary sequence to the network device 10 multiple times and obtain the response message for each transmission. As another example, to detect whether the response messages of several request messages depend on the order in which those requests are sent, the analysis device 20 may send a plurality of different first binary sequences to the network device 10 multiple times in different orders, and obtain the group of response messages corresponding to each group of first binary sequences. When determining the law by which each second binary sequence changes with each first binary sequence, the analysis device 20 can then treat the variation among the multiple response messages obtained for repeated transmissions of the same first binary sequence as part of the law.
  • the communication model of the network device 10 may include various information related to the request message and/or the response message.
  • the communication model may include, but is not limited to, at least one of the following:
  • the analysis device 20 can determine the content of the communication model according to the specific conditions, so as to describe the communication behavior of the network device 10 in as much detail as possible and help related application scenarios better understand the communication behavior logic of the network device 10.
  • the correspondence between the request message and the response message may include, but is not limited to, at least one of the following:
  • a first binary sequence corresponds to multiple second binary sequences;
  • multiple first binary sequences correspond to one second binary sequence;
  • a first binary sequence corresponds to one second binary sequence;
  • a first binary sequence corresponds to an empty sequence;
  • multiple first binary sequences correspond to an empty sequence.
  • an empty sequence indicates that the analysis device 20 has not received a response message from the network device 10.
  • after the analysis device 20 has tried sending each first binary sequence and obtained the corresponding response message, it can summarize the relationship between each first binary sequence and its response message to obtain the correspondence between the first binary sequences and the second binary sequences. For example, as shown in FIG. 4:
  • request message 1 corresponds to response messages 1-1 and 1-2
  • request messages 2, 3, and 4 all correspond to the same response message 2-1
  • request message N corresponds to response message N-1, where N is a positive integer, and so on.
  • each request message and each response message is a binary sequence, and the binary sequence corresponding to a response message may be an empty sequence.
  • the communication model can simply and intuitively reflect the message sending and receiving logic of the network device 10, and the correspondence facilitates message lookup.
  • this can improve the response speed of a honeypot system and simplify its message processing.
  • the communication model may include an inferred message type of the request message and/or an inferred message type of the response message.
  • the analysis device 20 can determine the inferred message type of each first binary sequence and/or each second binary sequence according to the law by which each second binary sequence changes with each first binary sequence, and establish the communication model according to the inferred message type. By analyzing the request message and its response message to obtain the message type of the request message or response message, the communication model can reflect the macro characteristics of the request message and/or response message through the message type, thereby making the communication model more accurate.
  • the analysis device 20 may be preset with the characteristics of multiple preset message types, and can use these characteristics to infer the message type of a request message and/or response message.
  • the characteristics of the preset message types may include the characteristics of general message types, the characteristics of request message types, and the characteristics of response message types. Among them, the characteristics of the message type corresponding to the request message may include not only the characteristics of the request message itself, but also the characteristics of the response message corresponding to the request message, and the characteristics of the relationship between the request message and its response message, and so on.
  • the characteristics of the response message may include not only the characteristics of the response message itself, but also the characteristics of the request message corresponding to the response message, and the characteristics of the relationship between the response message and its request message, and so on.
  • the analysis device 20 can determine the inferred message type of each first binary sequence and/or second binary sequence according to the second binary sequence obtained for each first binary sequence.
  • the method for determining the message type may include, but is not limited to at least one of the following:
  • the request messages corresponding to the plurality of first binary sequences are determined to be invalid request messages;
  • the response message corresponding to the plurality of second binary sequences is determined as an echo message (Echo);
  • the response message corresponding to the second binary sequence is determined as a status response message, and the request message corresponding to the corresponding first binary sequence is determined as a process request message;
  • the request message corresponding to the first binary sequence is determined as a message that triggers an unknown failure of the network device 10.
  • a certain second binary sequence can be determined as an error message in various ways.
  • the analysis device 20 may preset a characteristic of a response message for prompting an error, and a certain second binary sequence may be determined as an error prompt message based on the characteristic.
  • the second binary sequence whose number of occurrences exceeds a preset threshold in the received second binary sequence may be determined as an error prompt message.
  • the characteristics of the request message can be preset in the analysis device 20; one or several first binary sequences that do not meet those characteristics can then be sent to the network device 10, and the response message fed back by the network device 10 is determined as an error prompt message.
  • the echo message means that the network device 10 sends back the received message content intact as a response message.
  • the analysis device 20 may record the second binary sequence completely consistent with the corresponding first binary sequence as an echo message, and record the corresponding first binary sequence as a request message that triggers the echo message.
  • the process request message refers to a request message for requesting the network device 10 to perform a certain preset process. At this time, the network device 10 will feed back a status response message.
  • the content of the status response message is whether the process is successfully executed, so it is a Boolean value. Therefore, when a certain second binary sequence is a Boolean value, the second binary sequence can be inferred as a status response message, and the corresponding first binary sequence can be inferred as a process request message.
  • the inferred message type determined in the above process can be used as a part of the communication model, and can also serve as an intermediate result in the subsequent analysis to generate more detailed analysis results. For example, when a request message is determined to be related to time or status, the various components of that request message can be analyzed in the subsequent process so as to determine the time- or state-related components of the request message and/or the corresponding response message.
  • the communication model may include the inferred meaning of at least one field in the request message and/or the response message.
  • the analysis device 20 can determine the inferred meaning of each component in each first binary sequence and/or each second binary sequence according to the law by which each second binary sequence changes with each component of each first binary sequence, and build the communication model based on the inferred meaning of each component. By analyzing the relationship between the various components of the request message and the response message, the inferred meaning of the components of the request message and/or response message can be determined. This information lets the communication model reflect the message processing logic of the network device 10 in more detail, which facilitates a more detailed and accurate analysis or imitation of the communication behavior of the network device 10.
  • the requirements for establishing a communication model are based on a situation where the communication mechanism of the network device 10 is completely unknown, that is, there is no known information about the format and content of the messages sent and received by the network device 10. Therefore, when determining the inferred meaning of a field in the request message, the analysis device 20 needs to complete two tasks. One is to determine the length of each field in the request message, and the other is to analyze the inferred meaning of each field.
  • the analysis device 20 can intercept binary fragments of a specified length from specified positions in the plurality of first binary sequences as a component, and determine the law by which the response messages to the request messages corresponding to the plurality of first binary sequences change with the binary fragments. If a rule of change of the response message with a binary segment can be found, the binary segment is determined to be a field.
  • a message can include fixed-length fields as well as variable-length fields.
  • the length of the field in each message is a preset length.
  • a preset boundary value is usually used to indicate the end of the field.
  • the analysis device 20 may be pre-configured with one or more designated lengths, which may be a common designated length for each field, or may be respective designated lengths of different fields.
  • the analysis device 20 can be pre-configured with a default length value, or can receive a length value input through a human-machine interface.
  • These length values can be multiple discrete values, such as 1, 2, 8, etc., and the unit can default to bits or bytes.
  • These length values can also be a length range (such as 1-16), or a maximum length (such as 32).
  • the analysis device 20 can determine all possible lengths of the binary fragments that need to be intercepted according to the default length value and the length value input through the human-machine interface, try to intercept the binary fragment corresponding to each possible length from the request message, and analyze whether each one is a field.
  • a plurality of predefined templates may be pre-configured in the analysis device 20.
  • a predefined template refers to a predefined message structure, including the length and/or meaning of each field.
  • the analysis device 20 may sequentially intercept binary fragments corresponding to the length of each field from the request message according to a predefined template, and analyze whether it is a field.
  • the analysis device 20 may also detect the boundary value of a preset field in the binary sequence of the message, so as to determine a possible boundary of a field. For example, when the analysis device 20 detects a predetermined value in the message, such as the binary fragments corresponding to "\n", "\0" and the like, it can be considered as a field boundary.
  • the request message can be regarded as a binary sequence composed of multiple binary segments. Therefore, a tree similar to an analysis model can be used to analyze the structure of the request message and the relationship between the request message and the response message.
  • Fig. 5 is a schematic diagram of a message field parsing principle according to an embodiment of the application. As shown in Fig. 5, the request message can be parsed block by block starting from one end (for example, the starting position) of the request message. For the first block to be parsed, binary fragments (also called fields or blocks) of different specified lengths can be intercepted from one end of the message to analyze the possible length of the first block and its inferred meaning.
  • a parse tree can be established with the first block of each possible length as the root node 51, and the length and the inferred meaning of the first block are recorded in the parse tree.
  • the analysis device 20 can start from the end position of the first block, repeat the above analysis process, obtain the various possible lengths and inferred meanings of the second block, and use the various possibilities of the second block as the child nodes 521, 522 … 52n of the root node 51. The above process is repeated until all the content of the request message is parsed, reaching the leaf nodes 5n1, 5n2 … 5nn of the tree.
  • Each leaf node 5n1, 5n2 … 5nn can correspond to one or more response messages, where n is a positive integer.
  • the analyzing device 20 can also use one or more other first binary sequences and the information of their response messages.
  • the network device 10 may adopt more than one request message structure.
  • when the analyzing device 20 determines that the structural feature of another first binary sequence does not conform to the structural feature of the first binary sequence currently analyzed, it can be considered that the other first binary sequence adopts a different message structure, and that sequence is re-analyzed in the above-mentioned manner to obtain one or more message structures corresponding to it.
  • the message structure of one or more possible request messages can be obtained, including the length of each field and one or more inferred meanings.
  • The one or more inferred message structures obtained, together with the first binary sequence and/or the second binary sequence of each message structure, can be added to the created communication model.
  • the analysis device 20 may perform similar parsing on the response message, and the parsing process may use the parsing result of the corresponding request message to obtain the inferred message structure of the response message and the inferred meaning of the fields in it.
  • the communication model established according to the law can reflect the response logic of the network device 10 to field-level information. Therefore, the communication model is more detailed and accurate.
  • the analysis device 20 can determine the inferred field type of each block (that is, the binary segment, the component part of the message) according to the characteristics of various preset field types configured in advance.
  • the method for inferring the field type may include, but is not limited to, at least one of the following:
  • when the plurality of second binary sequences do not change with a first component of the corresponding plurality of first binary sequences, the inferred meaning of the first component is determined as one or more of message length, time, check code and numerical value;
  • when the plurality of second binary sequences change with the first component of the corresponding plurality of first binary sequences, and the degree of change does not exceed a preset first threshold, the inferred meaning of the first component is determined as a numerical value;
  • when the plurality of second binary sequences change with the first component of the corresponding plurality of first binary sequences, and the degree of change exceeds the first threshold, the inferred meaning of the first component is determined as one or more of version information and type information;
  • when the first component of the plurality of first binary sequences appears in the corresponding second binary sequences, the inferred meaning of the first component is determined as a session identifier or a numerical value;
  • when the value of a second component in the plurality of second binary sequences corresponding to consecutively sent first binary sequences increases, the inferred meaning of the second component is determined as counting information.
  • in the first case, if the value of the first component is equal to the message length, the inferred meaning of the first component can be determined as the message length; if the value of the first component meets a preset time pattern, the inferred meaning of the first component can be determined as time; if the value of the first component is equal to the check value obtained by performing a preset algorithm (such as a checksum) on the request message, the inferred meaning of the first component can be determined as the check code; otherwise, the inferred meaning of the first component can be determined as a numerical value.
  • when the degree of change does not exceed the first threshold, the inferred meaning of the first component may be determined as a numerical value. The first threshold may refer to a number of changed bits in the second binary sequence, or to the percentage of changed bits in the total length of the second binary sequence, etc.
  • the analysis device 20 can determine a plurality of inferred meanings in one recognition step.
  • the analysis device 20 can record all possible inferred meanings of the block, and can exclude some of them in a subsequent identification step.
  • for example, the inferred meaning of a block may include version information and type information; in a subsequent recognition step, the inferred meaning of the component can be narrowed to version information according to the position of the block.
  • the analysis device 20 may preset that when a block is located in the first 30% of the sequence, its inferred meaning may be version information, message length, etc., and does not include a check code, etc. In this way, the inferred meanings of the block can be identified one by one according to each preset judgment condition.
  • Fig. 6 is a schematic diagram of an inferred message structure according to an embodiment of the application. As shown in Fig. 6, the inferred message structure includes the position and length of each field 61 in the message 62, and at least one inferred meaning 63.
  • the speculation process has better clarity and operability, and the speculation result is accurate and reliable.
  • the above-mentioned message type determination process and field analysis process can be performed at any time.
  • the message type and the fields in the first binary sequence can be analyzed.
  • the message types of each first binary sequence and the fields therein may be parsed.
  • the message type and the fields in the first binary sequence can be parsed, and during the parsing process, the relevant one or more first binary sequences can be analyzed.
  • the control sequence may be sent multiple times. After analyzing the message types and field meanings of these first binary sequences, another first binary sequence that has not yet been sent is tried, and its message type and fields are analyzed. In the above-mentioned message type determination process and field analysis process, other related first binary sequences can be sent as needed. For example, when it is detected that the response messages obtained from two transmissions of a certain first binary sequence are different, the preset processing method for this situation can be applied: the first binary sequence and the related plurality of first binary sequences are sent in multiple rounds for a preset number of times, and in different rounds the transmission order of each sequence can also be adjusted.
  • the content of the first binary sequence other than the block can be kept unchanged according to a preset method, and only the block is assigned different values, so that a plurality of binary sequences are obtained; these binary sequences are sent to the network device 10 and the corresponding response messages are obtained, from which it can be determined whether the block is a field and what the inferred meaning of the field is.
  • the specific sending and parsing process can be determined according to needs, and there is no restriction here.
  • the analysis device 20 may also send a plurality of different third binary sequences to the network device 10 based on the established communication model of the network device 10, and adjust the communication model according to the received response messages corresponding to the third binary sequences.
  • This adjustment process can be performed by an adjustment module (not shown) in the analysis device 20.
  • the third binary sequence and its related sequences (for example, a sequence of several request messages related to it in sending order or in response, etc.) are sent to the network device 10 again (or multiple times), and the communication model is adjusted according to the received response messages.
  • for the corresponding relationship between request messages and their response messages in the communication model, a third binary sequence with the same control sequence can be sent to the network device 10 again (or multiple times), and the communication model is adjusted according to the received response messages.
  • for the message type of the request message in the communication model, the message type of the third binary sequence is derived from the message type corresponding to the request message in the communication model that is the same as the third binary sequence; the third binary sequence and its related sequences can be sent to the network device 10 again (or multiple times), and the message type of the request message in the communication model that is the same as the third binary sequence is adjusted according to the received response messages.
  • for the inferred meaning of at least one field of the request message in the communication model, a third binary sequence is constructed according to the inferred meaning of at least one field of the request message in the communication model; when the received response message is inconsistent with the response message inferred from the communication model, a plurality of fourth binary sequences are constructed based on the inferred meaning of at least one field of the request message, and the inferred meaning of at least one field of the request message in the communication model is adjusted according to the response messages of the network device 10 to these fourth binary sequences.
  • the communication model can also be verified by sending several request messages, and the communication model can be further adjusted to make the communication model more accurate and reliable.
  • the analysis device 20 may provide the established communication model to a computing device for use.
  • the computing device can use the communication model to find errors and vulnerabilities in the device, or use the communication model to establish a honeypot system, etc.
  • Honeypot systems are designed to collect information about attackers by imitating vulnerable systems.
  • Fig. 7 is a schematic diagram of a honeypot system according to an embodiment of the application.
  • the honeypot system may include a traffic distributor 71, a traffic analyzer 72, and at least one physical device 73 and/or virtual device 74 for simulating the network device 10 to generate a response message.
  • the traffic distributor 71 may distribute the received network traffic to each physical device 73 and/or virtual device 74 according to a preset distribution principle.
  • the physical device 73 and/or the virtual device 74 can use the communication model established in each embodiment to determine the response message corresponding to each request message in the received network traffic, and send the response message to the network.
  • the traffic analyzer 72 can analyze the request messages in the received network traffic, the response messages sent by the physical device 73 and/or the virtual device 74, and the further message interactions performed by the external device on these response messages, so as to obtain information about the attacker's attack methods and means.
  • the honeypot system can respond to external attacks, can confuse the attacker into thinking that the honeypot system is a real device, and can also capture the attacker's further attack operations on the device, so as to obtain richer information about the attacker.
  • the technical solutions of the embodiments can construct a communication model of the network device 10.
  • by using the communication model as description information for the various messages processed by the network device 10, information about the communication behavior pattern of the network device 10 can be obtained. This process is completed by computing equipment, which reduces labor costs, and is fast and efficient.
  • this solution can establish a communication model of the network device 10 without any known information about the format and content of the messages sent and received by the network device 10, and is especially suitable for the analysis and modeling of new devices.
  • the embodiment of the present application also provides a readable storage medium.
  • the readable storage medium stores machine-readable instructions.
  • when the machine-readable instructions are executed by a machine, the machine executes the method for establishing the communication model of the network device 10 described in any of the foregoing embodiments.
  • the readable medium stores machine-readable instructions, and when the machine-readable instructions are executed by the processor, the processor executes any of the foregoing methods.
  • a system or device equipped with a readable storage medium may be provided, on which the software program code realizing the function of any one of the above embodiments is stored, and the computer or processor of the system or device reads out and executes the machine-readable instructions stored in the readable storage medium.
  • the program code itself read from the readable medium can realize the function of any one of the above embodiments, so the machine-readable code and the readable storage medium storing the machine-readable code constitute a part of the present application.
  • Examples of readable storage media include floppy disks, hard disks, magneto-optical disks, optical disks (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), magnetic tape, volatile memory cards and ROM.
  • the program code can be downloaded from the server computer or the cloud via the communication network.
  • the device structure described in the foregoing embodiments may be a physical structure or a logical structure. That is, some units may be implemented by the same physical entity, some units may be implemented by multiple physical entities, or some units may be implemented jointly by components in multiple independent devices.
  • the hardware unit can be implemented mechanically or electrically.
  • a hardware unit or processor may include a permanent dedicated circuit or logic (such as a dedicated processor, FPGA or ASIC) to complete the corresponding operation.
  • the hardware unit or processor may also include programmable logic or circuits (such as general-purpose processors or other programmable processors), which may be temporarily set by software to complete corresponding operations.
  • the specific implementation mode may be mechanical means, a dedicated permanent circuit, or a temporarily set circuit
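The honeypot use of the communication model (Fig. 7) and the verification step above (third binary sequences sent to the device, model adjusted on mismatch), as an added Python example that is not code from the patent or Siemens; the message layout, the template representation and the stand-in device are constructed assumptions:

```python
"""Added example (not code from the patent or Siemens): a field-level communication
model used as a honeypot responder and refined by the verification step.
Message layout, template representation and the stand-in device are assumptions."""


def toy_device(req: bytes) -> bytes:
    """Constructed stand-in for the real network device 10.
    Assumed request layout: type(1) session(2) payload(1)."""
    if len(req) < 4:
        return b"\xff"
    if req[0] == 0x01:                          # "read": reply derived from payload
        return b"\x81" + req[1:3] + bytes([req[3] * 3 % 256])
    if req[0] == 0x02:                          # "status": Boolean reply
        return b"\x82" + req[1:3] + b"\x01"
    return b"\xfe" + req[1:3]                   # unknown type: error reply


class FieldModel:
    """Communication model keyed by the inferred type byte. For each type a
    response template holds one entry per response byte:
      ("const", v)  the byte never changed in the observed responses
      ("echo", k)   the byte always equalled request byte k (e.g. session id)
      ("last", v)   no rule found; the most recently observed value is replayed"""

    def __init__(self):
        self.samples = {}     # type byte -> list of (request, response) pairs
        self.templates = {}   # type byte -> fitted template

    def learn(self, req: bytes, resp: bytes) -> None:
        self.samples.setdefault(req[0], []).append((req, resp))
        self.templates[req[0]] = self._fit(self.samples[req[0]])

    @staticmethod
    def _fit(pairs):
        resp_len = min(len(r) for _, r in pairs)
        req_len = min(len(q) for q, _ in pairs)
        template = []
        for i in range(resp_len):
            column = [r[i] for _, r in pairs]
            if len(set(column)) == 1:
                template.append(("const", column[0]))
                continue
            echoed = [k for k in range(req_len) if all(q[k] == r[i] for q, r in pairs)]
            template.append(("echo", echoed[0]) if echoed else ("last", column[-1]))
        return template

    def respond(self, req: bytes):
        """Honeypot use: build the reply from the template for this request type.
        None means the model predicts no response (type never observed)."""
        template = self.templates.get(req[0]) if req else None
        if template is None:
            return None
        out = bytearray()
        for kind, v in template:
            if kind == "echo":
                if v >= len(req):
                    return None
                out.append(req[v])
            else:
                out.append(v)
        return bytes(out)

    def verify(self, device, third_sequences):
        """Verification step: send third binary sequences to the real device and,
        where its response differs from the model's prediction, add the observation
        and refit. Returns the sequences that caused an adjustment."""
        adjusted = []
        for req in third_sequences:
            actual = device(req)
            if actual != self.respond(req):
                self.learn(req, actual)
                adjusted.append(req)
        return adjusted


class Honeypot:
    """Role of traffic analyzer 72: serve replies from the model and log every
    exchange, flagging requests the model cannot answer (worth an analyst's look)."""

    def __init__(self, model: FieldModel):
        self.model = model
        self.log = []

    def handle(self, req: bytes):
        resp = self.model.respond(req)
        self.log.append({"request": req, "response": resp, "known": resp is not None})
        return resp


if __name__ == "__main__":
    model = FieldModel()
    for req in (b"\x01\x10\x20\x05", b"\x01\x10\x20\x06"):   # constructed training probes
        model.learn(req, toy_device(req))
    print(model.respond(b"\x01\xaa\xbb\x05"))        # wrong: session learnt as constant
    print(model.verify(toy_device, [b"\x01\xaa\xbb\x05"]))
    print(model.respond(b"\x01\x42\x43\x05"))        # now echoes the session id
```

With only same-session training probes the session bytes are learnt as constants; the verification round exposes the wrong prediction and the refit turns them into echo rules.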

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Provided in embodiments of the present application are a method and a device for establishing a communication model of a network device. The method comprises: determining a plurality of different first binary sequences, wherein each of the first binary sequences corresponds to a request message; sending the determined plurality of the first binary sequences to the network device; obtaining response messages to the request messages corresponding to the plurality of the first binary sequences from the network device, wherein each of the response messages corresponds to one second binary sequence; determining a rule that each of the second binary sequences varies with each of the first binary sequences; and establishing the communication model of the network device according to the rule. The technical solutions of the embodiments can establish the communication model of the network device without knowing the communication mechanism of the network device, and provide important reference data for relevant application scenarios.

Description

Method and device for establishing a communication model of network equipment
Technical field
This application relates to the field of communications, and in particular to a method and device for establishing a communication model of network equipment.
Background
With the development of technology, more and more devices need to communicate with other devices through communication networks. In this document, these devices are collectively referred to as network devices. Network devices may include devices that access various communication networks. For example, the controlled devices in various industrial control networks (such as sensors, servos, actuators, etc.) communicate with the controller through the industrial bus to realize automatic control and management; various intelligent devices or facilities exchange information through wireless and/or wired communication networks to realize intelligent identification and management of the devices or facilities; vehicles interact with network platforms through the Internet of Vehicles to realize intelligent traffic management, intelligent dynamic information services and intelligent vehicle control; and so on. In many cases, it is necessary to analyze the actual communication behavior of a device to obtain a communication model that reflects that behavior. The communication model of a network device refers to a collection of data that describes how the network device responds to received network request information. The communication model of a network device has important application value in many situations.
For example, a honeypot system can use the communication model of a network device to imitate the communication behavior of the network device and respond to messages from an attacker, so that the attacker mistakes the honeypot for the real system and is induced to carry out attacks, whose behavior is collected for analysis. At present, the analysis of device communication behavior is done manually by technicians, which requires a lot of time and manpower, has high cost and a long cycle, and is inefficient.
Technical content
In view of this, this application proposes a method and device for establishing a device communication model, which automatically analyze the communication behavior of the device and establish the communication model.
In one aspect, an embodiment of the present application provides a method for establishing a communication model of a network device, which may include:
determining a plurality of different first binary sequences, where each first binary sequence corresponds to a request message;
sending the determined plurality of first binary sequences to the network device;
acquiring, from the network device, the response messages to the request messages corresponding to the plurality of first binary sequences, where each response message corresponds to a second binary sequence;
determining the law by which each second binary sequence changes with each first binary sequence;
establishing the communication model of the network device according to the law.
In another aspect, an embodiment of the present application provides an apparatus for establishing a communication model of a network device, which may include:
a request determination module for determining a plurality of different first binary sequences, where each first binary sequence corresponds to a request message;
a sending module for sending the determined plurality of first binary sequences to the network device;
a response acquisition module for acquiring, from the network device, the response messages to the request messages corresponding to the plurality of first binary sequences, where each response message corresponds to a second binary sequence;
a model building module for determining the law by which each second binary sequence changes with each first binary sequence, and establishing the communication model of the network device according to the law.
In yet another aspect, an embodiment of the present application also provides another apparatus for establishing a communication model of a network device, which may include a processor and a memory, wherein:
the memory stores computer-readable instructions that can be executed by the processor to implement the method for establishing a communication model of a network device of each embodiment.
In still another aspect, an embodiment of the present application also provides a computer-readable storage medium storing computer-readable instructions, which may be used to cause a processor to execute the method for establishing a communication model of a network device of each embodiment.
It can be seen that the technical solutions of the embodiments communicate with the network device by trying a plurality of binary sequences as request messages, and establish the communication model of the network device according to its responses, so that the communication model can be established while knowing nothing about the communication mechanism of the network device, providing important reference data for related application scenarios. This process can be executed by a computing device without human involvement, and the communication model can be established in a relatively short time. The communication model is built from the analysis of a large number of binary sequences, so it can reflect the communication behavior of the network device comprehensively and accurately.
In various embodiments, the aforementioned communication model may include at least one of the following:
the correspondence between the request message and the response message;
the inferred message type of the request message;
the inferred message type of the response message;
the inferred meaning of at least one field in the request message;
the inferred meaning of at least one field in the response message.
In this way, each embodiment can determine the content of the communication model according to the specific situation, and the model can include several kinds of information, so as to give as much detail as possible about the communication behavior of the network device and help the related application scenarios to better understand the communication behavior logic of the network device.
In each embodiment, the correspondence between request messages and response messages may include at least one of the following:
one first binary sequence corresponds to multiple second binary sequences;
multiple first binary sequences correspond to one second binary sequence;
one first binary sequence corresponds to one second binary sequence;
one first binary sequence corresponds to zero second binary sequences;
multiple first binary sequences correspond to zero second binary sequences.
In this way, by giving in the communication model the correspondence between each request message and the response of the network device, the communication model can simply and intuitively reflect the message sending and receiving logic of the network device, and the correspondence facilitates message lookup; when applied to a honeypot system, it can improve the response speed of the honeypot system and simplify its message processing.
In each embodiment, when determining the law by which each second binary sequence changes with each first binary sequence, it is possible to:
intercept binary segments of a specified length from specified positions in the plurality of first binary sequences;
determine the law by which the response messages to the request messages corresponding to the plurality of first binary sequences change with the binary segment.
In this way, by intercepting binary segments from multiple request messages and analyzing the law by which the corresponding response messages change with the segment, the communication model established according to that law can reflect the response logic of the network device to field-level information, so the communication model is more detailed and accurate.
In each embodiment, when establishing the communication model of the network device according to the law, it is possible to:
determine the inferred meaning of each component in each first binary sequence and/or each second binary sequence according to the law by which each second binary sequence changes with each component in each first binary sequence;
establish the communication model according to the inferred meaning of each component.
It can be seen that by analyzing the relationship between each component of the request message and the response message, the inferred meaning of each component of the request message and/or response message can be determined. This information lets the communication model reflect more details of the message processing logic of the network device, facilitating a more detailed and accurate analysis or imitation of the communication behavior of the network device.
In the embodiments, the law by which each second binary sequence varies with each component of each first binary sequence may be determined in at least one of the following ways:
when a plurality of the second binary sequences do not vary with a first component of the corresponding plurality of first binary sequences, the inferred meaning of the first component is determined to be one or more of a message length, a time, a check code and a numerical value;
when a plurality of the second binary sequences vary with a first component of the corresponding plurality of first binary sequences, and the degree of variation does not exceed a preset first threshold, the inferred meaning of the first component is determined to be a numerical value;
when a plurality of the second binary sequences vary with a first component of the corresponding plurality of first binary sequences, and the degree of variation exceeds the first threshold, the inferred meaning of the first component is determined to be one or more of version information and type information;
when a first component of a plurality of the first binary sequences appears in the corresponding second binary sequences, the inferred meaning of the first component is determined to be a session identifier or a numerical value;
when the value of a second component of the plurality of second binary sequences corresponding to a plurality of first binary sequences sent consecutively increases, the inferred meaning of the second component is determined to be count information.
In this way, by using preset field characteristics to infer whether a given component of a request message or response message belongs to a preset field type, the inference process is clear and practical to carry out, and the inference result is accurate and reliable.
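The component rules above, applied to recorded probe results, as an added example that is not code from the application: the 6-byte request layout, the probe data, the "degree of variation" measure (fraction of response byte positions that differ) and the threshold value 0.3 are all constructed here for illustration.

```python
"""Infer the meaning of message components from probe results.

Added example (not code from the application): applies the component
inference rules of the embodiments to constructed request/response pairs.
A component is a byte range (offset, length) of a message; the probe data,
message layout and the threshold value 0.3 are all constructed here.
"""
from __future__ import annotations

from typing import Sequence

# Candidate meanings assigned by each rule.
NO_EFFECT = frozenset({"message length", "time", "check code", "numerical value"})
SMALL_CHANGE = frozenset({"numerical value"})
LARGE_CHANGE = frozenset({"version information", "type information"})
APPEARS_IN_RESPONSE = frozenset({"session identifier", "numerical value"})
COUNTER = frozenset({"count information"})

# Constructed 6-byte request layout: [ver][type][seq:2][val:2].
# Each group varies exactly one component of the same base request.
VER_PROBES = [  # byte 0 varied: the device answers each version differently
    (b"\x01\x10\x00\x05\x00\x2a", b"\x01\x10\x00\x05OK"),
    (b"\x02\x10\x00\x05\x00\x2a", b"ERR\x00"),
    (b"\x03\x10\x00\x05\x00\x2a", b"\x03\x20\x00\x05\x00\x00\x00\x00"),
]
SEQ_PROBES = [  # bytes 2-3 varied: the response repeats them verbatim
    (b"\x01\x10\x00\x05\x00\x2a", b"\x01\x10\x00\x05OK\x2a"),
    (b"\x01\x10\x00\x06\x00\x2a", b"\x01\x10\x00\x06OK\x2a"),
    (b"\x01\x10\x12\x34\x00\x2a", b"\x01\x10\x12\x34OK\x2a"),
]
VAL_PROBES = [  # bytes 4-5 varied: only a trailing byte of the response moves
    (b"\x01\x10\x00\x05\x00\x2a", b"\x01\x10\x00\x05OK\x2a"),
    (b"\x01\x10\x00\x05\x00\x2b", b"\x01\x10\x00\x05OK\x2b"),
    (b"\x01\x10\x00\x05\x01\x00", b"\x01\x10\x00\x05OK\x01"),
]
PAD_PROBES = [  # byte 6 (a trailing pad byte) varied: the response is constant
    (b"\x01\x10\x00\x05\x00\x2a\x00", b"\x01\x10\x00\x05OK\x2a"),
    (b"\x01\x10\x00\x05\x00\x2a\x01", b"\x01\x10\x00\x05OK\x2a"),
    (b"\x01\x10\x00\x05\x00\x2a\xff", b"\x01\x10\x00\x05OK\x2a"),
]
# Responses to three consecutive sends of one identical request.
REPEAT_RESPONSES = [b"\x00\x07OK", b"\x00\x08OK", b"\x00\x09OK"]


def component(msg: bytes, offset: int, length: int) -> bytes:
    return msg[offset:offset + length]


def response_variation(responses: Sequence[bytes]) -> float:
    """Degree of variation: the fraction of byte positions whose value is not
    the same in every response (a position past the end of a shorter response
    counts as differing). 0.0 means all responses are identical."""
    if len(set(responses)) <= 1:
        return 0.0
    width = max(len(r) for r in responses)
    differing = sum(
        1 for i in range(width)
        if len({r[i] if i < len(r) else None for r in responses}) > 1
    )
    return differing / width


def infer_request_component(probes: Sequence[tuple[bytes, bytes]],
                            offset: int, length: int,
                            threshold: float = 0.3) -> frozenset[str]:
    """Infer the meaning of the request component at (offset, length) from
    probes in which only that component was varied. Returns the union of the
    candidate meanings of every rule that applies."""
    responses = [resp for _, resp in probes]
    meanings: set[str] = set()
    variation = response_variation(responses)
    if variation == 0.0:            # responses ignore the component
        meanings |= NO_EFFECT
    elif variation <= threshold:    # responses change a little
        meanings |= SMALL_CHANGE
    else:                           # responses change a lot
        meanings |= LARGE_CHANGE
    # The component's bytes reappear verbatim inside every response.
    if all(component(req, offset, length) in resp for req, resp in probes):
        meanings |= APPEARS_IN_RESPONSE
    return frozenset(meanings)


def infer_response_component(responses: Sequence[bytes],
                             offset: int, length: int) -> frozenset[str]:
    """Infer the meaning of a response component across consecutive sends of
    the same request: a strictly increasing big-endian value is a counter."""
    values = [int.from_bytes(component(r, offset, length), "big") for r in responses]
    if len(values) >= 2 and all(b > a for a, b in zip(values, values[1:])):
        return COUNTER
    return frozenset()


if __name__ == "__main__":
    groups = [("ver", VER_PROBES, 0, 1), ("seq", SEQ_PROBES, 2, 2),
              ("val", VAL_PROBES, 4, 2), ("pad", PAD_PROBES, 6, 1)]
    for name, probes, off, ln in groups:
        print(name, sorted(infer_request_component(probes, off, ln)))
    print("counter", sorted(infer_response_component(REPEAT_RESPONSES, 0, 2)))
```

Where several rules apply to one component (the sequence number above), the result is the union of their candidate meanings, which later probes or the later message-structure analysis can narrow down.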
In the embodiments, when the determined plurality of first binary sequences are sent to the network device, they may be sent in at least one of the following ways:
sending one of the first binary sequences to the network device multiple times;
sending a plurality of the first binary sequences to the network device multiple times in different orders;
wherein, when determining the law by which each second binary sequence varies with each first binary sequence, the method may:
determine the variation among the multiple response messages corresponding to the multiple transmissions of the same first binary sequence.
By sending a request message to the network device multiple times or in different orders, cases in which the same request message corresponds to different response messages can be detected, so that the inference of the message type or message structure is more complete and accurate.
In the embodiments, when establishing the communication model of the network device according to the law, the method may:
determine the inferred message type of each first binary sequence and/or each second binary sequence according to the law by which each second binary sequence varies with each first binary sequence;
establish the communication model according to the inferred message type.
In this way, the message type of a request message or response message is obtained by analyzing the request message and its response message, so that the communication model can express the macro-level characteristics of request messages and/or response messages through message types, which makes the communication model more accurate.
In the embodiments, the step of determining the inferred message type of each first binary sequence and/or each second binary sequence according to the law by which each second binary sequence varies with each first binary sequence may include at least one of the following:
when a plurality of the first binary sequences correspond to the same second binary sequence, and that second binary sequence is determined to be an error prompt message, the request messages corresponding to the plurality of first binary sequences are determined to be invalid request messages;
when a plurality of the second binary sequences are identical to a part of the corresponding first binary sequences, the response messages corresponding to the plurality of second binary sequences are determined to be echo messages;
when the value of a second binary sequence is a Boolean value, the response message corresponding to the second binary sequence is determined to be a status response message, and the request message corresponding to the respective first binary sequence is determined to be a process request message;
when the multiple second binary sequences received after sending one first binary sequence multiple times differ, the request message corresponding to the first binary sequence is determined to be a time- or state-related request message;
when no response message is received after sending a first binary sequence, the request message corresponding to the first binary sequence is determined to be a message that triggers an unknown fault of the network device.
It can be seen that, by identifying message types such as invalid request messages, echo messages and process request messages, special messages that cannot be described by a message structure are also identified, so the established communication model is more comprehensive and accurate.
The technical solution of the embodiments may further include:
sending a plurality of different third binary sequences to the network device based on the established communication model of the network device;
adjusting the communication model according to the received response messages corresponding to the third binary sequences.
It can be seen that, after the communication model is established, it can be verified by sending a number of further request messages, and the model can then be adjusted, making it more accurate and reliable.
Description of the drawings
Preferred embodiments of the present application are described in detail below with reference to the accompanying drawings, so that the above and other features and advantages of the present application become clearer to those of ordinary skill in the art. In the drawings:
FIG. 1 is a schematic diagram of a scenario in which the analysis apparatus 20 of an embodiment of the application communicates with a network device.
FIG. 2 is a flowchart of a method for establishing a communication model of a network device according to an embodiment of the application.
FIG. 3A is a schematic diagram of an apparatus for establishing a communication model of a network device according to an embodiment of the application.
FIG. 3B is a schematic diagram of an apparatus for establishing a communication model of a network device according to an embodiment of the application.
FIG. 4 is a schematic diagram of the correspondence between request messages and response messages in an embodiment of the application.
FIG. 5 is a schematic diagram of the principle of parsing a message field according to an embodiment of the application.
FIG. 6 is a schematic diagram of an inferred message structure according to an embodiment of the application.
FIG. 7 is a schematic diagram of a honeypot system according to an embodiment of the application.
The reference signs are as follows:
Reference sign    Meaning
10                Network device
20                Analysis apparatus
30                Communication connection
200               Method
S11~S15           Steps
210               Request determination module
220               Sending module
230               Response acquisition module
240               Model building module
250               Processor
260               Memory
261               Request determination module
262               Sending module
263               Response acquisition module
264               Model building module
51                Root node
521, 522~52n      Child nodes
5n1, 5n2~5nn      Leaf nodes
61                Field
62                Message
63                Inferred meaning of the field
71                Traffic distributor
72                Traffic analyzer
73                Physical device
74                Virtual device
Detailed description
To make the objectives, technical solutions and advantages of the present application clearer, the present application is described in further detail below by way of embodiments.
A network device in any communication network may be attacked from that network, or a technician may need to analyze its communication behavior, so a communication model needs to be established for such a network device. To this end, the embodiments of the present application provide an apparatus that analyzes the communication behavior of a network device and then establishes its communication model (hereinafter referred to as the analysis apparatus). FIG. 1 is a schematic diagram of a scenario in which the analysis apparatus of an embodiment of the application communicates with a network device. As shown in FIG. 1, the analysis apparatus 20 communicates with the network device 10 over a communication connection 30. The communication connection 30 may be any wired or wireless connection; it may be a direct connection or an indirect connection relayed through some network or other device.
The network device 10 may be a device connected to any communication network. The communication network may include, but is not limited to, an industrial control network, the Internet of Things, the Internet of Vehicles, a local area network, the Internet, a cellular communication network, and so on.
The network device 10 may access the communication network through a certain type of communication interface. In some embodiments, the analysis apparatus 20 may communicate with the network device 10 through the same type of communication interface; from the point of view of the network device 10, the analysis apparatus 20 is simply another network device in the network with which it can communicate. For example, the analysis apparatus 20 may join the communication network to which the network device 10 belongs and communicate with the network device 10 as a device in that network. In other embodiments, the analysis apparatus 20 may communicate with the network device 10 through a different type of communication interface. For example, the network device 10 may access the communication network through a Wi-Fi interface, while the analysis apparatus 20 communicates with the network device 10 through the Bluetooth interface of the network device 10. Therefore, the present application does not limit the communication medium or network protocol used by the analysis apparatus 20 to communicate with the network device 10; that is, in terms of the OSI seven-layer model, the communication mechanisms of the physical layer, the data link layer and the network layer are, for the purposes of the present application, merely a channel for transmitting messages, and the type of this channel is not limited.
In the embodiments, the analysis apparatus 20 may attempt to send a number of binary sequences to the network device 10 as request messages, obtain the responses of the network device 10 to these request messages, and establish a communication model of the network device 10 on that basis. FIG. 2 is a flowchart of a method 200 for establishing a communication model of a network device 10 according to an embodiment of the application. The method 200 may be executed by a device, for example the analysis apparatus 20 of FIG. 1. As shown in FIG. 2, the method may include the following steps.
Step S11: determining a plurality of different first binary sequences, where each first binary sequence corresponds to a request message.
Step S12: sending the determined plurality of first binary sequences to the network device 10.
Step S13: obtaining from the network device 10 the response messages to the request messages corresponding to the plurality of first binary sequences, where each response message corresponds to a second binary sequence.
Step S14: determining the law by which each second binary sequence varies with each first binary sequence.
Step S15: establishing the communication model of the network device 10 according to the law.
The plurality of first binary sequences may have the same or different lengths. One or more specified lengths may be determined according to pre-configured information, and for each specified length a plurality of binary sequences may be determined as first binary sequences. For example, the analysis apparatus 20 may be pre-configured with default length values for request messages, or may receive length values entered through a human-machine interface. These length values may be several discrete values, such as 16, 32, 64 and so on, with the unit defaulting to bits or bytes. They may also be a length range (such as 8-64) or a maximum length (such as 128). From the default length values and the length values entered through the human-machine interface, the analysis apparatus 20 can determine every possible length of request message that needs to be tried.
For a given specified length, the analysis apparatus 20 may determine the first binary sequences of that length according to preset configuration information. In some embodiments, following a default configuration, the analysis apparatus 20 may take every binary sequence of the specified length as a first binary sequence. For example, when the specified length is 16 bits, the analysis apparatus 20 may take each binary number from 0x0000 to 0xFFFF as a first binary sequence. In some embodiments, the analysis apparatus 20 may determine, according to a pre-configured characteristic of request messages, the binary sequences of the specified length that conform to that characteristic as the first binary sequences. For example, if the characteristic of request messages is that the nth bit must not be 0, the analysis apparatus 20 may take every binary sequence of the specified length whose nth bit is not 0 as a first binary sequence.
After each first binary sequence is sent to the network device 10, the analysis apparatus 20 may receive a response message returned by the network device 10; each response message is also a binary sequence, referred to here as a second binary sequence. The analysis apparatus 20 may record the correspondence between the first binary sequence and the second binary sequence of its response message. In some cases, the analysis apparatus 20 may receive no response message from the network device 10 for certain first binary sequences; the analysis apparatus 20 may then record the second binary sequence corresponding to such a first binary sequence as an empty sequence, that is, a sequence without any elements.
The analysis apparatus 20 may establish the communication model of the network device 10 according to the law by which each second binary sequence varies with each first binary sequence. This law refers to the various relationships between the plurality of first binary sequences serving as request messages and the plurality of second binary sequences serving as response messages, including the relationship between each request message and its response message, the relationships among the response messages corresponding to multiple request messages, and so on. The communication model of the network device 10 is a collection of data describing the way in which the network device 10 responds to the request messages it receives. The communication model may include any information related to request messages and/or response messages.
In some embodiments, the analysis apparatus 20 may be implemented in hardware, such as an FPGA or ASIC. FIG. 3A is a schematic diagram of an apparatus for establishing a communication model of the network device 10 (that is, the analysis apparatus 20 of FIG. 1) according to an embodiment of the application. As shown in FIG. 3A, the apparatus 20 may include a request determination module 210, a sending module 220, a response acquisition module 230 and a model building module 240.
The request determination module 210 may determine a plurality of different first binary sequences, where each first binary sequence corresponds to a request message.
The sending module 220 may send the determined plurality of first binary sequences to the network device 10.
The response acquisition module 230 may obtain from the network device 10 the response messages to the request messages corresponding to the plurality of first binary sequences, where each response message corresponds to a second binary sequence.
The model building module 240 may determine the law by which each second binary sequence varies with each first binary sequence, and establish the communication model of the network device 10 according to that law.
In some embodiments, the analysis apparatus 20 may also be implemented by a general-purpose processor executing instructions. FIG. 3B is a schematic diagram of another apparatus for establishing a communication model of the network device 10 (that is, the analysis apparatus 20 of FIG. 1) according to an embodiment of the application. As shown in FIG. 3B, the apparatus 20 may include a processor 250 and a memory 260.
The memory 260 may store a request determination module 261, a sending module 262, a response acquisition module 263 and a model building module 264 implemented as computer-readable instructions. The computer-readable instructions corresponding to the request determination module 261, the sending module 262, the response acquisition module 263 and the model building module 264 may be executed by the processor 250 to implement functions similar to those of the request determination module 210, the sending module 220, the response acquisition module 230 and the model building module 240 shown in FIG. 3A, which are not repeated here.
It can be seen that the technical solution of the embodiments, by attempting to communicate with the network device 10 using a plurality of binary sequences as request messages and establishing the communication model of the network device 10 from its responses, can establish the communication model of the network device 10 without any prior knowledge of its communication mechanism, providing important reference data for related application scenarios. The process can be executed by a computing device without human involvement, and a communication model can be established in a relatively short time. Because the model is built from the analysis of a large number of binary sequences, it can reflect the communication behavior of the network device 10 comparatively comprehensively and accurately.
In some embodiments, when the analysis apparatus 20 sends the first binary sequences as request messages, some first binary sequences may be sent to the network device 10 more than once. For example, to detect whether the response to a request message depends on the time at which the request is sent, or on the number of times it has been sent, the analysis apparatus 20 may send one first binary sequence to the network device 10 multiple times and obtain the response message for each transmission separately. As another example, to detect whether the responses to several request messages depend on the order in which they are sent, the analysis apparatus 20 may send a plurality of different first binary sequences to the network device 10 multiple times in different orders, and obtain the group of response messages corresponding to each group of first binary sequences. In that case, when determining the law by which each second binary sequence varies with each first binary sequence, the analysis apparatus 20 may take the variation among the multiple response messages corresponding to the multiple transmissions of the same first binary sequence as part of that law.
In this way, by sending request messages to the network device 10 multiple times or in different orders, cases in which the same request message corresponds to different response messages can be detected, for example whether the response depends on time or on the state of the network device 10, so that the inference of the message type or message structure is more complete and accurate.
In the embodiments, the communication model of the network device 10 may include various information related to request messages and/or response messages. For example, the communication model may include, but is not limited to, at least one of the following:
the correspondence between request messages and response messages,
the inferred message type of a request message,
the inferred message type of a response message,
the inferred meaning of at least one field of a request message,
the inferred meaning of at least one field of a response message, and so on.
It can be seen that, by allowing the communication model to include information on several aspects, the analysis apparatus 20 can determine the content of the communication model according to the specific situation, giving as much detail as possible about the communication behavior of the network device 10 and helping related application scenarios better understand the logic of that behavior.
Determining the correspondence between request messages and response messages
The correspondence between request messages and response messages may include, but is not limited to, at least one of the following: one first binary sequence corresponding to multiple second binary sequences, multiple first binary sequences corresponding to one second binary sequence, one first binary sequence corresponding to one second binary sequence, one first binary sequence corresponding to an empty sequence, multiple first binary sequences corresponding to an empty sequence, and so on. Here, an empty sequence indicates that the analysis apparatus 20 received no response message from the network device 10. After the analysis apparatus 20 has tried sending each first binary sequence and obtained the corresponding response messages, it can summarize the relationship between each first binary sequence and its response message, giving the correspondence between the first binary sequences and the second binary sequences. For example, FIG. 4 is a schematic diagram of the correspondence between request messages and response messages in an embodiment of the application. There, request message 1 corresponds to response messages 1-1 and 1-2; request messages 2, 3 and 4 all correspond to the same response message 2-1; request message N corresponds to response message N-1, where N is a positive integer; and so on. Each request message and each response message is a binary sequence, and the binary sequence corresponding to a response message may be an empty sequence.
In this way, by recording in the communication model the correspondence between each request message and the response of the network device 10, the communication model can reflect the message sending and receiving logic of the network device 10 simply and intuitively. The correspondence also makes messages easy to look up, which, when applied in a honeypot system, can improve the honeypot's response speed and simplify its message processing.
消息类型的解析Analysis of message types
一些实施例中,通信模型可以包括请求消息的推测的消息类型和/或响应消息的推测 的消息类型。分析装置20可以根据各个第二二进制序列随各个第一二进制序列变化的规律确定各个第一二进制序列和/或各个第二二进制序列的推测的消息类型,并根据推测的消息类型建立通信模型。这样,通过对请求消息及其响应消息进行分析从而得到请求消息或响应消息的消息类型,使得通信模型可以通过消息类型来体现请求消息和/或响应消息的宏观上的特点,从而使通信模型更加准确。In some embodiments, the communication model may include a speculative message type of the request message and/or a speculative message type of the response message. The analysis device 20 can determine the inferred message type of each first binary sequence and/or each second binary sequence according to the law of the change of each second binary sequence with each first binary sequence, and according to the guess The type of message to establish a communication model. In this way, by analyzing the request message and its response message to obtain the message type of the request message or response message, the communication model can reflect the macro characteristics of the request message and/or response message through the message type, thereby making the communication model more accurate.
各实施例中,为了确定各个第一二进制序列和/或各个第二二进制序列的推测的消息类型,分析装置20中可以预先设置有多种预设消息类型的特征,分析装置20可以利用这些特征推测请求消息和/或响应消息的消息类型。预设的消息类型的特征可以包括通用消息类型的特征、请求消息类型的特征,以及响应消息类型的特征。其中,请求消息对应的消息类型的特征不仅可以包括请求消息自身的特征,也可以包括请求消息对应的响应消息的特征,还可以包括请求消息与其响应消息之间的关系的特征,等。响应消息的特征不仅可以包括响应消息自身的特征,也可以包括响应消息对应的请求消息的特征,还可以包括响应消息与其请求消息之间的关系的特征,等。利用这些预设的消息类型的特征,分析装置20可以根据获得的各第一二进制序列对应的第二二进制序列,确定各第一二进制序列和/或第二二进制序列的推测的消息类型。例如,确定消息类型的方法可以包括,但不限于以下中的至少一个:In each embodiment, in order to determine the inferred message type of each first binary sequence and/or each second binary sequence, the analysis device 20 may be preset with features of multiple preset message types, and the analysis device 20 These features can be used to infer the message type of the request message and/or response message. The characteristics of the preset message types may include the characteristics of general message types, the characteristics of request message types, and the characteristics of response message types. Among them, the characteristics of the message type corresponding to the request message may include not only the characteristics of the request message itself, but also the characteristics of the response message corresponding to the request message, and the characteristics of the relationship between the request message and its response message, and so on. The characteristics of the response message may include not only the characteristics of the response message itself, but also the characteristics of the request message corresponding to the response message, and the characteristics of the relationship between the response message and its request message, and so on. Using the characteristics of these preset message types, the analysis device 20 can determine each first binary sequence and/or second binary sequence according to the obtained second binary sequence corresponding to each first binary sequence The guessed message type. 
For example, the method of determining the message type may include, but is not limited to, at least one of the following:
when a plurality of first binary sequences all correspond to the same second binary sequence, and that second binary sequence is determined to be an error-prompt message, the request messages corresponding to those first binary sequences are determined to be invalid request messages;
when a plurality of second binary sequences are identical to part of the corresponding first binary sequences, the response messages corresponding to those second binary sequences are determined to be echo messages (Echo);
when the value of a second binary sequence is a Boolean value, the response message corresponding to that second binary sequence is determined to be a status response message, and the request message corresponding to the respective first binary sequence is determined to be a process request message;
when a first binary sequence is sent several times and the second binary sequences received in return differ, the request message corresponding to that first binary sequence is determined to be a time- or state-dependent request message;
when no response message is received after a first binary sequence is sent, the request message corresponding to that first binary sequence is determined to be a message that triggers an unknown fault in the network device 10.
A second binary sequence can be determined to be an error message in several ways. For example, the analysis device 20 may be preconfigured with the characteristics of an error-prompt response message and may determine, on the basis of those characteristics, that a given second binary sequence is an error-prompt message. As another example, when a large number of first binary sequences are tried as request messages, any second binary sequence whose number of occurrences among the received second binary sequences exceeds a preset threshold may be determined to be an error-prompt message. As a further example, the analysis device 20 may be preconfigured with the characteristics of a request message; one or more first binary sequences that do not satisfy those characteristics are then sent to the network device 10, and the response message returned by the network device 10 is determined to be the error-prompt message. The frequency heuristic presumes that the device answers all malformed input with one fixed frame; a device that embeds part of the offending request in its error reply will not be caught by it, and the characteristic-based check is then needed. These are only a few simple examples; other embodiments may use other methods.
An echo message is one in which the network device 10 sends the content it received back unchanged as the response message. The analysis device 20 may record a second binary sequence that is identical to the corresponding first binary sequence as an echo message, and record that first binary sequence as a request message that triggers an echo.
A process request message is a request message that asks the network device 10 to execute some preset procedure. The network device 10 then returns a status response message whose content indicates whether the procedure executed successfully, and which is therefore a Boolean value. Consequently, when a second binary sequence is a Boolean value, it may be inferred to be a status response message, and the corresponding first binary sequence may be inferred to be a process request message.
The inferred message types determined in this way may form part of the communication model, or may serve as intermediate results in subsequent analysis to produce more detailed results. For example, once a request message is determined to be time- or state-dependent, the components of that request message can be analysed in a later step to identify which components of the request message and/or of the corresponding response message depend on time or state.
By identifying message types such as invalid request messages, echo messages and process request messages, special messages that cannot be described by a message structure are recognised, and the resulting communication model is therefore more comprehensive and accurate.
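The five rules above, applied to a constructed toy device, as an added example written for this page (it is not the patent's implementation). The device protocol, the probe set, the repeat count and the frequency threshold are all assumptions for the demonstration; a real fuzzer would replace the in-process call with a socket send and a receive timeout, the timeout standing in for the None returned here:

```python
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple


class ToyDevice:
    """Constructed stand-in for network device 10. Assumed protocol: byte 0 is an opcode.
    0x01 <payload> echoes the request; 0x02 <n> returns b"\\x01" (ok) if n < 4 else b"\\x00";
    0x03 returns a value that changes on every call; 0x7f never answers; anything else
    (including an empty request) gets one fixed error frame."""
    ERROR = b"\xff\xff"

    def __init__(self) -> None:
        self.ticks = 0

    def __call__(self, req: bytes) -> Optional[bytes]:
        if not req:
            return self.ERROR
        op = req[0]
        if op == 0x01:
            return req
        if op == 0x02:
            return b"\x01" if (req[1:2] or b"\x00")[0] < 4 else b"\x00"
        if op == 0x03:
            self.ticks += 1
            return self.ticks.to_bytes(2, "big")
        if op == 0x7f:
            return None          # stands in for a receive timeout
        return self.ERROR


ERROR_FREQ_THRESHOLD = 3   # assumed: a reply shared by >= 3 distinct probes is the error frame
REPEATS = 3                # assumed: each probe is re-sent this many times for the time/state rule


def classify(device, probes: Sequence[bytes], repeats: int = REPEATS,
             threshold: int = ERROR_FREQ_THRESHOLD) -> Dict[bytes, Tuple[str, Optional[str]]]:
    """Map each probe (first binary sequence) to (request type, response type)."""
    observed: Dict[bytes, List[Optional[bytes]]] = {
        p: [device(p) for _ in range(repeats)] for p in probes
    }

    # Frequency heuristic for the error frame: count, per distinct probe, the first reply.
    freq = Counter(obs[0] for obs in observed.values() if obs[0] is not None)
    error_frames = {r for r, n in freq.items() if n >= threshold}

    result: Dict[bytes, Tuple[str, Optional[str]]] = {}
    for p, obs in observed.items():
        first = obs[0]
        if first is None:                       # no reply at all: unknown fault in the device
            result[p] = ("triggers-unknown-fault", None)
        elif len(set(obs)) > 1:                 # same request, different replies
            result[p] = ("time-or-state-dependent", "varying")
        elif first in error_frames:             # many different probes share this reply
            result[p] = ("invalid", "error")
        elif first == p:                        # the reply is the request itself
            result[p] = ("echo-trigger", "echo")
        elif first in (b"\x00", b"\x01"):       # Boolean reply: the device ran a procedure
            result[p] = ("process", "status")
        else:
            result[p] = ("unknown", None)
    return result


if __name__ == "__main__":
    probes = [b"\x01hello", b"\x02\x01", b"\x02\x09", b"\x03", b"\x7f", b"\x04", b"\x05", b"\x06", b""]
    for probe, kinds in classify(ToyDevice(), probes).items():
        print(probe.hex() or "(empty)", kinds)
```

The time/state rule is checked before the error rule on purpose: a reply that changes between identical sends must never be taken as the fixed error frame, even if it happens to collide with one.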
Field analysis
In some embodiments, the communication model may include the inferred meaning of at least one field of the request message and/or the response message. The analysis device 20 may determine the inferred meaning of each component of each first binary sequence and/or each second binary sequence from the way in which each second binary sequence varies with each component of each first binary sequence, and may build the communication model from the inferred meaning of each component. Analysing the relationship between the individual components of a request message and the response message yields the inferred meaning of the components of the request and/or the response; this information lets the communication model capture more of the message-processing logic of the network device 10, which in turn allows the communication behaviour of the network device 10 to be analysed or imitated more precisely.
Typically, a communication model is needed precisely when nothing is known about the communication mechanism of the network device 10, that is, when there is no prior information about the format or content of the messages it sends and receives. Therefore, when determining the inferred meaning of a field of a request message, the analysis device 20 must do two things: determine the length of each field in the request message, and analyse the inferred meaning of each field.
The analysis device 20 may extract a binary fragment of a specified length from a specified position of each of a plurality of first binary sequences, treat it as one component, and determine how the response messages to the request messages corresponding to those first binary sequences vary with that binary fragment. If a rule can be found by which the response message varies with a binary fragment, the binary fragment is determined to be a field.
In general, a message may include fixed-length fields and variable-length fields. A fixed-length field has the same preset length in every message. For a variable-length field, a preset boundary value is usually used to mark the end of the field.
In some embodiments, the analysis device 20 may be preconfigured with one or more specified lengths, either a common specified length for all fields or a separate specified length for each field. For example, the analysis device 20 may be preconfigured with default length values, or may accept length values entered through a human-machine interface. These length values may be several discrete values (for example 1, 2, 8), with the unit defaulting to bits or bytes; they may also be a length range (for example 1 to 16) or a maximum length (for example 32). From the default length values and those entered through the human-machine interface, the analysis device 20 can determine all possible lengths of the binary fragments to be extracted, attempt to extract a fragment of each possible length from the request message, and analyse whether it is a field. As another example, the analysis device 20 may be preconfigured with a plurality of predefined templates. A predefined template is a predefined message structure that includes the length and/or meaning of each of its fields. Following a predefined template, the analysis device 20 may successively extract from the request message the binary fragment corresponding to each field length and analyse whether it is a field.
In some embodiments, the analysis device 20 may also scan the binary sequence of a message for preset field boundary values in order to determine possible field boundaries. For example, when the analysis device 20 detects in a message the binary fragment corresponding to a preset value such as "\n" or "\0", that position may be treated as a field boundary.
In some embodiments, a request message may be regarded as a binary sequence made up of several binary fragments, so a tree resembling a parsing model can be used to analyse the structure of the request message and its relationship to the response message. Fig. 5 is a schematic diagram of the principle of message field parsing in an embodiment of the present application. As shown in Fig. 5, the request message may be parsed block by block, starting from one end (for example the start position). For the first block, binary fragments of each specified length (also referred to here as fields or blocks) are extracted from that end of the message according to the different specified lengths, in order to analyse the possible lengths of the first block and its inferred meaning. When the first block is found to have more than one possible length, a parse tree may be built with the first block of each possible length as a root node 51, recording in the tree the length of the first block and its one or more inferred meanings. The analysis device 20 may then repeat the parsing process starting at the end of the first block to obtain the possible lengths and inferred meanings of the second block, and record each possibility for the second block as a child node 521, 522 to 52n of the root node 51. Repeating this process until the whole content of the request message has been parsed reaches the leaf nodes 5n1, 5n2 to 5nn of the tree. Each leaf node 5n1, 5n2 to 5nn may correspond to one or more response messages, where n is a positive integer.
When parsing one first binary sequence, the analysis device 20 may use information from one or more other first binary sequences and their response messages. In some embodiments, the network device 10 may use more than one request message structure. If, while parsing one first binary sequence, the analysis device 20 determines that the structural characteristics of another first binary sequence do not match those of the sequence currently being parsed, it may conclude that the other sequence uses a different message structure and parse it again in the manner described above, obtaining one or more message structures for that other first binary sequence.
After the set of all possible message structures of all possible request messages has been parsed, one or more possible request message structures are obtained, each including the length of every field and one or more inferred meanings for it. The inferred message structure(s) obtained, together with the first binary sequences and/or second binary sequences that use each structure, may be added to the communication model being created. During the parsing of the request messages, or after it has finished, the analysis device 20 may parse the response messages in a similar way; that parsing may use the parsing results of the corresponding request messages, and yields the inferred message structure of the response message and the inferred meaning of its fields.
In this way, extracting a binary fragment from several request messages and analysing how the corresponding response messages vary with that fragment allows the communication model built from that variation to capture the response logic of the network device 10 at the level of individual fields, making the communication model more detailed and accurate.
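The block-by-block walk of Fig. 5, as an added example (illustrative code written for this page, not the patent's own): it enumerates every way of covering a request with blocks whose length is either one of the preconfigured lengths or the distance to the next preset boundary value, each complete cover being one leaf of the tree. The allowed lengths (1, 2 and 4 bytes), the delimiter set and the sample message are assumptions; discarding a fixed-length block that would straddle a delimiter boundary is an added pruning assumption, not a rule stated in the text.

```python
from typing import Iterator, List, Set, Tuple

Layout = Tuple[Tuple[int, int], ...]   # ((offset, length), ...) covering the whole message


def delimiter_boundaries(msg: bytes, delimiters: Tuple[bytes, ...] = (b"\n", b"\x00")) -> List[int]:
    """Offsets just past each preset boundary value: candidate ends of variable-length fields."""
    return [i + 1 for i, b in enumerate(msg) if bytes([b]) in delimiters]


def layouts(msg: bytes, lengths: Tuple[int, ...] = (1, 2, 4),
            delimiters: Tuple[bytes, ...] = (b"\n", b"\x00")) -> Iterator[Layout]:
    """Depth-first walk of the parse tree. At each position the candidate block lengths are the
    preconfigured fixed lengths plus the run up to the next delimiter boundary (a variable-length
    field). Assumed pruning: a fixed-length block may not straddle a delimiter boundary."""
    n = len(msg)
    bounds: Set[int] = set(delimiter_boundaries(msg, delimiters))

    def walk(pos: int, acc: Layout) -> Iterator[Layout]:
        if pos == n:                      # leaf node: the whole request is covered
            yield acc
            return
        candidates = {l for l in lengths
                      if pos + l <= n and not any(pos < b < pos + l for b in bounds)}
        following = [b for b in bounds if b > pos]
        if following:                     # variable-length block ending at the next delimiter
            candidates.add(min(following) - pos)
        for l in sorted(candidates):      # one child node per candidate length
            yield from walk(pos + l, acc + ((pos, l),))

    yield from walk(0, ())


def count_layouts(msg: bytes, **kw) -> int:
    """Size of the tree's leaf set. It grows exponentially with message length, which is why the
    response-based test ("does the reply vary with this block?") is needed to prune it further."""
    return sum(1 for _ in layouts(msg, **kw))


if __name__ == "__main__":
    # Constructed sample: two fixed bytes, a newline-terminated token, two trailing bytes.
    sample = b"\x01\x02id7\n\x09\x09"
    print("delimiter boundaries:", delimiter_boundaries(sample))
    print("candidate layouts:", count_layouts(sample))
    print("one of them:", ((0, 2), (2, 4), (6, 2)) in set(layouts(sample)))
```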
During the field analysis of the embodiments, the analysis device 20 may determine the inferred field type of each block (that is, each binary fragment or message component) according to the preconfigured characteristics of various preset field types. For example, the method of inferring the field type may include, but is not limited to, at least one of the following:
when a plurality of second binary sequences do not vary with a first component of the corresponding plurality of first binary sequences, the inferred meaning of the first component is determined to be one or more of message length, time, check code and numeric value;
when a plurality of second binary sequences vary with a first component of the corresponding first binary sequences, and the degree of variation does not exceed a preset first threshold, the inferred meaning of the first component is determined to be a numeric value;
when a plurality of second binary sequences vary with a first component of the corresponding first binary sequences, and the degree of variation exceeds the first threshold, the inferred meaning of the first component is determined to be one or more of version information and type information;
when a first component of a plurality of first binary sequences appears in the corresponding second binary sequences, the inferred meaning of the first component is determined to be a session identifier or a numeric value;
when the value of a second component of the plurality of second binary sequences corresponding to a plurality of consecutively sent first binary sequences increases from one to the next, the inferred meaning of the second component is determined to be count information.
Where a change in the first component of the request message causes no change in the response message: if the value of the first component equals the length of the request message, the inferred meaning of the first component may be determined to be the message length; if the value of the first component matches a preset time pattern, its inferred meaning may be determined to be time; if the value of the first component equals a checksum obtained by applying a preset algorithm to the request message, its inferred meaning may be determined to be a check code; otherwise, its inferred meaning may be determined to be a numeric value. Because a short checksum can match by coincidence on a single message, the check-code inference is more reliable when the equality holds for every sampled request.
When the degree of variation of the response message does not exceed the preset first threshold, the inferred meaning of the first component may be determined to be a numeric value. Here the first threshold may be expressed as a number of bits of the second binary sequence, or as the percentage of the total length of the second binary sequence accounted for by the bits that change, and so on.
For a given block, the analysis device 20 may determine several inferred meanings in one recognition step. It may record all possible inferred meanings of the block and exclude some of them in later recognition steps. For example, one recognition step may determine that the inferred meanings of a block include version information and type information, and a later step may narrow the inferred meaning of that component to version information on the basis of the block's position. For instance, the analysis device 20 may be preset so that, when a block lies within the first 30% of the sequence, its inferred meaning may be version information, message length and so on, but not a check code. In this way the inferred meanings of a block are refined one preset criterion at a time.
Fig. 6 is a schematic diagram of an inferred message structure in an embodiment of the present application. As shown in Fig. 6, the inferred message structure includes the position and length of each field 61 within the message 62 and at least one inferred meaning 63.
Using preset field characteristics to infer whether a component of a request or response message is of a preset field type makes the inference procedure well defined and practical, and its results accurate and reliable.
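The field-type rules of this section, run against a constructed toy device by mutating one block at a time while the rest of the request is held fixed (the "is this block a field, and what does it mean" test described in this section). This is an added example written for this page, not the patent's code. The device's 8-byte request format, the block layout (taken as if it came from a predefined template), the 8-bit additive checksum, the four mutant values per block and the 0.5 change threshold are assumptions for the demonstration; the time-pattern rule is not implemented. Bytes of the response that change between identical sends are first masked out, so that a counter in the reply does not make every request block look significant:

```python
from typing import Callable, Dict, List, Set, Tuple

Block = Tuple[int, int]   # (offset, length)


class ToyDevice:
    """Constructed stand-in for network device 10. Assumed 8-byte request
    ver(1) type(1) len(1) sid(2) val(2) cks(1) and 6-byte reply sid(2) ctr(2) out(2).
    The device checks ver and type but ignores len and cks (a common firmware shortcut)."""
    ERROR = b"\xee" * 6

    def __init__(self) -> None:
        self.ctr = 0

    def __call__(self, req: bytes) -> bytes:
        if len(req) != 8 or req[0] != 0x01 or req[1] not in (0x10, 0x20):
            return self.ERROR
        self.ctr += 1
        val = int.from_bytes(req[5:7], "big")
        out = (val + 1) if req[1] == 0x10 else (val * 2)
        return req[3:5] + self.ctr.to_bytes(2, "big") + (out & 0xFFFF).to_bytes(2, "big")


REQ_LAYOUT: Tuple[Block, ...] = ((0, 1), (1, 1), (2, 1), (3, 2), (5, 2), (7, 1))  # assumed template
RESP_LAYOUT: Tuple[Block, ...] = ((0, 2), (2, 2), (4, 2))
THRESHOLD = 0.5   # assumed first threshold: fraction of unmasked response bytes that change


def block_int(msg: bytes, off: int, length: int) -> int:
    return int.from_bytes(msg[off:off + length], "big")


def set_block(msg: bytes, off: int, length: int, value: int) -> bytes:
    return msg[:off] + value.to_bytes(length, "big") + msg[off + length:]


def checksum8(msg: bytes, off: int, length: int) -> int:
    """Assumed preset check algorithm: 8-bit sum of every byte outside the candidate block."""
    return sum(msg[:off] + msg[off + length:]) & 0xFF


def variation(base: bytes, resp: bytes, mask: Set[int]) -> float:
    """Degree of change of a reply relative to the baseline reply, ignoring masked bytes."""
    if len(resp) != len(base):
        return 1.0
    idx = [i for i in range(len(base)) if i not in mask]
    return sum(base[i] != resp[i] for i in idx) / len(idx) if idx else 0.0


def infer_fields(device: Callable[[bytes], bytes], base: bytes,
                 req_layout=REQ_LAYOUT, resp_layout=RESP_LAYOUT, threshold=THRESHOLD
                 ) -> Tuple[Dict[Block, str], Dict[Block, str]]:
    # 1. Send the baseline three times. Bytes that differ on their own are time/state
    #    dependent and are masked; a reply block whose value strictly increases is a count.
    runs: List[bytes] = [device(base) for _ in range(3)]
    mask = {i for i in range(len(runs[0])) if len({r[i] for r in runs}) > 1}
    resp_meaning: Dict[Block, str] = {}
    for off, length in resp_layout:
        vals = [block_int(r, off, length) for r in runs]
        if all(a < b for a, b in zip(vals, vals[1:])):
            resp_meaning[(off, length)] = "count"
    base_resp = runs[0]

    # 2. For each request block, vary only that block and watch the reply.
    req_meaning: Dict[Block, str] = {}
    for off, length in req_layout:
        v = block_int(base, off, length)
        top = (1 << (8 * length)) - 1
        mutants = sorted({(v ^ top) & top, (v + 1) & top, (v - 1) & top, 0} - {v})
        pairs = [(m, device(set_block(base, off, length, m))) for m in mutants]
        # Block reappears in the reply at one fixed offset for every mutant -> session id.
        echoed = any(all(len(r) >= o + length and block_int(r, o, length) == m for m, r in pairs)
                     for o in range(len(base_resp) - length + 1))
        if echoed:
            req_meaning[(off, length)] = "session id"
            continue
        change = max(variation(base_resp, r, mask) for _, r in pairs)
        if change == 0:
            if v == len(base):
                req_meaning[(off, length)] = "message length"
            elif v == checksum8(base, off, length):
                req_meaning[(off, length)] = "check code"
            else:
                req_meaning[(off, length)] = "value"
        elif change <= threshold:
            req_meaning[(off, length)] = "value"
        else:
            req_meaning[(off, length)] = "version/type"
    return req_meaning, resp_meaning


if __name__ == "__main__":
    baseline = bytes([0x01, 0x10, 0x08, 0x12, 0x34, 0x00, 0x05, 0x64])  # cks = sum of first 7 bytes
    print(infer_fields(ToyDevice(), baseline))
```

The echo test requires the block to reappear at the same offset for every mutant; with a one-byte block, a single coincidental match against a zero byte elsewhere in the reply would otherwise be enough to mislabel a length or checksum byte as a session identifier.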
The message type determination and field analysis described above may be performed at any time.
For example, analysis of the message type of a first binary sequence and of the fields in it may begin as soon as that first binary sequence has been sent.
As another example, the message types and fields of the first binary sequences may be analysed after all rounds of first binary sequences have been sent.
As a further example, analysis of the message type and fields of a first binary sequence may begin as soon as it has been sent, with one or more related first binary sequences being sent repeatedly during the analysis; once the message types and field meanings of these sequences have been resolved, another first binary sequence that has not yet been sent is tried and analysed in turn. In other words, during the message type determination and field analysis described above, other related first binary sequences may be sent as required. For example, when two transmissions of the same first binary sequence are found to produce different response messages, the preset handling for that situation may send that first binary sequence and several related ones for a preset number of additional rounds, possibly changing the order of transmission between rounds. As another example, to determine whether a given block of a first binary sequence is a field, a preset method may keep the rest of the sequence unchanged and assign only that block a series of different values, producing a plurality of binary sequences; these are sent to the network device 10 and the corresponding response messages collected, from which it is determined whether the block is a field and what its inferred meaning is.
The specific sending and parsing procedure may be chosen as required and is not restricted here.
In the embodiments, after the communication model of the network device 10 has been established, the analysis device 20 may also, on the basis of the established model, send a plurality of different third binary sequences to the network device 10 and adjust the communication model according to the response messages received for them. This adjustment may be carried out by an adjustment module (not shown) of the analysis device 20, which:
sends a plurality of different third binary sequences to the network device based on the established communication model of the network device; and
adjusts the communication model according to the response messages corresponding to the third binary sequences obtained from the network device.
For example, when the response message received for a third binary sequence does not match the response message that the communication model associates with the request message identical to that third binary sequence, the third binary sequence and its related sequences (for instance, several request-message sequences whose responses depend on the order in which they are sent) may be sent to the network device 10 again, once or several times, and the correspondence in the communication model between that request message and its response message adjusted according to the responses received.
As another example, when the message type derived from the response received for a third binary sequence does not match the message type that the communication model assigns to the request message identical to that third binary sequence, the third binary sequence and its related sequences may likewise be sent to the network device 10 again, once or several times, and the message type of that request message in the communication model adjusted according to the responses received.
As a further example, when a third binary sequence has been constructed from the inferred meaning of at least one field of a request message in the communication model, and the response message received does not match the response predicted by the model, a plurality of fourth binary sequences may be constructed from the inferred meaning of that field or fields, and the inferred meaning of the field in the communication model adjusted according to the response messages the network device 10 returns for those fourth binary sequences.
Thus, after the communication model has been established, it can be verified by sending a number of request messages and adjusted further, making it more accurate and reliable.
In some embodiments, the analysis device 20 may provide the established communication model to a computing device. The computing device may, for example, use the communication model to look for bugs and vulnerabilities in the device, or to build a honeypot system. A honeypot system collects information about attackers by imitating a vulnerable system. Fig. 7 is a schematic diagram of a honeypot system in an embodiment of the present application. The honeypot system may include a traffic distributor 71, a traffic analyser 72, and at least one physical device 73 and/or virtual device 74 that simulates the network device 10 in generating response messages.
The traffic distributor 71 may distribute the received network traffic to the physical devices 73 and/or virtual devices 74 according to a preset distribution policy.
The physical device 73 and/or virtual device 74 may use the communication model established in the embodiments to determine the response message corresponding to each request message in the received network traffic and send that response message to the network.
The traffic analyser 72 may analyse the request messages in the received network traffic, the response messages sent by the physical devices 73 and/or virtual devices 74, and the further message exchanges that external devices carry out in reaction to those responses, and from them derive information such as the attacker's attack paths and techniques.
By using the communication model established in the embodiments, the honeypot system can react to external attacks, mislead the attacker into believing that the honeypot is a real device, and capture the further attack operations the attacker performs in response to the device's replies, thereby collecting richer information about the attacker.
As the above examples show, the technical solutions of the embodiments can construct a communication model of the network device 10. Establishing a communication model as descriptive information for the various messages handled by the network device 10 yields information about its communication behaviour pattern. The process is performed by a computing device, which reduces labour cost and is fast and efficient. Moreover, the solution can establish the communication model of the network device 10 without any prior information about the format or content of the messages it sends and receives, and is therefore particularly suited to analysing and modelling new devices.
An embodiment of the present application also provides a readable storage medium storing machine-readable instructions which, when executed by a machine, cause the machine to perform the method of establishing the communication model of the network device 10 described in any of the foregoing embodiments.
The readable medium stores machine-readable instructions which, when executed by a processor, cause the processor to perform any of the foregoing methods. Specifically, a system or apparatus equipped with a readable storage medium may be provided, on which software program code implementing the functions of any of the above embodiments is stored, and the computer or processor of that system or apparatus reads and executes the machine-readable instructions stored on the readable storage medium.
In that case, the program code read from the readable medium itself implements the functions of any of the above embodiments, so the machine-readable code and the readable storage medium storing it form part of the present application.
Examples of readable storage media include floppy disks, hard disks, magneto-optical disks, optical discs (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), magnetic tape, non-volatile memory cards and ROM. Alternatively, the program code may be downloaded from a server computer or from the cloud over a communication network.
Those skilled in the art will understand that the embodiments disclosed above may be varied and modified in many ways without departing from the essence of the application. The scope of protection of the present application is therefore defined by the appended claims.
It should be noted that not all steps and units in the above flows and system structure diagrams are necessary; some steps or units may be omitted as actual needs dictate. The order in which the steps are performed is not fixed and may be adjusted as required. The apparatus structures described in the embodiments above may be physical or logical structures: some units may be implemented by the same physical entity, some may be implemented by several physical entities, or a unit may be implemented jointly by components of several independent devices.
In the above embodiments, a hardware unit may be implemented mechanically or electrically. For example, a hardware unit or processor may include permanent dedicated circuitry or logic (such as a dedicated processor, FPGA or ASIC) to carry out the corresponding operations. A hardware unit or processor may also include programmable logic or circuitry (such as a general-purpose processor or other programmable processor) that is temporarily configured by software to carry out the corresponding operations. The specific implementation (mechanical, dedicated permanent circuitry, or temporarily configured circuitry) may be chosen on the basis of cost and time considerations.
The above are merely preferred embodiments of the present application and are not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present application shall fall within its scope of protection.

Claims (20)

  1. A method for establishing a communication model of a network device (10), characterized in that it comprises:
    determining a plurality of different first binary sequences, wherein each first binary sequence corresponds to a request message;
    sending the determined plurality of first binary sequences to the network device (10);
    acquiring, from the network device (10), response messages to the request messages corresponding to the plurality of first binary sequences, wherein each response message corresponds to a second binary sequence;
    determining the rule by which each second binary sequence varies with each first binary sequence;
    establishing the communication model of the network device (10) according to the rule.
  2. The method according to claim 1, characterized in that the communication model comprises at least one of the following:
    the correspondence between request messages and response messages;
    the inferred message type of a request message;
    the inferred message type of a response message;
    the inferred meaning of at least one field in a request message;
    the inferred meaning of at least one field in a response message.
  3. The method according to claim 2, characterized in that the correspondence between the request messages and the response messages comprises at least one of the following:
    one first binary sequence corresponds to a plurality of second binary sequences;
    a plurality of first binary sequences correspond to one second binary sequence;
    one first binary sequence corresponds to one second binary sequence;
    one first binary sequence corresponds to an empty sequence;
    a plurality of first binary sequences correspond to an empty sequence.
  4. The method according to any one of claims 1 to 3, characterized in that determining the rule by which each second binary sequence varies with each first binary sequence comprises:
    extracting a binary segment of a specified length from a specified position in each of the plurality of first binary sequences;
    determining the rule by which the response messages to the request messages corresponding to the plurality of first binary sequences vary with the binary segment.
  5. The method according to any one of claims 1 to 4, characterized in that establishing the communication model of the network device (10) according to the rule comprises:
    determining, according to the rule by which each second binary sequence varies with each component of each first binary sequence, the inferred meaning of each component of each first binary sequence and/or of each second binary sequence;
    establishing the communication model according to the inferred meaning of each component.
  6. The method according to claim 5, characterized in that determining the inferred meaning of each component of each first binary sequence and/or of each second binary sequence comprises at least one of the following:
    when the plurality of second binary sequences do not vary with a first component of the corresponding plurality of first binary sequences, determining the inferred meaning of the first component to be at least one of a message length, a time, a check code and a numeric value;
    when the plurality of second binary sequences vary with the first component of the corresponding plurality of first binary sequences and the degree of variation does not exceed a preset first threshold, determining the inferred meaning of the first component to be a numeric value;
    when the plurality of second binary sequences vary with the first component of the corresponding plurality of first binary sequences and the degree of variation exceeds the first threshold, determining the inferred meaning of the first component to be one or more of version information and type information;
    when the first component of the plurality of first binary sequences appears in the corresponding second binary sequences, determining the inferred meaning of the first component to be a session identifier or a numeric value;
    when the value of a second component of the plurality of second binary sequences corresponding to a plurality of consecutively sent first binary sequences increases monotonically, determining the inferred meaning of the second component to be counting information.
  7. The method according to any one of claims 1 to 6, characterized in that sending the determined plurality of first binary sequences to the network device (10) comprises at least one of the following:
    sending one first binary sequence to the network device (10) a plurality of times;
    sending the determined plurality of first binary sequences to the network device (10) a plurality of times in different orders;
    wherein determining the rule by which each second binary sequence varies with each first binary sequence comprises:
    determining how the plurality of response messages corresponding to the plural transmissions of the same first binary sequence vary.
  8. The method according to any one of claims 1 to 7, characterized in that establishing the communication model of the network device (10) according to the rule comprises:
    determining, according to the rule by which each second binary sequence varies with each first binary sequence, the inferred message type of each first binary sequence and/or of each second binary sequence;
    establishing the communication model according to the inferred message type.
  9. The method according to claim 8, characterized in that determining, according to the rule by which each second binary sequence varies with each first binary sequence, the inferred message type of each first binary sequence and/or of each second binary sequence comprises at least one of the following:
    when a plurality of first binary sequences correspond to the same second binary sequence and the second binary sequence is determined to be an error prompt message, determining the request messages corresponding to the plurality of first binary sequences to be invalid request messages;
    when a plurality of second binary sequences are identical to the corresponding first binary sequences, determining the response messages corresponding to the plurality of second binary sequences to be echo messages;
    when the value of a second binary sequence is a Boolean value, determining the response message corresponding to the second binary sequence to be a status response message and the request message corresponding to the respective first binary sequence to be a process request message;
    when the plurality of second binary sequences received after one first binary sequence has been sent a plurality of times differ from one another, determining the request message corresponding to the first binary sequence to be a time- or state-related request message;
    when the response message to the request message corresponding to a first binary sequence is an empty sequence, determining the request message corresponding to the first binary sequence to be a message that triggers an unknown fault of the network device (10).
  10. The method according to any one of claims 1 to 9, characterized by further comprising:
    sending a plurality of different third binary sequences to the network device (10) based on the established communication model of the network device;
    adjusting the communication model according to the received response messages corresponding to the third binary sequences.
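The following is an added illustration of the method claims above (claims 1, 4, 6, 7 and 9), not code from the patent or from Siemens. The network device (10), its 4-byte request layout, the probe values, the "degree of variation" metric (fraction of response bytes that differ, with a length change counted as a full change), the first threshold of 0.5 and the test for an "error prompt message" (ASCII text containing ERR) are all constructed assumptions; the patent leaves each of them to the implementer. The prober never reads the device's code: it only sends first binary sequences and classifies the second binary sequences it gets back.

```python
"""Probe an unknown request/response protocol and infer a communication model.
Added illustration for claims 1, 4, 6, 7 and 9; the device, its 4-byte protocol,
the threshold and the error-message test are constructed assumptions."""


class SimulatedDevice:
    """Constructed stand-in for network device (10); its request layout
    [type][session][value][reserved] is hidden from the prober below."""
    def __init__(self):
        self.count = 0  # per-request counter exposed by request type 0x04

    def handle(self, req):
        self.count = (self.count + 1) & 0xFF
        kind, sess, val = req[0], req[1], req[2]
        if kind == 0x01: return bytes(req)                             # echo service
        if kind == 0x02: return bytes([sess, (val * 2) & 0xFF, 0x00])  # read: echoes session, returns 2*value
        if kind == 0x03: return b"\x01" if val else b"\x00"            # status: Boolean reply
        if kind == 0x04: return bytes([0xAA, self.count])              # tick: reply carries a counter
        if kind == 0x05: return b""                                    # unknown fault: no reply
        return b"ERR\x00"                                              # anything else: error prompt

def change_degree(responses):
    """Largest fraction of bytes differing between consecutive responses;
    a length change or an empty reply counts as a complete change (1.0)."""
    degree = 0.0
    for a, b in zip(responses, responses[1:]):
        if len(a) != len(b) or not a:
            degree = 1.0
        else:
            degree = max(degree, sum(x != y for x, y in zip(a, b)) / len(a))
    return degree

def echoed_at(probes, responses, pos):
    """True if the request byte at `pos` reappears at one fixed response offset."""
    if any(not r for r in responses):
        return False
    width = min(len(r) for r in responses)
    return any(all(r[i] == p[pos] for p, r in zip(probes, responses)) for i in range(width))

def counter_offsets(responses):
    """Claim 6, last rule: response offsets whose value rises by one per consecutive send."""
    if not responses[0] or len({len(r) for r in responses}) != 1:
        return []
    return [i for i in range(len(responses[0]))
            if all(b[i] == (a[i] + 1) & 0xFF for a, b in zip(responses, responses[1:]))]

def infer_field_meanings(device, base, threshold=0.5):
    """Claims 4 and 6: vary one request byte at a time (the 'first component' cut from
    a specified position) and classify it from how the replies change.
    `threshold` stands in for the patent's unspecified first threshold (assumed 0.5)."""
    meanings = {}
    for pos in range(len(base)):
        probes = [base[:pos] + bytes([v]) + base[pos + 1:] for v in range(4)]
        responses = [device.handle(p) for p in probes]
        degree = change_degree(responses)
        if echoed_at(probes, responses, pos):
            meanings[pos] = "session id or value"
        elif degree == 0.0:
            meanings[pos] = "length, time, checksum or value"
        elif degree <= threshold:
            meanings[pos] = "numeric value"
        else:
            meanings[pos] = "version or type information"
    return meanings

def infer_message_types(device, requests, repeats=3):
    """Claims 7 and 9: send every request several times and classify it. A reply shared
    by several requests is treated as an error prompt when it contains the ASCII text
    'ERR' (assumed heuristic; the patent leaves that test open)."""
    model, shared = {}, {}
    for req in requests:
        resps = [device.handle(req) for _ in range(repeats)]
        first = resps[0]
        if first == b"":
            model[req] = "triggers unknown device fault"
        elif first == req:
            model[req] = "echo"
        elif first in (b"\x00", b"\x01"):
            model[req] = "process request (status response)"
        elif len(set(resps)) > 1:
            suffix = " (reply carries a counter)" if counter_offsets(resps) else ""
            model[req] = "time- or state-dependent request" + suffix
        else:
            shared.setdefault(first, []).append(req)
    for reply, reqs in shared.items():
        is_error = len(reqs) > 1 and b"ERR" in reply
        for req in reqs:
            model[req] = "invalid request (shared error reply)" if is_error else "valid request, fixed reply"
    return model

def build_model():
    """Run both inferences against a fresh simulated device and return the model."""
    device = SimulatedDevice()
    base = b"\x02\x07\x05\x00"  # constructed: a request already known to be accepted
    fields = infer_field_meanings(device, base)
    requests = [bytes([k]) + base[1:] for k in (0x01, 0x02, 0x03, 0x04, 0x05, 0x09, 0x0A)]
    return fields, infer_message_types(device, requests)

if __name__ == "__main__":
    print(build_model())
```

Running it reports request byte 0 as version/type information (changing it swaps the whole reply), byte 1 as a session id (it is copied back), byte 2 as a numeric value (one reply byte moves) and byte 3 as length/time/checksum/value (the reply ignores it); on the message-type side the echo, status, counter-bearing, fault-triggering and shared-error requests are each labelled as claim 9 describes. The same probes are what a protocol fuzzer would send, so the "empty reply" and "time- or state-dependent" classes are also the ones worth re-testing against a real device before trusting the model (claim 10).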
  11. An apparatus (20) for establishing a communication model of a network device (10), characterized in that it comprises:
    a request determination module (210), configured to determine a plurality of different first binary sequences, wherein each first binary sequence corresponds to a request message;
    a sending module (220), configured to send the determined plurality of first binary sequences to the network device (10);
    a response acquisition module (230), configured to acquire, from the network device (10), response messages to the request messages corresponding to the plurality of first binary sequences, wherein each response message corresponds to a second binary sequence;
    a model building module (240), configured to determine the rule by which each second binary sequence varies with each first binary sequence and to establish the communication model of the network device (10) according to the rule.
  12. The apparatus (20) according to claim 11, characterized in that the model building module (240) is configured to:
    extract a binary segment of a specified length from a specified position in each of the plurality of first binary sequences;
    determine the rule by which the response messages to the request messages corresponding to the plurality of first binary sequences vary with the binary segment.
  13. The apparatus (20) according to any one of claims 11 to 12, characterized in that the model building module (240) is configured to:
    determine, according to the rule by which each second binary sequence varies with each component of each first binary sequence, the inferred meaning of each component of each first binary sequence and/or of each second binary sequence;
    establish the communication model according to the inferred meaning of each component.
  14. The apparatus (20) according to claim 13, characterized in that the model building module (240) is configured to perform at least one of the following:
    when the plurality of second binary sequences do not vary with a first component of the corresponding plurality of first binary sequences, determine the inferred meaning of the first component to be at least one of a message length, a time, a check code and a numeric value;
    when the plurality of second binary sequences vary with the first component of the corresponding plurality of first binary sequences and the degree of variation does not exceed a preset first threshold, determine the inferred meaning of the first component to be a numeric value;
    when the plurality of second binary sequences vary with the first component of the corresponding plurality of first binary sequences and the degree of variation exceeds the first threshold, determine the inferred meaning of the first component to be one or more of version information and type information;
    when the first component of the plurality of first binary sequences appears in the corresponding second binary sequences, determine the inferred meaning of the first component to be a session identifier or a numeric value;
    when the value of a second component of the plurality of second binary sequences corresponding to a plurality of consecutively sent first binary sequences increases monotonically, determine the inferred meaning of the second component to be counting information.
  15. The apparatus (20) according to any one of claims 11 to 14, characterized in that the sending module (220) is configured to perform at least one of the following:
    send one first binary sequence to the network device (10) a plurality of times;
    send the determined plurality of first binary sequences to the network device (10) a plurality of times in different orders;
    wherein the model building module is configured to:
    determine how the plurality of response messages corresponding to the plural transmissions of the same first binary sequence vary.
  16. The apparatus (20) according to any one of claims 11 to 15, characterized in that the model building module (240) is configured to:
    determine, according to the rule by which each second binary sequence varies with each first binary sequence, the inferred message type of each first binary sequence and/or of each second binary sequence;
    establish the communication model according to the inferred message type.
  17. The apparatus (20) according to claim 16, characterized in that the model building module (240) is configured to perform at least one of the following:
    when a plurality of first binary sequences correspond to the same second binary sequence and the second binary sequence is determined to be an error message, determine the request messages corresponding to the plurality of first binary sequences to be invalid request messages;
    when a plurality of second binary sequences are identical to the corresponding first binary sequences, determine the response messages corresponding to the plurality of second binary sequences to be echo messages;
    when the value of a second binary sequence is a Boolean value, determine the response message corresponding to the second binary sequence to be a status response message and the request message corresponding to the respective first binary sequence to be a process request message;
    when the plurality of second binary sequences received after one first binary sequence has been sent a plurality of times differ from one another, determine the request message corresponding to the first binary sequence to be a time- or state-related request message;
    when the response message to the request message corresponding to a first binary sequence is an empty sequence, determine the request message corresponding to the first binary sequence to be a message that triggers an unknown fault of the network device (10).
  18. The apparatus (20) according to any one of claims 11 to 17, characterized by further comprising an adjustment module configured to:
    send a plurality of different third binary sequences to the network device (10) based on the established communication model of the network device (10);
    adjust the communication model according to the response messages corresponding to the third binary sequences acquired from the network device (10).
  19. An apparatus (20) for establishing a communication model of a network device, characterized by comprising a processor (250) and a memory (260), wherein:
    the memory (260) stores computer-readable instructions executable by the processor (250) to implement the method for establishing the communication model of the network device (10) according to any one of claims 1 to 10.
  20. A computer-readable storage medium storing computer-readable instructions, characterized in that the instructions are configured to cause a processor to execute the method for establishing the communication model of the network device (10) according to any one of claims 1 to 10.
PCT/CN2019/074251 2019-01-31 2019-01-31 Method and device for establishing communication model of network device WO2020155045A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201980085228.6A CN113243014A (en) 2019-01-31 2019-01-31 Method and device for establishing communication model of network equipment
PCT/CN2019/074251 WO2020155045A1 (en) 2019-01-31 2019-01-31 Method and device for establishing communication model of network device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/074251 WO2020155045A1 (en) 2019-01-31 2019-01-31 Method and device for establishing communication model of network device

Publications (1)

Publication Number Publication Date
WO2020155045A1 true WO2020155045A1 (en) 2020-08-06

Family

ID=71840782

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/074251 WO2020155045A1 (en) 2019-01-31 2019-01-31 Method and device for establishing communication model of network device

Country Status (2)

Country Link
CN (1) CN113243014A (en)
WO (1) WO2020155045A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101399708A * 2007-09-28 2009-04-01 Huawei Technologies Co., Ltd. Method and device for establishing a network performance model
US20160277242A1 * 2015-03-18 2016-09-22 Citrix Systems, Inc. Conducting online meetings using user behavior models based on predictive analytics
CN106126804A * 2016-06-21 2016-11-16 Shanghai Radio Equipment Research Institute Behavioral-level modeling and verification method for a power amplifier bottom-layer circuit
CN107408178A * 2015-03-24 2017-11-28 Qualcomm Incorporated Methods and systems for identifying malware through differences between cloud and client behavior
CN107766940A * 2017-11-20 2018-03-06 Beijing Baidu Netcom Science and Technology Co., Ltd. Method and apparatus for generating a model

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI376919B * 2004-07-30 2012-11-11 Qualcomm Inc Fast link establishment for network access
US20060050684A1 * 2004-09-07 2006-03-09 First Data Corporation Message analysis systems and methods
ES2426192T3 * 2006-11-30 2013-10-21 Cassis International Pte Ltd. Communication procedure between a device running Java ME and an airborne server with SOAP messages under APDU from / to an operator on a host, and corresponding system
CN104506530B * 2014-12-23 2018-02-06 Founder Broadband Network Service Co., Ltd. Network data processing method and device, and data sending method and device


Also Published As

Publication number Publication date
CN113243014A (en) 2021-08-10


Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19912276

Country of ref document: EP

Kind code of ref document: A1