CN103441990A - Protocol state machine automatic inference method based on state fusion - Google Patents
Protocol state machine automatic inference method based on state fusion Download PDFInfo
- Publication number
- CN103441990A CN103441990A CN2013103481367A CN201310348136A CN103441990A CN 103441990 A CN103441990 A CN 103441990A CN 2013103481367 A CN2013103481367 A CN 2013103481367A CN 201310348136 A CN201310348136 A CN 201310348136A CN 103441990 A CN103441990 A CN 103441990A
- Authority
- CN
- China
- Prior art keywords
- state
- protocol
- input
- character string
- message
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 230000004927 fusion Effects 0.000 title claims abstract description 48
- 238000000034 method Methods 0.000 title claims abstract description 44
- 230000008569 process Effects 0.000 claims abstract description 14
- 238000010276 construction Methods 0.000 claims abstract description 9
- 238000012360 testing method Methods 0.000 claims description 39
- 230000004044 response Effects 0.000 claims description 11
- 230000007246 mechanism Effects 0.000 claims description 8
- 239000000284 extract Substances 0.000 claims description 5
- 238000006243 chemical reaction Methods 0.000 claims description 4
- 239000012141 concentrate Substances 0.000 claims description 3
- 238000000605 extraction Methods 0.000 abstract description 3
- 230000003993 interaction Effects 0.000 abstract 1
- 238000005516 engineering process Methods 0.000 description 7
- 230000007704 transition Effects 0.000 description 7
- 230000006854 communication Effects 0.000 description 5
- 238000012546 transfer Methods 0.000 description 5
- 238000004891 communication Methods 0.000 description 4
- 238000012545 processing Methods 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- 230000035800 maturation Effects 0.000 description 2
- 238000011160 research Methods 0.000 description 2
- 238000012549 training Methods 0.000 description 2
- 230000009471 action Effects 0.000 description 1
- 230000032683 aging Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000000205 computational method Methods 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000004069 differentiation Effects 0.000 description 1
- 238000007499 fusion processing Methods 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 230000005012 migration Effects 0.000 description 1
- 238000013508 migration Methods 0.000 description 1
- 239000000203 mixture Substances 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 238000007500 overflow downdraw method Methods 0.000 description 1
- 238000005728 strengthening Methods 0.000 description 1
- 238000012038 vulnerability analysis Methods 0.000 description 1
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a protocol state machine automatic inference method based on state fusion. The method comprises the following steps of message format extraction, message classification, session abstraction and original state machine construction and the state fusion based on output messages. An extended prefix tree transducer EPTT is adopted in the protocol state machine automatic inference method to describe the session process of a protocol entity, the output messages of a protocol are focused on, the same states in a state machine are fused, testability interaction is carried out on the protocol entity to verify the feasibility of protocol state fusion, the automation of the inference of the protocol state machine is guaranteed, and the accuracy of an inference result is improved.
Description
Technical field
The present invention relates to networking technology area, in particular to a kind of network message that receives and send according to the protocol entity program, the method for the protocol state machine of corresponding network agreement is inferred in automation.
Background technology
Procotol is the support the key element that network communicating function is realized, is also the primary study object of network safety filed.A large amount of network security technologys such as intrusion detection, fuzz testing, agreement are reused, agreement vulnerability analysis all be take detailed protocol specification information as basis.
In network, used a large amount of shortages to describe the proprietary protocol of document, this makes all kinds of network security technologys that depend on the information standard be extremely restricted on range of application.For the problem of resolution protocol information the unknown, the researcher starts to adopt the reverse method of agreement to obtain unknown protocol specification.Agreement is reverse to be referred to and is monitored and analyze by network input and output, system action and instruction execution flow to protocol entity in the situation that do not rely on protocol description, extracts the process of procotol concrete norm information.
Network protocol standard mainly comprises protocol format and protocol state machine two parts.What protocol format was paid close attention to is the Nomenclature Composition and Structure of Complexes of each protocol domain in communication message.Protocol state machine is paid close attention to is that protocol status quantity in protocol system and protocol system are in the situation that receive the rules of different inputs from a protocol status to the another one transferring protocol state.
The reverse employing manual type of traditional agreement, process is tediously long consuming time, and accuracy depends on analyst's technical merit and practical experience.Along with the expansion of network size and increasing of protocol type, more and more higher to conversed analysis accuracy and ageing requirement, the agreement conversed analysis of Traditional Man mode can not meet the needs of practical application.The agreement automatic reversal, to can significantly reducing manual analysis, improves the analysis efficiency of proprietary protocol, has obtained increasing attention.
Current most of agreement automatic reversal concentrates on the extraction of protocol format to research, lack the protocol status machine information in analysis result, has restricted the practical application of the reverse result of agreement.In recent years, along with the maturation relatively of protocol format extractive technique, some researchers start to attempt protocol state machine is carried out to conversed analysis.Current protocol state machine is inferred the following problem that mainly exists: (1) existing state fusion method (as the Prospex system) is for the consideration of simplicity, for state machine model be the finite state machine of no-output.In this finite state machine, only there is the message input, and do not consider message output, ignored the inner link between protocol system input and output message.Protocol system is the state transition system of band output, and there are larger difference in the state machine that the processing of this simplification makes state fusion obtain and actual agreements system.(2) in order to solve the incomplete problem of sample set, often need constantly to produce new samples in protocol state machine deduction process, and whether be under the jurisdiction of protocol state machine according to new samples, implement further to infer.New samples is positive example or counter-example for protocol state machine, depends on artificial judgement.The artificial processing mode of judging is difficult to guarantee accuracy on the one hand, and on the other hand, this processing mode automaticity is low, has restricted the efficiency of conversed analysis.
Summary of the invention
For problems of the prior art, the present invention aims to provide the automatic estimating method of protocol state machine that a kind of state-based merges, protocol state machine inference problems for unknown protocol, on the basis of existing message protocol form inference technologies, strengthen prefix trees transducer EPTT (Extended Prefix Tree Transducer) according to the message sample architecture of collecting and describe the input that protocol entity relates at conversation procedure, the abstract symbol string that outgoing message forms, and the feasibility merged by the mutual decision state of the testability with protocol entity, guaranteed the automation that state machine is inferred, improved the accuracy of inferred results.
For reaching above-mentioned purpose, the technical solution adopted in the present invention is as follows:
The automatic estimating method of protocol state machine that a kind of state-based merges comprises the following steps:
(1) message format extracts and message classification: obtain the input that the protocol entity program is relevant, the concrete format information of outgoing message, and respectively input, outgoing message are classified according to message format, the message sample that structure is identical is classified as a class, with the classification information of abstract symbol presentation class;
(2) session is abstract builds with initial condition mechanism: the class categories meaned based on abstract symbol, take session as unit, to the network service behavior, carry out abstract, input and output sequence of message in the session process is described as to abstract input/output symbol string, and then, according to the session sample set, build the initial condition machine consistent with the input/output symbol set of strings;
(3) state fusion based on outgoing message: candidate state is merged according to the similarity height, and generation test symbol string, again by the test of automation, relatively the state machine after protocol entity and fusion is receiving the output response of making after the test symbol string, the feasibility that proofing state merges;
(4) repeat above-mentioned steps (3) until no longer include the state that meets fusion conditions in state machine;
Aforementioned session is abstract, and with initial condition mechanism, to build the workflow in stage as follows: the deduction of state machine be take the session sample set as fundamental construction, by in session the input, with its place classification, corresponding abstract symbol means outgoing message, thereby the input and output sequence of message of complete session is converted into to abstract input/output symbol string; On this basis, according to the session sample set, adopt the formal construction initial condition machine that strengthens prefix trees transducer EPTT, comprised all strings of the input/output symbol as the session sample in the initial condition machine;
The workflow in the aforementioned state fusion stage based on outgoing message is as follows: on the basis of initial condition machine, height according to similarity carries out state fusion to two similar states at every turn, the selection of similar state be take Blue Fringe algorithm as basis, selects two states that similarity is the highest as candidate state to be merged, whether the fusion of candidate state is feasible, to be judged according to the test character string generated, judge whether two candidate state can merge, wherein: character string prefix and the character string suffix of test character string based on arriving two candidate state in the reset condition machine builds, the mode of splicing by intersection, by arriving all character string prefixes of some candidate state and all character string suffix of another one candidate state, splice successively, the character string generated forms the test string assemble, if judge that all output strings are all consistent with the protocol state machine after fusion, think that state fusion is feasible, otherwise the judgement state fusion is infeasible, add session sample set Extended Protocol state machine using test result as new samples, and continue to attempt other states are merged.
Further, in preceding method, in protocol state machine, select when the candidate state that merges, take Blue Fringe algorithm as basis, the public input of character string suffix of the basis protocol status of similarity, public input of character string suffix reflection protocol entity is in two different agreement states the time, state conversion while receiving identical incoming message and output response condition, wherein: the input of character string suffix refers to that protocol entity is from a certain protocol status, receive a series of incoming message, these incoming messages are represented as the input of character string suffix in state machine, public input of character string suffix refers to that two different conditions receive identical a series of incoming messages, the calculating of similarity will be considered the length of the public input of character string suffix of protocol status, and whether protocol entity produces identical Output rusults when receiving identical input, if two protocol statuss, the length of their public input of character string suffix is the longest, and for identical input, identical output is arranged, two such protocol statuss will preferentially be attempted merging.
Further, in preceding method, utilize the test string assemble to carry out the process of state fusion and feasibility judgement, comprise the following steps: at first according to test character string and known message protocol form, generate the incoming message sequence as test case; The incoming message sequence is sent to the protocol entity program, obtains the outgoing message sequence as response; The outgoing message sequence is carried out abstract, it is expressed as to the output character string sequence; Protocol state machine after merging for candidate state, judge that the output symbol whether output character in the output character string sequence all is present in the protocol state machine corresponding states concentrates: if all output strings are all consistent with the protocol state machine after fusion, think that state fusion is feasible, otherwise the judgement state fusion is infeasible.
From the above technical solution of the present invention shows that, beneficial effect of the present invention is protocol system is considered as the state transition system of band output, being conceived to the inner link between the input and output message in protocol system implements to merge to the state in protocol state machine, strengthen prefix trees transducer EPTT (Extended Prefix Tree Transducer) by employing and describe the input that protocol entity relates at conversation procedure, the abstract symbol string that outgoing message forms, and the feasibility merged by the mutual decision state of the testability with protocol entity, contribute to guarantee that the protocol state machine and the actual agreements system height that build coincide, guaranteed the automation that state machine is inferred, improve the accuracy of inferred results, and produce the input sample of auxiliary judgement for candidate state automation to be merged, and then grasp the output response of protocol entity for the input sample by the automatic operating of protocol entity program, avoid the poor efficiency of artificial judgement, improved accuracy and the whole efficiency of the reverse deduction of state machine.
The accompanying drawing explanation
The whole realization flow schematic diagram that Fig. 1 is automatic estimating method of the present invention.
Fig. 2 builds the example of EPTT state machine based on abstract character string sequence in the present invention.
Fig. 3 is the example in the present invention, candidate state merged.
Embodiment
In order more to understand technology contents of the present invention, especially exemplified by specific embodiment and coordinate accompanying drawing to be described as follows.
As shown in Figure 1, according to preferred embodiment of the present invention, the automatic estimating method of protocol state machine that state-based merges comprises the following steps:
(1) message format extracts and message classification: collect at first in a large number the input and output sequence of message, and then adopt existing message format extracting method, obtain the input that the protocol entity program is relevant, the concrete format information of outgoing message, on this basis, according to message format, respectively input, outgoing message are classified, the message sample that structure is identical is classified as a class, with the classification information of abstract symbol presentation class;
(2) session is abstract builds with initial condition mechanism: on the basis of message classification, take session as unit, to the network service behavior, carry out abstract, input and output sequence of message in the session process is described as to abstract input/output symbol string, and then, according to the session sample set, build the initial condition machine consistent with the input/output symbol set of strings;
(3) state fusion based on outgoing message: candidate state is merged according to the similarity height, and generation test symbol string, again by the test of automation, relatively the state machine after protocol entity and fusion is receiving the output response of making after the test symbol string, the feasibility that proofing state merges;
(4) repeat above-mentioned steps (3) until no longer include the state that meets fusion conditions in state machine.
Wherein, aforementioned session is abstract, and with initial condition mechanism, to build the workflow in stage as follows: the deduction of state machine be take the session sample set as fundamental construction, by in session the input, with its place classification, corresponding abstract symbol means outgoing message, thereby the input and output sequence of message of complete session is converted into to abstract input/output symbol string; On this basis, according to the session sample set, adopt the formal construction initial condition machine that strengthens prefix trees transducer EPTT, comprised all strings of the input/output symbol as the session sample in the initial condition machine;
The workflow in the aforementioned state fusion stage based on outgoing message is as follows: on the basis of initial condition machine, height according to similarity carries out state fusion to two similar states at every turn, the selection of similar state be take Blue Fringe algorithm as basis, selects two states that similarity is the highest as candidate state to be merged, whether the fusion of candidate state is feasible, to be judged according to the test character string generated, judge whether two candidate state can merge, wherein: character string prefix and the character string suffix of test character string based on arriving two candidate state in the reset condition machine builds, the mode of splicing by intersection, by arriving all character string prefixes of some candidate state and all character string suffix of another one candidate state, splice successively, the character string generated forms the test string assemble, if judge that all output strings are all consistent with the protocol state machine after fusion, think that state fusion is feasible, otherwise the judgement state fusion is infeasible, add session sample set Extended Protocol state machine using test result as new samples, and continue to attempt other states are merged.
With reference to the whole realization flow shown in figure 1 and in conjunction with shown in Fig. 2,3, the automatic estimating method of the protocol state machine of the present embodiment comprises message format extraction and message classification, session is abstract builds and three parts of the state fusion based on outgoing message with initial condition mechanism, explanation respectively below concrete execution mode.
(1) message format extracts and message classification
The embodiment of the present invention is collected the input and output sequence of message that the communication of protocol entity program network produces at first in a large number, and the message format extracting method of employing PI project (Protocol Information Project) is obtained the concrete format information of input and output message.On this basis, according to message format, respectively incoming message and outgoing message are classified, if several message sample has identical message structure, they are classified as to a class.For each classification, use unique Arabic numerals (as 1,2,3) to be identified.
(2) session is abstract builds with initial condition mechanism
On the basis of message classification, take session as unit, to the network service behavior, carry out abstract.
Partial data exchange that session means to communicate by letter and carries out between the participant, can be reflected in the migration situation of protocol status in communication process.The procotol research field, had the method for the recognition network session of many maturations.The service that upper layer application is used lower-layer protocols to provide.If the network application based on Transmission Control Protocol, a session is often started by the three-way handshake of Transmission Control Protocol, when the TCP disconnecting, stops; If the network application based on udp protocol, a session is often distinguished by the interval time of communication, if communicating pair stops the time of communication, surpasses specific duration, infers that a session completes.
In session, in abstract process, adopt input and output message classification to replace concrete message information, and the sequential occurred according to message build character string sequence.
For example, certain session be represented as character string sequence (<1,2,5 >,<1,3,6 >), wherein<1,2,5 > mean the input character string sequence, the meaning of the Arabic numerals 1 in this sequence is that first incoming message belongs to incoming message classification 1, and the meaning of numeral 2 is that second incoming message belongs to incoming message classification 2;<1,3,6 > mean the output character string sequence, wherein the meaning of numeral 1 is that first outgoing message belongs to outgoing message classification 1, and the meaning of numeral 3 is that second outgoing message belongs to outgoing message classification 3, by that analogy.The implication of this session is protocol entity while receiving the message that some classifications (incoming message classification) are 1, has exported the message that some classifications (outgoing message classification) are 1, enters a new protocol status simultaneously; When the protocol status in new, protocol entity receives the message that some classifications (incoming message classification) are 2, has exported the message that some classifications (outgoing message classification) are 3, has entered the another one protocol status; At this protocol status, protocol entity receives again the message that some classifications (incoming message classification) are 5, has exported the message that some classifications (outgoing message classification) are 6, has again carried out the state conversion.
That input and output message sample is carried out to session is abstract, after being converted into the character string sequence set, start to build initial protocol state machine.The present invention adopts the formal construction state machine that strengthens prefix trees transducer EPTT, it is advantageous that can the accurate description protocol entity State-output information, protocol state machine and the real network agreement situation of the band of constructing output are more pressed close to.
The protocol state machine of EPTT form is defined as 6 tuple (Q
e, I, O, δ
e, λ
e, q
λ), Q wherein
erepresent state set, I represents the incoming symbol set, and O represents output symbol set, δ
erepresent state transition function, λ
erepresent output function, q
λrepresent initial protocol status.
During structure EPTT protocol state machine, successively the session sample is added to state machine.Fig. 2 builds an example of EPTT state machine based on abstract character string sequence in the present invention.For the character string sequence of a certain session, adopt the form of traversal, by the analysis that combines of input character string sequence and output character string sequence.For example,, for first session sample in Fig. 2, input character string sequence<1,2,5 > and output character string sequence<1,3,6 > in connection with Synchronization Analysis together, reflect the corresponding relation of input character and output character.
To, based on input of character string sequence structure prefix sign string, the input character traveled through be described in the process of traversal.Initial condition is set to state 0, and protocol state machine starts to receive input by initial condition.The prefix sign string is set to λ when initial, means that the prefix sign string is empty at present.Character in the input character string sequence adds the prefix sign string successively.If the state that the prefix sign string arrives does not have in the previous status machine, create a new state, with the Arabic numerals unique identification.If corresponding state transitions information does not exist in the previous status machine, extended mode transfer function and output function; If comprised corresponding state transitions information in the previous status machine, will further judge whether to need to expand output information.
For example, for first session sample in Fig. 2, first input character that ergodic process runs into is 1, forms prefix sign string λ 1, needs to create a new protocol status, with numeral 1 this state of sign.Extended mode transfer function (protocol entity, in state 0 time, receives input character 1, transfers to state 1), and output function simultaneously (protocol entity, in state 0 time, receives input character 1, produces output character 1).Second input character that ergodic process runs into is 2, form prefix sign string λ 12, create a new state with numeral 2 signs, (protocol entity is in state 1 time for the extended mode transfer function simultaneously, receive input character 2, transfer to state 2), and output function (protocol entity is in state 1 time, receive input character 2, produce output character 3).For second session sample in Fig. 2, because the state transitions related to is identical with first session sample, therefore can not produce new state.But according to second session sample, protocol entity receives input character 2 in state 1 time, and the output character of generation is 4.This output information will extend in former protocol state machine, and protocol entity receives input character 2 in state 1 time, and the output character of generation is under the jurisdiction of output character set { 3,4}.
After having traveled through all session samples, initial protocol state machine will be obtained.The construction method of initiation protocol state machine is that all session samples are directly added, do not carry out any differentiation and examination, therefore, the state machine result that structure obtains has often comprised a large amount of redundant states, need in addition abbreviation of method by merging similar state, the protocol state machine obtained just more has practical value.
(3) state fusion based on outgoing message
After having built the initial condition machine, will, according to the height of similarity, attempt the similar state in state machine is carried out to state fusion.In the present embodiment, the selection of similar state be take Blue Fringe algorithm as basis, but the computational methods of similarity are wherein improved.Estimate the similarity of two protocol statuss, the foundation of employing is public input of character string suffix.The input of character string suffix refers to protocol entity from a certain protocol status, receives a series of incoming message, and these incoming messages are represented as the input of character string suffix in state machine.What " public " in public input of character string suffix emphasized is that two different agreement states receive identical a series of incoming messages.Public input of character string suffix can reflect that protocol entity is in two different agreement states the time, the state conversion while receiving identical incoming message and output response condition.When similarity is calculated, the length of the public input of character string suffix of protocol status will be considered, and, for the identical input received, whether protocol entity there is identical Output rusults.If two protocol statuss, the length of their public input of character string suffix is the longest, and for identical input, identical output is arranged, and two such protocol statuss will preferentially be attempted merging as candidate state.
Whether two candidate state can merge, and need to further judge.Because protocol state machine is based on training sample and builds, and training sample is difficult to guarantee comprehensively, and this makes infers that the protocol state machine produced may there are differences with real protocol state machine.For the fusion that judges two candidate state whether feasible, needing further to generate targetedly the test character string is tested, the protocol entity program of performance by to(for) the test character string comes certainly or the fusion of negative candidate state, thereby guarantees that the protocol state machine result of inferring is identical with real protocol state machine.
With reference to figure 3, the state machine before the test character string merges based on candidate state produces, and Main Basis is character string prefix and the character string suffix of two candidate state in state machine.The mode that the generation of test character string is spliced by intersection, splice successively by arriving all character string prefixes of some candidate state and all character string suffix of another one candidate state, and the character string of generation forms the test string assemble.For example, for the state machine before state fusion in Fig. 3, the similarity of state 1 and state 3 is the highest, will preferentially attempt merging.When structure test character string, known by analyzing, the character string prefix sets of state 1 is {<1 > }, the character string prefix sets of state 3<1,7 > }.Due to character string prefix<1,7 > comprised<1, in fusion process, will be conceived to the suffix set {<7,2,5,14 > } of state 1 and the suffix set {<2 of state 3,5,14 > }, the test string assemble of generation comprise 2 elements<1,2,5,14 >,<1,7,7,2,5,14 > }.
In the process that utilization test character string is tested, at first, according to test character string and known message protocol form, will test character string and be instantiated as the incoming message sequence.The incoming message sequence is sent to the protocol entity program, obtains the outgoing message sequence as response.The outgoing message sequence is carried out abstract, it is expressed as to the output character string sequence.Protocol state machine after merging for candidate state, the output character in judgement output character string sequence, the output symbol that whether all is present in the protocol state machine corresponding states is concentrated.If all output strings are consistent with in state machine all, think that state fusion is feasible, otherwise the judgement state fusion is infeasible, adds sample set Extended Protocol state machine using test result as new samples, continue to select other candidate state to implement to merge in state machine.
The mixing operation of state will carry out repeatedly, until there is no the state that can merge in state machine.
From the above technical solution of the present invention shows that, the automatic estimating method of protocol state machine that state-based of the present invention merges, on the basis of existing message protocol form inference technologies, strengthen the prefix trees transducer according to the message sample architecture of collecting, merged the protocol state machine that obtains simplifying by the similar state to strengthening in the prefix trees transducer.Adopt the method need to obtain the protocol entity program, and run entity program as required, send specific sequence of message to it, and observe corresponding message output, using this basis of inferring as protocol state machine.
In sum, the automatic estimating method of protocol state machine that state-based of the present invention merges is considered as protocol system the state transition system of band output, being conceived to the inner link between the input and output message in protocol system implements to merge to the state in protocol state machine, strengthen prefix trees transducer EPTT by employing and describe the input that protocol entity relates at conversation procedure, the abstract symbol string that outgoing message forms, and the feasibility merged by the mutual decision state of the testability with protocol entity, contribute to guarantee that the protocol state machine and the actual agreements system height that build coincide, guaranteed the automation that state machine is inferred, improve the accuracy of inferred results, and produce the input sample of auxiliary judgement for candidate state automation to be merged, and then grasp the output response of protocol entity for the input sample by the automatic operating of protocol entity program, avoid the poor efficiency of artificial judgement, improved accuracy and the whole efficiency of the reverse deduction of state machine.
Although the present invention discloses as above with preferred embodiment, so it is not in order to limit the present invention.The persond having ordinary knowledge in the technical field of the present invention, without departing from the spirit and scope of the present invention, when being used for a variety of modifications and variations.Therefore, protection scope of the present invention is as the criterion when looking claims person of defining.
Claims (3)
1. the automatic estimating method of protocol state machine that state-based merges, is characterized in that, comprises the following steps:
(1) message format extracts and message classification: obtain the input that the protocol entity program is relevant, the concrete format information of outgoing message, and respectively input, outgoing message are classified according to message format, the message sample that structure is identical is classified as a class, with the classification information of abstract symbol presentation class;
(2) session is abstract builds with initial condition mechanism: the class categories meaned based on abstract symbol, take session as unit, to the network service behavior, carry out abstract, input and output sequence of message in the session process is described as to abstract input/output symbol string, and then, according to the session sample set, build the initial condition machine consistent with the input/output symbol set of strings;
(3) state fusion based on outgoing message: candidate state is merged according to the similarity height, and generation test symbol string, again by the test of automation, relatively the state machine after protocol entity and fusion is receiving the output response of making after the test symbol string, the feasibility that proofing state merges;
(4) repeat above-mentioned steps (3) until no longer include the state that meets fusion conditions in state machine;
Aforementioned session is abstract, and with initial condition mechanism, to build the workflow in stage as follows: the deduction of state machine be take the session sample set as fundamental construction, by in session the input, with its place classification, corresponding abstract symbol means outgoing message, thereby the input and output sequence of message of complete session is converted into to abstract input/output symbol string; On this basis, according to the session sample set, adopt the formal construction initial condition machine that strengthens prefix trees transducer EPTT, comprised all strings of the input/output symbol as the session sample in the initial condition machine;
The workflow in the aforementioned state fusion stage based on outgoing message is as follows: on the basis of initial condition machine, height according to similarity carries out state fusion to two similar states at every turn, the selection of similar state be take Blue Fringe algorithm as basis, selects two states that similarity is the highest as candidate state to be merged, whether the fusion of candidate state is feasible, to be judged according to the test character string generated, judge whether two candidate state can merge, wherein: character string prefix and the character string suffix of test character string based on arriving two candidate state in the reset condition machine builds, the mode of splicing by intersection, by arriving all character string prefixes of some candidate state and all character string suffix of another one candidate state, splice successively, the character string generated forms the test string assemble, if judge that all output strings are all consistent with the protocol state machine after fusion, think that state fusion is feasible, otherwise the judgement state fusion is infeasible, add session sample set Extended Protocol state machine using test result as new samples, and continue to attempt other states are merged.
2. method according to claim 1, it is characterized in that, in preceding method, in protocol state machine, select when the candidate state that merges, take Blue Fringe algorithm as basis, the public input of character string suffix of the basis protocol status of similarity, public input of character string suffix reflection protocol entity is in two different agreement states the time, state conversion while receiving identical incoming message and output response condition, wherein: the input of character string suffix refers to that protocol entity is from a certain protocol status, receive a series of incoming message, these incoming messages are represented as the input of character string suffix in state machine, public input of character string suffix refers to that two different conditions receive identical a series of incoming messages, the calculating of similarity will be considered the length of the public input of character string suffix of protocol status, and whether protocol entity produces identical Output rusults when receiving identical input, if two protocol statuss, the length of their public input of character string suffix is the longest, and for identical input, identical output is arranged, two such protocol statuss will preferentially be attempted merging.
3. method according to claim 1, it is characterized in that, in preceding method, utilize the test string assemble to carry out the process of state fusion and feasibility judgement, comprise the following steps: at first according to test character string and known message protocol form, generate the incoming message sequence as test case; The incoming message sequence is sent to the protocol entity program, obtains the outgoing message sequence as response; The outgoing message sequence is carried out abstract, it is expressed as to the output character string sequence; Protocol state machine after merging for candidate state, judge that the output symbol whether output character in the output character string sequence all is present in the protocol state machine corresponding states concentrates: if all output strings are all consistent with the protocol state machine after fusion, think that state fusion is feasible, otherwise the judgement state fusion is infeasible.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310348136.7A CN103441990B (en) | 2013-08-09 | 2013-08-09 | The automatic estimating method of protocol state machine based on state fusion |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310348136.7A CN103441990B (en) | 2013-08-09 | 2013-08-09 | The automatic estimating method of protocol state machine based on state fusion |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103441990A true CN103441990A (en) | 2013-12-11 |
CN103441990B CN103441990B (en) | 2016-03-30 |
Family
ID=49695655
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310348136.7A Expired - Fee Related CN103441990B (en) | 2013-08-09 | 2013-08-09 | The automatic estimating method of protocol state machine based on state fusion |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103441990B (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104767744A (en) * | 2015-03-25 | 2015-07-08 | 中国人民解放军理工大学 | Protocol state machine active inference method based on protocol knowledge |
CN110191019A (en) * | 2019-05-28 | 2019-08-30 | 北京百度网讯科技有限公司 | Test method, device, computer equipment and the storage medium of vehicle CAN bus |
CN112019403A (en) * | 2020-08-24 | 2020-12-01 | 杭州弈鸽科技有限责任公司 | Cross-platform automatic mining method and system for message protocol state machine of Internet of things |
CN112039196A (en) * | 2020-04-22 | 2020-12-04 | 广东电网有限责任公司 | Power monitoring system private protocol analysis method based on protocol reverse engineering |
CN113852605A (en) * | 2021-08-29 | 2021-12-28 | 北京工业大学 | Protocol format automatic inference method and system based on relational reasoning |
CN114172972A (en) * | 2021-11-11 | 2022-03-11 | 中国工程物理研究院计算机应用研究所 | Unknown protocol behavior reverse inference method based on optimized stochastic converter model |
CN115174441A (en) * | 2022-09-06 | 2022-10-11 | 中国汽车技术研究中心有限公司 | State machine based TCP fuzzy test method, equipment and storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6119187A (en) * | 1995-11-30 | 2000-09-12 | Excel Switching Corp. | Telecommunication system with universal API using generic messages having user functionality associated with predetermined functions, primitives and logical states for defining PPL component state machines |
US6765881B1 (en) * | 2000-12-06 | 2004-07-20 | Covad Communications Group, Inc. | Virtual L2TP/VPN tunnel network and spanning tree-based method for discovery of L2TP/VPN tunnels and other layer-2 services |
CN1741482A (en) * | 2005-09-27 | 2006-03-01 | 清华大学 | Protocol interoperation characteristic test generating method based on communication multi-port finite state machine |
CN1937613A (en) * | 2005-10-14 | 2007-03-28 | 康佳集团股份有限公司 | Method for realizing real-time flow protocol control utilizing state machine |
CN101068244A (en) * | 2007-06-07 | 2007-11-07 | 中兴通讯股份有限公司 | Metod for tracing protocol stack state machine switching |
CN102404167A (en) * | 2011-11-03 | 2012-04-04 | 清华大学 | Protocol test generating method of parallel expansion finite-state machine based on variable dependence |
-
2013
- 2013-08-09 CN CN201310348136.7A patent/CN103441990B/en not_active Expired - Fee Related
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6119187A (en) * | 1995-11-30 | 2000-09-12 | Excel Switching Corp. | Telecommunication system with universal API using generic messages having user functionality associated with predetermined functions, primitives and logical states for defining PPL component state machines |
US6765881B1 (en) * | 2000-12-06 | 2004-07-20 | Covad Communications Group, Inc. | Virtual L2TP/VPN tunnel network and spanning tree-based method for discovery of L2TP/VPN tunnels and other layer-2 services |
CN1741482A (en) * | 2005-09-27 | 2006-03-01 | 清华大学 | Protocol interoperation characteristic test generating method based on communication multi-port finite state machine |
CN1937613A (en) * | 2005-10-14 | 2007-03-28 | 康佳集团股份有限公司 | Method for realizing real-time flow protocol control utilizing state machine |
CN101068244A (en) * | 2007-06-07 | 2007-11-07 | 中兴通讯股份有限公司 | Metod for tracing protocol stack state machine switching |
CN102404167A (en) * | 2011-11-03 | 2012-04-04 | 清华大学 | Protocol test generating method of parallel expansion finite-state machine based on variable dependence |
Non-Patent Citations (1)
Title |
---|
田园,等: "一种逆向分析协议状态机模型的有效方法", 《计算机工程与应用》, vol. 47, no. 19, 1 July 2011 (2011-07-01) * |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104767744B (en) * | 2015-03-25 | 2018-05-15 | 中国人民解放军理工大学 | Protocol state machine active estimating method based on protocol knowledge |
CN104767744A (en) * | 2015-03-25 | 2015-07-08 | 中国人民解放军理工大学 | Protocol state machine active inference method based on protocol knowledge |
CN110191019B (en) * | 2019-05-28 | 2021-05-28 | 北京百度网讯科技有限公司 | Vehicle CAN bus test method and device, computer equipment and storage medium |
CN110191019A (en) * | 2019-05-28 | 2019-08-30 | 北京百度网讯科技有限公司 | Test method, device, computer equipment and the storage medium of vehicle CAN bus |
CN112039196A (en) * | 2020-04-22 | 2020-12-04 | 广东电网有限责任公司 | Power monitoring system private protocol analysis method based on protocol reverse engineering |
CN112019403B (en) * | 2020-08-24 | 2021-10-01 | 杭州弈鸽科技有限责任公司 | Cross-platform automatic mining method and system for message protocol state machine of Internet of things |
CN112019403A (en) * | 2020-08-24 | 2020-12-01 | 杭州弈鸽科技有限责任公司 | Cross-platform automatic mining method and system for message protocol state machine of Internet of things |
CN113852605A (en) * | 2021-08-29 | 2021-12-28 | 北京工业大学 | Protocol format automatic inference method and system based on relational reasoning |
CN113852605B (en) * | 2021-08-29 | 2023-09-22 | 北京工业大学 | Protocol format automatic inference method and system based on relation reasoning |
CN114172972A (en) * | 2021-11-11 | 2022-03-11 | 中国工程物理研究院计算机应用研究所 | Unknown protocol behavior reverse inference method based on optimized stochastic converter model |
CN114172972B (en) * | 2021-11-11 | 2023-08-15 | 中国工程物理研究院计算机应用研究所 | Unknown protocol behavior reverse inference method based on optimized random converter model |
CN115174441A (en) * | 2022-09-06 | 2022-10-11 | 中国汽车技术研究中心有限公司 | State machine based TCP fuzzy test method, equipment and storage medium |
CN115174441B (en) * | 2022-09-06 | 2022-12-13 | 中国汽车技术研究中心有限公司 | State machine based TCP fuzzy test method, equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN103441990B (en) | 2016-03-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103441990B (en) | The automatic estimating method of protocol state machine based on state fusion | |
CN106817363B (en) | Intelligent ammeter abnormity detection method based on neural network | |
CN103036730B (en) | A kind of method and device protocol realization being carried out to safety test | |
Cavalli et al. | New approaches for passive testing using an extended finite state machine specification | |
CN107896160B (en) | A kind of data center network flowmeter factor method based on distributed system | |
CN112800428B (en) | Method and device for judging safety state of terminal equipment | |
CN112632046A (en) | Cloud rule engine implementation method, system, device and medium | |
CN110674503B (en) | Intelligent contract endless loop detection method based on graph convolution neural network | |
CN104935570A (en) | Network flow connection behavior characteristic analysis method based on network flow connection graph | |
CN103488683B (en) | Microblog data management system and implementation method thereof | |
CN111092775A (en) | Network protocol security test evaluation method based on model learning | |
CN104767744A (en) | Protocol state machine active inference method based on protocol knowledge | |
CN113660241A (en) | Automatic penetration testing method based on deep reinforcement learning | |
CN113347060B (en) | Method, device and system for detecting power network fault based on process automation | |
CN101674205B (en) | Method and device for generating network communication protocol test sequence based on finite-state machine | |
CN107493299A (en) | A kind of user behavior source tracing method based on three-tier architecture | |
CN111625474B (en) | Automatic testing method of alliance chain | |
CN104063227B (en) | A kind of instruction learning method based on Internet of Things | |
CN106326096A (en) | Formalized modeling method for warship equipment software interface protocol | |
CN108121796A (en) | Electric energy metering device failure analysis methods and device based on confidence level | |
Wang et al. | An Intent-based Network Empowered by Knowledge Graph: Enhancement of Intent Translation and Management Function for Vertical Industry | |
CN110457897A (en) | A kind of database security detection method based on communication protocol and SQL syntax | |
CN112579436B (en) | Micro-service software architecture identification and measurement method | |
CN111008872B (en) | User portrait construction method and system suitable for Ether house | |
Kumar et al. | Machine learning based traffic classification using low level features and statistical analysis |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20160330 |
|
CF01 | Termination of patent right due to non-payment of annual fee |