CN111092775A - Network protocol security test evaluation method based on model learning - Google Patents

Info

Publication number
CN111092775A
Authority
CN
China
Prior art keywords
model
target protocol
learner
protocol
character string
Prior art date
Legal status
Pending
Application number
CN201911395953.1A
Other languages
Chinese (zh)
Inventor
潘晓东
侯毅
Current Assignee
Henan Yunmai Hanhai Electronic Technology Co Ltd
Original Assignee
Henan Yunmai Hanhai Electronic Technology Co Ltd
Priority date
2019-12-30
Filing date
2019-12-30
Publication date
2020-05-01
Application filed by Henan Yunmai Hanhai Electronic Technology Co Ltd
Priority to CN201911395953.1A
Publication of CN111092775A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/18 Protocol analysers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Electrically Operated Instructional Devices (AREA)

Abstract

The invention belongs to the technical field of network protocol security testing and specifically relates to a network protocol security test and evaluation method based on model learning, which comprises two steps: (1) under the classical MAT framework, a model learning algorithm is used to automatically infer a finite-state machine model of the target protocol; (2) a security criterion is defined according to the security requirements of the target protocol, and the security of the finite-state machine model is analyzed by model checking. The invention automatically learns the internal implementation logic of the network protocol under test without depending on source code or system documentation, and efficiently tests and evaluates the security of the system by comparing the model with the relevant specifications.

Description

Network protocol security test evaluation method based on model learning
Technical Field
The invention belongs to the technical field of network protocol security testing, and particularly relates to a network protocol security testing and evaluating method based on model learning.
Background
In recent years, with the continuing development of global informatization, a large number of network security protocols have been deployed for secure and confidential communication. While network service functions keep expanding, security vulnerabilities in information systems keep emerging, the information security situation is increasingly severe, and vulnerability analysis of network security protocols has become a hot topic in the information security field. Among the many network security problems, some vulnerabilities are caused by incorrect implementation of the relevant protocol specification, such as the OpenSSL Early CCS vulnerability and the OpenSSH user enumeration vulnerability; such subtle logic vulnerabilities are often difficult to find but seriously threaten the security of communication and services, so security test evaluation and analysis of network protocols is of great significance.
At present, security test evaluation of network protocols not only requires testers to master the network protocol specification and information security knowledge, but also demands a great deal of manual effort.
Disclosure of Invention
The invention aims to provide an efficient network protocol security test evaluation method based on model learning, which infers a model of the target protocol by model learning and analyzes the security of the target protocol by model checking.
Based on this purpose, the invention adopts the following technical scheme: the network protocol security test evaluation method based on model learning comprises the following steps:
(1) obtaining a finite-state machine model of the target protocol: a finite-state machine model of the target protocol is automatically inferred with a model learning algorithm under the classical Minimally Adequate Teacher (MAT) framework. The learner generates an input string for testing according to the model learning algorithm; the mapper translates the input string into actual messages and interacts with the system, so that the output string corresponding to the input string is obtained; input strings and their corresponding output strings are obtained repeatedly, so that an input/output observation table for the target protocol is built, and the observation table is mapped into a finite-state machine model of the target protocol through the mapper.
(2) analyzing the security of the finite-state machine model of the target protocol: a security criterion is defined according to the security requirements of the target protocol, and model checking is used to check whether every interaction path in the state machine model of the target protocol satisfies the criterion; if all interaction paths satisfy the security criterion, the target protocol is determined to have no security vulnerability; if there are paths that do not satisfy the security criterion and a counterexample can be given, the target protocol is determined to have a security vulnerability.
Further, in step (1), the following assumptions are made while obtaining the finite-state machine model of the target protocol:
① running the model learning algorithm eventually yields a finite-state machine model;
② the learner knows all valid inputs and outputs of the target protocol;
③ the target protocol can answer any query and gives a deterministic answer to each query.
Further, in step (1), the classical MAT framework consists of a learner and an oracle (the teacher), where the oracle serves as the interface to the running target protocol; the learner knows only the input symbol set I and the output symbol set O, and the learner can ask the oracle to reset the target protocol to its start state.
Further, the model learning algorithm comprises the following steps:
I. membership query: after the oracle has reset the target protocol to the start state, the learner sends an input string σ ∈ I* to the oracle as a query to the target protocol, and the oracle responds with the corresponding output string A_M(σ); after each complete round of queries a reset query is issued to keep the runs consistent; through membership queries the learner builds a hypothesis Mealy machine H for the state machine behind the oracle;
II. equivalence query: the learner asks the oracle whether the hypothesis Mealy machine H is equivalent to the Mealy machine M of the real target protocol, i.e. whether A_H(σ) = A_M(σ) for all σ ∈ I*; if the oracle answers yes, the learning algorithm terminates and outputs the state diagram H; otherwise the oracle returns a counterexample σ ∈ I* with A_H(σ) ≠ A_M(σ), and the learner refines the hypothesis using the counterexample and continues learning until an acceptable hypothesis is obtained.
Further, the specific analysis process of the model checking method in step (2) is as follows:
i. the learner sends input strings to the mapper, and learns and revises the model according to the output strings returned by the mapper;
ii. the mapper converts the abstract messages of the input string into concrete messages that can be sent to the target protocol, and converts the responses returned by the target protocol into output strings that the learner can recognize;
iii. the model of the target protocol obtained by the learner through learning and correction is analyzed, and the vulnerabilities of the target protocol are found by analyzing this model.
Compared with the prior art, the invention has the following technical effects:
compared with traditional manual methods such as source code reading and static modeling analysis, the model-learning-based network protocol security test evaluation method provided by the invention automatically learns the internal implementation logic of the network protocol under test without depending on source code or system documentation, and efficiently tests and evaluates the security of the system by comparing the model with the relevant specifications.
Drawings
FIG. 1 is a schematic view of the MAT framework;
FIG. 2 is a flow chart of network protocol test analysis based on model learning.
Detailed Description
Example 1
The network protocol security test evaluation method based on model learning is a dynamic black-box testing method: it infers a model of the target protocol with a model learning method and analyzes the security of the target protocol with model checking. The specific process is as follows:
(1) under the classic MAT framework, a finite-state machine model of the target protocol is automatically derived using a model learning algorithm.
The classic MAT framework is shown in FIG. 1 and comprises a learner and an oracle, where the oracle serves as the interface to the running target protocol; the learner knows only the input symbol set I and the output symbol set O, and can ask the oracle to reset the target protocol to its start state.
The participants in the model learning algorithm are the learner, the mapper and the target protocol; the target protocol is the network security protocol whose implemented state machine model is to be inferred and then analyzed for vulnerabilities.
The model learning algorithm comprises a state machine inference algorithm and a consistency detection algorithm.
The state diagram of the target protocol is derived with a state machine inference algorithm so as to recover the real operating behaviour of the protocol. Three reasonable assumptions are generally needed: ① a finite-state machine is eventually obtained; ② all valid inputs and outputs of the target system are known to the learner; ③ the target system can answer any query and gives a deterministic answer to each query. These three assumptions ensure that a final state machine model of the target protocol can be obtained by model learning.
The consistency detection algorithm under the MAT framework comprises the following two steps:
I. membership query: after the oracle has reset the target protocol to the start state, the learner sends an input string σ ∈ I* to the oracle as a query to the target protocol, and the oracle responds with the corresponding output string A_M(σ); after each complete round of queries a reset query is issued to keep the runs consistent; through membership queries the learner builds a hypothesis Mealy machine H for the state machine behind the oracle;
II. equivalence query: the learner asks the oracle whether the hypothesis Mealy machine H is equivalent to the Mealy machine M of the real target protocol, i.e. whether A_H(σ) = A_M(σ) for all σ ∈ I*; if the oracle answers yes, the algorithm terminates and outputs the state diagram H; otherwise the oracle returns a counterexample σ ∈ I* with A_H(σ) ≠ A_M(σ), and the learner refines the hypothesis using the counterexample and continues learning until an acceptable hypothesis is obtained.
(2) the finite-state machine model of the target protocol is checked with a model checking method and the security of the target protocol is analyzed, specifically as follows.
A security criterion is defined according to the security requirements of the target protocol, and model checking is used to check whether every interaction path in the state machine model of the target protocol satisfies it; if all interaction paths satisfy the security criterion, the target protocol is determined to have no security vulnerability; if there are paths that do not satisfy the criterion and a counterexample can be given, the target protocol is determined to have a security vulnerability.
The process of security test analysis of the target protocol is shown in FIG. 2: the learning engine, i.e. the learner, provides the list of messages (input strings) that can be sent to test the target protocol, and receives the list of response messages of the target protocol (output strings).
The state machine inference algorithm in the learner may be any learning algorithm such as L*, TTT or LN+, and the consistency detection algorithm in the learner may be any conformance testing algorithm such as Wmethod, MWmethod or Random. During model inference and model correction, the chosen state machine inference algorithm and consistency detection algorithm select symbols from the input symbol table, pass them to the mapper, and learn and correct the model according to the output symbols returned by the mapper; the whole process is automated.
The mapper converts the abstract messages in the input string list into concrete messages that can be sent to the target protocol, and converts the responses returned by the target protocol into abstract messages that the learning engine can recognize, i.e. output strings. The mapper therefore acts as a translation bridge between the learning engine and the oracle.
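As an added example (not the patent's own code), the following Python sketches the roles of FIG. 1 and FIG. 2 described above and in the membership/equivalence query steps: a learner that builds an L*-style observation table from membership queries, a mapper that translates abstract symbols into concrete messages and replies back into abstract outputs, and a constructed three-state handshake protocol standing in for the real target. The equivalence query is approximated by a bounded conformance test over all input words up to a given depth, in the spirit of the W-method family the text lists; the alphabets, message formats and protocol are all assumptions made for this example.

```python
"""MAT-style model learning of a protocol: learner, mapper and target (constructed example,
not the patent's own code). The learner sees only the abstract alphabets I and O."""
from itertools import product

I = ("HELLO", "AUTH", "DATA", "BYE")  # abstract input alphabet known to the learner

# Constructed target protocol standing in for the real system under test: a three-state
# handshake, {(state, concrete message): (next state, reply)}; anything else is rejected.
_PROTO = {
    ("INIT", b"HELLO\n"): ("HELLOED", b"200 hi\n"),
    ("HELLOED", b"AUTH secret\n"): ("AUTHED", b"230 ok\n"),
    ("AUTHED", b"DATA x\n"): ("AUTHED", b"250 accepted\n"),
    **{(s, b"BYE\n"): ("INIT", b"221 bye\n") for s in ("INIT", "HELLOED", "AUTHED")},
}

class ToyProtocol:
    def __init__(self):
        self.reset()
    def reset(self):
        self.state = "INIT"
    def step(self, msg):
        self.state, reply = _PROTO.get((self.state, msg), (self.state, b"500 error\n"))
        return reply

class Mapper:
    """Bridge between abstract symbols and concrete messages, in both directions."""
    TO_CONCRETE = {"HELLO": b"HELLO\n", "AUTH": b"AUTH secret\n", "DATA": b"DATA x\n", "BYE": b"BYE\n"}
    TO_ABSTRACT = {b"200 hi\n": "OK", b"230 ok\n": "AUTH_OK", b"250 accepted\n": "DATA_OK",
                   b"221 bye\n": "CLOSED", b"500 error\n": "ERR"}
    def __init__(self, sul):
        self.sul = sul
    def query(self, word):
        """Membership query: reset the target, run sigma in I*, return A_M(sigma)."""
        self.sul.reset()
        return tuple(self.TO_ABSTRACT[self.sul.step(self.TO_CONCRETE[a])] for a in word)

class MealyLearner:
    """L*-style observation table for Mealy machines (S prefix-closed, E suffix-closed)."""
    def __init__(self, mapper, inputs):
        self.q, self.I = mapper, inputs
        self.S, self.E, self.cache = [()], [(a,) for a in inputs], {}
    def out(self, word):
        if word not in self.cache:
            self.cache[word] = self.q.query(word)
        return self.cache[word]
    def row(self, s):  # a Mealy row keeps only the output of the last symbol of s.e
        return tuple(self.out(s + e)[-1] for e in self.E)
    def close(self):
        """Add one-step extensions whose row is unseen until the table is closed."""
        changed = True
        while changed:
            changed = False
            rows = {self.row(s) for s in self.S}
            for s in list(self.S):
                for a in self.I:
                    if self.row(s + (a,)) not in rows:
                        self.S.append(s + (a,))
                        rows.add(self.row(s + (a,)))
                        changed = True
    def hypothesis(self):
        """Return (initial state, {(state, input): (next state, output)})."""
        self.close()
        names = {}
        for s in self.S:
            names.setdefault(self.row(s), len(names))
        trans = {(names[self.row(s)], a): (names[self.row(s + (a,))], self.out(s + (a,))[-1])
                 for s in self.S for a in self.I}
        return names[self.row(())], trans

def run_hyp(hyp, word):
    """Output word A_H(word) of the hypothesis hyp."""
    q, trans = hyp
    outs = []
    for a in word:
        q, o = trans[(q, a)]
        outs.append(o)
    return tuple(outs)

def equivalence_query(learner, hyp, depth):
    """Bounded conformance test standing in for the oracle's equivalence query: the first
    word of length <= depth with A_H != A_M, or None (the oracle answers "yes")."""
    for n in range(1, depth + 1):
        for word in product(learner.I, repeat=n):
            if run_hyp(hyp, word) != learner.out(word):
                return word
    return None

def learn(mapper, inputs, depth=4):
    """MAT loop: membership queries build H; each counterexample refines E and H."""
    learner = MealyLearner(mapper, inputs)
    while True:
        hyp = learner.hypothesis()
        ce = equivalence_query(learner, hyp, depth)
        if ce is None:
            return hyp
        for i in range(len(ce)):  # add every suffix of the counterexample to E
            if ce[i:] not in learner.E:
                learner.E.append(ce[i:])
```

Calling `learn(Mapper(ToyProtocol()), I)` returns the initial state and transition table of the hypothesis; with this target, single-symbol suffixes already distinguish all three states, so the first hypothesis passes the bounded equivalence query. Against a real target, `ToyProtocol.step` would be replaced by a socket round trip, and the mapper would also have to carry the session state the abstract alphabet hides (sequence numbers, nonces, keys), which is why the mapper is the one component that needs protocol knowledge.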
Finally, a finite-state machine model reflecting the target protocol is obtained through this flow, and its security is checked with model checking based on formal analysis.
In this embodiment, temporal logic specifications such as computation tree logic (CTL) and linear temporal logic (LTL) can be stated over the model, so that the paths of the model are tested against the specification; if some interaction path does not satisfy the specification, a counterexample is produced, and the protocol interaction sequence in the counterexample constitutes a concrete attack scenario.
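The path check of step (2), as an added example that is not part of the patent: the learned model is encoded as a transition table, the security criterion "data is accepted only after successful authentication" is expressed as a small monitor equivalent to the LTL formula G(DATA_OK → authenticated), and a breadth-first search over the product of model and monitor either confirms that every interaction path satisfies the criterion or returns the shortest violating input word as the counterexample. The two models, the alphabet and the criterion are constructed for this example.

```python
"""Model checking a learned Mealy machine against a security criterion (constructed
example, not the patent's own code). A model is {(state, input): (next state, output)}."""
from collections import deque

INPUTS = ("HELLO", "AUTH", "DATA", "BYE")

def mealy(rows):
    """Build a model from (state, input, next state, output) rows."""
    return {(q, a): (nq, o) for q, a, nq, o in rows}

# Constructed learned model: data is only accepted after a successful AUTH.
COMPLIANT = mealy([
    (0, "HELLO", 1, "OK"),  (0, "AUTH", 0, "ERR"),     (0, "DATA", 0, "ERR"),     (0, "BYE", 0, "CLOSED"),
    (1, "HELLO", 1, "ERR"), (1, "AUTH", 2, "AUTH_OK"), (1, "DATA", 1, "ERR"),     (1, "BYE", 0, "CLOSED"),
    (2, "HELLO", 2, "ERR"), (2, "AUTH", 2, "ERR"),     (2, "DATA", 2, "DATA_OK"), (2, "BYE", 0, "CLOSED"),
])
# Constructed flawed implementation: identical except that state 1 accepts DATA before
# authentication, the kind of specification-violating logic bug the text describes.
FLAWED = {**COMPLIANT, (1, "DATA"): (1, "DATA_OK")}

def auth_before_data(authenticated, out):
    """Monitor for the criterion G(DATA_OK -> authenticated): a DATA_OK output must never
    appear unless AUTH_OK occurred earlier in the same session.
    Returns (new monitor state, violated)."""
    if out == "AUTH_OK":
        return True, False
    if out == "CLOSED":  # session reset: authentication no longer holds
        return False, False
    return authenticated, out == "DATA_OK" and not authenticated

def check_safety(model, inputs, monitor, init_state=0, init_monitor=False):
    """Breadth-first search of the product of the learned model and the monitor.
    Returns None if every interaction path satisfies the criterion, otherwise the
    shortest input word that violates it (the counterexample)."""
    start = (init_state, init_monitor)
    seen, queue = {start}, deque([(start, ())])
    while queue:
        (q, m), path = queue.popleft()
        for a in inputs:
            nq, out = model[(q, a)]
            nm, violated = monitor(m, out)
            if violated:
                return path + (a,)
            if (nq, nm) not in seen:
                seen.add((nq, nm))
                queue.append(((nq, nm), path + (a,)))
    return None

def trace(model, word, init_state=0):
    """Replay a counterexample as the (input, output) exchange it represents."""
    q, steps = init_state, []
    for a in word:
        q, out = model[(q, a)]
        steps.append((a, out))
    return steps
```

With `COMPLIANT`, `check_safety` returns None; with `FLAWED` it returns ("HELLO", "DATA"), and `trace` replays that as the exchange HELLO/OK, DATA/DATA_OK, i.e. data accepted on a path with no AUTH_OK. Because the product is explored exhaustively, None is a proof for the learned model, but only as good as that model: a path the learner never observed is a path the checker never sees, so the quality of the equivalence query in step (1) bounds the value of the verdict in step (2).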

Claims (5)

1. A network protocol security test evaluation method based on model learning, characterized by comprising the following steps:
(1) obtaining a finite-state machine model of a target protocol: under the classical MAT framework, a finite-state machine model of the target protocol is automatically inferred using a model learning algorithm; the participants in the model learning algorithm are a learner, a mapper and the target protocol; the learner generates an input string for testing according to the model learning algorithm, the mapper translates the input string into actual messages and interacts with the system so that the output string corresponding to the input string is obtained, input strings and their corresponding output strings are obtained repeatedly so that an input/output observation table for the target protocol is built, and the observation table is mapped into a finite-state machine model of the target protocol through the mapper;
(2) analyzing the security of the finite-state machine model of the target protocol: a security criterion is defined according to the security requirements of the target protocol, and model checking is used to check whether every interaction path in the state machine model of the target protocol satisfies the security criterion; if all interaction paths satisfy the security criterion, the target protocol is determined to have no security vulnerability; if there are paths that do not satisfy the security criterion and a counterexample can be given, the target protocol is determined to have a security vulnerability.
2. The method as claimed in claim 1, wherein in step (1), while the finite-state machine model of the target protocol is obtained, the following assumptions are made before the learner generates the input string for testing according to the model learning algorithm:
① running the model learning algorithm eventually yields a finite-state machine model;
② the learner knows all valid inputs and outputs of the target protocol;
③ the target protocol can answer any query and gives a deterministic answer to each query.
3. The network protocol security test evaluation method based on model learning as claimed in claim 2, wherein in step (1) the classical MAT framework consists of a learner and an oracle, the oracle serving as the interface to the running target protocol; the learner knows only the input symbol set I and the output symbol set O, and the learner can ask the oracle to reset the target protocol to its start state.
4. The network protocol security test evaluation method based on model learning as claimed in claim 3, wherein the model learning algorithm comprises the following steps:
I. membership query: after the oracle has reset the target protocol to the start state, the learner sends an input string σ ∈ I* to the oracle as a query to the target protocol, and the oracle responds with the corresponding output string A_M(σ); after each complete round of queries a reset query is issued to keep the runs consistent; through membership queries the learner builds a hypothesis Mealy machine H for the state machine behind the oracle;
II. equivalence query: the learner asks the oracle whether the hypothesis Mealy machine H is equivalent to the Mealy machine M of the real target protocol, i.e. whether A_H(σ) = A_M(σ) for all σ ∈ I*; if the oracle answers yes, the learning algorithm terminates and outputs the state diagram H; otherwise the oracle returns a counterexample σ ∈ I* with A_H(σ) ≠ A_M(σ), and the learner refines the hypothesis using the counterexample and continues learning until an acceptable hypothesis is obtained.
5. The network protocol security test evaluation method based on model learning as claimed in claim 4, wherein the specific analysis process of the model checking method in step (2) is as follows:
i. the learner sends input strings to the mapper, and learns and revises the model according to the output strings returned by the mapper;
ii. the mapper converts the abstract messages of the input string into concrete messages that can be sent to the target protocol, and converts the responses returned by the target protocol into output strings that the learner can recognize;
iii. the model of the target protocol obtained by the learner through learning and correction is analyzed, and the vulnerabilities of the target protocol are found by analyzing this model.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201911395953.1A (published as CN111092775A) | 2019-12-30 | 2019-12-30 | Network protocol security test evaluation method based on model learning

Publications (1)

Publication Number | Publication Date
CN111092775A | 2020-05-01

Family

ID=70397795

Country Status (1)

Country Link
CN (1) CN111092775A (en)

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN109379329A * | 2018-09-05 | 2019-02-22 | PLA Strategic Support Force Information Engineering University | Network security protocol fuzz testing method and system based on LSTM

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Liu Xianghui et al.: "Analysis of security problems in the TCP handshake using finite state machines", Computer Engineering and Science *
Song Yubo et al.: "Formal analysis of the verifiable security of the 802.11i authentication protocol", Engineering Sciences *
Shen Yingzhu et al.: "Vulnerability analysis of OpenVPN systems based on model learning", Journal of Software *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN112152795A * | 2020-08-11 | 2020-12-29 | PLA Strategic Support Force Information Engineering University | Security protocol code vulnerability mining method based on state machine consistency detection
CN112152795B * | 2020-08-11 | 2023-02-03 | PLA Strategic Support Force Information Engineering University | Security protocol code vulnerability mining method based on state machine consistency detection
CN112019403A * | 2020-08-24 | 2020-12-01 | Hangzhou Yige Technology Co Ltd | Cross-platform automatic mining method and system for message protocol state machine of Internet of things
CN112019403B * | 2020-08-24 | 2021-10-01 | Hangzhou Yige Technology Co Ltd | Cross-platform automatic mining method and system for message protocol state machine of Internet of things
CN112422515A * | 2020-10-27 | 2021-02-26 | Ruijie Networks Co Ltd | Protocol vulnerability testing method and device and storage medium
CN112422515B * | 2020-10-27 | 2023-03-21 | Ruijie Networks Co Ltd | Protocol vulnerability testing method and device and storage medium
CN112733155A * | 2021-01-28 | 2021-04-30 | National University of Defense Technology | Software forced safety protection method based on external environment model learning
CN112733155B * | 2021-01-28 | 2024-04-16 | National University of Defense Technology | Software forced safety protection method based on external environment model learning
CN113852620A * | 2021-09-22 | 2021-12-28 | PLA Strategic Support Force Information Engineering University | Security protocol host name verification module vulnerability analysis method based on model learning
CN113852620B * | 2021-09-22 | 2023-07-18 | PLA Strategic Support Force Information Engineering University | Safety protocol host name verification module vulnerability analysis method based on model learning
CN118113728A * | 2024-04-30 | 2024-05-31 | Inspur Electronic Information Industry Co Ltd | Data query method, system, device, equipment and readable storage medium

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
WD01 | Invention patent application deemed withdrawn after publication

Application publication date: 20200501