CN112422515A - Protocol vulnerability testing method and device and storage medium

Info

Publication number: CN112422515A (application CN202011162203.2A; granted version CN112422515B)
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 欧阳靖
Assignee (original and current): Ruijie Networks Co Ltd
Legal status: granted; active (status as listed by Google Patents, not a legal conclusion)
Prior art keywords: interaction, interactive, session, equipment, historical

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (H04L63/00 network security; H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • H04L43/18 Protocol analysers (H04L43/00 arrangements for monitoring or testing data switching networks)
    • H04L63/1433 Vulnerability analysis (H04L63/14 detecting or protecting against malicious traffic)


Abstract

The invention discloses a method, a device and a storage medium for testing protocol vulnerabilities, intended to solve the problem that protocol vulnerability testing in the prior art is slow and inaccurate. The testing method comprises: establishing a session process with a device under test; during the session, the process controls the interaction logic used with the device under test according to a finite-state machine and feedback from the device under test, generates the corresponding interaction messages and sends them to the device under test for vulnerability testing, where the finite-state machine is learned from the interaction histories of captured historical sessions; and monitoring the running state of the application on the device under test that corresponds to the session, and determining that the device under test has a vulnerability when that running state is interrupted.

Description

Protocol vulnerability testing method and device and storage medium
Technical Field
The present invention relates to the field of data communications, and in particular, to a method and an apparatus for testing protocol vulnerabilities, and a storage medium.
Background
In a communication network, from Internet applications down to hardware devices, there are a large number of network services and corresponding protocols, and the robustness and security of these services and protocols are very important.
For example, malformed and attack traffic is ubiquitous in real networks, while a protocol stack usually contains software coding defects and protocol design defects. A device using such a protocol stack then inherits the corresponding vulnerabilities, such as buffer overflows, string overflows, format string bugs and pointer overwrites, which surface while the protocol stack process handles network traffic during communication and lead to serious consequences such as process crashes and interruption of traffic forwarding.
Generally, protocol vulnerabilities are tested for and discovered by manual protocol fuzzing or by random-data fuzzing.
In manual protocol fuzzing, a tester first understands the protocol and then hand-crafts attack messages against the protocol stack for each protocol state in order to search for vulnerabilities. Its advantage is that, being based on the protocol's states, it can reach each state and send random data in that state, so its accuracy is high, and a tester with sufficient knowledge and skill can test precisely. Its disadvantages are a strong dependence on the tester's skill, the need to read the protocol specification manually to obtain the protocol states up front, the large number of protocol types, difficulty scaling up quickly, high cost, low output and difficulty of large-scale deployment.
In random-data fuzzing, the protocol is disregarded entirely: messages are generated at random and blasted at the protocol stack on the target port to search for vulnerabilities. Its advantage is that data is generated and sent randomly, with little dependence on personnel. Its disadvantage is low efficiency: because the messages are fully random, even the protocol's invariant fields are tampered with, and because they are not sent according to the protocol's state machine, most of them are discarded by the protocol's state handling layer, deep protocol states are never reached and most vulnerabilities cannot be triggered.
In view of this, how to test quickly and accurately for vulnerabilities in a protocol has become a technical problem that urgently needs to be solved.
Disclosure of Invention
The invention provides a method and a device for testing protocol vulnerabilities and a storage medium, to solve the problem that protocol vulnerability testing in the prior art is slow and not accurate enough.
In a first aspect, to solve the above technical problem, an embodiment of the invention provides a method for testing a protocol vulnerability, as follows:
establishing a session process with a device under test;
during the session, the process controls the interaction logic used with the device under test according to a finite-state machine and feedback from the device under test, generates the corresponding interaction messages and sends them to the device under test for vulnerability testing, where the finite-state machine is learned from the interaction histories of captured historical sessions;
and monitoring the running state of the application on the device under test that corresponds to the session, and determining that the device under test has a vulnerability when that running state is interrupted.
In a possible implementation, before the process controls the interaction logic according to the finite-state machine and the feedback from the device under test, the method further includes:
capturing a plurality of historical messages exchanged with the device under test;
obtaining, from the plurality of historical messages, the historical session messages belonging to each historical session, and determining the interaction history of each historical session from those messages;
and learning the interaction histories of all historical sessions belonging to the same application protocol to obtain the finite-state machine.
In a possible implementation, learning the interaction histories of all historical sessions belonging to the same application protocol to obtain the finite-state machine includes:
constructing an interaction trajectory for each historical session from its interaction history;
determining, among all interaction trajectories, a similar-trajectory set whose similarity is greater than or equal to a set threshold and a non-similar-trajectory set whose similarity is below the threshold;
learning the content of the historical messages at each interaction point in the similar-trajectory set to obtain the data interaction format of each interaction point;
merging the identical interaction points of all interaction trajectories in the non-similar-trajectory set to obtain the interaction logic;
and building the finite-state machine from the data interaction format of each interaction point and the interaction logic.
In a possible implementation, constructing an interaction trajectory for each historical session from its interaction history includes:
abstracting each historical session message in the interaction history into an interaction point;
and connecting the interaction points in series in the order of the messages' interaction times to obtain the interaction trajectory of each historical session.
In a possible implementation, learning the content of the historical messages at each interaction point in the similar-trajectory set to obtain the data interaction format of each interaction point includes:
analysing the fields of the historical session messages at each interaction point and determining their basic components, where the basic components comprise a general message part and a data-bearing part;
determining the fields whose length is unchanged across all historical session messages as the first fields, in which the general message part is placed, and determining all the distinct historical values appearing in the first fields as the valid value set of the general message part;
determining the fields whose length varies across the historical session messages as the second fields, in which the data-bearing part is placed;
determining the value range of the data length of the data-bearing part from the historical variation of the data length in the second fields;
and determining the first fields together with the valid value set as the data format of the invariant part of the data interaction format, and the second fields together with the length range as the data format of the variable part.
In a possible implementation, generating the corresponding interaction message and sending it to the device under test includes:
filling the variable part of the interaction data corresponding to the session with fuzz data to obtain the interaction message;
and sending the interaction message to the device under test.
In a possible implementation, monitoring the running state of the application on the device under test that corresponds to the session includes:
performing keep-alive monitoring of the process;
or monitoring the protocol stack of the device under test.
In a second aspect, an embodiment of the invention provides a device for testing a protocol vulnerability, comprising:
a creating unit, configured to create a session process with the device under test;
an interaction unit, configured to control, during the session, the interaction logic used with the device under test according to a finite-state machine and feedback from the device under test, to generate the corresponding interaction messages and to send them to the device under test for vulnerability testing, where the finite-state machine is learned from the interaction histories of captured historical sessions;
and a monitoring unit, configured to monitor the running state of the application on the device under test that corresponds to the session and to determine that the device under test has a vulnerability when that running state is interrupted.
In a possible embodiment, the testing device further comprises a training unit configured to:
capture a plurality of historical messages exchanged with the device under test;
obtain, from the plurality of historical messages, the historical session messages belonging to each historical session, and determine the interaction history of each historical session from those messages;
and learn the interaction histories of all historical sessions belonging to the same application protocol to obtain the finite-state machine.
In a possible embodiment, the training unit is further configured to:
construct an interaction trajectory for each historical session from its interaction history;
determine, among all interaction trajectories, a similar-trajectory set whose similarity is greater than or equal to a set threshold and a non-similar-trajectory set whose similarity is below the threshold;
learn the content of the historical messages at each interaction point in the similar-trajectory set to obtain the data interaction format of each interaction point;
merge the identical interaction points of all interaction trajectories in the non-similar-trajectory set to obtain the interaction logic;
and build the finite-state machine from the data interaction format of each interaction point and the interaction logic.
In a possible embodiment, the training unit is further configured to:
abstract each historical session message in the interaction history into an interaction point;
and connect the interaction points in series in the order of the messages' interaction times to obtain the interaction trajectory of each historical session.
In a possible embodiment, the training unit is further configured to:
analyse the fields of the historical session messages at each interaction point and determine their basic components, where the basic components comprise a general message part and a data-bearing part;
determine the fields whose length is unchanged across all historical session messages as the first fields, in which the general message part is placed, and determine all the distinct historical values appearing in the first fields as the valid value set of the general message part;
determine the fields whose length varies across the historical session messages as the second fields, in which the data-bearing part is placed;
determine the value range of the data length of the data-bearing part from the historical variation of the data length in the second fields;
and determine the first fields together with the valid value set as the data format of the invariant part of the data interaction format, and the second fields together with the length range as the data format of the variable part.
In a possible implementation, the interaction unit is further configured to:
fill the variable part of the interaction data corresponding to the session with fuzz data to obtain the interaction message;
and send the interaction message to the device under test.
In a possible embodiment, the monitoring unit is configured to:
perform keep-alive monitoring of the process;
or monitor the protocol stack of the device under test.
In a third aspect, an embodiment of the invention further provides a device for testing a protocol vulnerability, comprising:
at least one processor, and
a memory coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, and the at least one processor performs the method of the first aspect by executing the instructions stored in the memory.
In a fourth aspect, an embodiment of the invention further provides a computer-readable storage medium, comprising:
a memory for storing instructions,
wherein the instructions, when executed by a processor, cause a device comprising the readable storage medium to perform the method of the first aspect.
Through the technical solutions of one or more of the above embodiments, the embodiments of the invention have at least the following technical effects:
a session process with the device under test is established; because the finite-state machine is learned from the interaction histories of captured historical sessions, the process can, during the session, automatically generate correct interaction logic and interaction messages according to the finite-state machine and the feedback from the device under test, and use them to test the device for vulnerabilities. This overcomes the drawback of the prior art that a test environment must be designed manually, or that automatically generated test messages are filtered out and test nothing because they do not satisfy the protocol's interaction requirements. During the interaction, the running state of the application on the device under test that corresponds to the session is monitored, and a vulnerability is determined to exist when that running state is interrupted. The interaction messages needed to test for protocol vulnerabilities are therefore generated automatically without manual intervention, vulnerabilities are discovered promptly and test efficiency is improved.
Drawings
Fig. 1 is a flowchart of a method for testing a protocol vulnerability according to an embodiment of the invention;
Fig. 2 is a schematic diagram of the interaction trajectory of a historical session according to an embodiment of the invention;
Fig. 3 is a schematic diagram of similar interaction trajectories according to an embodiment of the invention;
Fig. 4 is a schematic diagram of non-similar interaction trajectories according to an embodiment of the invention;
Fig. 5 is a schematic diagram of interaction logic according to an embodiment of the invention;
Fig. 6 is a schematic structural diagram of a device for testing a protocol vulnerability according to an embodiment of the invention.
Detailed Description
The embodiments of the invention provide a method and a device for testing protocol vulnerabilities and a storage medium, to solve the problem that protocol vulnerability testing in the prior art is slow and not accurate enough.
To solve this technical problem, the general idea of the embodiments of the present application is as follows:
a method for testing protocol vulnerabilities is provided, comprising: establishing a session process with a device under test; during the session, the process controls the interaction logic used with the device under test according to a finite-state machine and feedback from the device under test, generates the corresponding interaction messages and sends them to the device under test for vulnerability testing, where the finite-state machine is learned from the interaction histories of captured historical sessions; and monitoring the running state of the application on the device under test that corresponds to the session, and determining that the device under test has a vulnerability when that running state is interrupted.
In this scheme, a session process with the device under test is established; because the finite-state machine is learned from the interaction histories of captured historical sessions, the process can, during the session, automatically generate correct interaction logic and interaction messages according to the finite-state machine and the feedback from the device under test, and use them to test the device for vulnerabilities. This overcomes the drawback of the prior art that a test environment must be designed manually, or that automatically generated test messages are filtered out and test nothing because they do not satisfy the protocol's interaction requirements. During the interaction, the running state of the application on the device under test that corresponds to the session is monitored, and a vulnerability is determined to exist when that running state is interrupted. The interaction messages needed to test for protocol vulnerabilities are therefore generated automatically without manual intervention, vulnerabilities are discovered promptly and test efficiency is improved.
To better understand the technical solutions of the invention, they are described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the specific features of the embodiments and examples are detailed illustrations of the technical solutions and not limitations of them, and that the technical features of the embodiments and examples may be combined with one another where they do not conflict.
Referring to Fig. 1, an embodiment of the invention provides a method for testing a protocol vulnerability; the method proceeds as follows.
Step 101: a process for conducting a session with the device under test is created.
Step 102: during the session, the process controls the interaction logic used with the device under test according to a finite-state machine and feedback from the device under test, generates the corresponding interaction messages and sends them to the device under test for vulnerability testing; the finite-state machine is learned from the interaction histories of captured historical sessions.
Before the finite-state machine can control the interaction logic and interaction messages exchanged with the device under test, it has to be trained. It can be obtained by the following training procedure:
First, a plurality of historical messages exchanged with the device under test are captured.
For example, while the local device communicates with the device under test, packet capture software (such as tcpdump or Wireshark) can be used to sniff the traffic on the network and store it in packet capture (PCAP) format; the captured packets are the historical messages.
The total number of messages to capture can be set dynamically according to the required training accuracy. To train the finite-state machine of one application protocol, at least 10 historical sessions, with a variance of their diversity approaching 30%, are typically needed.
Note that the packets captured by the capture software may also be in formats other than PCAP; the historical messages are not limited to PCAP packets.
Second, the historical session messages belonging to each historical session are extracted from the plurality of historical messages, and the interaction history of each historical session is obtained.
For example, after the historical messages have been captured, each one is tagged with a session identifier. If no new message arrives within the expected interval, the historical session is judged to have ended, it is marked as terminated and the identifier of the next historical session is started. The historical messages carrying the same session identifier are taken as the historical session messages of that session and together form its interaction history.
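The capture-and-split step above, as an added example in Python. This is illustration code, not code from the patent or from Ruijie Networks. It assumes the captured packets have already been decoded into (timestamp, source, destination, payload) records, as a PCAP reader would produce; the 30-second idle timeout, the endpoint-pair flow key and the capture itself are constructed for the example.

```python
"""Split captured packets into sessions and interaction histories (added example)."""
from collections import defaultdict
from dataclasses import dataclass

IDLE_TIMEOUT = 30.0  # assumed: a flow silent for longer than this has ended its session


@dataclass(frozen=True)
class Packet:
    ts: float       # capture timestamp in seconds (from the PCAP record header)
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" of the receiver
    payload: bytes  # application-layer data only


def split_sessions(packets, idle_timeout=IDLE_TIMEOUT):
    """Tag each packet with a session identifier and return {session_id: [(sender, payload), ...]}.

    Packets are grouped by endpoint pair (both directions share one flow); when a flow's
    previous packet is older than idle_timeout the session is marked terminated and a new
    identifier is started, which is the "no new message within the interval" rule above.
    """
    last_seen = {}                 # flow key -> timestamp of its most recent packet
    current_session = {}           # flow key -> session id currently open on that flow
    sessions = defaultdict(list)   # session id -> interaction history, in time order
    next_id = 0
    for p in sorted(packets, key=lambda p: p.ts):
        key = tuple(sorted((p.src, p.dst)))   # same key regardless of direction
        if key not in current_session or p.ts - last_seen[key] > idle_timeout:
            next_id += 1
            current_session[key] = next_id
        last_seen[key] = p.ts
        sessions[current_session[key]].append((p.src, p.payload))
    return dict(sessions)


# Constructed capture: two FTP-style clients talking to one server; the first client
# returns after 49 s of silence, which must become a new session.
CAPTURE = [
    Packet(0.0,  "10.0.0.9:21",    "10.0.0.5:40001", b"220 FTP 3.14\r\n"),
    Packet(0.4,  "10.0.0.5:40001", "10.0.0.9:21",    b"USER anon\r\n"),
    Packet(0.6,  "10.0.0.9:21",    "10.0.0.5:40001", b"331 USER anon OK\r\n"),
    Packet(1.0,  "10.0.0.9:21",    "10.0.0.7:40002", b"220 FTP 3.12\r\n"),
    Packet(1.3,  "10.0.0.7:40002", "10.0.0.9:21",    b"USER ren\r\n"),
    Packet(1.5,  "10.0.0.9:21",    "10.0.0.7:40002", b"331 USER ren OK\r\n"),
    Packet(50.0, "10.0.0.9:21",    "10.0.0.5:40001", b"220 FTP 2.0\r\n"),
    Packet(50.4, "10.0.0.5:40001", "10.0.0.9:21",    b"USER liz\r\n"),
    Packet(50.6, "10.0.0.9:21",    "10.0.0.5:40001", b"331 USER liz OK\r\n"),
]

if __name__ == "__main__":
    for sid, history in split_sessions(CAPTURE).items():
        print(sid, [payload for _, payload in history])
```

The interleaved second client is kept apart by the flow key rather than by time, which matters because in a real capture sessions of the same protocol overlap; only the silence on one flow closes that flow's session.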
Finally, the interaction histories of all historical sessions belonging to the same application protocol are learned to obtain the finite-state machine.
The interaction histories can be learned into a finite-state machine of the application protocol as follows:
An interaction trajectory is constructed for each historical session from its interaction history.
Specifically, it can be constructed in the following way: each historical session message in the interaction history is abstracted into an interaction point, and the interaction points are connected in series in the order of the messages' interaction times to obtain the interaction trajectory of each historical session.
For example, the historical session messages of session 1 may be abbreviated as: FTP 3.14 USER anon 331 USER anon OK. The session can be abstracted into the interaction trajectory shown in Fig. 2, a schematic diagram of the interaction trajectory of a historical session according to an embodiment of the invention. In Fig. 2, FTP denotes the application protocol used by the application on the device under test; each of the other circles represents an interaction point.
Note that an actual historical session message carries a great deal of data and a session consists of many such messages, so to save space a historical session is abbreviated to the form shown for session 1.
Once the interaction trajectory of each historical session has been obtained, a similar-trajectory set whose similarity is greater than or equal to a set threshold and a non-similar-trajectory set whose similarity is below the threshold can be determined among all interaction trajectories.
For example, take the following sessions:
Session 1: FTP 3.14 USER anon 331 USER anon OK;
Session 2: FTP 3.12 USER ren 331 USER ren OK;
Session 3: FTP 2.0 USER liz 331 USER liz OK.
The historical trajectories of these 3 sessions are shown in Fig. 3, a schematic diagram of similar interaction trajectories according to an embodiment of the invention. In practice, a clustering algorithm (for example NMF clustering) can be applied to determine that the similarity between session 1 and session 3 exceeds the set threshold, so sessions 1 to 3 are determined to be similar trajectories; that is, sessions 1 to 3 form a similar-trajectory set.
Note that the similarity can also be computed with methods other than a distance-based algorithm; these are not described here.
Fig. 4 is a schematic diagram of non-similar interaction trajectories according to an embodiment of the invention. Computing the similarity between session 1 and session 4 shows that it is below the set threshold; typically the historical trajectories of session 1 and session 4 differ in the way shown in Fig. 4, for instance in the number of interaction points, the positions of the interaction points, or the results at the interaction points.
Once the non-similar-trajectory set has been obtained, the identical interaction points of all interaction trajectories in it can be merged to obtain the interaction logic.
Fig. 5 is a schematic diagram of interaction logic according to an embodiment of the invention; it is obtained by merging the historical trajectories of Fig. 4. In practice, the more historical sessions of the same application protocol are obtained, the more they differ from one another and the more distinct historical trajectories result, and the closer the determined interaction logic of the application protocol comes to the real interaction logic.
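The trajectory construction, similarity partition and merge of Figs. 2 to 5 (and of the corresponding claims above), as an added example in Python. This is illustration code, not code from the patent or from Ruijie Networks. Sessions 1 to 3 are the patent's; sessions 4 and 5, the 0.8 threshold, abstraction of a message by its leading token, and the normalised edit-distance similarity are assumptions made for the example: the patent mentions NMF clustering and distance-based measures but fixes neither.

```python
"""Trajectory abstraction, similarity partition and interaction-logic merge (added example)."""
from collections import defaultdict

THRESHOLD = 0.8  # assumed similarity threshold; the patent leaves it as a configurable setting


def interaction_point(message):
    """Abstract one session message into an interaction point: its leading keyword or reply code."""
    return message.split()[0]


def trajectory(messages):
    """Connect the interaction points in message order to form the session's trajectory."""
    return tuple(interaction_point(m) for m in messages)


def levenshtein(a, b):
    """Edit distance between two trajectories (insert, delete or substitute one interaction point)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]


def similarity(t1, t2):
    """Distance-based similarity in [0, 1]; 1.0 means identical trajectories."""
    return 1.0 - levenshtein(t1, t2) / max(len(t1), len(t2), 1)


def cluster(trajectories, threshold=THRESHOLD):
    """Greedily group trajectories: each joins the first group whose representative is similar enough.

    Each group is a similar-trajectory set; trajectories in different groups are non-similar.
    """
    groups = []
    for t in trajectories:
        for g in groups:
            if similarity(g[0], t) >= threshold:
                g.append(t)
                break
        else:
            groups.append([t])
    return groups


def merge_logic(trajectories):
    """Merge identical interaction points across trajectories into one directed graph."""
    logic = defaultdict(set)
    for t in trajectories:
        for here, nxt in zip(t, t[1:]):
            logic[here].add(nxt)
    return dict(logic)


# Sessions 1-3 are the patent's abbreviated examples; sessions 4 and 5 are constructed here
# to give a longer, branching login exchange (successful and failed PASS).
SESSIONS = {
    1: ["FTP 3.14", "USER anon", "331 USER anon OK"],
    2: ["FTP 3.12", "USER ren", "331 USER ren OK"],
    3: ["FTP 2.0", "USER liz", "331 USER liz OK"],
    4: ["FTP 3.14", "USER bob", "331 USER bob OK", "PASS hunter2", "230 Login OK", "QUIT", "221 Bye"],
    5: ["FTP 3.14", "USER liz", "331 USER liz OK", "PASS wrong", "530 Login incorrect", "QUIT", "221 Bye"],
}
TRAJECTORIES = [trajectory(m) for m in SESSIONS.values()]

if __name__ == "__main__":
    for g in cluster(TRAJECTORIES):
        print("similar set:", g)
    for point, successors in sorted(merge_logic(TRAJECTORIES).items()):
        print(f"{point} -> {sorted(successors)}")
```

Sessions 1 to 3 land in one group (similarity 1.0), sessions 4 and 5 in another, and merging everything yields a graph in which PASS branches to 230 or 530, which is exactly the kind of structure the later message generation needs the feedback code to walk.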
Once the similar-trajectory set has been determined, the content of the historical session messages at each interaction point in the set can be learned to obtain the data interaction format of each interaction point, as follows:
the fields of the historical session messages at each interaction point are analysed to determine their basic components, where the basic components comprise a general message part and a data-bearing part; the fields whose length is unchanged across all historical session messages are determined as the first fields, in which the general message part is placed, and all the distinct historical values appearing in the first fields are determined as the valid value set of the general message part; the fields whose length varies across the historical session messages are determined as the second fields, in which the data-bearing part is placed; the value range of the data length of the data-bearing part is determined from the historical variation of the data length in the second fields; the first fields together with the valid value set are determined as the data format of the invariant part of the data interaction format; and the positions of the second fields together with the length range are determined as the data format of the variable part.
For example, for sessions 1 to 3 in Fig. 3, analysing the fields of the historical session messages at the interaction point in the same position (FTP) shows that 3.14 in session 1, 3.12 in session 2 and 2.0 in session 3 occupy the same position (the second field) in their messages but with different field lengths, so this part is determined to be the data-bearing part. Assuming that 3.14, 3.12 and 2.0 occupy 10, 8 and 5 bytes respectively, the length range of the data-bearing part is determined to be 5 to 10 bytes; of course, the length range of the data at this position may change as more sessions are added.
The value 331 in sessions 1 to 3 occupies the same position (the first field) of the historical session message at the interaction point USER, with the same field length in every session, so this part is determined to be the general message part; 331 is one of its valid values, and several such valid values form the valid value set of this message part. Each first field together with its valid value set is determined to be the data format of the invariant part of the data interaction format, and each second field together with the range of its data length is determined to be the data format of the variable part.
Once the interaction logic of the application protocol and the data interaction format of each interaction point in that logic have been determined as above, the two are combined into a finite-state machine.
When the device under test is fuzzed, the finite-state machine controls the interaction logic according to the feedback information returned by the device under test, generates the corresponding interaction message and sends it to the device; step 103 then determines whether the device under test has a vulnerability.
To generate an interaction message, the variable part of the interaction data for the current session state is filled with fuzz data; the resulting interaction message is sent to the device under test for vulnerability testing.
That is, data filling follows the data interaction format: each invariant part (each general message part) is written with a value chosen from its valid value set, and the variable part is filled with fuzz data. The message therefore keeps a well-formed fixed part, so it is not rejected for a malformed header before the fuzz data in the variable part is processed by the device under test.
Step 103: the running state of the application in the device under test that corresponds to the session is monitored, and the device under test is determined to have a vulnerability when that application is interrupted.
Whether the application in the device under test has been interrupted can be monitored in the following ways:
keep-alive monitoring of the process, or monitoring of the protocol stack of the device under test.
If the application is found to have disconnected or to have terminated abnormally (coredump), the application is determined to be interrupted and, further, the device under test is determined to have a vulnerability.
When the device under test is determined to possibly have a vulnerability, the interaction message(s) that triggered it are stored together with the related information collected, for analysis by a tester.
Based on the same inventive concept, an embodiment of the present invention provides an apparatus for testing protocol vulnerabilities. Its specific implementation follows the method embodiment described above and is not repeated here. Referring to fig. 6, the testing apparatus comprises:
a creating unit 601, configured to create a session process with the device under test;
an interaction unit 602, configured to control, in the session process and according to the finite-state machine and the feedback information of the device under test, the interaction logic for interacting with the device under test, to generate the corresponding interaction message and to send it to the device under test; the finite-state machine being obtained by learning from the interaction histories in captured historical sessions;
and a monitoring unit 603, configured to monitor the running state of the application in the device under test that corresponds to the session, and to determine that the device under test has a vulnerability when the running state of the application is interrupted.
In a possible implementation, the testing apparatus further comprises a training unit 604, configured to:
capture a plurality of historical messages exchanged with the device under test;
obtain from the plurality of historical messages the historical session messages belonging to each historical session, and obtain the interaction history of each historical session;
and learn from the interaction histories of all historical sessions belonging to the same application protocol to obtain the finite-state machine.
In a possible implementation, the training unit 604 is further configured to:
construct the interaction trajectory of each historical session from the interaction history of that session;
determine, among all interaction trajectories, a similar trajectory set whose similarity is greater than or equal to a set threshold and a non-similar trajectory set whose similarity is below the set threshold;
learn the content of the historical messages at each interaction point of the similar trajectory set to obtain the data interaction format of each interaction point;
merge the same interaction points of all interaction trajectories in the non-similar trajectory set to obtain the interaction logic;
and construct the finite-state machine from the data interaction format of each interaction point and the interaction logic.
In a possible implementation, the training unit 604 is further configured to:
abstract each historical session message in the interaction history into an interaction point;
and connect the interaction points serially in the time order of the historical session messages to obtain the interaction trajectory of each historical session.
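The trajectory construction, similarity split and merge into interaction logic described for the training unit here, and the finite-state machine the method embodiment above builds from them and drives by the device's feedback, can be implemented as follows. This is an added example, not code from the patent or from Ruijie Networks: the sessions are constructed FTP-like exchanges, the similarity measure (difflib's sequence ratio), the choice to keep the reference trajectory in the non-similar set as representative of its cluster, and the in-process device simulator are all this example's own assumptions.

```python
"""Learn interaction logic from captured sessions and drive a device with it.

Added example, not code from the patent or from Ruijie Networks. Steps shown:
abstract each captured message to an interaction point, string one session's
points together in time order (its interaction trajectory), split the
trajectories into a similar set and a non-similar set by a similarity
threshold, merge the same interaction points of the non-similar set into the
interaction logic, and use that logic as the finite-state machine that picks
the next message from the device's feedback. Assumptions of this example: the
sessions are constructed FTP-like exchanges ('C' = tester, 'S' = device), the
similarity measure is difflib's sequence ratio, the reference trajectory is
kept in the non-similar set to represent its cluster, and the device is an
in-process simulator.
"""
import difflib
from collections import defaultdict


def interaction_point(direction, message):
    """Abstract a message to (direction, command verb or reply code); the
    data-bearing part is dropped at this level."""
    return (direction, message.split(" ", 1)[0])


def trajectory(session):
    """Serially connect the interaction points of one session in time order."""
    return [interaction_point(d, m) for d, m in session]


def split_by_similarity(trajectories, threshold):
    """Similar set: trajectories whose ratio to the first (reference) trajectory
    is >= threshold. Non-similar set: the rest, plus the reference itself so
    that the path it represents survives the merge."""
    ref = trajectories[0]
    similar, non_similar = [ref], [ref]
    for t in trajectories[1:]:
        ratio = difflib.SequenceMatcher(None, ref, t).ratio()
        (similar if ratio >= threshold else non_similar).append(t)
    return similar, non_similar


def learn_logic(trajectories):
    """Merge the same interaction points of all trajectories into one graph.
    Sessions alternate tester command and device reply, so a state is the
    (command verb, reply code) pair and a transition is the verb captured next
    (None where the session ended)."""
    logic = {"start": set(), "next": defaultdict(set)}
    for t in trajectories:
        logic["start"].add(t[0][1])
        for i in range(0, len(t) - 1, 2):
            verb, code = t[i][1], t[i + 1][1]
            following = t[i + 2][1] if i + 2 < len(t) else None
            logic["next"][(verb, code)].add(following)
    return logic


def drive(logic, device, render=lambda verb: verb, max_steps=32):
    """Run the learned logic as a finite-state machine against `device`
    (callable: command -> reply line). `render` turns a verb into the full
    message; in the real tester that is where the data interaction format and
    the fuzz data go. Returns the exchange as (verb, reply) pairs."""
    verb = min(logic["start"])
    exchange = []
    for _ in range(max_steps):
        reply = device(render(verb))
        exchange.append((verb, reply))
        options = logic["next"].get((verb, reply.split(" ", 1)[0]), set()) - {None}
        if not options:          # no captured continuation: session ends here
            break
        verb = min(options)      # deterministic choice among captured branches
    return exchange


def simulated_device(password_ok=True):
    """Constructed stand-in for the device under test (minimal FTP-like replies)."""
    state = {"authed": False}

    def handle(command):
        verb = command.split(" ", 1)[0]
        if verb == "USER":
            return "331 Password required"
        if verb == "PASS":
            state["authed"] = password_ok
            return "230 Login successful" if password_ok else "530 Login incorrect"
        if verb == "PWD":
            return '257 "/" is the current directory' if state["authed"] else "530 Not logged in"
        if verb == "QUIT":
            return "221 Goodbye"
        return "500 Unknown command"
    return handle


# Constructed captures of four historical sessions of the same protocol.
SESSIONS = [
    [("C", "USER alice"), ("S", "331 Password required for alice"), ("C", "PASS hunter2"),
     ("S", "230 Login successful"), ("C", "PWD"), ("S", '257 "/home/alice"'),
     ("C", "QUIT"), ("S", "221 Goodbye")],
    [("C", "USER bob"), ("S", "331 Password required for bob"), ("C", "PASS s3cret"),
     ("S", "230 Login successful"), ("C", "PWD"), ("S", '257 "/home/bob"'),
     ("C", "QUIT"), ("S", "221 Goodbye")],
    [("C", "USER eve"), ("S", "331 Password required for eve"), ("C", "PASS wrong"),
     ("S", "530 Login incorrect"), ("C", "QUIT"), ("S", "221 Goodbye")],
    [("C", "USER anonymous"), ("S", "230 Anonymous login ok"), ("C", "PWD"),
     ("S", '257 "/"'), ("C", "QUIT"), ("S", "221 Goodbye")],
]

if __name__ == "__main__":
    similar, non_similar = split_by_similarity([trajectory(s) for s in SESSIONS], 0.9)
    fsm = learn_logic(non_similar)
    names = {"USER": "USER alice", "PASS": "PASS hunter2"}
    print(drive(fsm, simulated_device(), render=lambda v: names.get(v, v)))
```

With a threshold of 0.9 the two successful logins form the similar set (they are the samples from which a field format would be learned), while the failed login and the anonymous login diverge enough to land in the non-similar set, and merging them yields the branches (PASS, 530) to QUIT and (USER, 230) to PWD. `drive` then follows whichever branch the live device's reply code selects, which is the "control of the interaction logic by feedback" the text describes; a device that refuses the password is quit cleanly instead of being sent a PWD the captures never showed after a 530.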
In a possible implementation, the training unit 604 is further configured to:
analyse the fields of the historical session messages belonging to each interaction point and determine the basic components of those messages, the basic components comprising a general message part and a data-bearing part;
determine a field whose length is unchanged in all historical session messages as a first field carrying the general message part, and determine all distinct historical values appearing in the first field as the valid value set of the general message part;
determine a field whose length changes across the historical session messages as a second field carrying the data-bearing part;
determine the range of the data length of the data-bearing part from the historical variation of the data length in the second field;
and determine the first field together with its valid value set as the data format of the invariant part of the data interaction format, and the second field together with its length range as the data format of the variable part of the data interaction format.
In a possible implementation, the interaction unit 602 is further configured to:
fill the variable part of the interaction data corresponding to the session with fuzz data to obtain the interaction message;
and send the interaction message to the device under test.
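The field analysis of the training unit and the fuzz filling of the interaction unit, both also described in the method embodiment above (the FTP banner and USER examples), are shown together in the following added example. It is not code from the patent or from Ruijie Networks: the single-space tokenisation, the fuzz payload list and the FTP-like captured messages are this example's own assumptions.

```python
"""Infer an interaction point's data interaction format and fuzz its variable part.

Added example, not code from the patent or from Ruijie Networks. Across the
captured messages of one interaction point, a token whose length never changes
is treated as a general message part (invariant part; its observed values form
the valid value set) and a token whose length varies as a data-bearing part
(variable part; the observed lengths give its length range). Generated test
messages keep every invariant part valid and put fuzz data only in the
variable part. Assumptions of this example: messages are line-oriented and
split on single spaces, and the FTP-like captures below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class FieldSpec:
    index: int                                 # token position in the message
    fixed: bool                                # True: general message part
    values: set = field(default_factory=set)   # valid value set (fixed part)
    min_len: int = 0                           # observed length range (variable part)
    max_len: int = 0


def tokenize(message: bytes):
    """Split one message into its fields (CRLF stripped, single-space separated)."""
    return message.rstrip(b"\r\n").split(b" ")


def infer_format(messages):
    """Classify every token position of the captured messages of one interaction point.

    Caveat inherent to the length heuristic: a variable field whose captured
    values happen to share one length is classified as fixed; only more
    captured sessions reduce that risk.
    """
    rows = [tokenize(m) for m in messages]
    counts = {len(r) for r in rows}
    if len(counts) != 1:
        raise ValueError("token count differs: messages are not one interaction point")
    specs = []
    for i in range(counts.pop()):
        column = [r[i] for r in rows]
        lengths = {len(t) for t in column}
        if len(lengths) == 1:
            specs.append(FieldSpec(i, True, values=set(column)))
        else:
            specs.append(FieldSpec(i, False, min_len=min(lengths), max_len=max(lengths)))
    return specs


def conforms(specs, message: bytes) -> bool:
    """True when each fixed part holds an observed value and each variable part
    has a length inside the observed range."""
    tokens = tokenize(message)
    if len(tokens) != len(specs):
        return False
    for spec, tok in zip(specs, tokens):
        if spec.fixed and tok not in spec.values:
            return False
        if not spec.fixed and not spec.min_len <= len(tok) <= spec.max_len:
            return False
    return True


def fuzz_payloads(spec):
    """Fuzz data for one variable part: the edges of the observed length range,
    far beyond it, and bytes that commonly break text-protocol parsers."""
    return [
        b"",                               # below the observed minimum
        b"A" * spec.max_len,               # exactly the observed maximum
        b"A" * (spec.max_len * 256 + 1),   # far above it: buffer-size probe
        b"%s%n%x%s",                       # format-string specifiers
        b"\x00\xff\x00",                   # NUL and high bytes inside a text field
        b"../../../etc/passwd",            # path traversal in a name field
    ]


def generate_messages(specs):
    """Build test messages: every fixed part carries an observed valid value (the
    smallest, for determinism) and one variable part at a time carries fuzz data."""
    base = [min(s.values) if s.fixed else b"x" * s.min_len for s in specs]
    out = []
    for spec in specs:
        if spec.fixed:
            continue
        for payload in fuzz_payloads(spec):
            tokens = list(base)
            tokens[spec.index] = payload
            out.append(b" ".join(tokens) + b"\r\n")
    return out


# Constructed captures: the same two interaction points seen in three sessions.
BANNERS = [b"220 ExampleFTP 3.14 ready\r\n",
           b"220 ExampleFTP 3.12 ready\r\n",
           b"220 ExampleFTP 2.0 ready\r\n"]
USER_CMDS = [b"USER alice\r\n", b"USER bob\r\n", b"USER carol\r\n"]

if __name__ == "__main__":
    for spec in infer_format(BANNERS):
        print(spec)
    for msg in generate_messages(infer_format(USER_CMDS)):
        print(msg[:48])
```

For the banners the version token is the only one whose length varies (4, 4 and 3 bytes), so it becomes the data-bearing part with a 3 to 4 byte range while `220`, `ExampleFTP` and `ready` become general message parts with one-element valid value sets; `conforms` is the check a tester can run to confirm that a generated message deviates from the learned format only in the fuzzed field, which is what keeps the device from discarding it before the interesting bytes are parsed.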
In a possible implementation, the monitoring unit 603 is configured to:
perform keep-alive monitoring of the process;
or monitor the protocol stack of the device under test.
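The monitoring of step 103 in the method embodiment, restated for the monitoring unit here, is shown as a loop in the following added example: after every test message the target is probed, and the message after which the probe (or the next send) fails is kept with the preceding messages for the tester. The code is not from the patent or from Ruijie Networks; the TCP connect probe stands for the protocol-stack check, the process keep-alive is left as a pluggable callable, and the target is a constructed in-process simulator so the example runs offline.

```python
"""Keep-alive monitoring while fuzzing: detect the interruption, keep the trigger.

Added example, not code from the patent or from Ruijie Networks. It implements
step 103 as a loop: after each test message the monitor probes the target, and
the first message after which the probe fails (or whose send fails) is stored
with the messages sent before it, for the tester. `tcp_probe` is the
protocol-stack check a real run would plug in; the process keep-alive (PID or
coredump check on the device) is left as a pluggable callable. The target below
is a constructed in-process simulator that stops answering after an over-long
USER argument, so the example runs offline.
"""
import socket
from dataclasses import dataclass


@dataclass
class CrashReport:
    trigger: bytes      # message after which the application was found interrupted
    history: list       # messages sent earlier in the same session, in order
    reason: str


def tcp_probe(host, port, timeout=2.0):
    """Protocol-stack keep-alive: can the service still complete a TCP handshake?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class SimulatedTarget:
    """Constructed stand-in for the device under test: a text-protocol service
    that dies (as a real one would coredump) on a USER argument longer than
    its buffer, and whose connection is then reset."""

    def __init__(self, buffer_size=64):
        self.buffer_size = buffer_size
        self.alive = True

    def send(self, message: bytes) -> bytes:
        if not self.alive:
            raise ConnectionError("connection reset by peer")
        verb, _, arg = message.rstrip(b"\r\n").partition(b" ")
        if verb == b"USER" and len(arg) > self.buffer_size:
            self.alive = False      # the crash: no reply, process gone
            return b""
        return b"200 OK\r\n"

    def probe(self) -> bool:
        return self.alive


def run_session(messages, send, probe, keepalive_every=1):
    """Send the test messages in order; every `keepalive_every` messages run
    the liveness probe. Return a CrashReport on the first interruption, or
    None when the target survived the whole session."""
    history = []
    for i, msg in enumerate(messages, 1):
        try:
            send(msg)
        except ConnectionError as exc:
            return CrashReport(msg, list(history), f"send failed: {exc}")
        history.append(msg)
        if i % keepalive_every == 0 and not probe():
            return CrashReport(msg, history[:-1], "keep-alive probe failed")
    return None


# Constructed test session: the third message overruns a 16-byte buffer.
TEST_MESSAGES = [b"USER alice\r\n", b"PASS hunter2\r\n",
                 b"USER " + b"A" * 100 + b"\r\n", b"PWD\r\n"]

if __name__ == "__main__":
    target = SimulatedTarget(buffer_size=16)
    print(run_session(TEST_MESSAGES, target.send, target.probe))
```

Probing after every message attributes the crash to the message that caused it; with `keepalive_every=2` the simulator's death on the third message is only noticed when the fourth send fails, so the report names the fourth message. That is why the report keeps the whole session history rather than the last message alone: a tester replaying the report must be able to find the real trigger even when the probe granularity was coarser than one message.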
Based on the same inventive concept, an embodiment of the present invention provides an apparatus for testing protocol vulnerabilities, comprising: at least one processor, and
a memory coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, and the at least one processor performs the method for testing protocol vulnerabilities by executing the instructions stored in the memory.
Based on the same inventive concept, an embodiment of the present invention further provides a computer-readable storage medium, comprising:
a memory,
the memory being configured to store instructions that, when executed by a processor, cause the apparatus comprising the readable storage medium to perform the method for testing protocol vulnerabilities described above.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. A method for testing protocol vulnerabilities, characterized by comprising the following steps:
establishing a session process with a device under test;
in the session process, the process controlling, according to a finite-state machine and feedback information of the device under test, interaction logic for interacting with the device under test, generating a corresponding interaction message and sending it to the device under test for vulnerability testing; the finite-state machine being obtained by learning from interaction histories in captured historical sessions;
and monitoring the running state of the application in the device under test that corresponds to the session, and determining that the device under test has a vulnerability when the running state of the application is interrupted.
2. The method as claimed in claim 1, wherein before the process controls, according to the finite-state machine and the feedback information of the device under test, the interaction logic for interacting with the device under test, the method further comprises:
capturing a plurality of historical messages exchanged with the device under test;
obtaining from the plurality of historical messages the historical session messages belonging to each historical session, and determining the interaction history of each historical session from those historical session messages;
and learning from the interaction histories of all historical sessions belonging to the same application protocol to obtain the finite-state machine.
3. The method according to claim 2, wherein learning interaction histories corresponding to all history sessions belonging to the same application protocol to obtain the finite state machine comprises:
constructing an interaction track of each historical conversation according to the interaction history corresponding to each historical conversation;
determining a similar track set with the similarity being more than or equal to a set threshold value and a non-similar track set with the similarity being less than the set threshold value from all the interactive tracks;
learning the content of the history message corresponding to each interactive point in the similar track set to obtain the data interactive format of each interactive point;
combining the same interaction points in all the interaction tracks in the non-similar track set to obtain the interaction logic;
and constructing the data interaction format and the interaction logic of each interaction point into the finite-state machine.
4. The testing method of claim 3, wherein constructing an interaction trajectory for each historical session according to the interaction history corresponding to each historical session comprises:
abstracting each historical session message in the interaction history into an interaction point;
and serially connecting according to the sequence of the interactive time of the historical conversation messages to obtain the interactive track of each historical conversation.
5. The testing method of claim 3, wherein learning the content of the historical messages corresponding to each interaction point in the similar track set to obtain the data interaction format of each interaction point comprises:
analyzing the field of the historical session message corresponding to each interactive point, and determining the basic components of the historical session message; wherein the basic components comprise a general message part and a data bearing part;
determining fields corresponding to positions with unchanged message length in all historical session messages as first fields where the general message parts are placed, and determining all different historical values appearing in the first fields as effective value-taking sets of the general message parts;
determining a field corresponding to the position of the message length change in the historical session message as a second field for placing the data bearing part;
determining the value range of the data length of the data bearing part according to the historical change condition of the data length in the second field;
determining the first field and the effective value set as a data format of an invariant part in the data interaction format; and determining the second field and the value range as the data format of the variable part in the data interaction format.
6. The testing method of claim 5, wherein generating the corresponding interaction message and sending it to the device under test comprises:
filling the variable part of the interaction data corresponding to the session with fuzz data to obtain the interaction message;
and sending the interaction message to the device under test.
7. The testing method according to claim 1, wherein monitoring the running state of the application corresponding to the session in the device under test comprises:
performing keep-alive monitoring of the process;
or monitoring the protocol stack of the device under test.
8. An apparatus for testing protocol vulnerabilities, comprising:
a creating unit, configured to create a session process with a device under test;
an interaction unit, configured to control, in the session process and according to a finite-state machine and feedback information of the device under test, interaction logic for interacting with the device under test, to generate a corresponding interaction message and to send it to the device under test for vulnerability testing; the finite-state machine being obtained by learning from interaction histories in captured historical sessions;
and a monitoring unit, configured to monitor the running state of the application in the device under test that corresponds to the session, and to determine that the device under test has a vulnerability when the running state of the application is interrupted.
9. An apparatus for testing a protocol vulnerability, comprising:
at least one processor, and
a memory coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, the at least one processor performing the method of any one of claims 1-7 by executing the instructions stored by the memory.
10. A computer-readable storage medium, comprising a memory,
the memory being configured to store instructions that, when executed by a processor, cause an apparatus comprising the readable storage medium to perform the method of any one of claims 1-7.
CN202011162203.2A 2020-10-27 2020-10-27 Protocol vulnerability testing method and device and storage medium Active CN112422515B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011162203.2A CN112422515B (en) 2020-10-27 2020-10-27 Protocol vulnerability testing method and device and storage medium


Publications (2)

Publication Number Publication Date
CN112422515A true CN112422515A (en) 2021-02-26
CN112422515B CN112422515B (en) 2023-03-21

Family

ID=74841131


Country Status (1)

Country Link
CN (1) CN112422515B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115733635A (en) * 2021-08-27 2023-03-03 Hisense Group Holdings Co., Ltd. Vulnerability positioning method, device, equipment and medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101482847A (en) * 2009-01-19 2009-07-15 Beijing University of Posts and Telecommunications Detection method based on safety bug defect mode
US20110126288A1 (en) * 2009-11-24 2011-05-26 Honeywell International Inc. Method for software vulnerability flow analysis, generation of vulnerability-covering code, and multi-generation of functionally-equivalent code
CN103312851A (en) * 2013-05-31 2013-09-18 Nanjing University Intelligent cellphone application interaction interface program usability testing method
KR20190107373A (en) * 2018-03-12 2019-09-20 IoTcube Inc. Fuzzing method and device for network protocol vulnerability detection
CN111092775A (en) * 2019-12-30 2020-05-01 Henan Yunmai Hanhai Electronic Technology Co., Ltd. Network protocol security test evaluation method based on model learning
CN111723181A (en) * 2020-06-17 2020-09-29 National Computer Network and Information Security Management Center Industrial control protocol reverse analysis method based on active learning


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zhang Yafeng et al.: "State-based fuzzing test technology for industrial control protocols", Computer Science (计算机科学) *


Also Published As

Publication number Publication date
CN112422515B (en) 2023-03-21

Similar Documents

Publication Publication Date Title
Gascon et al. Pulsar: Stateful black-box fuzzing of proprietary network protocols
US8041996B2 (en) Method and apparatus for time-based event correlation
CN102087631B (en) Method for realizing fuzzing of software on the basis of state protocol
CN113542299A (en) Industrial internet vulnerability mining method and system based on fuzzy test
CN111818069B (en) Method, device, medium and computer equipment for presenting security event processing flow
CN111488577A (en) Vulnerability exploiting method and device based on artificial intelligence
CN113708995A (en) Network fault diagnosis method, system, electronic equipment and storage medium
CN112422515B (en) Protocol vulnerability testing method and device and storage medium
KR102325258B1 (en) Method for an autonomic or ai-assisted validation or decision making regarding network performance of a telecommunications network and/or for an autonomic or ai-assisted troubleshooting or performance enhancement within a telecommunications network, telecommunications network, system, machine intelligence entity, visualization interface, computer program and computer-readable medium
CN116248337A (en) Protocol fuzzy test method and device based on test case automatic generation
KR20120082415A (en) Supervision of a communication session comprising several flows over a data network
CN116094850B (en) Network protocol vulnerability detection method and system based on system state tracking graph guidance
CN116097226A (en) Apparatus and method for injecting faults into a distributed system
EP4072066A1 (en) Method for automatic derivation of attack paths in a network
Whalen et al. Hidden markov models for automated protocol learning
Biao et al. FFUZZ: A Fast Fuzzing Test Method for Stateful Network Protocol Implementation
CN112118156B (en) Filtering method and device for Ethernet protocol test
CN113472739B (en) Vulnerability discovery method and device for control equipment private protocol
CN116455798B (en) Automatic generation method and device for protocol program test model
CN111064637A (en) NetFlow data duplicate removal method and device
CN115086016B (en) Method, device, equipment and storage medium for detecting network abnormal behavior
CN112348202B (en) Method for establishing rule model in machine learning
CN115277260B (en) Method and system for detecting vulnerability of cloud platform of Internet of things
CN117499280A (en) Industrial protocol fuzzy test method
CN115577365A (en) Industrial control system protocol fuzzy test method based on state conversion

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant