CN116016690A - Automatic reverse analysis method and system for industrial private protocol - Google Patents
Automatic reverse analysis method and system for industrial private protocol Download PDFInfo
- Publication number
- CN116016690A CN116016690A CN202211539365.2A CN202211539365A CN116016690A CN 116016690 A CN116016690 A CN 116016690A CN 202211539365 A CN202211539365 A CN 202211539365A CN 116016690 A CN116016690 A CN 116016690A
- Authority
- CN
- China
- Prior art keywords
- message
- private protocol
- industrial
- protocol
- industrial private
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000004458 analytical method Methods 0.000 title claims abstract description 67
- 238000000034 method Methods 0.000 claims abstract description 33
- 230000011218 segmentation Effects 0.000 claims abstract description 29
- 238000001914 filtration Methods 0.000 claims abstract description 21
- 238000012545 processing Methods 0.000 claims abstract description 14
- 238000004891 communication Methods 0.000 claims description 13
- 238000000605 extraction Methods 0.000 claims description 11
- 238000010586 diagram Methods 0.000 description 4
- 239000000284 extract Substances 0.000 description 4
- 230000006399 behavior Effects 0.000 description 3
- 230000000694 effects Effects 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 238000012360 testing method Methods 0.000 description 3
- 230000006870 function Effects 0.000 description 2
- 238000009499 grossing Methods 0.000 description 2
- 238000003058 natural language processing Methods 0.000 description 2
- 238000005457 optimization Methods 0.000 description 2
- 238000011160 research Methods 0.000 description 2
- 108091028043 Nucleic acid sequence Proteins 0.000 description 1
- 241000700605 Viruses Species 0.000 description 1
- 230000002159 abnormal effect Effects 0.000 description 1
- 238000013473 artificial intelligence Methods 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 238000005192 partition Methods 0.000 description 1
- 230000008447 perception Effects 0.000 description 1
- 230000002265 prevention Effects 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 108090000623 proteins and genes Proteins 0.000 description 1
- 238000002864 sequence alignment Methods 0.000 description 1
Images
Classifications
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Landscapes
- Communication Control (AREA)
Abstract
The invention relates to an automatic reverse analysis method and system of an industrial private protocol. Belonging to the field of industrial control systems. The method comprises the following steps: filtering a message of an industrial private protocol in session traffic to be analyzed in an industrial private protocol processing stage, and extracting an application layer data segment of the industrial private protocol; in the industrial private protocol message analysis stage, determining segmentation points in the filtered message according to similarity characteristics among the application layer data segments; in the industrial private protocol message analysis stage, the filtered message is divided into a plurality of message fields according to the position of the dividing point, and the value range of each message field is extracted to complete the automatic reverse analysis process of the industrial private protocol. The invention can improve the efficiency and performance of the automatic reverse analysis of the industrial private protocol.
Description
Technical Field
The invention relates to the field of industrial control systems, in particular to an automatic reverse analysis method and system of an industrial private protocol.
Background
The increasingly frequent industrial internet security events indicate that the industrial control system ICS has a large number of security holes and hidden hazards, such as banks, power and communication systems of multiple countries in the year 2017, ukraine, etc., all suffer from Petya luxo virus attacks, venezuela in the year 2019 suffers from grid attacks, and the railway system in the year 2021 in the Iran country suffers from network intrusion, etc. The internet of things equipment in the industrial control system adopts an industrial private protocol for communication, so that the mutual coordination among all components in the system is realized. However, most industrial private protocols do not disclose specific contents of the protocol, including message format of the protocol, length and value range set of each field, and corresponding semantic relationship, etc. for business or other reasons, so that a great deal of trouble is caused to security analysts in performing security analysis on an industrial control system.
The protocol reverse engineering (protocol reverse engineering, PRE) only analyzes the communication traffic of both captured communication entities, extracts relevant contents such as protocol message format and the like, and deduces the message format of an unknown protocol and the process of a state machine model. In the related field, many researches have been performed to explore and improve the protocol reverse method, so as to improve the accuracy of the reverse result, and in recent years, the protocol reverse technology is used in various related security fields, including fuzzy test, network intrusion detection, intrusion prevention, and other aspects, and the prior knowledge of the unknown protocol is obtained by using the protocol reverse direction, so as to improve the analysis working efficiency.
Because the industrial private protocol is limited by the processing capacity and the memory of the industrial Internet of things equipment in use, in order to reduce the overhead of the industrial control equipment in communication, the industrial private protocol mostly adopts a binary protocol for communication. Therefore, there is a need for an automated reverse analysis method for industrial proprietary protocols that increases the efficiency and performance of the automated reverse analysis of industrial proprietary protocols.
The earliest protocol reverse technology was item Protocol Informatics (PI for short). The PI project references an algorithm that searches for specific genes from DNA sequences, and analogizes to the reverse protocol domain, i.e., searches for specific types of messages from captured traffic message data. PI items provide guidance for many subsequent works, and later researchers have improved on methods, such as the Leita et al protocol state machine automatic extraction tool ScriptGen, which is guided by PI items, completes extraction of part of semantics, but does not cluster message sequences before deducing state machines, and has a great difference in performance from today's tools. Another important and classical tool is discover, proposed by Cui et al, which enables the selection of a suitable method for different types of messages to be analyzed, improving the analysis performance. After that, with the rise of artificial intelligence technology, algorithms in the fields of machine learning and natural language processing are applied to the field of protocol reverse, protocol reverse engineering is rapidly developed in a short time, research objects are expanded from a common text protocol to a binary protocol, the method types are continuously enriched, the accuracy and reliability are greatly improved, for example, netZob and the like use a sequence alignment algorithm to align various fields of a message and cluster and extract keywords, autoRegine proposes an unsupervised learning method to extract a message format and a protocol state machine based on a frequent set and a priori algorithm, and ReFSM proposes an Extended Finite State Machine (EFSM) behavior model consisting of data flow and control flow information.
The existing protocol reverse method is designed for the text protocol mostly, even if the text protocol and the binary protocol can be oriented at the same time, the recall rate and the accuracy rate of the protocol reverse method are lower than those of the protocol reverse method when the binary protocol is oriented to the automatic protocol. This is because these methods work well on protocols that use ASCII encoded keywords to construct their messages when reversing the text protocol, and the separator clearly separates the keywords and data fields. Binary protocols can pack data more densely and do not separate fields by delimiters or by explicit key label fields so that these features cannot be displayed; however, the display of these messages is essential for natural language processing. These methods are not inherently suitable for analyzing binary protocols. Therefore, there is a need for an automated reverse analysis method for industrial proprietary protocols that increases the efficiency and performance of the automated reverse analysis of industrial proprietary protocols.
Disclosure of Invention
The invention aims to provide an automatic reverse analysis method and system for an industrial private protocol, so as to improve the efficiency and performance of the automatic reverse analysis of the industrial private protocol.
In order to achieve the above object, the present invention provides the following solutions:
an automated reverse analysis method of an industrial proprietary protocol, comprising:
filtering a message of an industrial private protocol in session traffic to be analyzed in an industrial private protocol processing stage, and extracting an application layer data segment of the industrial private protocol;
in the industrial private protocol message analysis stage, determining segmentation points in the filtered message according to similarity characteristics among the application layer data segments;
in the industrial private protocol message analysis stage, the filtered message is divided into a plurality of message fields according to the position of the dividing point, and the value range of each message field is extracted to complete the automatic reverse analysis process of the industrial private protocol.
Optionally, filtering the message of the industrial private protocol in the session traffic to be analyzed, and extracting an application layer data segment of the industrial private protocol, which specifically includes:
filtering incomplete messages, repeated messages and messages which do not belong to the conversation flow to be analyzed in the messages of the industrial private protocol, and generating filtered messages;
and cutting off the bottom field of the filtered message according to the characteristics of the bottom communication protocol layer, and extracting the application layer data segment of the industrial private protocol.
Optionally, determining the segmentation point in the filtered message according to the similarity feature between the application layer data segments specifically includes:
applying bit congruence to every two continuous bytes in the application layer data segments, taking the smooth radius of a Gaussian filter as a convolution kernel of bit value congruence increment values of the continuous bytes, and determining similarity characteristics among the application layer data segments;
obtaining inflection points of the similarity features; and the position of the inflection point is a segmentation point in the filtered message.
Optionally, the bit congruence is:
wherein ,
for byte b and byte->
Is a bit congruence of (2);
Is the number of bits having the same value.
Optionally, the bit value congruence increment value is:
ΔBC=(BC(m k ,m k+1 )-BC(m k-1 ,m k )) 0<k<n
wherein Δbc is a bit value congruence delta value; BC (m) k ,m k+1 ) For bytes m k And byte m k+1 Is a bit congruence of (2); BC (m) k-1 ,m k ) For bytes m k-1 And byte m k Is a bit congruence of (2); k is the byte position and n is the total number of bytes.
Optionally, the dividing the filtered message into a plurality of message fields according to the position of the dividing point, extracting a value range of each message field, and completing an automatic reverse analysis process of the industrial private protocol, and then further including:
and optimizing the message field to generate an optimized message field.
An automated reverse analysis system of an industrial proprietary protocol, comprising:
the application layer data segment extraction module is used for filtering the messages of the industrial private protocol in the session flow to be analyzed in the industrial private protocol processing stage and extracting the application layer data segments of the industrial private protocol;
the division point determining module is used for determining division points in the filtered message according to the similarity characteristics among the application layer data segments in the industrial private protocol message analysis stage;
and the message segment segmentation module is used for segmenting the filtered message into a plurality of message fields according to the position of the segmentation point in the industrial private protocol message analysis stage, extracting the value range of each message field and completing the automatic reverse analysis process of the industrial private protocol.
Optionally, the application layer data segment extraction module specifically includes:
the message filtering unit is used for filtering incomplete messages, repeated messages and messages which do not belong to the session flow to be analyzed in the industrial private protocol messages in the session flow to be analyzed, and generating filtered messages;
and the application layer data segment extraction unit is used for cutting off the bottom field of the filtered message according to the characteristics of the bottom communication protocol layer and extracting the application layer data segment of the industrial private protocol.
According to the specific embodiment provided by the invention, the invention discloses the following technical effects: according to the similarity characteristics among the data segments of each application layer, a prompt for the structural characteristics of each application layer data segment is found out from each application layer data segment, the segmentation points in the filtered message are determined, the message segmentation is carried out, for the binary protocol message, the calculation is simple, the efficiency of the binary protocol reverse analysis is improved, and the message format of the unknown industrial private protocol, the position and the value range of each field can be obtained.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an industrial proprietary protocol automated reverse analysis system according to the present invention;
FIG. 2 is a schematic diagram of a test result of DNS protocol by using the automatic reverse analysis method of industrial private protocol provided by the invention;
FIG. 3 is a flow chart of an automated reverse analysis method of an industrial proprietary protocol provided by the present invention;
fig. 4 is a block diagram of an automated reverse analysis system for industrial proprietary protocols provided by the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The invention aims to provide an automatic reverse analysis method and system for an industrial private protocol, which can improve the efficiency and performance of the automatic reverse analysis of the industrial private protocol.
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to the appended drawings and appended detailed description.
Example 1
As shown in FIG. 1, the present invention includes industry-private-protocol processing, protocol message analysis, and protocol message segmentation stages. The operation of each stage is as follows:
1) In the industrial private protocol processing stage, firstly filtering out messages which do not belong to the target industrial private protocol to be analyzed, and then extracting the protocol application program data segment.
2) In the protocol message analysis stage, the message is considered to have an inherent structure, each field of the internal structure is provided with some similarity characteristics, the message is segmented according to the characteristics of the inherent structure of the message, and the segmentation points in the message are found.
3) In the protocol message segmentation stage, the unknown pair message is segmented into message fields according to segmentation points, the value range of each field is extracted, and the automatic reverse analysis process of the industrial private protocol is completed.
The method comprises the following specific steps:
stage one: industrial private protocol processing stage:
step 1: and filtering the noise message.
Filtering incomplete and repeated messages in the protocol message flow to be analyzed, and filtering other messages which do not belong to the session flow to be analyzed, so that the interference of the messages to the protocol reverse direction is reduced.
Step 2: and extracting the protocol application data segment.
And loading the protocol flow file to be reversed into a loader, reading each message in the flow, cutting off the bottom field of the message according to the characteristics of the bottom general protocol layer, and only leaving the application layer data segment of the message and storing the application layer data segment for the next protocol reverse analysis.
Stage two: protocol message analysis phase:
since each communication protocol, including industrial proprietary protocols, is designed to be effectively split by its recipients, it may be desirable to find a specific hint for its structure in each message itself. For example, binary protocols typically use a field of common data type length, typically 32 bits. As another example, a value is a generic field data type in a protocol message. The counted numbers show a specific variance distribution from the most significant byte to the least significant byte. This observation is similar to, and even directly related to, benford's law, which predicts that an abnormal distribution of numbers is found in the real world. An observation of a protocol message may show a typical behavior of an entire sequence of values, which represents a sub-structure of the message. The present invention therefore proposes to segment the message according to the characteristics of its internal structure. Studies have shown that the similarity of consecutive message bytes is a very good feature of the native structure of the perception message and can be used to determine candidate fields.
The main similarity feature used in the present invention is the congruence increment of the bit value of consecutive bytes of a message. The present invention assumes that a message consists of multiple bytes, with bit congruence defined as the bit degree of the bytes. Bit congruence is applied to every two consecutive bytes of the message. For example, for two bytes b and
0≤i<8, their bits are denoted b i and
Having the sameThe number of bits of the value is called->
The Bit Congruence (BC) is expressed as: />
Iterating all bytes m of a message m 0 ,...,m n An increment between bit congruence of consecutive byte pairs may be determined. Which is calculated from the difference of the bit congruence in each pair of consecutive byte positions k. In an m byte length message, this increment of similarity is:
ΔBC=(BC(m k ,m k+1 )-BC(m k-1 ,m k )) 0<k<n
while the bit values of longer numerical data sequences tend to have identifiable Bit Congruence (BC) patterns in network messages, not all subsequences of bits follow this behavior alone. BC can therefore be seen as having a noise-like characteristic, Δbc, affecting it. Despite the presence of Δbc, a location in the message where the confident property attribute varies significantly between bytes can still be found, and a general trend can be found. The Δbc may be smoothed with a standard gaussian filter gσ (Δbc) with a parameter σ. It can be found that the inflection point of the smoothed curve corresponds to a segmentation point of the protocol. Thus, the method of the present invention now provides segmentation of information by approximating the inflection points of the gaussian smooth feature of the bit congruence (gσ (Δbc)).
Step 1: and extracting the partition points.
The message segment is defined entirely by the message it produces, the byte offset, the byte length, and the type of signature analysis performed on the message. This encapsulates the message with the analysis method and allows the message to be segmented according to the extracted features. Features are one or more analysis values that serve as a basis for detecting field boundaries.
The only parameter of the invention is the smoothing radius of the gaussian filter, denoted sigma. Sigma is the standard deviation of the gaussian distribution, which acts as a convolution kernel for the bit value congruence delta values of successive bytes of the message. In the application of the message format, the optimal value of σ depends on the field length of the protocol. The analyst may adjust the parameters to improve the accuracy of the message segmentation. For unknown protocols reasonable assumptions must be made about typical field lengths, empirical testing shows that a value of 0.9 yields the best field matching results for common protocols with field lengths of 2 to 8 bytes.
After smoothing with a gaussian filter, the inflection point of the image shown in fig. 2 can be obtained, where the position of the inflection point is a segmentation point in the protocol message format, and the ordinate in fig. 2 is a byte bit.
Stage three: message format segmentation:
step 1: and dividing the message according to the extracted dividing points to obtain each field of the message.
Step 2: and (5) field optimization processing.
After each field of the message is obtained, the segmentation result of the message field needs to be optimized simply. Typically, the character sequence is segmented into very short segments. In some cases, one or more character bytes are included before or after the character sequence, so that a contiguous set of printable character values can be incorporated into one text field. The printable character is selected to be defined as \t, \n or \r according to ASCII encoding, or to have a value between ∈0x20 and ∈0x7e. Then, it is checked whether fields adjacent to the text segment need to be split or re-split in order to keep the consecutive strings together. These operations have little effect on the pure binary protocol, but improve the reasoning of text fields in the binary protocol. And obtaining the values of all the fields of the protocol after field optimization processing.
Example two
Fig. 3 is a flowchart of an automatic reverse analysis method of an industrial private protocol provided by the present invention, and as shown in fig. 3, an automatic reverse analysis method of an industrial private protocol includes:
step 301: and in the industrial private protocol processing stage, filtering the message of the industrial private protocol in the session traffic to be analyzed, and extracting the application layer data segment of the industrial private protocol.
In practical applications, the step 301 specifically includes: filtering incomplete messages, repeated messages and messages which do not belong to the conversation flow to be analyzed in the messages of the industrial private protocol, and generating filtered messages; and cutting off the bottom field of the filtered message according to the characteristics of the bottom communication protocol layer, and extracting the application layer data segment of the industrial private protocol.
And loading the conversation flow to be analyzed (the conversation flow to be analyzed is a protocol flow file to be reversely analyzed) into a loader, reading each message in the flow, cutting off the bottom field of the message according to the characteristics of the bottom general protocol layer, and only leaving and storing the application layer data segment of the message for the next protocol reverse analysis.
Step 302: and in the industrial private protocol message analysis stage, determining the segmentation points in the filtered message according to the similarity characteristics among the application layer data segments.
In practical applications, the step 302 specifically includes: applying bit congruence to every two continuous bytes in the application layer data segments, taking the smooth radius of a Gaussian filter as a convolution kernel of bit value congruence increment values of the continuous bytes, and determining similarity characteristics among the application layer data segments; obtaining inflection points of the similarity features; and the position of the inflection point is a segmentation point in the filtered message.
The bit congruence is:
wherein ,
For byte b and byte->
Is a bit congruence of (2);
Is the number of bits having the same value.
The bit value congruence delta value is: Δbc= (BC (m) k ,m k+1 )-BC(m k-1 ,m k )) 0<k<n The method comprises the steps of carrying out a first treatment on the surface of the Wherein Δbc is a bit value congruence delta value; BC (m) k ,m k+1 ) For bytes m k And byte m k+1 Is a bit congruence of (2); BC (m) k-1 ,m k ) For bytes m k-1 And byte m k Is a bit congruence of (2); k is the byte position and n is the total number of bytes.
Step 303: in the industrial private protocol message analysis stage, the filtered message is divided into a plurality of message fields according to the position of the dividing point, and the value range of each message field is extracted to complete the automatic reverse analysis process of the industrial private protocol.
The step 303 further includes: and optimizing the message field to generate an optimized message field.
Example III
In order to execute the method corresponding to the second embodiment to achieve the corresponding functions and technical effects, an automatic reverse analysis system of the industrial private protocol is provided below.
Fig. 4 is a structural diagram of an automated reverse analysis system of an industrial private protocol according to the present invention, as shown in fig. 4, an automated reverse analysis system of an industrial private protocol includes:
the application layer data segment extraction module 401 is configured to filter a packet of an industrial private protocol in a session traffic to be analyzed in an industrial private protocol processing stage, and extract an application layer data segment of the industrial private protocol.
The segmentation point determining module 402 is configured to determine, in an industrial private protocol message analysis stage, segmentation points in the filtered message according to similarity features between the application layer data segments.
In practical application, the application layer data segment extraction module specifically includes:
the message filtering unit is used for filtering incomplete messages, repeated messages and messages which do not belong to the session flow to be analyzed in the industrial private protocol messages in the session flow to be analyzed, and generating filtered messages;
and the application layer data segment extraction unit is used for cutting off the bottom field of the filtered message according to the characteristics of the bottom communication protocol layer and extracting the application layer data segment of the industrial private protocol.
The message segment segmentation module 403 is configured to segment the filtered message into a plurality of message fields according to the position of the segmentation point in the industrial private protocol message analysis stage, and extract the value range of each message field, so as to complete the automatic reverse analysis process of the industrial private protocol.
Thus, particular embodiments of the present subject matter have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may be advantageous.
The system, apparatus, module or unit described in the above embodiments may be implemented by an industrial control chip or an industrial control device entity, or by a product having a certain function.
In the present specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, and identical and similar parts between the embodiments are all enough to refer to each other. For the system disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
The principles and embodiments of the present invention have been described herein with reference to specific examples, the description of which is intended only to assist in understanding the methods of the present invention and the core ideas thereof; also, it is within the scope of the present invention to be modified by those of ordinary skill in the art in light of the present teachings. In view of the foregoing, this description should not be construed as limiting the invention.
Claims (8)
1. An automated reverse analysis method of an industrial proprietary protocol, comprising:
filtering a message of an industrial private protocol in session traffic to be analyzed in an industrial private protocol processing stage, and extracting an application layer data segment of the industrial private protocol;
in the industrial private protocol message analysis stage, determining segmentation points in the filtered message according to similarity characteristics among the application layer data segments;
in the industrial private protocol message analysis stage, the filtered message is divided into a plurality of message fields according to the position of the dividing point, and the value range of each message field is extracted to complete the automatic reverse analysis process of the industrial private protocol.
2. The method for automatically reverse analyzing an industrial private protocol according to claim 1, wherein the filtering the packets of the industrial private protocol in the session traffic to be analyzed and extracting the application layer data segment of the industrial private protocol specifically comprises:
filtering incomplete messages, repeated messages and messages which do not belong to the conversation flow to be analyzed in the messages of the industrial private protocol, and generating filtered messages;
and cutting off the bottom field of the filtered message according to the characteristics of the bottom communication protocol layer, and extracting the application layer data segment of the industrial private protocol.
3. The method for automatic reverse analysis of industrial private protocol according to claim 1, wherein determining the segmentation point in the filtered message according to the similarity feature between the application layer data segments specifically comprises:
applying bit congruence to every two continuous bytes in the application layer data segments, taking the smooth radius of a Gaussian filter as a convolution kernel of bit value congruence increment values of the continuous bytes, and determining similarity characteristics among the application layer data segments;
obtaining inflection points of the similarity features; and the position of the inflection point is a segmentation point in the filtered message.
4. The automated reverse analysis method of an industrial private protocol according to claim 3, wherein the bit congruence is:
wherein ,
for byte b and byte->
Is a bit congruence of (2);
Is the number of bits having the same value.
5. The automated reverse analysis method of an industrial private protocol according to claim 3, wherein the bit value congruence delta value is:
ΔBC=(BC(m k ,m k+1 )-BC(m k-1 m k )) 0<k<n
wherein Δbc is a bit value congruence delta value; BC (m) k ,m k+1 ) For bytes m k And byte m k+1 Is a bit congruence of (2); BC (m) k-1 ,m k ) For bytes m k-1 And byte m k Is a bit congruence of (2); k is the byte position and n is the total number of bytes.
6. The method for automatic reverse analysis of industrial private protocol according to claim 1, wherein the steps of dividing the filtered message into a plurality of message fields according to the position of the dividing point, extracting the value range of each message field, and completing the automatic reverse analysis process of industrial private protocol further comprise:
and optimizing the message field to generate an optimized message field.
7. An automated reverse analysis system of an industrial proprietary protocol, comprising:
the application layer data segment extraction module is used for filtering the messages of the industrial private protocol in the session flow to be analyzed in the industrial private protocol processing stage and extracting the application layer data segments of the industrial private protocol;
the division point determining module is used for determining division points in the filtered message according to the similarity characteristics among the application layer data segments in the industrial private protocol message analysis stage;
and the message segment segmentation module is used for segmenting the filtered message into a plurality of message fields according to the position of the segmentation point in the industrial private protocol message analysis stage, extracting the value range of each message field and completing the automatic reverse analysis process of the industrial private protocol.
8. The automated reverse analysis system of industrial private protocol according to claim 7, wherein the application layer data segment extraction module specifically comprises:
the message filtering unit is used for filtering incomplete messages, repeated messages and messages which do not belong to the session flow to be analyzed in the industrial private protocol messages in the session flow to be analyzed, and generating filtered messages;
and the application layer data segment extraction unit is used for cutting off the bottom field of the filtered message according to the characteristics of the bottom communication protocol layer and extracting the application layer data segment of the industrial private protocol.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211539365.2A CN116016690A (en) | 2022-12-02 | 2022-12-02 | Automatic reverse analysis method and system for industrial private protocol |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211539365.2A CN116016690A (en) | 2022-12-02 | 2022-12-02 | Automatic reverse analysis method and system for industrial private protocol |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116016690A true CN116016690A (en) | 2023-04-25 |
Family
ID=86036205
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211539365.2A Pending CN116016690A (en) | 2022-12-02 | 2022-12-02 | Automatic reverse analysis method and system for industrial private protocol |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116016690A (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106021361A (en) * | 2016-05-10 | 2016-10-12 | 中国空间技术研究院 | Sequence alignment-based self-adaptive application layer network protocol message clustering method |
| CN106599900A (en) * | 2015-10-20 | 2017-04-26 | 华中科技大学 | Method and device for recognizing character string in image |
| CN107665191A (en) * | 2017-10-19 | 2018-02-06 | 中国人民解放军陆军工程大学 | Private protocol message format inference method based on extended prefix tree |
| CN108632252A (en) * | 2018-04-03 | 2018-10-09 | 中国人民解放军战略支援部队信息工程大学 | A kind of private network agreement iteration conversed analysis method, apparatus and server |
| CN109951464A (en) * | 2019-03-07 | 2019-06-28 | 西安电子科技大学 | The sequence of message clustering method of unknown binary system proprietary protocol |
| CN111931482A (en) * | 2020-09-22 | 2020-11-13 | 苏州思必驰信息科技有限公司 | Text segmentation method and device |
| CN112039196A (en) * | 2020-04-22 | 2020-12-04 | 广东电网有限责任公司 | Power monitoring system private protocol analysis method based on protocol reverse engineering |
-
2022
- 2022-12-02 CN CN202211539365.2A patent/CN116016690A/en active Pending
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106599900A (en) * | 2015-10-20 | 2017-04-26 | 华中科技大学 | Method and device for recognizing character string in image |
| CN106021361A (en) * | 2016-05-10 | 2016-10-12 | 中国空间技术研究院 | Sequence alignment-based self-adaptive application layer network protocol message clustering method |
| CN107665191A (en) * | 2017-10-19 | 2018-02-06 | 中国人民解放军陆军工程大学 | Private protocol message format inference method based on extended prefix tree |
| CN108632252A (en) * | 2018-04-03 | 2018-10-09 | 中国人民解放军战略支援部队信息工程大学 | A kind of private network agreement iteration conversed analysis method, apparatus and server |
| CN109951464A (en) * | 2019-03-07 | 2019-06-28 | 西安电子科技大学 | The sequence of message clustering method of unknown binary system proprietary protocol |
| CN112039196A (en) * | 2020-04-22 | 2020-12-04 | 广东电网有限责任公司 | Power monitoring system private protocol analysis method based on protocol reverse engineering |
| CN111931482A (en) * | 2020-09-22 | 2020-11-13 | 苏州思必驰信息科技有限公司 | Text segmentation method and device |
Non-Patent Citations (2)
| Title |
|---|
| STEPHAN KLEBER, HENNING KOPP, FRANK KARGL: "NEMESYS: Network message syntax reverse engineering by analysis of the intrinsic structure of individual messages", pages 3 - 4, Retrieved from the Internet <URL:https://www.usenix.org/conference/woot18/presentation/kleber> * |
| 李峻辰; 程光; 杨刚芹: "基于网络流量的私有协议逆向技术综述", 《计算机研究与发展》 * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107294993B (en) | WEB abnormal traffic monitoring method based on ensemble learning | |
| CN110532564B (en) | On-line identification method for application layer protocol based on CNN and LSTM hybrid model | |
| Paliwal et al. | Digitize-PID: Automatic digitization of piping and instrumentation diagrams | |
| CN114553983B (en) | Deep learning-based high-efficiency industrial control protocol analysis method | |
| CN112487033A (en) | Service visualization method and system for data flow and network topology construction | |
| Genender-Feltheimer | Visualizing high dimensional and big data | |
| CN109286622B (en) | Network intrusion detection method based on learning rule set | |
| CN109241315B (en) | Rapid face retrieval method based on deep learning | |
| CN113657443B (en) | On-line Internet of things equipment identification method based on SOINN network | |
| CN116016690A (en) | Automatic reverse analysis method and system for industrial private protocol | |
| CN114745155B (en) | Network abnormal flow detection method, device and storage medium | |
| Dhoot et al. | Efficient Dimensionality Reduction for Big Data Using Clustering Technique | |
| Dutta | Performance analysis of clustering methods for outlier detection | |
| JP2005528713A (en) | How to solve frequency, frequency distribution and sequence matching problems using multi-dimensional attractor tokens | |
| CN117155595A (en) | Malicious encryption traffic detection method and model based on visual attention network | |
| CN114519605A (en) | Advertisement click fraud detection method, system, server and storage medium | |
| Thomas et al. | Comparative analysis of dimensionality reduction techniques on datasets for zero-day attack vulnerability | |
| CN111160077A (en) | Large-scale dynamic face clustering method | |
| CN112367325B (en) | Unknown protocol message clustering method and system based on closed frequent item mining | |
| CN114722920A (en) | Deep map convolution model phishing account identification method based on map classification | |
| Ben Atitallah et al. | Strengthening network intrusion detection in iot environments with self-supervised learning and few shot learning | |
| CN107992590B (en) | Big data system beneficial to information comparison | |
| Greau-Hamard et al. | Performance analysis and comparison of sequence identification algorithms in iot context | |
| Xiao et al. | A network big data classification method based on decision tree algorithm | |
| Cao et al. | A Fast Randomized Algorithm for Finding the Maximal Common Subsequences |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20230425 |
|
| RJ01 | Rejection of invention patent application after publication |