JP6412849B2 - Communication feature extraction device, packet classification device, communication feature extraction method, packet classification method, and program - Google Patents

Description

  The present invention relates to a communication feature extraction device, a packet classification device, a communication feature extraction method, a packet classification method, and a program.

  2. Description of the Related Art Conventionally, techniques for extracting characteristics for allowing mobile network operators to separate packets flowing through their networks for each application have been studied. For example, in Non-Patent Document 1, a characteristic character string such as an ID accompanying an advertisement request included in a smartphone application is used as a communication feature to determine what application is operating in the network from the packet capture result. A method of extracting has been proposed (hereinafter referred to as “Prior Art A”).

  In addition, an application that categorizes and captures packets for each application in the smartphone is disclosed. By using this, the destination IP address of the packet for each application can be specified. By using the destination IP addresses collected in this way, packets captured in the network can be classified for each application (hereinafter referred to as “conventional technology B”).

Shuaifu Dai, Alok Tongaonkar, Xiaoyin Wang, Antonio Nucci, and Dawn Song, "NetworkProfiler: Towards Automatic Fingerprinting of Android Apps," 2013 Proceedings IEEE INFOCOM.

  However, the conventional technique A is a technique for specifying the presence / absence of an application operation, and it is not possible to extract a feature for classifying a packet capture result in which packets transmitted from a plurality of applications are mixed for each application. .

  Further, in the conventional technique B, when a plurality of applications communicate with a common server, it is difficult to classify the packet capture results for each application based on the IP address of the destination server.

  The present invention has been made in view of the above points, and an object of the present invention is to enable packet capture results to be classified for each application.

  Therefore, in order to solve the above problem, the communication feature extraction device extracts from the source code the extraction unit that extracts the calling order of communication-related methods from the source code of the program, and the setting value for each argument of the method, And a generation unit that generates feature information in which the extracted setting values are arranged based on the calling order.

  The packet capture result can be classified for each application.

It is a figure for demonstrating the outline | summary of the feature extraction apparatus in embodiment of this invention. It is a figure which shows the hardware structural example of the feature extraction apparatus in embodiment of this invention. It is a figure which shows the function structural example of the feature extraction apparatus in embodiment of this invention. It is a flowchart for demonstrating an example of the extraction process of feature information. It is a figure for demonstrating an example of the production | generation method of a call order graph. It is a figure which shows the 1st example of the description by which a context is specified. It is a figure which shows the 2nd example of the description by which a context is specified. It is a figure which shows the 3rd example of the description by which a context is specified. It is a figure which shows the 4th example of the description by which a context is specified. It is a figure for demonstrating an example of the production | generation method of a partial graph. It is a figure which shows an example of the reflection method of the communication content to a partial graph. It is a figure for demonstrating the classification method of the packet based on feature information. It is a figure which shows an example of the calculation method of a similarity degree. It is a figure which shows an example of the calculation result of similarity. It is a figure which shows an example of the combination of similarity. It is a figure for demonstrating the comparison with the prior art A and this Embodiment. It is a figure for demonstrating the comparison with the prior art B and this Embodiment.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 is a diagram for explaining an outline of a feature extraction apparatus according to an embodiment of the present invention. As shown in FIG. 1, the feature extraction apparatus 10 analyzes a binary file of an application such as the application α and the application β, and each communication feature (content of communication) for each application such as the application α and the application β. And their order), information indicating the characteristics of communication of each application (hereinafter referred to as “feature information”) is generated.

  FIG. 2 is a diagram illustrating a hardware configuration example of the feature extraction device according to the embodiment of the present invention. 2 includes a drive device 100, an auxiliary storage device 102, a memory device 103, a CPU 104, an interface device 105, and the like that are mutually connected by a bus B.

  A program that realizes processing in the feature extraction apparatus 10 is provided by a recording medium 101 such as a CD-ROM. When the recording medium 101 storing the program is set in the drive device 100, the program is installed from the recording medium 101 to the auxiliary storage device 102 via the drive device 100. However, the program need not be installed from the recording medium 101 and may be downloaded from another computer via a network. The auxiliary storage device 102 stores the installed program and also stores necessary files and data.

  The memory device 103 reads the program from the auxiliary storage device 102 and stores it when there is an instruction to start the program. The CPU 104 executes a function related to the feature extraction device 10 according to a program stored in the memory device 103. The interface device 105 is used as an interface for connecting to a network.

  Note that the feature extraction apparatus 10 may be realized by, for example, a plurality of computers shown in FIG. 2 and having hardware.

  FIG. 3 is a diagram illustrating a functional configuration example of the feature extraction device according to the embodiment of the present invention. 3, the feature extraction apparatus 10 includes a binary file reading unit 11, a source code generation unit 12, an order information generation unit 13, a partial graph generation unit 14, a communication content reflection unit 15, a packet classification unit 16, and the like. Each of these units is realized by processing that one or more programs installed in the feature extraction apparatus 10 cause the CPU 104 to execute. The feature extraction apparatus 10 also uses a communication-related method list storage unit 17, a feature information storage unit 18, and the like. Each of these storage units can be realized by using, for example, a storage device that can be connected to the auxiliary storage device 102 or the feature extraction device 10 via a network.

  The binary file reading unit 11 reads a binary file of an analysis target application. In the present embodiment, it is assumed that the application is an Android (registered trademark) application. Therefore, the binary file reading unit 11 reads the APK file.

  The source code generation unit 12 generates source code from the APK file read by the binary file reading unit 11.

  The order information generation unit 13 generates information indicating the order of the calling order of methods called in the source code generated by the source code generation unit 12. As the information, a graph representing the method call order (hereinafter referred to as “call order graph”) is generated.

  The subgraph generation unit 14 generates a subgraph obtained by extracting a portion related to a method related to communication (hereinafter referred to as “communication related method”) from the call order graph. Whether each method corresponds to a communication-related method can be determined with reference to the communication-related method list storage unit 17. The communication-related method list storage unit 17 stores a list of method names of communication-related methods.

  The communication content reflecting unit 15 extracts a setting value for an argument of a communication-related method included in the partial graph from the source code, and reflects the setting value as a communication content in the partial graph, whereby communication of the analysis target application is performed. And a graph structure representing the communication order as feature information. Therefore, the feature information is information in which setting values for arguments of communication-related methods are arranged based on the calling order of communication-related methods. The communication content reflecting unit 15 stores the generated feature information in the feature information storage unit 18.

  The packet classification unit 16 classifies the packet capture results based on the feature information stored in the feature information storage unit 18.

  Hereinafter, a processing procedure executed by the feature extraction apparatus 10 will be described. FIG. 4 is a flowchart for explaining an example of the feature information extraction process.

  In step S <b> 101, the binary file reading unit 11 reads a binary file of an analysis target application (hereinafter referred to as “target application”). For example, the binary application of the target application may be downloaded from Google Play (registered trademark) or the like.

  Subsequently, the source code generation unit 12 generates the source code of the target application based on the binary file of the target application (step S102). The generation of the source code may be performed using reverse engineering, for example. For reverse engineering, an analysis tool such as Soot (http://sable.github.io/soot/) may be used. If the source code of the target application can be obtained from the beginning, the source code may be acquired in step S101. In this case, step S102 does not have to be executed.

  Subsequently, the order information generation unit 13 extracts a method from the source code of the target application, and generates a call order graph indicating the call order of the extracted method (step S103).

  FIG. 5 is a diagram for explaining an example of a method for generating a call order graph. FIG. 5 shows a rectangle representing the source code of class A (Class A) constituting the target application. When the order information generation unit 13 reads each description (each line) in order from the top of the source code and finds or detects a description in which the context between the methods is known, such as calling another method, the order information generation unit 13 relates to the description. The context between the two methods is recorded as a call order graph G1.

  As shown in FIG. 5, the call order graph G1 includes a record for each of the two methods constituting the context of the call order. Each record includes items “before” and “after”. In “Previous”, a method name of a method positioned in front in the context is recorded. In “after”, a method name of a method positioned later in the context is recorded.

  FIG. 6 is a diagram illustrating a first example of a description in which the context is specified. FIG. 6 shows a case where there is a clear call relationship between two methods. As shown in FIG. 6, when calling method b from within method a, the context between methods a → b is specified.

  FIG. 7 is a diagram illustrating a second example of the description in which the context is specified. FIG. 7 shows a case where there is a calling relationship using Intent. In Android (registered trademark), since the transition of Activity (screen) is performed using Intent, the location where Intent is used is found, and the method of the next class is determined from the class name set in the Intent argument. Can be specified. FIG. 7 shows an example in which the class B method onCreate is specified as the method of the next class, and the context of a → onCreate is specified. Note that when Activity is specified in Intent, it is predetermined that the next method is onCreate.

  FIG. 8 is a diagram illustrating a third example of the description in which the context is specified. FIG. 8 shows a case where a life cycle is designated, such as Activity or AsyncTask. That is, in Android (registered trademark), methods in classes that inherit Activity and AsyncTask are called in a predetermined execution order (for example, onCreate → onStart, etc.), so the context can be specified in that order. .

  FIG. 9 is a diagram illustrating a fourth example of the description in which the context is specified. FIG. 9 shows a case where there is an event listener. When a method that is executed in response to a user operation or the like is specified, since there is a context between the method that is associated with the event and the method that is executed when the event occurs, setOn ** It is possible to specify the context between the methods of * Listener → on ***. Note that “***” is actually an event name such as “Click”.

  Subsequently, the partial graph generation unit 14 extracts the communication related method call order from the call order graph G1, and generates a partial graph indicating the communication related method call order (step S104).

  FIG. 10 is a diagram for explaining an example of a method of generating a partial graph. First, the partial graph generation unit 14 specifies the first method in the call order graph G1. The first method is the method of the “previous” item in which the method name is not recorded in the “next” item in any record of the call order graph G1. FIG. 10 shows an example in which the “previous” method of the second record is specified as the first method.

  Subsequently, the partial graph generation unit 14 traces the call order graph G1 in the forward direction, starting from the head method. That is, the “next” method of the first method record is specified, the record that includes the method in “previous” is specified, the “next” method of the record is specified, and the methods are traced in the order of calling. . In FIG. 10, the order in which they are traced is indicated by broken lines. In the process of tracing the methods in the calling order, the subgraph generating unit 14 compares the method names of the respective methods with the communication related method list L1 stored in the communication related method list storage unit 17 in the traced order. Determine whether the method is a communication-related method. If the method is a communication-related method, the method is added to the end of the subgraph G2.

  When there is a branch, the order of one of the branches is followed, and when the last method is reached in the one order, the process returns to the branch and follows the other order. Here, “branch” refers to a situation where a plurality of methods are called after one method. In branching, the subgraph generation unit 14 traces branch destinations in the order of appearance in the source code. FIG. 10 shows an example in which Class B Method bb appears first in Class B Method b.

  Subsequently, the communication content reflecting unit 15 identifies the setting value of the argument of the method included in the partial graph G2 from the source code, and reflects the setting value as the communication content in the partial graph G2, thereby allowing the communication content of the target application to be reflected. And feature information representing the communication order is generated (step S105).

  FIG. 11 is a diagram illustrating an example of a method of reflecting the communication content on the partial graph. FIG. 11 shows a method of reflecting the communication contents for the method m1 that is the first method in the subgraph G2 of FIG.

  First, the communication content reflecting unit 15 identifies a record in which the method m1 is “next” in the call order graph G1, and identifies a “previous” method of the record (S105-1 to S105-3). That is, the description d1 corresponding to the caller location of the method m1 is specified. Subsequently, the communication content reflection unit 15 specifies a value set in the argument of the method m1 in the description d1 (S105-4). When the argument is a variable, the value of the argument is specified by tracing the assignment source (assignment location) to the variable until a specific value is specified. However, when the assigned value is defined as a character string in the source code, it is only necessary to specify within a range where a specific value can be specified. For example, when the argument is determined by complicated processing, such as when a character string read from a file is substituted or when a character string is dynamically generated, the value of the argument is not specified. Also good.

  In the example of FIG. 11, in the description d1, the argument for the b method is a variable u. When the assignment source of the variable u is traced, it is specified that the value of the variable u is a character string “User-Agent: abc” ”.

  The communication content reflecting unit 15 applies (reflects) the value specified for the argument of the method m1 to the position (node) of the method m1 in the subgraph G2 (S105-5).

  In FIG. 11, a partial graph obtained by replacing each communication-related method of the partial graph G2 with the value of each argument is shown as feature information G2 ′. The characteristic information G2 ′ is information indicating the characteristics of communication by the target application (contents of each communication and their order). The feature information G2 ′ is stored in the feature information storage unit 18 in association with the identification information of the target application.

  Next, a packet classification method using the feature information G2 ′ will be described.

  FIG. 12 is a diagram for explaining a packet classification method based on feature information. FIG. 12 shows feature information G2 ′ extracted from the target application, packet capture data D1 to D5 on the network, and the like. The feature information G2 ′ includes communication contents n1 to n3.

  The packet classification unit 16 calculates the similarity for each combination of the communication contents n1 to n3 of the feature information G2 ′ and the capture data D1 to D5. It should be noted that, for the first communication content n1 in the feature information G2 ′, the similarity is calculated for all combinations with the capture data. For the communication contents n2 or n3 other than the head, the similarity is calculated for the combination with the capture data excluding the head capture data among the capture data combined with the communication contents immediately before the communication contents. Therefore, in FIG. 12, the similarity is calculated for each combination connected by the arrows.

  FIG. 13 is a diagram illustrating an example of a similarity calculation method. FIG. 13 shows a calculation example of the similarity between the communication content n1 and the capture data D1.

  First, the packet classification unit 16 divides each of the communication content n1 and the capture data D1 using “:”, “” (space), “/”, “;”, etc. as delimiters.

Subsequently, the packet classification unit 16 calculates the similarity between the communication content n1 and the capture data D1 based on the following equation.
Similarity = number of character strings that match on both sides / number of character strings included in packet of capture data Here, “character string” refers to a character string in divided units. In FIG. 13, the number of character strings that match between the character string group sn1 after the division of the communication content n1 and the character string group sD1 after the division of the capture data D1 is two. That is, two character strings surrounded by a broken line in the character string group sD1 match any character string included in the character string group sn1. The number of character strings in the character string group sD1 is 20. Therefore, the similarity in this case is 2 ÷ 20 = 0.1.

  FIG. 14 is a diagram illustrating an example of a similarity calculation result. FIG. 14 shows the calculation result of the similarity between the communication contents n1 to n3 and the capture data D1 to D5.

  Subsequently, the packet classification unit 16 selects a similarity for each combination of three similarities obtained by selecting one similarity from a set of similarities calculated for each of the communication contents n1, n2, and n3. Find the average degree. However, in a certain combination, the similarity selected for the second and subsequent communication contents is similar to the packet data after the packet data related to the similarity selected for the communication contents immediately before the communication contents. Limited to degrees.

  FIG. 15 is a diagram illustrating an example of combinations of similarities. FIG. 15 shows a tree structure in which a capture data code is assigned to each node. The highest node corresponds to the similarity between the communication content n1 and the capture data related to the code of the node. The node in the second layer corresponds to the similarity between the communication content n2 and the capture data related to the code of the node. The lowest node corresponds to the similarity between the communication content n3 and the capture data related to the code of the node.

  From FIG. 14, ten combinations of similarities shown in FIG. 15 are generated, and an average value of similarities is calculated for each combination. The packet classification unit 16 classifies the captured data packet related to the combination whose average value is equal to or greater than the threshold as the packet of the target application.

  For example, if the threshold is 0.15, the average value of the combination of “D1-D4-D5” in FIG. 15 is 0.167, and thus the packets of the capture data D1, D4, and D5 related to the combination are It is classified as a packet of the target application.

  Note that if the capture data related to the combination of the maximum average values is classified as a packet of the target application, a packet that is not actually a packet related to communication of the target application can also be classified as a packet of the target application. In this embodiment, the determination is performed based on the threshold value.

  Moreover, the packet of the target application may be detected at a plurality of locations in the capture data. On the other hand, when a packet at a specific location in the capture data is determined to be a packet of a plurality of applications, it may be determined to be a packet of an application having a high degree of similarity, or may be determined by human eyes.

  As described above, according to the present embodiment, a feature (feature information) for classifying a packet capture result in which packets of a plurality of applications are mixed for each application can be extracted from the application. Once the feature information can be used to classify packets for each application, mobile network operators can identify what applications are generating how much traffic in the networks they provide, and congestion The application that causes the problem can be identified. Thus, network congestion can be suppressed by prompting the creator of such an application to make corrections. Further, by extracting information (IP address, port number, characteristic character string) necessary for traffic control for each application from the classified packet, the traffic control can be performed.

  Note that FIG. 16 is a diagram for explaining the comparison between the prior art A and the present embodiment, and in the prior art A, it is possible to extract only the packet 2 including the characteristic character string of the advertisement of the app A. However, according to the present embodiment, it is possible to extract a packet group similar to the communication characteristics of application A, including its order.

  FIG. 17 is a diagram for explaining comparison between the related art B and the present embodiment. In the conventional technique B, when the destinations of the packets 1 to 5 are the same, each packet cannot be classified for each application. However, according to the present embodiment, the character string included in the communication, not the destination, is used. Since the portion whose order is similar to the feature information of each application is extracted, each packet can be classified for each application.

  In the present embodiment, the Android (registered trademark) application has been described. However, the present embodiment may be applied to other applications. In this case, the method for specifying the context of the method may be changed as appropriate in accordance with the development language of the other application. Further, the present embodiment may be applied to programs other than applications.

  Further, in the present embodiment, an example is shown in which the feature extraction device 10 performs packet classification of capture data, but the device that extracts feature information and the device that performs packet classification may be different. .

  In the present embodiment, the feature extraction device 10 is an example of a communication feature extraction device and a packet classification device. The order information generation unit 13 and the partial graph generation unit 14 are examples of an extraction unit. The order information generation unit 13 is an example of a first extraction unit. The partial graph generation unit 14 is an example of a second extraction unit. The communication content reflection unit 15 is an example of a generation unit. The packet classification unit 16 is an example of a classification unit.

  As mentioned above, although the Example of this invention was explained in full detail, this invention is not limited to such specific embodiment, In the range of the summary of this invention described in the claim, various deformation | transformation・ Change is possible.

DESCRIPTION OF SYMBOLS 10 Feature extraction apparatus 11 Binary file reading part 12 Source code generation part 13 Order information generation part 14 Partial graph generation part 15 Communication content reflection part 16 Packet classification part 17 Communication related method list storage part 18 Feature information storage part 100 Drive apparatus 101 Recording Medium 102 Auxiliary storage device 103 Memory device 104 CPU
105 Interface device B bus

Claims (8)

An extractor that extracts the calling order of communication-related methods from the source code of the program;
A generation unit that extracts setting values for each argument of the method from the source code, and generates feature information in which the extracted setting values are arranged based on the calling order;
A communication feature extraction apparatus characterized by comprising: The extraction unit includes:
A first extraction unit that extracts the context of the calling order from the source code for each method called in the source code of the program;
A second extraction unit that extracts a calling order of the communication-related methods from the context based on information indicating communication-related methods,
The communication feature extraction apparatus according to claim 1. The generation unit specifies, for each method extracted by the extraction unit, a call location of the method in the source code based on the context, and a variable designated as an argument of the method at the call location Identify the setting value for the argument by following the assignment source of
The communication feature extraction apparatus according to claim 2. Based on the feature information extracted by the communication feature extraction device according to any one of claims 1 to 3, a classification unit that classifies packets related to the program from packet capture data.
A packet classification device. Computer
An extraction procedure to extract the calling order of communication-related methods from the program source code;
A generation procedure for extracting setting values for each argument of the method from the source code, and generating feature information in which the extracted setting values are arranged based on the calling order;
The communication feature extraction method characterized by performing. Based on the feature information extracted by the communication feature extraction apparatus according to claim 1 to 3 any one claim, and characterized in that the procedure for classifying packets for the program from among the captured data packets computer executes Packet classification method.   The program for functioning a computer as each part as described in any one of Claims 1 thru | or 3.   The program for functioning a computer as a classification | category part of Claim 4.

Images