四川大学学报(自然科学版)2024,Vol.61Issue(3):206-217,12.DOI:10.19907/j.0490-6756.2024.033005
NetExtractor:基于网络轨迹的未知协议逆向方法
NetExtractor:Unknown protocol reverse approach based on network traces
摘要
Abstract
Network protocol reverse engineering is an important challenge in many security domains.The current mainstream approach is to compare and slice characters and tokens between network traces,but the existing work is limited by the high variance and complex state of binary protocol field values in the deriva-tion,and also suffers from the problems of format over-slicing and low accuracy of multi-state field annota-tion.To address these challenges,the authors propose the NetExtractor tool,which integrates optimization methods for format extraction and state annotation.In the format extraction phase,the spatiotemporal charac-teristics of network trajectories are extracted for coarse clustering,followed by multiple sequence alignment,by merging and optimizing using statistical characteristics to further improve the accuracy of format extrac-tion.In the state annotation phase,edit distance is introduced to measure the differences between fields,and random forest and statistical properties are combined to constrain the candidate state fields to improve the ac-curacy of multi-state field annotation.To validate the effectiveness of the proposed method,the NetExtractor tool is employed for automating the inversion of the botnet zeroaccess protocol format and state machine,Evaluation experiments are conducted on eight commonly used protocols to access the efficiency of the pro-posed method.The experiment results demonstrate that compared to the leading research work in the field,NetExtractor can enhance the accuracy of protocol format and protocol state identification,which is of great significance for network security analysis.关键词
协议逆向/网络轨迹/协议格式/状态标注Key words
Protocolreverse/Networktrace/Protocolformat/Statelabeling分类
信息技术与安全科学引用本文复制引用
王崇宇,朱宇坤,牛伟纳,宁延硕,江雅洁,张岩峰..NetExtractor:基于网络轨迹的未知协议逆向方法[J].四川大学学报(自然科学版),2024,61(3):206-217,12.基金项目
智能警务四川省重点实验室开放课题(ZNJW2023KFQN003) (ZNJW2023KFQN003)
