一种结合GAN的定向口令猜测方案

doi:10.19665/j.issn1001-2400.2022.03.015

Abstract

Abstract:

In order to improve the success rate of directional password guessing,this paper proposes a directional password guessing scheme based on the probabilistic context-free grammar (PCFG) combined with generative adversarial networks (GAN).First,this scheme matches the user’s real password with his personal information,and further divides the tags on the basis of the TarGuess-I model,and uses the divided tags to parse the real password.Second,the parsed passwords are input into the confrontation network,and an expanded rule set that follows the real password distribution is obtained after training.Finally,the guessed password set of the target user is generated according to the expanded rule set generated by training and the frequency table of the L (Letters),D (Digits),and S (Symbols) fields obtained from the user's personal information and the password parsing process.This paper adopts the method of demonstration based on the statistical results of the data to propose ideas and verification through experiments,and optimizes the innovative matching of the type-based personal identifiable information PII (Personal Identifiable Information):“numbers +letters” and “letters +special characters”.A series of studies on “numbers +special characters” (which should generally be “letters” and “numbers”) is carried out.Through guessing attack experiments on the railway 12306 data set containing users’ personal information,compared with other targeted password guessing schemes,this scheme has a higher success rate of password guessing.

Key words: password guessing, generative adversarial networks, natural language processing

CLC Number:

TP309

DU Lixuhong,CHEN Jie,YANG Xiaoxue. Targeted password guessing scheme combined with GAN[J].Journal of Xidian University, 2022, 49(3): 129-136.

Figures/Tables 8

References 19

[1]	TechWeb.com.cn.Under Armour旗下健身追踪应用遭攻击:1.5亿用户数据被泄露 (2018) [EB/OL].[2018-03-30]. http:∥www.techweb.com.cn/world/2018-03-30/2650816.shtml.
[2]	KEITH M, SHAO B, STEINBART P. The Usability of Passphrases for Authentication:An Empirical Field Study[J]. International Journal of Human-Computer Studies, 2007, 65(1):17-28. doi: 10.1016/j.ijhcs.2006.08.005
[3]	BONNEAU J. The Science of Guessing:Analyzing an Anonymized Corpus of 70 Million Passwords[C]∥2012 IEEE Symposium on Security and Privacy.Piscataway:IEEE, 2012:538-552.
[4]	KLEIN D V. Foiling the Cracker:A Survey of,and Improvements to,Password Security[C]∥1990 USENIX Security Workshop.Berkeley:USENIX, 1990:5-14.
[5]	DAS A, BONNEAU J, CAESAR M, et al. The Tangled Web of Password Reuse (2014) [C/OL]. [2014-02-22]. https:∥www.ndss-symposium.org/wp-content/uploads/2017/09/06_1_1.pdf.
[6]	刘迎风, 刘胜利. 基于口令的密钥提取[J]. 西安电子科技大学学报, 2021, 48(1):61-68.
	LIU Yingfeng, LIU Shengli. Key Distillation from Passwords[J]. Journal of Xidian University, 2021, 48(1):61-68.
[7]	MA J, YANG W, LUO M, et al. A Study of Probabilistic Password Models[C]∥2014 IEEE Symposium on Security and Privacy.Piscataway:IEEE, 2014:538-552.
[8]	WEIR M, AGGARWAL S, DE MEDEIROS B, et al. Password Cracking Using Probabilistic Context-Free Grammars[C]∥2009 30th IEEE Symposium on Security and Privacy.Piscataway:IEEE, 2009:391-405.
[9]	WANG D, WANG P, HE D, et al. Birthday,Name and Bifacial-Security:Understanding Passwords of Chinese Web Users[C]∥Proceedings of the 28th USENIX Conference on Security Symposium.New York:ACM, 2019:1537-1554.
[10]	WU Y. Nearly 80 Percent of Internet Users Suffer Identity Leaks (2015) [EB/OL]. [2015-07-24]. http:∥www.chinadaily.com.cn/china/2015-07/24/content_21400381.htm.
[11]	SHAY R, KOMANDURI S, DURITY A L, et al. Designing Password Policies for Strength and Usability[J]. ACM Transactions on Information and System Security, 2016, 18(4):1-34.
[12]	DELL’AMICO M, FILIPPONE M. Monte Carlo Strength Evaluation:Fast and Reliable Password Checking (2015) [C/OL]. [2015-10-16]. http:∥www.dcs.gla.ac.uk/~maurizio/Publications/ccs15.pdf.
[13]	XIA Z, YI P, LIU Y, et al. GENPass:A Multi-Source Deep Learning Model for Password Guessing[J]. IEEE Transactions on Multimedia, 2020, 22(5):1323-1332. doi: 10.1109/TMM.2019.2940877
[14]	汪定, 邹云开, 陶义, 等. 基于循环神经网络和生成式对抗网络的口令猜测模型研究[J]. 计算机学报, 2021, 44(8):1519-1534.
	WANG Ding, ZOU Yunkai, TAO Yi, et al. Password Guessing Based on Recursive Neural Networks and Generative Adversarial Networks[J]. Chinese Journal of Computers, 2021, 44(8):1519-1534.
[15]	汪定. 口令安全关键问题研究[D]. 北京: 北京大学, 2017.
[16]	韩锋. 基于定向猜测攻击的PSM系统研究与实现[D]. 北京: 北京邮电大学, 2020.
[17]	LI Y, WANG H, SUN K. A Study of Personal Information in Human-Chosen Passwords and Its Security Implications[C]∥IEEE INFOCOM 2016 - The 35th Annual IEEE International Conference on Computer Communications.Piscataway:IEEE, 2016:1-9.
[18]	毕红军, 谭儒, 赵建军, 等. 基于主题PCFG的口令猜测模型研究[J]. 信息网络安全, 2019, 8:1-7.
	BI Hongjun, TAN Ru, ZHAO Jianjun, et al. Research on Password Guessing Model Based on Theme PCFG[J]. Netinfo Security, 2019, 8:1-7.
[19]	HITAJ B, GASTI P, ATENIESEG, et al. PassGAN:A Deep Learning Approach for Password Guessing[C]∥International Conference on Applied Cryptography and Network Security.Heidelberg:Springer, 2019:217-237.

用户个人信息种类	标签类型	标签含义	实例
出生日期(Birth)(19970912)	B1	年月日	19970912
	B2	月日年	09121997
	B3	日月年	12091997
	B4	月日	0912
	B5	年份	1997
	B6	年份+月份	199709
	B7	月份+年份	091997
	B8	年份后两位+月日	970912
	B9	月日+年份后两位	091297
	B10	日月+年份后两位	120997
姓名(Name)(张三)	N1	姓名拼音全拼	zhangsan
	N2	姓名全称缩写	zs
	N3	姓氏	zhang
	N4	名	san
	N5	名的首字母+姓氏	szhang
	N6	姓氏+名的首字母	zhangs
	N7	姓氏首字母大写	Zhang
用户名(Username)(zhang19970912)	U1	用户名全称	zhang19970912
	U2	用户名的字母段	zhang
	U3	用户名的数字段	19970912
	X	特殊字段	Zhang1997
邮箱(Email)(zsss1234@qq.com)	E1	邮箱前缀全称	zsss1234
	E2	邮箱前缀字母段	zsss
	E3	邮箱前缀数字段	1234
身份证号(ID)	I1	身份证号后4位
	I2	身份证号前3位
	I3	身份证号前6位
手机号码(Telephone)	T1	完整手机号
	T2	手机号前3位
	T3	手机号后4位

猜测模型	猜测规模	攻击效果/%
文中模型	10²	36.70
TarGuess-I	10²	20.18
Personal-PCFG	10²	13.90

Targeted password guessing scheme combined with GAN

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 8

References 19

Related Articles 7

Metrics

Comments

Recommended 10

[1]	HU Daiwang,JIAO Yiyuan,LI Yanni. Novel and efficient algorithm for entity relation extraction with the corpus knowledge graph [J]. Journal of Xidian University, 2021, 48(6): 75-83.
[2]	SUN Yanjing,WEI Li,ZHANG Nianlong,YUN Xiao,DONG Kaiwen,GE Min,CHENG Xiaozhou,HOU Xiaofeng. Person re-identification method combining the DD-GAN and Global feature in a coal mine [J]. Journal of Xidian University, 2021, 48(5): 201-211.
[3]	WEI Ziyu,YANG Xi,WANG Nannan,YANG Dong,GAO Xinbo. Reciprocal bi-directional generative adversarial network for cross-modal pedestrian re-identification [J]. Journal of Xidian University, 2021, 48(2): 205-212.
[4]	ZHANG Zhiyuan,DIAO Yinghua. Pedestrian trajectory prediction model with social features and attention [J]. Journal of Xidian University, 2020, 47(1): 10-17.
[5]	YANG Xiaoli,LIN Suzhen. Method for multi-band image feature-level fusion based on the attention mechanism [J]. Journal of Xidian University, 2020, 47(1): 120-127.
[6]	MO Jianwen,XU Kailiang,LIN Leping,OUYANG Ning. Text-to-image generation combined with mutual information maximization [J]. Journal of Xidian University, 2019, 46(5): 180-188.
[7]	HUANG Ying,HE Ting,PEI Qingqi. Method for user interest and capability analysis in social Q&A websites [J]. Journal of Xidian University, 2019, 46(2): 119-123.