基于主动交互式学习的工控协议逆向分析

doi:10.19665/j.issn1001-2400.2023.04.003

Abstract

Abstract:

As an important basis for information exchange in industrial control systems,the standardization and completeness of the design and implementation of industrial control protocols involve the security of the entire industrial control system.For the reverse of unknown industrial control protocols,although the protocol reverse method based on traffic samples has attracted more and more attention because it does not need to analyze the system firmware and other advantages,this type of method also has the disadvantage of relying too much on sample diversity.Especially,insufficient sample diversity can easily lead to problems such as field division errors,state identification errors,and only a subset of protocol specifications can be obtained from analysis.For this reason,this paper proposes an industrial control protocol reverse analysis method based on active interactive learning.On the basis of the reverse results of traffic samples,a data packet set is constructed according to the initial reverse results,and interactive learning is carried out with real devices to detect unknown protocol fields and state machines.Simulation experimental results of interactive learning with industrial control simulation software show that this method can effectively verify field semantics,expand field values,expand abnormal sample types,and solve the problem of pseudo-long static fields caused by insufficient sample diversity and that it can detect new states and state transitions,greatly improving the accuracy of unknown protocol reverse.

Key words: industrial control protocol, protocol reverse, interactive learning, protocol state machine

CLC Number:

TP393.0

FU Anmin,MAO An,HUANG Tao,HU Chao,LIU Ying,ZHANG Xiaoming,WANG Zhanfeng. Industrial control protocol reverse analysis based on active interactive learning[J].Journal of Xidian University, 2023, 50(4): 22-33.

Figures/Tables 11

References 26

[1]	郝文涛, 鲁晔, 水永莉. 工业控制网络入侵检测技术研究[J]. 工业控制计算机, 2022, 35(4):1-6.
	HAO Wentao, LU Ye, SHUI Yongli. Research on Intrusion Detection Technology of Industrial Control Network[J]. Industrial Control Computer, 2022, 35(4):1-6.
[2]	LUO Z, ZUO F, SHEN Y, et al. ICS Protocol Fuzzing:Coverage Guided Packet Crack and Generation[C]// 2020 57th ACM/IEEE Design Automation Conference.Piscataway:IEEE, 2020:1-6.
[3]	柴艳娜, 李坤伦, 宋焕生. 智能汽车的入侵检测系统安全研究[J]. 西安电子科技大学学报, 2021, 48(3):31-39.
	CHAI Yanna, LI Kunlun, SONG Huansheng. Research on the Security of Intrusion Detection System for Intelligent Vehicles[J]. Journal of Xidian University, 2021, 48(3):31-39.
[4]	杨欣, 毛雅淇, 王伶. 无人机辅助通信的密集无线网络MAC协议[J]. 西安电子科技大学学报, 2022, 49(3):10-20.
	YANG Xin, MAO Yaqi, WANG Ling. MAC Protocol of Dense Wireless Network for UAV Auxiliary Communication[J]. Journal of Xidian University, 2022, 49(3):10-20.
[5]	CABALLERO J, YIN H, LIANG Z, et al. Polyglot:Automatic Extraction of Protocol Message Format Using Dynamic Binary Analysis[C]// Proceedings of the 14th ACM Conference on Computer and Communications Security. New York: ACM, 2007:317-329.
[6]	JI Y, HUANG T, MA C, et al. IMCSA:Providing Better Sequence Alignment Space for Industrial Control Protocol Reverse Engineering (2022)[J/OL].[2022-12-31]. https://www.hindawi.com/journals/scn/2022/8026280/.
[7]	YE Y, ZHANG Z, WANG F, et al. NETPLIER:Probabilistic Network Protocol Reverse Engineering from Message Traces(2021)[C/OL].[2021-03-01]. https://www.ndss-symposium.org/wp-content/uploads/ndss2021_4A-5_24531_paper.pdf.
[8]	WANG Q, SUN Z, WANG W, et al. A Practical Format and Semantic Reverse Analysis Approach for Industrial Control Protocols[J]. Security and Communication Networks, 2021, 2021:1-11.
[9]	王占丰, 程光, 马玮骏, 等. 基于网络轨迹的协议逆向技术研究进展[J]. 软件学报, 2022, 33(1):254-273.
	WANG Zhanfeng, CHENG Guang, MA Weijun, et al. Research Progress of Protocol Reverse Technology Based on Network Trajectory[J]. Software Journal, 2022, 33(1):254-273.
[10]	JIANG D, LI C, MA L, et al. ABInfer:A Novel Field Boundaries Inference Approach for Protocol Reverse Engineering[C]// 2020 IEEE 6^th International Conference on Big Data Security on Cloud.Piscataway:IEEE, 2020:19-23.
[11]	HUANG Y, SHU H, KANG F, et al. Protocol Reverse-Engineering Methods and Tools:A Survey.Computer Communications[J]. Computer Communications, 2022, 182:238-254. doi: 10.1016/j.comcom.2021.11.009
[12]	黄涛, 付安民, 季宇凯, 等. 工控协议逆向分析技术研究进展与挑战[J]. 计算机研究与发展, 2022, 59(5):1015-1034.
	HUANG Tao, FU Anmin, JI Yukai, et al. Research and Challenges of Reverse Analysis Technology of Industrial Control Protocol[J]. Computer Research and Development, 2022, 59(5):1015-1034.
[13]	FOWZE F, TIAN D, HERNANDEZ G, et al. ProXray:Protocolmodel Learning and Guided Firmware Analysis[J]. IEEE Transactions on Software Engineering, 2021, 47(9):1907-1928.
[14]	BOSSERT G, GUIHÉRY F, HIET G, et al. Towards Automated Protocol Reverse Engineering Using Semantic Information[C]// Proceedings of the 9th ACM Symposium on Information,Computer and Communications Security. New York: ACM, 2014:51-62.
[15]	KOO H, CHEN Y, LU L, et al. Compiler-Assisted Code Randomization[C]// Proceedings of 2018 IEEE Symposium on Security and Privacy.Piscataway:IEEE, 2018:461-477.
[16]	YOU W, LIANG B, SHI W, et al. TaintMan:An Art-Compatible Dynamic Taint Analysis Framework on Unmodified and Non-Rooted Android Devices[J]. IEEE Transactions on Dependable & Secure Computing, 2020, 17(1):209-222.
[17]	魏骁, 刘仁辉, 许凤凯. 基于静态二进制分析的工控协议逆向解析[J]. 计算机技术与应用, 2018, 44(3):126-130.
	WEI Xiao, LIU Renhui, XU Fengkai. Reverse Analysis of Industria Control Protocol Based on Static Binary Analysis[J]. Computer Technology and Its Applications, 2018, 44(3):126-130.
[18]	CHEN K, ZHANG N, WANG L, et al. Automatic Identification of Industrial Control Network Protocol Field Boundary Using Memory Propagation Tree[C]// Proceeding International Conference on Information and Communications Security.Berlin:Springer, 2018:551-565
[19]	LIU K, YANG M, LING Z, et al. On Manually Reverse Engineering Communication Protocols of Linux Based IoT Systems[J]. IEEE Internet of Things Journal, 2021, 8(8):6815-6827. doi: 10.1109/JIOT.2020.3036232
[20]	ZHANG W, MENG X, ZHANG Y. Dual-Track Protocol Reverse Analysis Based on Share Learning[C]// International Conference on Computer Communications.Piscataway:IEEE, 2022:51-60.
[21]	张蔚瑶, 张磊, 毛建瓴, 等. 未知协议的逆向分析与自动化测试[J]. 计算机学报, 2020, 43(4):653-667.
	ZHANG Weiyao, ZHANG Lei, MAO Jianling, et al. Reverse Analysis and Automated Testing of Unknown Protocols[J]. Journal of Computer Science, 2020, 43(4):653-667.
[22]	BEDDOE M. The Protocol Informatics Project (2020)[R/OL].[2020-12-31]. http://www.phreakocious.net/PI/PI_Toorcon.pdf.
[23]	CUI W, KANNAN J, WANG H. Discoverer:Automatic Protocol Reverse Engineering from Network Traces[C]// USENIX Security Symposium.Berkeley:USENIX, 2007:1-14.
[24]	SHEVERTALOV M, MANCORIDIS S. A Reverse Engineering Tool for Extracting Protocols of Networked Applications[C]// 14th Working Conference on Reverse Engineering.Piscataway:IEEE, 2007:229-238.
[25]	ANTUNES J, NEVES N, VERISSIMO P. Reverse Engineering of Protocols from Network Traces[C]// 2011 18th Working Conference on Reverse Engineering.Piscataway:IEEE, 2011:169-178.
[26]	KRUEGER T, KRAMER N, RIECK K. ASAP:Automatic Semantics-Aware Analysis of Network Payloads[C]// Proceedings of International Workshop on Privacy and Security Issues in Data Mining and Machine Learning.Berlin:Springer: 2010:50-63.

测试机	Intel(R) Core(TM) i7-6700 CPU @3.40GHz 8 192MB 2 400MH Windows10 professional
目标机	Intel(R) Core(TM) i7-6700 CPU @3.40GHz 8 192MB 2 400MH Windows10 professional
Modbus模拟器	ModSim32
IEC104模拟器	SimulateAnalyzer
MQTT服务器	broker.emqx.io

序号	字段	变异器策略	原有样本描述	实验结果
1	功能码	FuncMutator	01~03	01~24
2	请求数目	GetNMutator	验证字段语义	语义分析正确
3	请求地址	PosMutator	验证字段语义	语义分析正确
4	长静态字段	FieldSplitMutator	长静态字段划分	静态字段+动态字段+动态字段

序号	字段	变异器策略	原有样本描述	实验结果
1	控制字段	FuncMutator	启动命令、启动命令确认、测试命令、测试命令确认字段	额外探测到停止命令和停止命令确认的新控制域样本
2	数据长度	LenMutator	验证字段语义	语义分析正确
3	传送原因	SendReMutator	64,67	暂定01~67
4	请求地址	PosMutator	验证字段语义	语义分析正确

序号	字段	变异器策略	原有样本描述	实验结果
1	控制字段	FuncMutator	01,02,03,04,09	01,02,03,04,09
2	数据字段	DataNMutator	验证字段语义	语义分析正确
3	未知字段	PosMutator	探测字段语义	语义探测成功
4	长度字段	LenMutator	验证字段语义	语义分析正确

名称	描述
A	初始状态
B	连接成功状态
C	数据传输状态
D	等待测试

Industrial control protocol reverse analysis based on active interactive learning

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 11

References 26

Related Articles 15

Metrics

Comments

Recommended 10

类型	新探测结果	描述
新状态	E	在没连接成功下对服务器端传输数据传输指令,服务端不给响应报文,且后续的连接报文被判定为已有TCP连接,无法建立连接,探测出新状态E
新状态转化序列	A->E	新的状态转化序列,A->E,在A状态发送数据传输报文
	B->B	新的状态转化序列,B->B,在B的状态下,再次发送建立连接和数据传输报文,探测出B->B的状态转化序列
	B->E	新的状态序列,B->E,在B的状态下发送I格式报文,然后发送请求数据传输的报文,出现状态E
	C->C	新的状态转化,C->C,在C的状态下,发送数据传输报文命令,一直发送,响应正常,都处于C状态
	A->E	新的状态转化序列,A->E,在A状态发送测试请求报文
功能码依赖	具有一定的功能码依赖	达到D状态需要在C状态的情况下,达到C状态需要在B的状态下

类型	新探测结果	描述
新状态转化序列	A->A	新的状态转化序列,A->A,在A状态下与服务器端建立连接失败或服务端连续收到两个连接报文
	A-A	新的状态转化序列,A ->A,在A的状态下,不建立连接直接发送发布报文给服务器端
	B->C	新的状态序列,B->C,在B的状态下,一个心跳间隔内,没有收到服务器端的心跳反馈,进入C状态
控制字段依赖	具有控制字段依赖	达到B状态需要在A状态的情况下,达到C状态需要在B的状态下

[1]	ZHANG Yue,CHEN Qingwang,LIU Baoxu,YU Cunwei,TAN Ru,ZHANG Fangjiao. Research on cloud native API attack trapping technology [J]. Journal of Xidian University, 2023, 50(4): 237-248.
[2]	PAN Senshan,XU Lamei. DorChain:Utilization of dormant coins to improve the transaction verification efficiency [J]. Journal of Xidian University, 2022, 49(2): 182-189.
[3]	SHEN Lixiang,MU Dejun,CAO Guo,XIE Guangqian,SHU Fangyong. Constructing formal verification models for hardware Trojans [J]. Journal of Xidian University, 2021, 48(3): 146-153.
[4]	CHAI Yanna,LI Kunlun,SONG Huansheng. On the security of the intrusion detection system in smart vehicles [J]. Journal of Xidian University, 2021, 48(3): 31-39.
[5]	LÜ Yi,ZHU Bo,WU Dapeng. Video multipath transmission mechanism with load balancing in the FiWi network [J]. Journal of Xidian University, 2021, 48(3): 63-70.
[6]	LIU Huayuan,SU Yunfei,LI Ruilin,TANG Chaojing. Structure-statebased graybox Fuzzing technique [J]. Journal of Xidian University, 2021, 48(1): 117-123.
[7]	ZHANG Lu,MU Dejun,HU Wei,TAI Yu. High-level synthesis design flow for power side-channel security [J]. Journal of Xidian University, 2020, 47(4): 64-69.
[8]	ZHANG Shubo,REN Shuxia,WU Tao. Improved spectral clustering community detection algorithm by combining the probability matrix [J]. Journal of Xidian University, 2019, 46(3): 167-172.
[9]	DONG Shouling;SU Menghui;LIN Xiangxin;LI Jia . Auto seed selection and discovery algorithm for IPv6 campus network topology [J]. J4, 2015, 42(2): 116-121.
[10]	WANG Yequn;YE Xiangyang;QI Yunjun;HUANG Guoce;ZHANG Hengyang. Adaptive mechanism for the frequency hopping MAC [J]. J4, 2013, 40(5): 78-85.
[11]	ZHANG Changli;HOU Ronghui. Topological graph based tag semantic relatedness measure for social tagging systems [J]. J4, 2012, 39(3): 196-201.
[12]	REN Fang1;MA Jianfeng1,2;HAO Xuanwen1. Attribute-based access control scheme for the perceptive layer of the Internet of Things [J]. J4, 2012, 39(2): 66-72.
[13]	TANG Di;YANG Xiaoniu;LI Jiandong. Secure routing protocol based on probability in sensor networks [J]. J4, 2011, 38(6): 1-7.
[14]	SU Ruidan;DING Zhenguo;ZHOU Lihua. Practical Web-oriented fair non-repudiation protocol [J]. J4, 2011, 38(5): 85-89.
[15]	ZHOU Ye-jun;LI Hui;MA Jian-fen. Random network coding against the eavesdropping adversaries [J]. J4, 2009, 36(4): 696-701.