Citation: ZHU Yuna, HAN Jihong, YUAN Lin, GU Wen, FAN Yudan. Protocol Ciphertext Field Identification by Entropy Estimating[J]. Journal of Electronics & Information Technology, 2016, 38(8): 1865-1871. doi: 10.11999/JEIT151205
CABALLERO J, YIN H, LIANG Zhenkai, et al. Polyglot: automatic extraction of protocol message format using dynamic binary analysis[C]. Proceedings of the 14th ACM Conference on Computer and Communications Security, New York: 2007: 317-329. doi: 10.1145/1315245.1315286.
CUI Weidong, PEINADO M, CHEN K, et al. Automatic reverse engineering of input format[P]. USA, 8935677 B2, 2015-1-13.
WANG Zhi, JIANG Xuxian, CUI Weidong, et al. ReFormat: Automatic reverse engineering of encrypted messages[C]. European Symposium on Research in Computer Security, Berlin, 2009: 200-215. doi: 10.1007/978-3-642-04444-1_13.
CABALLERO J, POOSANKAM P, KREIBICH C, et al. Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering[C]. Proceedings of the 16th ACM Conference on Computer and Communications Security, New York, 2009: 621-634. doi: 10.1145/1653662.1653737.
CABALLERO J and SONG D. Automatic protocol reverse-engineering: message format extraction and field semantics inference[J]. Computer Network, 2013, 57(2): 451-474. doi: 10.1016/j.comnet.2012.08.003.
CUI Weidong, KANNAN J, and WANG H J. Discoverer: Automatic protocol reverse engineering from network traces[C]. Proceedings of the 16th USENIX Security Symposium, Berkeley, 2007: 199-212.
LI Min and YU Shunzheng. Noise-tolerant and optimal segmentation of message formats for unknown application-layer protocols[J]. Journal of Software, 2013, 24(3): 604-617. doi: 10.3724/SP.J.1001.2013.04243.
LUO Jianzhen and YU Shunzheng. Position-based automatic reverse engineering of network protocols[J]. Journal of Network and Computer Applications, 2013, 36(3): 1070-1077. doi: 10.1016/j.jnca.2013.01.013.
ZHANG Zhuo, ZHANG Zhibin, Lee P P C, et al. Toward unsupervised protocol feature word extraction[J]. IEEE Journal on Selected Areas in Communications, 2014, 32(10): 1894-1906. doi: 10.1109/JSAC.2014.2358857.
BOSSERT G, GUIHRY F, and HIET G. Towards automated protocol reverse engineering using semantic information[C]. Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, Kyoto, 2014: 51-62. doi: 10.1145/2590296.2590346.
KUMANO Y, ATA S, NAKAMURA N, et al. Towards real-time processing for application identification of encrypted traffic[C]. International Conference on Computing, Networking and Communications, Honolulu, HI, 2014: 136-140. doi: 10.1109/ICCNC.2014.6785319.
ZHAO Bo, GUO Hong, LIU Qinrang, et al. Protocol independent identification of encrypted traffic based on weighted cumulative sum test[J]. Journal of Software, 2013, 24(6): 1334-1345. doi: 10.3724/SP.J.1001.2013.04279.
OLIVAIN J and GOUBAULT-LARRECQ J. Detecting subverted cryptographic protocols by entropy checking[R]. LSV-06-13, 2006.
BONFIGLIO D, MELLIA M, MEO M, et al. Revealing Skype traffic: when randomness plays with you[C]. Proceedings of the ACM SIGCOMM Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, Kyoto, 2007: 37-48. doi: 10.1145/1282380.1282386.
PANINSKI L. A coincidence-based test for uniformity given very sparsely sampled discrete data[J]. IEEE Transactions on Information Theory, 2008, 54(10): 4750-4755. doi: 10.1109/TIT.2008.928987.
PIRONTI A, POZZA D, and SISTO R. Spi2Java User Manual-Version 3.1[R]. Turin: Piedmont: Italy, Polytechnic University of Turin, 2008.
ACETO G, DAINOTTI A, DONATO W, et al. PortLoad: taking the best of two worlds in traffic classification[C]. Proceedings of IEEE International Conference on Computer Communications, San Diego, CA, 2010: 1-5. doi: 10.1109/INFCOMW.2010.5466645.