多通道多参与方协议的逆向工程方法研究

The multi-channel and multi-participant protocol (MCMP protocol) is the core protocol used by multi-participant application, such as social software and online game, to coordinate the concurrent spatial-temporal interaction behavior between each participant, while the reverse engineering of MCMP protocols is the key technique to reveal the network behavior and hidden security threats of unknown network application. However, existing reverse engineering methods are difficult to accurately identify the traffic of MCMP protocols, less effectively to reverse engineer the message formats of MCMP protocols and unable to analysis of the concurrent spatial-temporal interaction. In order to address this problem, we are aim to propose method for the MCMP protocol reverse engineering to reconstruct the specification of MCMP protocol. In this project, we will conduct the following researches: 1) Analyzing the group behavior of network participants to solve the problem of identifying traffic and participant of MCMP protocol. 2) Identifying message field in MCMP protocol as well as analyzing the structure relation between fields and determining the association attributes of message fields. 3) Modeling state machine of multi-participant protocol to infer a MCMP protocol state machine by proposing a spatial-temporal Hidden semi-Markov model (ST-HSMM) for spatial-temporal sequence analysis and analyzing the transition relationship of spatial-temporal state between each participant of MCMP protocol. This project provides a critical theoretical and technical basis for new generation of network security applications, such as traffic engineering and active defense in mobile internet.

多通道多参与方协议（简称“MCMP协议”）是社交软件、网络游戏等具有多参与方的网络应用所采用的最核心协议，能协调各参与者的时空并发的交互行为，而MCMP协议逆向工程是揭示未知应用网络行为、挖掘潜在安全威胁的关键技术。但现有方法存在MCMP协议识别不准确、报文格式还原效果不理想和时空交互行为分析难度大等问题。为此，本项目研究MCMP协议的逆向分析方法，实现重构其协议规范的目标。主要内容包括：1）研究参与方群体行为分析方法，解决MCMP协议流量及参与方的识别难题；2）研究MCMP协议的字段识别方法，分析字段结构关系和字段间关联属性；3）研究多方交互的协议状态机建模方法，在提出面向时空序列的时空隐半马尔可夫模型（ST-HSMM）的基础上，分析协议参与方之间的时空状态转移关系，推导MCMP协议状态机。本项目将为移动互联网流量工程和主动防御等网络与安全应用提供关键的理论依据和技术基础。

本项目围绕多通道多参与方协议(“MCMP协议”)逆向工程问题，研究了MCMP协议逆向分析的若干关键技术，以及在MCMP网络应用中的运用方法。具体研究内容包括：1）提出一种基于统计特征的报文字段划分和字段类型推断方法，自动重构协议报文格式，为协议报文的自动解析和识别提供依据；2）基于社团模型分析以信息为中心的网络(ICN)的缓存协议交互行为模型，提出基于社团角色的ICN缓存协议行为决策策略；3）研究并行服务功能链（SFC）资源需求与虚拟化服务器的服务偏好之间的交互行为，提出网络功能虚拟化资源优化配置算法，达到提高资源利用率的目的；4）研究SFC资源竞争行为建模方法及其在并发SFC资源优化配置问题中的应用，构建了基于整数线性规划的并发SFC资源竞争行为模型，并提出了基于节点瓶颈状态的协作启发式SFC部署算法。大量实验仿真表明，本项目提出的算法能有效的解决MCMP协议逆向分析、建模问题，并具有很好的应用效果。