The overall security of an information system depends not only on the strength of its cryptographic algorithms but also on the security protocols the system adopts. This project studies the key theory and techniques of security protocol reverse engineering and session instance reconstruction. It aims to solve the problem of online monitoring of security protocols at key nodes of an information system, and so to provide real-time, online assurance while those protocols run. Because security protocols contain encrypted data fields, the data available for this task is dispersed, incomplete and hard to describe precisely. To address these problems, the project pursues breakthroughs in four directions:
1) a unified description language for security protocol feature items, together with an ontology framework for the identified feature items, so that heterogeneous data (features of a protocol's network trace, of a program's execution trace, and of the protocol entities) can be described uniformly;
2) the correlation and temporal relationship between protocol network behaviour and program execution behaviour, so that protocol-related data can be obtained and used as completely as possible; since many kinds of feature items are not mutually independent, redundant and irrelevant items are to be recognised and removed from the feature subset by an optimal selection method;
3) a security protocol state machine reverse engineering method based on grey system theory, to solve the reverse engineering problem systematically under uncertain, incomplete and data-poor conditions;
4) session instance reconstruction for security protocols that combines network trace data with program execution trace data, since network trace data alone is clearly not sufficient to reconstruct a protocol instance; this lays the theoretical and technical basis for online monitoring of security protocols.
Online security analysis of cryptographic protocols in real network environments has become a pressing problem. Cryptographic protocol identification and session instance reconstruction are the prerequisite and foundation of such online analysis. This project carried out in-depth research on the key techniques of both.
1. For the unified description of the different kinds of cryptographic protocol feature items, a feature-item ontology framework was built with the Methontology method, providing the basis for protocol identification and session instance reconstruction.
2. For extracting specification features of cryptographic protocols, a feature-item instantiation method, CPSEA, was proposed. It has three stages: to extract keyword sequence features with temporal relations from a set of protocol sequences, a keyword extraction method based on sequential pattern mining; to exploit ciphertext information fully, a ciphertext-field identification method based on entropy estimation, which relies on the randomness of ciphertext; and, using the extracted message format features, a Prospex-based algorithm for extracting the temporal behaviour features of cryptographic protocols, which characterises their behavioural relations.
3. To improve identification based on statistical features, a new semi-supervised subspace-clustering statistical feature weighting algorithm (SFWA) was proposed to solve the feature weighting problem. SFWA converts labelled sample flows into pairwise constraints to obtain prior constraint conditions, and builds a mapping between clusters and protocol types to obtain the weight coefficient of each protocol feature.
4. For online identification of cryptographic protocols, a rule-based identification method was proposed, giving identification rules and identification strategies and, on that basis, an identification algorithm. Results show that the method identifies known protocols well, learns new protocol types, and effectively solves the protocol identification problem.
5. For reconstructing sessions of multi-party cryptographic protocols whose messages are distributed over several related flows, a session instance reconstruction method based on principal behaviour was proposed, providing key technical support for online security analysis. Based on three heuristic principal-behaviour features (adjacent-host behaviour, principal-role behaviour and host-message behaviour), a multi-party cryptographic protocol session instance reconstruction algorithm was proposed.
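The entropy-estimation step in item 2 can be shown with a small stand-alone program. The following is an added example, not the project's CPSEA code: it scores fixed-size blocks of a message by Shannon entropy and reports runs of high-entropy blocks as candidate ciphertext fields. The block size (32 bytes), the threshold (4.6 bits/byte), the block-aligned message layout and the sample message are all this example's own assumptions; the "ciphertext" is a constructed byte permutation rather than real cipher output.

```python
"""Entropy-based ciphertext-field identification (added example, not the project's code).

Splits a protocol message into fixed-size blocks, estimates the Shannon entropy
of each block, and reports runs of blocks whose bytes look random, i.e. like
ciphertext, a key or a nonce.  Block size, threshold and sample data are this
example's own assumptions.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_ciphertext_fields(msg: bytes, block: int = 32, threshold: float = 4.6):
    """Return [(start, end), ...] byte ranges (end exclusive) that look encrypted.

    A 32-byte block of uniformly random bytes usually holds 28-32 distinct
    values and scores roughly 4.75-5.0 bits/byte; a block of ASCII protocol
    text with spaces and repeated letters rarely exceeds ~4.5, so 4.6 separates
    the two.  Consecutive high-entropy blocks are merged into one field.
    Boundaries are only block-accurate: a field that does not begin on a block
    boundary is widened to the block edge if the mixed block still scores high,
    or narrowed if it does not.
    """
    fields = []
    start = None
    for off in range(0, len(msg), block):
        chunk = msg[off:off + block]
        # A partial trailing block with fewer than 2**4.6 ~= 25 bytes cannot
        # reach the threshold, so it is never flagged on its own.
        high = shannon_entropy(chunk) >= threshold
        if high and start is None:
            start = off
        elif not high and start is not None:
            fields.append((start, off))
            start = None
    if start is not None:
        fields.append((start, len(msg)))
    return fields


# --- constructed sample message (no real protocol) -------------------------
# 32-byte plaintext header, a 64-byte stand-in for ciphertext, 6-byte trailer.
# The "ciphertext" is the byte permutation (37*i + 11) mod 256, so every 32-byte
# block of it has 32 distinct values (exactly 5.0 bits/byte).  Real ciphertext
# would score a little lower but still well above the threshold.
HEADER = b"KEYX/1.0 INIT from=alice to=bob "
CIPHERTEXT = bytes((37 * i + 11) % 256 for i in range(64))
TRAILER = b" END\r\n"
SAMPLE_MSG = HEADER + CIPHERTEXT + TRAILER


def demo():
    """Detected fields for the sample message and two low-entropy controls."""
    return {
        "sample": find_ciphertext_fields(SAMPLE_MSG),          # [(32, 96)]
        "plain": find_ciphertext_fields(b"KEYX/1.0 HELLO from=alice to=bob\r\n"),
        "padding": find_ciphertext_fields(b"\x00" * 96),       # uniform, not random
    }


if __name__ == "__main__":
    for name, fields in demo().items():
        print(name, fields)
```

Two caveats a practitioner should keep in mind: compressed, base64-encoded or already-hashed fields are also high-entropy and will be flagged by this test alone, so the method is a candidate generator that the keyword and message-format features of the other stages must confirm; and the block granularity means a short nonce embedded in text is missed unless the block size is reduced, which in turn narrows the entropy gap between random and text blocks.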
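The multi-party session reconstruction in item 5 groups flows that belong to one protocol run. The program below is an added example, not the project's algorithm: it turns the three heuristic feature names (adjacent-host, principal-role, host-message behaviour) into three concrete pair rules, which are this example's own reading of those names, and joins the flows that satisfy all three with union-find. The `Flow` record, the `MAX_GAP` idle limit and the sample flows are constructed for illustration.

```python
"""Multi-party session instance reconstruction from related flows (added example).

The rules below are this example's own interpretation of the project's three
heuristic principal-behaviour features, not its published algorithm:
  * adjacent host : two flows can belong together only if they share a host;
  * principal role: the shared host must initiate at least one of the two flows
                    (a host that merely responds in both, e.g. a KDC serving two
                    unrelated clients, does not link them);
  * host message  : the later flow must start no more than MAX_GAP seconds
                    after the earlier flow's last message.
Flows satisfying all three are joined with union-find; each resulting group is
one session instance.
"""
from dataclasses import dataclass
from itertools import combinations

MAX_GAP = 5.0  # seconds; assumed idle limit between chained flows


@dataclass(frozen=True)
class Flow:
    fid: str
    initiator: str   # host that sent the first message of the flow
    responder: str
    t_first: float   # time of the first message
    t_last: float    # time of the last message

    def hosts(self):
        return {self.initiator, self.responder}


def related(a: Flow, b: Flow, max_gap: float = MAX_GAP) -> bool:
    """Apply the three heuristics to one pair of flows."""
    shared = a.hosts() & b.hosts()
    if not shared:                                               # adjacent-host
        return False
    if not any(h in (a.initiator, b.initiator) for h in shared):  # principal-role
        return False
    earlier, later = sorted((a, b), key=lambda f: f.t_first)
    return later.t_first <= earlier.t_last + max_gap            # host-message timing


def reconstruct_sessions(flows, max_gap: float = MAX_GAP):
    """Group flows into session instances; returns a sorted list of sorted fid lists."""
    parent = {f.fid: f.fid for f in flows}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in combinations(flows, 2):
        if related(a, b, max_gap):
            parent[find(a.fid)] = find(b.fid)

    groups = {}
    for f in flows:
        groups.setdefault(find(f.fid), []).append(f.fid)
    return sorted(sorted(g) for g in groups.values())


# Constructed flows (no real capture): two runs of a three-party protocol
# (client -> KDC, then client -> peer, then peer -> KDC) plus a much later
# repeat between the same two hosts that must not be merged into the first run.
SAMPLE_FLOWS = [
    Flow("f1", "alice", "kdc", 0.0, 2.0),
    Flow("f2", "alice", "bob", 3.0, 10.0),
    Flow("f3", "bob", "kdc", 4.0, 5.0),
    Flow("f4", "carol", "kdc", 1.0, 2.0),
    Flow("f5", "carol", "dave", 3.0, 8.0),
    Flow("f6", "alice", "bob", 60.0, 65.0),
]

if __name__ == "__main__":
    for session in reconstruct_sessions(SAMPLE_FLOWS):
        print(session)   # ['f1', 'f2', 'f3'], ['f4', 'f5'], ['f6']
```

The principal-role rule is what keeps the two concurrent runs apart: f1 and f4 both terminate at the KDC, but the KDC only responds in each, so sharing it is not evidence of one session. The timing rule separates f6 from f2 even though the hosts are identical; raising `max_gap` merges them, which shows why the idle limit should be derived from the protocol's observed message timing rather than chosen by hand.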
Data updated: 2023-05-31
A survey of user alignment techniques across social networks
Hardware Trojans: research progress on key problems and new trends
Task scheduling methods for cloud workflow security
Evaluation of passenger evacuation capacity of urban rail transit stations under fire conditions
Failure probability analysis of shale gas wellhead equipment based on an FTA-BN model
Research on reverse analysis and security evaluation methods for security protocol implementations
A dialogue-type instance corpus and a Japanese-Chinese translation system model built on it
Research on cryptographic reverse firewall techniques for several fundamental protocols
Research on several key problems of secure outsourced computation protocols