Chang-Ting Lin,Chunming Wu,Min Huang,Zhenyu Wen,Qiumei Cheng

DOI: https://doi.org/10.1109/SRDSW.2016.21

2016-01-01

Abstract:IP address mutation is a proactive defense method that is used to reduce the risk of network attacks, especially to deal with the worm propagation attacks. However, previous work did not give much consideration to the negative effects that IP address mutation could bring to network performance. To be specific, there is a trade-off between network performance and security, which implies that when a security mechanism is reinforced, network performance would be impaired and vice versa. Therefore, in order to achieve the optimal balance between performance and security, an optimal solution should be provided. In this paper, we propose an adaptive IP mutation defense method which is based on temporal-dimension, to dynamically control the mutation interval according to real-time measurable metrics, assurance and avoidance. This method leverages a genetic algorithm to achieve the optimization of performance-security trade-off. We then evaluate our method in a simulated computer cluster environment, including 1024 hosts, and demonstrate that our method can successfully find the optimal solution according to the experimental results. For example, it can reduce the worm propagation significantly, while maintaining the network performance in a predefined level.

xing han,qiaoyan wen,zhao zhang

DOI: https://doi.org/10.1109/ICCSNT.2012.6526099

2012-01-01

Abstract:Mutation-based fuzz testing is a very effective approach to improve the security and reliability of protocol implementations, however, present mutation-based fuzzing technique is only effective on one field at one time, and not effective on multiple fields. What's more, there are not effective tools on fuzzing protocols based on MAC Layer. This paper presents an efficient mutation-based approach based on RATM model for multi-fields fuzzing test, which analysis the relationship among the protocol fields and the influence relationship of the fields collected. Based on these relationships, it can directly mutate corresponding testing case that might trigger the suspect vulnerabilities. And also by analyzing the results of testing, it changes the parameters of RATM to improve the quality of testing cases; besides, our methods could also fuzz protocol implementations based on MAC layer very effectively. Moreover, we design a testing framework to validate the effectiveness of RATM. We applied our approach to compare with peach on several protocol implementations and the results showed that our approach can find flaws of protocol implementation in one field and also multiple fields very effectively.

章志燮,周颢,赵保华

DOI: https://doi.org/10.3321/j.issn:0253-987x.2009.12.003

2009-01-01

Abstract:A new protocol security testing method is proposed based on a fault model.The method utilizes the mutation analysis based on the specification of constructed type algebra.Mutant operators are designed to restrict the possible fault sets in protocol;then mutants are generated and equivalent mutants are deleted;and test cases are finally constructed based on resulting mutants.Compared with existing methods,the proposed method can effectively solve several problems in current protocol security testing,such as neglecting the protocol dataflow,infinite fault sets,the lack of the mechanism to judge results,and so on.It is beneficial to the quantification and appraisal of testing to limit the possible fault sets of protocol.The method can pointedly be used to construct test cases and to judge test results,and improves testing capacity.

Shijia Gu,Weihai Li,Xin Zhao

DOI: https://doi.org/10.1109/VETECF.2011.6092833

2011-01-01

Abstract:Protocol plays a profound role among networked computers in security issues. With the development of computer network engineering, protocol has become increasingly intricate in both data format and interaction behavior, which means that more potential defects exist in protocol software implementations. These factors make protocol vulnerable to malicious attacks and raise the security requirements to an ever high level. After over ten-year progress, however, the vulnerability testing methods have not been unified to an agreement. Especially, the problems in automated test cases generation remain to be solved. This paper proposes a novel brute force vulnerability testing technique, generating test data by mutating captured protocol messages. And to formalize the perturbing process, regular expression is introduced into the approach for constructing test case templates. In addition, a multi-protocol test tool called PVD is developed to implement the test system architecture. Finally, the authors carry on a complete vulnerability testing campaign on Asterisk 1.4 SIP (Session Initiation Protocol) server, as the result, finding a number of protocol defects and achieving fairly efficient test results.

Zhao Zhang,Qiao-Yan Wen,Wen Tang

DOI: https://doi.org/10.1109/csss.2012.208

2012-01-01

Abstract:Security flaws existed in protocol implementations might be exploited by malicious attackers and the consequences can be very serious. Therefore, detecting vulnerabilities of network protocol implementations is becoming a hot research topic recently. However, protocol security test is a very complex, challenging and error-prone task, as constructing test packets manually or randomly are not practical. This paper presents an efficient mutation-based approach for detecting implementation flaws of network protocol. Compared with other protocol testing tools, our approach divides the procedure of protocol testing into many phases, and flexible design can cover many testing cases for the protocol implementations under testing, and could apply for testing various protocol implementations quite easily. Besides, this approach is more comprehensible that makes the protocol security test easier to carry out. To assess the usefulness of this approach, several experiments are performed on four FTP server implementations and the results showed that our approach can find flaws of protocol implementation very easily. The method is of the important application value and can improve the security of network protocols.

Yipeng Wang,Xiaochun Yun,Yongzheng Zhang,Liwei Chen,Tianning Zang

DOI: https://doi.org/10.1016/j.comnet.2017.09.006

IF: 5.493

2017-01-01

Computer Networks

Abstract:Protocol traffic analysis is a fundamental problem regarding a variety of networking and security applications, such as intrusion detection and prevention systems, network management systems, and protocol specification parsers. In this paper, we propose ProHacker, a nonparametric approach that extracts robust and accurate protocol keywords from the byte sequences generated by an application protocol, and effectively identifies the protocol trace from mixed Internet traffic. ProHacker is based on the key insight that the n-grams of protocol traces have highly predictable statistical nature that can be effectively captured by statistical language models and be leveraged for robust and accurate protocol identification. In ProHacker, we first extract protocol keywords using a nonparametric Bayesian statistical model, and then use the corresponding protocol keywords to classify protocol traces by a semi-supervised learning algorithm. We implement and evaluate ProHacker on real-world traces, and our experimental results show that ProHacker can accurately identify the protocol trace with an average precision of about 99.4% and an average recall of about 99.28%. We compare the results of ProHacker to one state-of-the-art approach, ProWord, and one our previous work, Securitas, using backbone traffic. We note that ProHacker provides significant improvements on precision and recall for online protocol identification.

Yipeng Wang,Xiaochun Yun,Yongzheng Zhang

DOI: https://doi.org/10.1109/icnp.2015.43

2015-01-01

Abstract:Protocol traffic analysis is important for a variety of networking and security infrastructures, such as intrusion detection and prevention systems, network management systems, and protocol specification parsers. In this paper, we propose ProHacker, a nonparametric approach that extracts robust and accurate protocol keywords from network traces and effectively identifies the protocol trace from mixed Internet traffic. ProHacker is based on the key insight that the n-grams of protocol traces have highly predictable statistical nature that can be effectively captured by statistical language models and leveraged for robust and accurate protocol identification. In ProHacker, we first extract protocol keywords using a nonparametric Bayesian statistical model, and then use the corresponding protocol keywords to classify protocol traces by a semi-supervised learning algorithm. We implement and evaluate ProHacker on real-world traces, including SMTP, FTP, PPLive, SopCast, and PPStream, and our experimental results show that ProHacker can accurately identify the protocol trace with an average precision of about 99.42% and an average recall of about 98.64%. We also compare the results of ProHacker to two state-of-the-art approaches ProWord and Securitas using backbone traffic. We show that ProHacker provides significant improvements on precision and recall for online protocol identification.

Chuanming Jing,Zhiliang Wang,Xingang Shi,Xia Yin,Jianping Wu

DOI: https://doi.org/10.1109/AINA.2008.98

2008-01-01

Abstract:The critical requirement on reliability, fault-tolerance and security of network devices highlights the necessity of protocol robustness testing. Mutation testing of protocol messages is an important part of robustness testing, but related theory and practices are not well developed. This paper builds a NFSM model for mutation testing of protocol messages and proposes two types of normal-verification sequence to enhance verdict mechanism. For single-field mutation testing of protocol messages, we propose the concept of compound anomalous test case to further simplify test sequences. As a standard test specification language, TTCN-3 reveals strong excellence in conformance testing, so we apply TTCN-3 to mutation testing and extend it according to test requirements. Using our method we test OSPFv2 sufficiently with a test system based on extended TTCN-3. The results indicate that our method has good capability of error-finding.

WANG Zhiqiang,ZHANG Yuqing,LIU Qixu,HUANG Tingpei

DOI: https://doi.org/10.3969/j.issn.1001-2400.2015.04.004

2015-01-01

Abstract:An algorithm for discovering SNMP protocol vulnerabilities is proposed , which solves several problems including single and one‐dimensional strategies of constructing test cases , lack of the exception monitor and debugger or inapplicability of the network and SNMP‐related software . First , by analyzing the SNM P RFC specification , the algorithm adopts the generation strategy for constructing test cases . Second , the mutation strategy is adopted to construct test cases on the basis of known information about SNMP vulnerabilities and the previous malformed data . According to the algorithm , a tool named tje SRPFuzzer is developed for bug hunting . Finally , an experiment is done on routers and software , including the Cisco router , wireshark and so on . Four groups of vulnerabilities are found , which verifies the SRPFuzzer's validity . Meanwhile , comparing with the PROTOS and other 3 tools , the SRPFuzzer is superior to these tools at test case construction , monitoring , debugging , bug hunting ability and so on .

Liang Hu,Kuo Tang,Yu Ku,Kuo Zhao

DOI: https://doi.org/10.4156/jcit.vol5.issue3.13

2010-01-01

Abstract:With the development of high-speed network technique and increasing volume of network traffic, traditional pattern matching method can’t adapt to the new challenges to intrusion detection. To solve this, protocol analysis is introduced into the procedure of intrusion detection, and it has advantages such as the capability of detailed command parsing, attack detection and protocol acknowledgement against fragment attacks, the lower false positives and high performance. By the integration with pattern matching, intrusion detection technology based on protocol analysis may significantly reduce the amount of computation and improve the efficiency of packet analysis as well as the detection rates.

Yuelei XIAO,Zhixiang ZHU,Yong ZHANG

DOI: https://doi.org/10.13682/j.issn.2095-6533.2015.05.003

2015-01-01

Abstract:By analyzing the process of security protocols,the definition of driving module (DM) is introduced,and then regular and penetrator DMs are formed according to the Strand Space Model (SSM).Based on this,a DM-based model checking method is proposed.Theoretical analysis indicates that this method is prefect in terms of searching breadth and depth,and can avoid the state space explosion problem.Therefore,this method can be used not only to get the attack scenarios of a flawed security protocol,but also to prove that an unflawed security protocol is secure.Moreover,the Otway-Rees protocol and the TLS protocol are analyzed based on this method.As a result,various attack scenarios of the Otway-Rees protocol are discovered and two secure improved Otway-Rees protocols are put forward,and therefore the TLS protocol is proved to be secure.

Shameng Wen,Qingkun Meng,Chao Feng,Chaojing Tang

DOI: https://doi.org/10.1371/journal.pone.0186188

IF: 3.7

2017-10-19

PLoS ONE

Abstract:Network protocol vulnerability detection plays an important role in many domains, including protocol security analysis, application security, and network intrusion detection. In this study, by analyzing the general fuzzing method of network protocols, we propose a novel approach that combines network traffic analysis with the binary reverse engineering method. For network traffic analysis, the block-based protocol description language is introduced to construct test scripts, while the binary reverse engineering method employs the genetic algorithm with a fitness function designed to focus on code coverage. This combination leads to a substantial improvement in fuzz testing for network protocols. We build a prototype system and use it to test several real-world network protocol implementations. The experimental results show that the proposed approach detects vulnerabilities more efficiently and effectively than general fuzzing methods such as SPIKE.

Kuo Zhao,Jianfeng Chu,Xilong Che,Lin,Liang Hu

DOI: https://doi.org/10.1109/iwasid.2008.4688401

2008-01-01

Abstract:With the increasing network security accidents, intrusion detection systems (IDS) have been an indispensable part of information system. As a popular light network intrusion detection system, Snort has been a focus in research field. In this paper, dynamic adjustment algorithm is applied to the improvement of rule matching based on the analysis of original mechanism of Snort. Additionally, further optimization is discussed against the problem of simple dynamic adjustment, and improved two step dynamic rule adjustment algorithm is provided. Experiment results show that this method increases the speed of rules matching and improve the detection efficiency of Snort.

杨小平,苏静

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.02.035

2004-01-01

Abstract:In this article we present a new Intrusion Detection Method using protocol analysis and command parsing technology to accurately capture the character of intrusions based on the characteristic of protocol architecture.According to our test results,the technology greatly improves the performance of IDS and reduces the misapprehensive and transudatory rates.

YANG Jin,LIU Xiao-jie,LI Tao

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.17.013

2007-01-01

Abstract:Aiming at the deficiencies of current mutation algorithm based on artificial immune system,such as fault positive is high and the efficiency is very low,an improved evolution optimization with mutation algorithm is proposed.This new algorithm introduces evolution operator into the mutation rule during the cells mutation process to improve the detection efficiency and to overcome the shortcoming of the local optimum. And the concepts and formal definitions of self/non-self are given,mature-lymphocyte lifecycle,and affinity accumulation process are presented. Experimental results show that when the k set about 40 with the parameter adapted,the TP value can be stabilized on 95%.And the algorithm greatly enhances the response rate and precision of detection and the proposed model has the features of real-time processing,self-adaptively,thus providing a promising solution for intrusion detection.

Bo Huang,Qiaoyan Wen

DOI: https://doi.org/10.1109/ICCSNT.2011.6182047

2012-01-01

Abstract:Nowadays more fuzz testing research mainly focuses on some certain phase and on some certain protocol, there is not an research on integrated system realization has been emerged. This paper presents the idea of an automated fuzz testing method for all protocols. First it adopted Finite State Machine (FSM) model in fuzz testing, and after a FSM constructed an efficient algorithm is presented for state space reduction. Last it selected every sequence for the mutation test. In this method, the FSM is created by program other than mannual work that make the fuzz testing automated and suit for all protocols.

Weiming Li,Meirong Ai,Bo Jin

DOI: https://doi.org/10.1007/978-3-319-42291-6_58

2016-01-01

Abstract:Automatic network protocol reverse engineering is very important for many network applications such as fuzz testing and intrusion detection. Since sequences alignment on network traces is limited by the lack of semantic information, recent researches focus on dynamic taint analysis. But current dynamic taint based methods need heuristics rules to handle different network protocols which make them too complex to run automatically and efficiently. Our approach is inspired by the observation that different fields of network protocol message are processed in different execution path of the binary application, while the bytes of same message field are processed by highly similar instructions sequence. After analyzing the similarity of dynamic taint propagation and adjusting boundaries according to keywords and separators, we can identify the field boundaries not only accurately but also fully automatically. Evaluated by real-world protocol implementations (FTP, HTTP, DNS, etc.), the result shows our method is more accurate and simpler than exist methods.

梁文,曹先彬,张四海,王煦法

DOI: https://doi.org/10.3969/j.issn.1000-1220.2005.01.005

2005-01-01

Abstract:Immune network intrusion system is a new approach of anomaly detection and it detects relatively infinite foreign antigens using finite detectors. Cur rent work recognizes unknown antigens by traditional evolution methods but the e xperiment result is not satisfying. This paper points that particularity of NIDS requires many detectors rather than several best ones. Inspired by affinity mut ation mechanism in the biological immune system this paper proposes an immune re cognition method, in which polymorphism is introduced. Experiments results show that this model suits NID well and has excellent ability of recognizing unknown intrusion patterns.

Wen Tang,Aifen Sui,Wolfgang H A Schmid

DOI: https://doi.org/10.1109/ICCT.2011.6157962

2011-01-01

Abstract:Our modern society is increasingly depending on information and communication systems. This demands a high level of security and robustness on the implementations of network protocols. This paper presents a model-guided approach to discover security vulnerabilities of network protocol implementations. Our approach, resulted in security tool "Styx", introduces mutation analysis and model checking into fuzz testing and provides a synthesized protocol security testing. And it not only can perform syntax testing on the input data validation component of protocol implementations, but also is able to model the behaviors of a protocol and automatically generate test traces for the verification of its internal implemented functions. To proof the concept, experiments with the open source implementation of IKE/ISAKMP have also been provided. The results show that Styx can effectively be used to discover security vulnerabilities from network protocol implementations. © 2011 IEEE.

YU Zhi-hong,ZHAO Kuo,HU Liang

DOI: https://doi.org/10.3969/j.issn.1671-5896.2008.02.009

2008-01-01

Abstract:Because there are some problems for traditional pattern matching detection technique such as high strength!computations,low detection rates and high false alarm rates an intelligent matching for intrusion detection rules based on protocol analysis is proposed.And this technique aims at detecting attacks by the means of high regularity of TCP/IP(Transmission Control Protocol/Internet Protocol),which results in obvious decrease of computational quantities of rules matching.The design and implementation of auto sorting rules base based on dynamic analysis are also presented.Experimental results show that our proposals can shorten about 20% the time of pattern matching and improve the efficiency of intrusion detection.