Routing protocol security analysis method and device, equipment and storage medium
By identifying attack points in routing protocols and reverse-engineering attack paths, detection rules are generated, solving the problem of incomplete security analysis of routing protocols in existing technologies and achieving more comprehensive vulnerability detection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- AGRICULTURAL BANK OF CHINA
- Filing Date
- 2023-01-05
- Publication Date
- 2026-07-07
AI Technical Summary
Existing routing protocol security analysis methods can only analyze known types of vulnerabilities and cannot comprehensively analyze the security of routing protocols, resulting in limited analysis results.
By acquiring the routing protocol to be analyzed, identifying attack points, reverse-engineering attack paths, generating detection rules, and analyzing the routing protocol based on these rules, the analysis can be performed.
It enables a comprehensive analysis of potential vulnerabilities in routing protocols, improving the comprehensiveness and accuracy of security analysis.
Smart Images

Figure CN116017466B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of wireless communication technology, and more specifically, to a routing protocol security analysis method, apparatus, device, and storage medium. Background Technology
[0002] As wireless sensor networks are used more and more widely, their security issues are receiving increasing attention. The characteristics of wireless sensor nodes, such as small memory, low communication bandwidth, and susceptibility to capture, make wireless sensor networks vulnerable to attacks.
[0003] In existing technologies, the security analysis of routing protocols employs manual deduction and penetration testing methods. Manual deduction involves analysts examining the routing protocol and using experience to deduce vulnerabilities. Penetration testing involves setting up a wireless sensor network environment with nodes running the routing protocol, and analysts simulating malicious node attack behavior to attack the network and identify vulnerabilities in the routing protocol.
[0004] Both manual simulations and penetration testing rely on analysts to perform simulations or actual penetration attacks to analyze routing protocols. However, analysts can only analyze known types of vulnerabilities in routing protocols based on their own experience, and cannot analyze all types of vulnerabilities in routing protocols. Therefore, the security analysis of routing protocols is not comprehensive enough, and the analysis results are limited. Summary of the Invention
[0005] In view of this, this application provides a routing protocol security analysis method, apparatus, device and storage medium to solve the problem that existing routing protocol security analysis methods can only analyze known types of vulnerabilities and cannot comprehensively analyze the security of routing protocols, resulting in limited analysis results.
[0006] To achieve the above objectives, the following proposed solution is given:
[0007] A routing protocol security analysis method, comprising:
[0008] Obtain the routing protocol to be analyzed;
[0009] Identify the attack points in the routing protocol to be analyzed, where the attack points are the target of the attacker's attack.
[0010] Starting from the attack point, a reverse search is performed on the attack path in the routing protocol to be analyzed;
[0011] Analyze the attack path and generate detection rules;
[0012] Based on the detection rules, the routing protocol to be analyzed is analyzed.
[0013] Preferably, identifying attack points in the routing protocol to be analyzed includes:
[0014] Identify key events in the routing protocol to be analyzed;
[0015] Attack points are matched based on the pre-defined correspondence between key events and attack points.
[0016] Preferably, starting from the attack point, a reverse search is performed in the routing protocol to be analyzed, including:
[0017] Starting from the attack point, reverse search is performed on the statements in the routing protocol to be analyzed;
[0018] Determine whether the statement is a process or an event;
[0019] If the statement is a process or an event, then the statement is added to the attack path list.
[0020] Preferably, after adding the statement to the attack chain, the method further includes:
[0021] Determine whether the preset termination condition has been met;
[0022] If the preset termination condition is met, the process of reverse searching the statements in the routing protocol to be analyzed will end.
[0023] If the preset termination condition is not met, the reverse search continues in the routing protocol to be analyzed.
[0024] Preferably, before analyzing the attack path and generating detection rules, the method further includes:
[0025] The attack paths are filtered to obtain the final attack path that can complete the entire attack;
[0026] The analysis of the attack path and the generation of detection rules include:
[0027] Analyze the final attack path and generate detection rules.
[0028] Preferably, the attack path is analyzed to generate detection rules, including:
[0029] Determine whether the statements in the attack path belong to critical events or critical processes;
[0030] If it does not belong to the aforementioned key events or key processes, then an empty detection rule is generated;
[0031] If it belongs to the key event or key process, then determine whether the key event or key process contains key variables;
[0032] If the key variables are included, then a detection rule for the key variables is generated;
[0033] If the aforementioned key variables are not included, then a rule for detecting abnormal behavior is generated.
[0034] Preferably, before identifying attack points in the routing protocol to be analyzed, the method further includes:
[0035] The routing protocol to be analyzed is formally described.
[0036] A routing protocol security analysis device, comprising:
[0037] The protocol acquisition unit is used to acquire the routing protocol to be analyzed.
[0038] An attack point identification unit is used to identify attack points in the routing protocol to be analyzed, where the attack point is the target of the attacker's attack.
[0039] An attack path search unit is used to search for attack paths in the routing protocol to be analyzed from the attack point in reverse.
[0040] A detection rule generation unit is used to analyze the attack path and generate detection rules.
[0041] The protocol analysis unit is used to analyze the routing protocol to be analyzed based on the detection rules.
[0042] A routing protocol security analysis device includes: a memory and a processor;
[0043] The memory is used to store programs;
[0044] The processor is used to execute the program to implement the various steps of the aforementioned routing protocol security analysis method.
[0045] A storage medium storing a computer program, which, when executed by a processor, implements the various steps of the aforementioned routing protocol security analysis method.
[0046] As can be seen from the above technical solutions, the routing protocol analysis method provided in this application, after obtaining the routing protocol to be analyzed, identifies attack points in the routing protocol to be analyzed. These attack points represent the attacker's intended objective. Starting from the attacker's objective, the method reverse-searches the routing protocol to be analyzed to find the attack path the attacker would use to achieve their objective. Detection rules are generated for the attack path, and the routing protocol is analyzed based on these rules. By starting from the attack point, a comprehensive search is performed in the routing protocol to be analyzed to obtain the attack path. After analyzing the attack path, detection rules are obtained, and the routing protocol is analyzed according to these rules. This allows for a more comprehensive analysis of potential vulnerabilities in the routing protocol. Attached Figure Description
[0047] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only embodiments of this application. For those skilled in the art, other drawings can be obtained based on the provided drawings without creative effort.
[0048] Figure 1 A flowchart of a routing protocol security analysis method provided in this application embodiment;
[0049] Figure 2 A flowchart illustrating a search attack path provided in this application embodiment;
[0050] Figure 3 A flowchart for generating detection rules is provided as an embodiment of this application;
[0051] Figure 4 A flowchart providing a formal description of a routing protocol is provided for embodiments of this application;
[0052] Figure 5 A structural diagram of a routing protocol security analysis device provided in this application embodiment;
[0053] Figure 6 This is a hardware structure block diagram of a routing protocol security analysis device provided in an embodiment of this application. Detailed Implementation
[0054] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0055] The routing protocol security analysis method provided in this application can be applied to various types of routing protocols, such as Routing Information Protocol (RIP), Interior Gateway Routing Protocol (IGRP), and Enhanced Interior Gateway Routing Protocol (EIGRP).
[0056] Next, combined Figure 1 This application describes a routing protocol security analysis method, such as... Figure 1 As shown, the method may include:
[0057] Step S1: Obtain the routing protocol to be analyzed.
[0058] Specifically, the routing protocol to be analyzed can be any type of routing protocol. The routing protocol is a network protocol that specifies the data packet forwarding method.
[0059] Step S2: Identify attack points in the routing protocol to be analyzed.
[0060] Specifically, this application provides an optional attack point classification method, which can classify attack points according to the attacker's purpose. An attacker harms the network based on a specific purpose; these purposes constitute the attacker's attack points. This application can classify attack points into five categories based on the attacker's fundamental purpose of disrupting the network. Attack points can include: breaking existing routes, preventing the establishment of new routes, penetrating routing paths, consuming network energy, and cheating other nodes.
[0061] Disrupting the original route refers to an attacker disrupting or destroying the original route between nodes in order to interfere with normal network communication and achieve the purpose of the attack.
[0062] Preventing the establishment of new routes refers to the actions taken by attackers to prevent the establishment of new routes between nodes when communication between nodes requires the establishment of new routes, thereby interfering with the creation of new routes between nodes.
[0063] Infiltrating a routing path refers to an attacker's attempt to join the routing path between nodes, thereby receiving messages during communication, listening to them, or combining this with selective forwarding, message tampering, and other attack methods to achieve the goal of attacking the network.
[0064] Network energy depletion refers to an attacker continuously sending messages to surrounding nodes, causing other nodes to forward them and thus consuming the nodes' own energy. Once a wireless sensor network node runs out of energy, it will leave the network, allowing the attacker to achieve their objective.
[0065] Deceiving other nodes refers to an attacker using attack methods to trick neighboring nodes into believing that the attacker is a normal and optimal node, thereby achieving the purpose of deception.
[0066] Step S3: Starting from the attack point, reverse search the attack path in the routing protocol to be analyzed.
[0067] Specifically, the attack point is the attacker's ultimate goal, while the attack path is the process by which the attacker achieves that goal. Starting from the attack point, the attacker reverse-engineers the attack path within the routing protocol being analyzed to achieve their objective.
[0068] Step S4: Analyze the attack path and generate detection rules.
[0069] Specifically, attack paths are analyzed from the attacker's perspective, and corresponding attack detection rules are generated for the attack behaviors that the attacker may perform.
[0070] Step S5: Analyze the routing protocol to be analyzed based on the detection rules.
[0071] Specifically, analysts can analyze the routing protocol to be analyzed based on the generated detection rules to identify vulnerabilities in the routing protocol.
[0072] The routing protocol analysis method provided in this application, after obtaining the routing protocol to be analyzed, identifies attack points in the routing protocol, which are the objectives of an attacker's attack. Starting from the attacker's objective, it reverse-searches the routing protocol to be analyzed to find the attack path the attacker intends to achieve. Detection rules are generated for the attack paths, and the routing protocol is analyzed based on these rules. By starting from the attack points, a comprehensive search is performed in the routing protocol to be analyzed to obtain attack paths. After analyzing the attack paths, detection rules are obtained, and the routing protocol is analyzed according to these rules. This allows for a more comprehensive analysis of potential vulnerabilities in the routing protocol.
[0073] Some embodiments of this application describe optional implementations of step S2, which identifies attack points in the routing protocol to be analyzed. Specifically, this step may include:
[0074] Step S21: Identify key events in the routing protocol to be analyzed.
[0075] Specifically, critical events refer to important operations and behaviors that can affect other nodes in the network, such as unicast, broadcast, groupcast, and updating routing tables.
[0076] Step S22: Match attack points based on the preset correspondence between key events and attack points.
[0077] Specifically, attackers use key events to achieve their attack objectives represented by attack points. Therefore, by identifying key events in the routing protocol and matching the attack points corresponding to the identified key events according to the preset correspondence between key events and attack points, it is possible to identify the attack points corresponding to the identified key events.
[0078] Table 1 shows the correspondence between some key events and attack points provided in the embodiments of this application.
[0079] Table 1
[0080]
[0081] In some embodiments of this application, by identifying key events in the routing protocol, the identified key events are matched with the corresponding attack points based on a preset correspondence between key events and attack points. Attackers achieve their attack objectives represented by attack points through key events; therefore, by matching attack points with key events in the routing protocol, the attacker's attack objectives can be obtained more accurately, and the routing protocol can be analyzed more precisely based on the attacker's attack objectives.
[0082] Some embodiments of this application describe optional implementations of step S3, which involves reverse searching for attack paths in the routing protocol to be analyzed, starting from the attack point. Specifically, in conjunction with... Figure 2 This step is described below and may include:
[0083] Step S31: Starting from the attack point, reverse search the statements in the routing protocol to be analyzed.
[0084] Specifically, in the routing protocol to be analyzed, starting from the location of the key event matched by the attack point, the statements in the routing protocol to be analyzed are searched backward.
[0085] Step S32: Determine whether the statement is a process or an event.
[0086] Specifically, it determines whether the statements found during the reverse search in the routing protocol are process statements or event statements. A process is the target of an attacker's attack, while an event is the condition required for the attacker to complete the attack.
[0087] If the statement is a process or an event, then proceed to step S33 below.
[0088] Step S33: Add the statement to the attack path linked list.
[0089] Specifically, process statements and event statements found in the routing protocol to be analyzed will be added to the attack path chain.
[0090] Furthermore, to facilitate reverse searching and prevent redundant searches, after adding the statement to the attack path list in step S33, step S34 can also be executed. Additionally, after determining in step S32 whether the statement is a process or an event, if the statement does not belong to a process or an event, step S34 can also be executed.
[0091] Step S34: Determine whether the preset termination condition has been met.
[0092] Specifically, the search is an iterative process, and the reverse search only ends when the termination condition is met. The termination condition can be set according to the search requirements. This application provides an optional way to set the termination condition, which can be that the search ends when a message is found; this message can be any message. For example, when a "Give me a message" instruction message sent by the previous node to the next node is found.
[0093] If the preset termination condition is met, proceed to step S35; otherwise, proceed to step S36.
[0094] Step S35 ends the process of reverse searching the statements in the routing protocol to be analyzed.
[0095] Specifically, if the preset termination condition is met, the reverse search process for statements in the routing protocol to be analyzed can end at the location of the statement that meets the termination condition found in the routing protocol.
[0096] Step S36: Continue the process of reverse searching for statements in the routing protocol to be analyzed.
[0097] Specifically, if the preset termination condition is not met, the process of reverse searching for statements in the routing protocol to be analyzed continues from the position of the currently searched statement.
[0098] In this embodiment, starting from the attack point, the statements in the routing protocol to be analyzed are searched in reverse. It is determined whether the statement belongs to a process or an event. If it is an event, it is added to the attack chain. By searching the statements in the routing protocol to be analyzed, the possible attack processes that the attacker might perform are obtained. Analyzing from the attacker's perspective allows for a more comprehensive understanding of attack types. Furthermore, the termination condition of the reverse search process can be pre-set to prevent unnecessary searches and reduce search efficiency.
[0099] Furthermore, considering that some special situations may be encountered during the reverse search of statements in the routing protocol to be analyzed, some optional solutions are proposed in the embodiments of this application. If a blocking process is encountered during the reverse search of statements in the routing protocol to be analyzed, the statement that causes the blocking condition to be met can be searched; if a branching situation is encountered during the reverse search of statements in the routing protocol to be analyzed, each branch can be searched separately.
[0100] Furthermore, in order to better disrupt the attacker's behavior when the routing protocol is attacked, this application embodiment provides an optional method. In step S32, after determining whether the statement is a process or an event, if the statement is an event, then:
[0101] Add the event to the attack condition chain.
[0102] Specifically, attack conditions are the conditions required for an attacker to complete a full attack. When the reverse search process ends, a merging rule is used to combine multiple conditions. The merging rule states that if there are two or more conditions for the same event in the attack conditions, these two conditions can be merged into one, retaining the stronger condition and merging the weaker conditions, thereby simplifying the attack conditions.
[0103] In this embodiment, events are added to an attack condition linked list. When the routing protocol is attacked, the attack conditions for the attacker can be disrupted, preventing the attacker's attack from succeeding. This provides a new method for disrupting attackers' actions. Since the attack condition linked list is known, attackers' actions can be disrupted more promptly when the routing protocol is attacked.
[0104] Some embodiments of this application describe optional implementations of step S4, analyzing attack paths and generating detection rules, specifically, in conjunction with Figure 3 This step is described below and may include:
[0105] Step S41: Determine whether the statements in the attack path belong to critical events or critical processes.
[0106] Specifically, the attack path includes process statements and event statements, which can be used to determine whether the statements in the attack path are key events or key processes for the attacker to carry out the attack.
[0107] If it does not belong to the critical event or critical process, then proceed to step S42 below; if it belongs to the critical event or critical process, then proceed to step S43 below.
[0108] Step S42: Generate empty detection rules.
[0109] Specifically, if the statement is not a critical process or event, indicating that it was not initiated by an attacker, an empty detection rule can be generated. Analysts can then omit this statement from their analysis when analyzing the routing protocol being analyzed.
[0110] Step S43: Determine whether the key event or key process contains key variables.
[0111] Specifically, if a statement pertains to a critical event or process, it can be checked for critical variables. Attackers can achieve their attack objectives by tampering with critical variables. Critical variables are important fields in the message, such as hop count, source location, and destination address.
[0112] If the key variable is included, proceed to step S44; if the key variable is not included, proceed to step S45.
[0113] Step S44: Generate detection rules for key variables.
[0114] Specifically, if an attacker achieves their attack by tampering with key variables, the detection rule could be to compare and check the key variables.
[0115] Step S45: Generate detection rules for abnormal behavior.
[0116] Specifically, if a critical event is abnormally sent, the detection rule can be to detect the abnormal behavior of the node by using statistical data.
[0117] In this embodiment, process statements and event statements added to the attack path are analyzed. Based on the different states of the statements in the attack path and the attack methods the attacker might employ, corresponding detection rules are generated. Instead of simply using the same detection rule to analyze the routing protocol under analysis, detection rules are generated for each attack method the attacker might use. This is more targeted and allows for more accurate analysis of the routing protocol under analysis.
[0118] In the attack paths found through reverse engineering of the routing protocol to be analyzed, not every attack path can complete the entire attack process. Analyzing attack paths that cannot complete the entire attack would increase the workload. To address this, this application proposes an optional solution: filtering the attack paths.
[0119] Specifically, in step S4, before analyzing the attack path and generating detection rules, the attack path is filtered to obtain the final attack path that can complete the entire attack. Therefore, the process of analyzing the attack path and generating detection rules can be changed to: analyzing the final attack path and generating detection rules.
[0120] In this embodiment, by filtering attack paths, a final attack path capable of completing the entire attack path is obtained. Finally, only the detection rules for generating the final attack path need to be analyzed, avoiding the inefficiency caused by analyzing cyclic attack paths during the analysis of attack path generation and detection rules.
[0121] Routing protocols come in a wide variety of types, and the syntax and data structures they can use are also diverse. Therefore, in order to better analyze routing protocols, before identifying attack points in the routing protocol to be analyzed in step S2, the routing protocol to be analyzed can be formally described.
[0122] Combination Figure 4 The process of formally describing the routing protocol to be analyzed is introduced as follows:
[0123] Step S61: Select the data structure for the formal routing protocol.
[0124] Specifically, select a data structure from the existing formal language's data structure library to formalize the routing protocol data structure to be analyzed.
[0125] Step S62: Determine whether the routing protocol data structure can be formalized.
[0126] Specifically, it determines whether the data structures in the existing data structure library can formalize the data structure of the routing protocol to be analyzed.
[0127] If the routing protocol data structure cannot be formalized, then proceed to step S63; if the routing protocol data structure can be formalized, then proceed to step S64.
[0128] Step S63: Expand the data structure library.
[0129] Specifically, if the existing data structure library cannot fully formally describe the routing protocol to be analyzed, the data structure library can be expanded. Based on the expanded data structure library, steps S61 and S62 described above are then executed.
[0130] Step S64: Select the syntax used by the formal routing protocol.
[0131] Specifically, if the data structures in the existing data structure library can fully formalize the data structure of the routing protocol to be analyzed, then the syntax for formalizing the syntax of the routing protocol to be analyzed can be selected from the existing language library.
[0132] Step S65: Determine whether the routing protocol syntax can be formalized.
[0133] Specifically, it determines whether the syntax in the existing language library can formalize the syntax of the routing protocol to be analyzed.
[0134] If the syntax of the routing protocol to be analyzed cannot be formalized, then proceed to step S66; if the syntax of the routing protocol to be analyzed can be formalized, then proceed to step S67.
[0135] Step S66: Expand the formal language library.
[0136] Specifically, if the existing language library cannot fully formalize the syntax of the routing protocol to be analyzed, the language library can be expanded. Based on the expanded language library, steps S64 and S65 are then executed.
[0137] Step S67: Formalize the routing protocol to be analyzed.
[0138] Specifically, if the data structure and syntax of the routing protocol to be analyzed can be fully formalized, the routing protocol to be analyzed can be formally described using the data structures and syntax in the data structure library and language library, and the routing protocol to be analyzed can be described using a formal language.
[0139] In this embodiment, the routing protocol to be analyzed is formally described by formalizing its data structure and syntax. Describing the routing protocol in a formal language allows for a more accurate and comprehensive analysis.
[0140] The routing protocol security analysis apparatus provided in the embodiments of this application is described below. The routing protocol security analysis apparatus described below can be referred to in correspondence with the routing protocol security analysis method described above.
[0141] First, combine Figure 5 This section introduces routing protocol security analysis devices, such as... Figure 5 As shown, the routing protocol security analysis device may include:
[0142] Protocol acquisition unit 100 is used to acquire the routing protocol to be analyzed;
[0143] The attack point identification unit 200 is used to identify attack points in the routing protocol to be analyzed, where the attack point is the target of the attacker's attack.
[0144] The attack path search unit 300 is used to search for attack paths in the routing protocol to be analyzed from the attack point in reverse.
[0145] The detection rule generation unit 400 is used to analyze the attack path and generate detection rules.
[0146] Protocol analysis unit 500 is used to analyze the routing protocol to be analyzed based on the detection rules.
[0147] Optionally, the attack point identification unit 200 may include:
[0148] A key event identification unit is used to identify key events in the routing protocol to be analyzed.
[0149] The attack point matching unit is used to match attack points based on the preset correspondence between key events and attack points.
[0150] Optionally, the attack path search unit 300 may include:
[0151] The statement search unit is used to reverse search for statements in the routing protocol to be analyzed, starting from the attack point.
[0152] The first statement judgment unit is used to determine whether the statement is a process or an event;
[0153] If the statement is a process or an event, then the step of retrieving the linked list unit is executed.
[0154] The linked list acquisition unit is used to add the statement to the attack path linked list.
[0155] Optionally, the attack path search unit 300 may further include:
[0156] The termination judgment unit is used to determine whether the preset termination condition has been met after the linked list acquisition unit adds the statement to the attack path linked list.
[0157] If the preset termination condition is met, the process of reverse searching the statements in the routing protocol to be analyzed will end.
[0158] If the preset termination condition is not met, the steps of the aforementioned statement search unit and statement judgment first unit are executed to continue the reverse search process of statements in the routing protocol to be analyzed.
[0159] Optionally, the routing protocol security analysis device may further include:
[0160] The attack path filtering unit is used to filter the attack path before the detection rule generation unit analyzes the attack path and generates detection rules, so as to obtain the final attack path that can complete the entire attack.
[0161] The process by which the detection rule generation unit 400 analyzes the attack path and generates detection rules includes:
[0162] Analyze the final attack path and generate detection rules.
[0163] Optionally, the detection rule generation unit 400 may include:
[0164] The second unit of statement judgment is used to determine whether the statements in the attack path belong to critical events or critical processes.
[0165] If it does not belong to the key event or key process, then execute the steps of the empty rule generation unit below; if it belongs to the key event or key process, then execute the steps of the key variable judgment unit below.
[0166] An empty rule generation unit is used to generate empty detection rules.
[0167] A key variable determination unit is used to determine whether the key event or key process contains key variables;
[0168] If the key variable is included, then the steps of the variable detection rule generation unit below are executed; if the key variable is not included, then the steps of the behavior detection rule generation unit below are executed.
[0169] The variable detection rule generation unit is used to generate detection rules for key variables;
[0170] The behavior detection rule generation unit is used to generate detection rules for abnormal behavior.
[0171] Optionally, the routing protocol security analysis device may further include:
[0172] The protocol formalization unit is used to formally describe the routing protocol to be analyzed before the attack point identification unit 200 identifies the attack points in the routing protocol to be analyzed.
[0173] The routing protocol security analysis device provided in this application embodiment can be applied to routing protocol security analysis equipment. Figure 6 The hardware structure block diagram of the routing protocol security analysis device is shown below. Figure 6 The hardware structure of the device may include: at least one processor 1, at least one communication interface 2, at least one memory 3, and at least one communication bus 4;
[0174] In this embodiment of the application, the number of processor 1, communication interface 2, memory 3, and communication bus 4 is at least one, and processor 1, communication interface 2, and memory 3 communicate with each other through communication bus 4;
[0175] Processor 1 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention.
[0176] Memory 3 may include high-speed RAM, and may also include non-volatile memory, such as at least one disk storage device;
[0177] The memory stores a program, which the processor can call to implement the various processing steps in the aforementioned routing protocol security analysis scheme.
[0178] This application embodiment also provides a storage medium that can store a program suitable for processor execution, the program being used to implement various processing flows in the aforementioned routing protocol security analysis scheme.
[0179] Finally, it should be noted that in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.
[0180] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on the differences from other embodiments. The same or similar parts between the various embodiments can be referred to each other.
[0181] The above description of the disclosed embodiments enables those skilled in the art to make or use this application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of this application. Therefore, this application is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims
1. A method for security analysis of routing protocols, characterized in that, include: Obtain the routing protocol to be analyzed; Identify the attack points in the routing protocol to be analyzed, where the attack points are the target of the attacker's attack. Starting from the attack point, the statements in the routing protocol to be analyzed are searched in reverse. If a blocking process is encountered during the reverse search of the statements in the routing protocol to be analyzed, the statements that cause the blocking condition to be met are searched. If a branch is encountered during the reverse search of the statements in the routing protocol to be analyzed, each branch is searched. Determine whether the statement is a process or an event; If the statement is a process or event, then the statement is added to the attack path list; If the statement is an event, then the event is added to the attack condition chain list; Determine whether the preset termination condition has been met; If the preset termination condition is met, the process of reverse searching the statements in the routing protocol to be analyzed ends. If there are two or more attack conditions in the same event, the multiple attack conditions are merged. The attack conditions are the conditions required to complete a complete attack. If the preset termination condition is not met, the reverse search continues in the routing protocol to be analyzed. Analyze the attack path and generate detection rules; Based on the detection rules, the routing protocol to be analyzed is analyzed.
2. The method according to claim 1, characterized in that, The process of identifying attack points in the routing protocol to be analyzed includes: Identify key events in the routing protocol to be analyzed; Attack points are matched based on the pre-defined correspondence between key events and attack points.
3. The method according to claim 1, characterized in that, Before analyzing the attack path and generating detection rules, the process also includes: The attack paths are filtered to obtain the final attack path that can complete the entire attack; The analysis of the attack path and the generation of detection rules include: Analyze the final attack path and generate detection rules.
4. The method according to claim 1, characterized in that, Analyze the attack path and generate detection rules, including: Determine whether the statements in the attack path belong to critical events or critical processes; If it does not belong to the aforementioned key events or key processes, then an empty detection rule is generated; If it belongs to the key event or key process, then determine whether the key event or key process contains key variables; If the key variables are included, then a detection rule for the key variables is generated; If the aforementioned key variables are not included, then a rule for detecting abnormal behavior is generated.
5. The method according to any one of claims 1-4, characterized in that, Before identifying attack points in the routing protocol to be analyzed, the process also includes: The routing protocol to be analyzed is formally described.
6. A routing protocol security analysis device, characterized in that, include: The protocol acquisition unit is used to acquire the routing protocol to be analyzed. An attack point identification unit is used to identify attack points in the routing protocol to be analyzed, where the attack point is the target of the attacker's attack. An attack path search unit is used to search for attack paths in the routing protocol to be analyzed from the attack point in reverse. A detection rule generation unit is used to analyze the attack path and generate detection rules. The protocol analysis unit is used to analyze the routing protocol to be analyzed based on the detection rules. The attack path search unit includes: The statement search unit is used to reverse search the statements in the routing protocol to be analyzed starting from the attack point. If a blocking process is encountered during the reverse search of the statements in the routing protocol to be analyzed, the statement that causes the blocking condition to be met is searched. If a branch situation is encountered during the reverse search of the statements in the routing protocol to be analyzed, each branch is searched. The first statement judgment unit is used to determine whether the statement is a process or an event; If the statement is a process or an event, then the step of retrieving the linked list unit is executed; If the statement is an event, then the event is added to the attack condition chain list; The linked list acquisition unit is used to add the statement to the attack path linked list; The termination judgment unit is used to determine whether the preset termination condition has been met after the linked list acquisition unit adds the statement to the attack path linked list. If the preset termination condition is met, the process of reverse searching the statements in the routing protocol to be analyzed ends. If there are two or more attack conditions in the same event, the multiple attack conditions are merged. The attack conditions are the conditions required to complete a complete attack. If the preset termination condition is not met, the steps of the aforementioned statement search unit and statement judgment first unit are executed to continue the reverse search process of statements in the routing protocol to be analyzed.
7. A routing protocol security analysis device, characterized in that, include: Memory and processor; The memory is used to store programs; The processor is configured to execute the program to implement each step of the routing protocol security analysis method as described in any one of claims 1-5.
8. A storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the various steps of the routing protocol security analysis method as described in any one of claims 1-5.