Test method, device and storage medium for stateful network protocol
By identifying new state transition events, splitting client request messages, and generating candidate field groups, the problem of inaccurate state transition trigger condition analysis in existing technologies is solved, achieving efficient and accurate positioning in fuzz testing of stateful protocols.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- INSTITUTE OF INFORMATION ENGINEERING CHINESE ACADEMY OF SCIENCES
- Filing Date
- 2026-04-15
- Publication Date
- 2026-07-10
AI Technical Summary
Existing testing methods for stateful network protocols cannot accurately pinpoint the triggering conditions for state transitions, resulting in a lack of specificity in fuzz testing variations, which reduces the efficiency of state exploration and the accuracy of security testing.
By identifying new state transition events based on the response feedback of the server under test, client request messages are split into independent semantic field units, field differences are identified, candidate field groups are generated, and test cases are generated through structure-aware directed mutation.
Precisely locating the state transition trigger field improves the targeting and efficiency of fuzz testing, thereby enhancing the accuracy of security testing for stateful protocols.
Smart Images

Figure CN122372272A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of security testing technology, and in particular to a testing method, device and storage medium for stateful network protocols. Background Technology
[0002] Network protocols define the rules, formats, and processing procedures for message exchange between network devices, serving as the core foundation for ensuring the stable operation of communication systems and network services. Network servers must continuously interact with clients according to these protocols to complete operations such as connection establishment, capability negotiation, service processing, and session termination. However, protocol implementation involves multiple stages, including message parsing, session maintenance, state switching, and exception handling. Its logic is complex, and the interaction chain is relatively long. Implementation flaws are easily exploited by attackers, threatening the security and reliability of network systems. Therefore, conducting efficient vulnerability discovery and security testing on protocol implementations has significant engineering application value.
[0003] Existing stateful network protocol testing methods mainly revolve around test case generation, state transition observation, and high-value sample retention. They can only identify message sequences that trigger new states or state transitions, but cannot locate the specific fields, field combinations, and field value changes that contribute to state transitions. The analysis of state transition triggering conditions is relatively coarse-grained and cannot provide precise guidance for subsequent test mutations. Summary of the Invention
[0004] This invention provides a testing method, device, and storage medium for stateful network protocols, which addresses the shortcomings of existing technologies in parsing state transition trigger conditions with coarse granularity, and enables precise positioning of state transition trigger fields.
[0005] This invention provides a testing method for stateful network protocols, comprising the following steps: Based on the response feedback from the server under test, the current state of the protocol session is inferred and new state transition events are identified. The response feedback from the server under test is obtained by performing fuzz testing on the target network server with a stateful protocol. From the complete sequence of protocol interaction messages, obtain the client request message pair corresponding to the new state transition event, wherein the client request message pair includes at least: the client request message before the new state transition event is triggered, and the client request message that triggers the new state transition event; Based on the preset field location rules, each client request message is split into multiple field units with independent semantic meanings, and a field name is assigned to each field unit; Identify the differences between field units with the same field name and generate candidate field groups; Based on each field unit and combination of field units in the candidate field group, the test is performed on the server under test to obtain a set of candidate fields that trigger the new state transition event; Based at least on the field units of the candidate field set, a structure-aware directed mutation operation is performed on the test seed of the fuzz test to generate test cases for the server under test.
[0006] According to a testing method for stateful network protocols provided by the present invention, the step of performing tests on the server under test based on each field unit and combination of field units in the candidate field group to obtain a set of candidate fields that trigger the new state transition event includes: Obtain a subset of fields from the candidate field group; The test server is tested sequentially using each field subset in ascending order of the number of field units in the field subset, to obtain a set of candidate fields that trigger the new state transition event.
[0007] According to a testing method for stateful network protocols provided by the present invention, the test is performed on the server under test sequentially using each field subset in ascending order of the number of field units in the field subset, to obtain a candidate field set that triggers the new state transition event, including: For any subset of fields, according to the preset field location rules, each field unit in the subset of fields is replaced with the corresponding field position in the client request message before the new state transition event is triggered, and a verification message is generated; The verification message is sent to the server under test to perform the test and determine the set of verification messages that trigger the new state transition; Based on the set of verification messages, the subset of fields with the fewest field units is selected as the candidate field set.
[0008] According to a testing method for stateful network protocols provided by the present invention, the method further includes: writing the candidate field set and the new state transition event into a mutation knowledge table; The process of performing a structure-aware directed mutation operation on the test seed of the fuzz test, based at least on the field units of the candidate field set, to generate test cases for the server under test includes: While retaining the random mutation strategy, targeted mutation operations are performed on the field units in the test seed that correspond to the mutation knowledge table to generate test cases for the server under test.
[0009] According to the testing method for stateful network protocols provided by the present invention, the mutation knowledge table includes at least a plurality of entries, each entry including at least: the target protocol state corresponding to a new state transition event, the structure-aware confidence level, the candidate field set, and the field mutation rule; The step of performing targeted mutation operations on the field units in the test seed corresponding to the mutation knowledge table, while retaining the random mutation strategy, to generate test cases for the server under test includes: Obtain the current protocol state of the server under test, and determine the unexplored successor state of the current protocol state as the target state; From the mutation knowledge table, query the table entries that match the target state and whose structure-aware confidence is greater than the preset confidence threshold to obtain the target table entry; According to the field mutation rules of the target table entry, targeted mutation is performed on the field units in the test seed that correspond to the candidate field set of the target table entry, and the mutated test seed is determined as the test case of the server under test.
[0010] According to the testing method for stateful network protocols provided by the present invention, the mutation knowledge table includes at least a plurality of entries, and each entry includes at least: a structure-aware confidence score and a set of candidate fields corresponding to a new state transition event; The step of performing targeted mutation operations on the field units in the test seed corresponding to the mutation knowledge table, while retaining the random mutation strategy, to generate test cases for the server under test includes: From the mutation knowledge table, select the top n entries with the highest structure-aware confidence to obtain the target entries; For the field units in the test seed that correspond to the candidate field set in the target table entry, perform random directional mutation to generate test cases for the server under test.
[0011] According to a testing method for stateful network protocols provided by the present invention, the method further includes: obtaining the proportion and code coverage of test cases triggering the new state transition event for each server under test; The step of performing targeted mutation operations on the field units in the test seed corresponding to the mutation knowledge table, while retaining the random mutation strategy, to generate test cases for the server under test includes: When the test process of the server under test meets the preset stagnation conditions, the performance value of the test cases of each server under test is determined according to the proportion of the new state transition events and the code coverage. Select the preset number of test cases with the highest performance values as target test cases; Based on the current protocol state, protocol interaction history, and set of explored protocol states of the target test case, determine the potential unexplored successor states; The current protocol state, the protocol interaction history, and the potential unexplored successor states are embedded into a preset prompt template, and a pre-trained large language model is invoked to generate test cases for the server under test.
[0012] The present invention also provides a testing apparatus for stateful network protocols, comprising the following modules: The inference unit is used to infer the current state of the protocol session and identify new state transition events based on the response feedback of the server under test, wherein the response feedback of the server under test is obtained by performing fuzz testing on the target network server with stateful protocol. The acquisition unit is used to acquire a client request message pair corresponding to the new state transition event from a complete sequence of protocol interaction messages, wherein the client request message pair includes at least: a client request message before the new state transition event is triggered, and a client request message that triggers the new state transition event; The splitting unit is used to split each client request message into multiple field units with independent semantic meanings according to preset field positioning rules, and assign field names to each field unit; The identification unit is used to identify the field differences between field units with the same field name and generate candidate field groups. The testing unit is used to perform tests on the server under test based on each field unit and combination of field units in the candidate field group, and to obtain a set of candidate fields that trigger the new state transition event. A generation unit is used to perform a structure-aware directed mutation operation on the test seed of the fuzz test, based at least on the field units of the candidate field set, to generate test cases for the server under test.
[0013] The present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement a testing method for stateful network protocols as described above.
[0014] The present invention also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements a test method for stateful network protocols as described above.
[0015] The present invention also provides a computer program product, including a computer program that, when executed by a processor, implements a testing method for stateful network protocols as described above.
[0016] This invention provides a testing method, device, and storage medium for stateful network protocols. First, it accurately identifies new state transition events based on the response feedback from the server under test. Then, it extracts corresponding client request message pairs from the protocol interaction messages, and further segments them according to field location rules to obtain semantically independent field units. It then identifies differences between field units with the same name to generate candidate field groups, and filters out the candidate field set that truly triggers the state transition through testing. Finally, it performs structure-aware targeted mutations on the test seed based on the candidate field set to generate test cases. By accurately locating the core fields that trigger state transitions, it solves the technical problem of insufficient granularity in trigger condition analysis, making subsequent mutations in the testing process more targeted and effectively improving the accuracy and efficiency of state exploration in fuzzy testing of stateful protocols. Attached Figure Description
[0017] To more clearly illustrate the technical solutions in this invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.
[0018] Figure 1 This is one of the flowcharts of the testing method for stateful network protocols provided by the present invention.
[0019] Figure 2 This is one of the example flowcharts of the testing method for stateful network protocols provided by the present invention.
[0020] Figure 3 This is a schematic diagram of the structure of the testing method and apparatus for stateful network protocols provided by the present invention.
[0021] Figure 4 This is a schematic diagram of the structure of the electronic device provided by the present invention. Detailed Implementation
[0022] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this invention. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without creative effort are within the scope of protection of this invention.
[0023] Network protocols are the foundation for the stable operation of communication systems and network services. Network servers need to interact with clients to establish connections, process services, and terminate sessions according to protocols. Protocol implementation involves multiple stages such as message parsing, session maintenance, and state switching. The logic is complex and the interaction links are long. Its implementation defects are easily exploited, threatening the security of network systems. Therefore, conducting vulnerability discovery and security testing on protocol implementations has significant engineering value.
[0024] Fuzzing is a core technology for automated vulnerability discovery in protocols. However, fuzzing of stateful protocols requires combining protocol states and transition relationships to effectively explore deep execution paths. Current mainstream technical solutions utilize mutation-based fuzzing of stateful protocols, using protocol message sequences as test seeds and inferring state changes and retaining high-value samples based on server feedback.
[0025] However, existing technologies have obvious drawbacks: 1. It can only identify the message sequence that triggers state transition, but cannot accurately locate the specific field, field combination, and field value change that causes the state transition, resulting in a coarse-grained analysis of the state transition triggering conditions.
[0026] 2. No explicit modeling was established for the differences in state-related fields. During mutation, fields were randomly perturbed indiscriminately, and a large amount of testing resources were consumed on irrelevant fields, reducing the efficiency of state exploration.
[0027] 3. The lack of a knowledge mechanism linking protocol states, state transitions, and key message fields means that structural knowledge cannot be accumulated and reused in the testing process.
[0028] 4. The lack of a verification step for candidate key fields makes it impossible to confirm the true causal relationship between the fields and state transitions, reducing the accuracy of subsequent mutation guidance.
[0029] The following is combined with Figures 1 to 2 This invention describes a testing method for stateful network protocols.
[0030] Figure 1 This is one of the flowcharts illustrating the testing method for stateful network protocols provided by this invention, such as... Figure 1 As shown, the method includes the following steps: S100. Based on the response feedback from the server under test, infer the current state of the protocol session and identify new state transition events. The response feedback from the server under test is obtained by performing fuzz testing on the target network server with a stateful protocol.
[0031] Specifically, a protocol session refers to the complete interactive process between a client and a server, from connection establishment to termination. During this interaction, the client and server exchange protocol messages to complete business functions, and the server maintains state information related to the protocol session. A new state transition event refers to an event during a protocol session where the server under test transitions from one protocol state to another upon receiving a specific client request message. A stateful protocol is a network protocol in which the target network server needs to maintain the client session state during communication, ensuring the correct execution of subsequent operations by preserving context data such as connection state and session identifiers. Fuzz testing involves inputting unexpected, semi-legal, or mutated test data into the server under test to monitor for crashes, abnormal exits, or other behaviors, thereby discovering potential security vulnerabilities in the server under test.
[0032] In the process of performing fuzz testing on a target network server with a stateful protocol, a state model is first constructed to describe the state set of the stateful protocol and the transition relationships between the states, and a seed pool is determined to cover the message sequences of normal business processes and the effective test cases generated by historical tests. Then, based on the coverage target of the state model and the historical test results, protocol message sequences covering unexplored states or high-risk state transition paths are preferentially selected from the seed pool as test seeds. Then, multi-dimensional mutation operations are performed on the test seeds, including random replacement of field values, abnormalization of message length, invalidation of protocol format, and disruption of timing logic, and the mutated test cases are encapsulated according to the protocol specification and sent to the server under test. By capturing the response codes, status indicators, and data payloads returned by the server under test in real time, and combining the state transition rules of the state model, the current state of the protocol session is inferred. The system also monitors whether the server under test experiences crashes, memory leaks, abnormal CPU utilization, or abnormal state transitions. When the server under test is detected to have transitioned from one protocol state to another, a new state transition event is determined to have occurred. Event information such as the client request message pair that triggered the new state transition event, the previous protocol state, and the current protocol state are obtained, providing a basis for subsequent analysis of candidate field groups and candidate field sets.
[0033] For example, the state model is set to include three protocol states: not logged in, authenticated, and data transmission. The seed pool includes protocol message sequences such as login sequences and file transfer sequences. During testing, protocol message sequences covering the not logged in to authenticated path are selected as test seeds. After performing mutation on the test seeds, they are sent to the server under test. If an authentication failure response code is received from the server under test, and the server under test abnormally transitions from the not logged in state to the new half-connection state, then it is determined that this test has triggered a new state transition event.
[0034] S200. From the complete protocol interaction message sequence, obtain the client request message pair corresponding to the new state transition event, wherein the client request message pair includes at least: the client request message before the new state transition event was triggered, and the client request message that triggered the new state transition event.
[0035] Specifically, a complete protocol interaction message sequence refers to the full set of all client request messages and server response messages sent and received sequentially by the client and the server under test in a single protocol session, reflecting the entire process of the protocol session from connection establishment and message interaction to state change. A client request message pair refers to two sets of client request messages that are directly causally related to the new state transition event, providing core comparison objects for subsequent field difference analysis and key field location. The client request message that triggers the new state transition event refers to the last client request message that is in the sequence before the state transition, which the server under test receives and only maintains the original protocol state without triggering any state change. The client request message that triggers the new state transition event refers to the client request message that is in the sequence immediately following the preceding message, which the server under test receives and directly triggers the state transition and generates the new state transition event.
[0036] After identifying a new state transition event, the complete protocol interaction message sequence is backtracked, filtered, and extracted using the occurrence sequence of this new state transition event as the anchor point. First, based on the state transition node corresponding to the new state transition event, the message interaction position where the tested server completes the state switch is located. Then, backtracking from this message interaction position, the last client request message that did not trigger a state transition is filtered and extracted as the client request message before the new state transition event is triggered. Next, the client request message that triggered the state transition is directly extracted as the client request message for the new state transition event. Finally, the client request message before the new state transition event is triggered and the client request message for the new state transition event are combined to obtain a client request message pair that uniquely corresponds to the new state transition event. The original format, field content, and temporal relationship of the two client request messages are recorded, providing a standardized data source for subsequent field splitting and difference identification.
[0037] For example, in a state model containing three protocol states—not logged in, authenticated, and data transmission—the server under test triggers a new state transition event from not logged in to a half-connection after receiving a client login request. In the complete protocol interaction message sequence, after the first login request message is sent, the server under test only returns a normal response and maintains the not logged in state; this is the client request message before triggering the new state transition event. After the second login request message is sent, the server under test returns an authentication failure response code and transitions to the half-connection state; this is the client request message that triggers the new state transition event. Combining the first and second login request messages yields the client request message pair corresponding to this new state transition event, providing a precise comparison basis for subsequent field splitting, difference identification, and candidate field group generation. This ensures the accuracy of key field positioning from the source and lays data support for structure-aware targeted mutation.
[0038] S300. According to the preset field positioning rules, each client request message is split into multiple field units with independent semantic meanings, and a field name is assigned to each field unit.
[0039] Specifically, the preset field location rules refer to a pre-constructed set of rules used to parse the format and semantic structure of client request messages. These rules are used to identify the first-line fields, header fields, parameter fields, key-value pairs, and payload fields in the protocol message, and to establish a mapping relationship between field positions and semantic meanings. The preset field location rules can be generated based on regular expressions, protocol syntax specifications, or small-sample hints from large language models. This application embodiment does not impose specific limitations. A field unit refers to the smallest data unit in a client request message that has independent business meaning and conforms to protocol format constraints. A single field unit carries a single semantic function and is a basic component of a complete client request message. A field name refers to the unique identifier name of each field unit, used to characterize the business semantics and functional purpose of the corresponding field unit, and to provide a unified identification basis for subsequent field difference comparison and candidate field group extraction.
[0040] After obtaining the client request message pair, field splitting and naming operations are performed on each client request message in the message pair: First, the preset field location rules are invoked to parse the overall structure of the client request message segment by segment. According to the protocol format boundaries and semantic delimiters, the client request message is segmented on the premise of ensuring that the legality of the protocol syntax is not violated and the complete business semantics are preserved. Next, each segment of data obtained after segmentation is determined as a field unit with independent semantic meaning. According to the preset field semantic definition in the field location rules, a matching unique field name is assigned to each field unit, and a correspondence between the field name, the content of the field unit, and the position of the corresponding field unit in the corresponding client request message is established. Finally, the split field units and their corresponding field names are stored in the original order of the message to form structured field data, which provides a standardized processing basis for subsequent identification of field differences and generation of candidate field groups.
[0041] For example, continuing from the aforementioned implementation example, the client request message pair consists of two login request messages. The preset field location rules are the key-value pair parsing rules based on the text protocol and the first-line request rules. By splitting the first login request message (i.e., the client request message before triggering the new state transition event), the request method field unit, request path field unit, authentication token field unit, and session identifier field unit are obtained, and the field names are assigned to them as Request-Method, Request-Path, Auth-Token, and Session-ID, respectively. The second login request message (i.e., the client request message that triggers the new state transition event) is split using the same rules to obtain field units that correspond one-to-one with the first login request message and have the same field names, so as to ensure that the field structure and naming rules of the two client request messages are completely consistent.
[0042] This embodiment uses preset field location rules to break down client request messages into semantically identifiable field units, providing a unified comparison dimension for subsequent field difference identification. By assigning field names to each field unit, it ensures that the field units of messages before and after state transitions are aligned and comparable, laying a structural foundation for accurately locating the key fields that trigger state transitions and improving the accuracy and reliability of the candidate field set.
[0043] S400: Identify the field differences between field units with the same field name and generate candidate field groups.
[0044] Specifically, field differences refer to the differences between two field units with the same field name in terms of content, value, format, length, or encoding. By judging field differences, it can be determined whether the corresponding field unit is related to state transition. Candidate field group refers to the set of all field units with field differences in the client request message pair, which represents all candidate fields that may trigger new state transition events and provides initial objects for subsequent field verification and filtering.
[0045] After splitting the fields and assigning field names to the client request message pairs, the following steps are performed: First, the field units of the two client request messages are matched and aligned one by one according to their field names, and only field units with the same field name are compared for differences. Then, the aligned field units are compared one by one in terms of content, value, format, etc., to determine whether there are any field differences. Next, all field units that are determined to have field differences are encapsulated into candidate field groups, and the field name, original content, and message location information of each field unit are retained to provide a basic dataset for the subsequent verification and screening of the candidate field set.
[0046] For example, following the aforementioned implementation example, the two client request messages are split into four field unit groups with the same names: Request-Method, Request-Path, Auth-Token, and Session-ID. Upon comparison, the content of the field units in the Request-Method field unit group is completely identical to that in the Request-Path field unit group, with no field differences. The value of the field unit in the Auth-Token field unit group changes from token_old to token_new, and the value of the field unit in the Session-ID field unit group changes from sess_001 to sess_002, both showing significant field differences. The Auth-Token field unit group and the Session-ID field unit group with differences are grouped together to generate the candidate field group corresponding to this new state transition event.
[0047] This embodiment uses precise alignment and comparison of field units with the same name to extract only field units related to state transitions and remove invalid field units with no difference, thus narrowing the scope of subsequent candidate field set analysis and verification. By standardizing and generating candidate field groups, it provides structured input for subsequent accurate location of the smallest key field that triggers state transitions, upgrading from coarse-grained message comparison to fine-grained field difference analysis, effectively improving the efficiency and accuracy of field identification.
[0048] S500. Based on the individual field units and combinations of field units in the candidate field group, perform tests on the server under test to obtain a set of candidate fields that trigger a new state transition event.
[0049] Specifically, a field unit combination refers to a combination of two or more field units selected from a candidate field group, used to verify the triggering effect of multiple fields on state transitions. A candidate field set refers to the smallest field unit or combination of field units selected from the candidate field group that can independently trigger new state transition events; it is the core set of key fields with a genuine causal relationship to state transitions. By employing a field set verification mechanism, key fields with a genuine causal relationship to state transitions are accurately selected, redundant and irrelevant fields are eliminated, providing the most accurate mutation targets for subsequent structure-aware targeted mutations, avoiding wasted testing resources due to invalid mutations, and improving the targeting and effectiveness of fuzz testing.
[0050] As one implementation method, S500, based on each field element and combination of field elements in the candidate field group, performs a test on the server under test to obtain a set of candidate fields that trigger a new state transition event, including: S510, Get a subset of fields from the candidate field group.
[0051] S520. Following the order of the number of field units in the field subset from fewest to most, perform tests on the server under test using each field subset in turn to obtain a set of candidate fields that trigger a new state transition event.
[0052] Specifically, a field subset refers to a non-empty subset composed of one or more field units selected from the candidate field set, covering single-field unit subsets and multi-field unit combination subsets, used to progressively verify the triggering effect of different field units on new state transition events; a candidate field set refers to the smallest set of field units selected from all field subsets that can independently and stably trigger new state transition events, which are the core key fields with a real causal relationship with state transitions, providing precise targets for subsequent structure-aware directed mutations.
[0053] After generating the candidate field group, the field subsets of the candidate field group are first obtained: based on all field units in the candidate field group, all possible non-empty field subsets are enumerated and generated. Single-field unit subsets are sets containing only one field unit, and multi-field unit combination subsets are sets containing two or more field units, ensuring coverage of the independent and combined triggering possibilities of all field units in the candidate field group, without omissions or duplications. Then, the server under test is tested: first, all possible non-empty field subsets are sorted according to the number of field units they contain, prioritizing single-field unit subsets, then double-field unit combination subsets, and finally multi-field unit combination subsets. Subsequently, for each sorted field subset, the server under test is tested, and the server's response feedback and protocol state changes are monitored in real time to determine whether a new state transition event is triggered. Finally, the field subsets that can trigger a new state transition event are determined as the candidate field set for triggering the new state transition event.
[0054] For example, following the aforementioned implementation example, the candidate field group includes two field units: Auth-Token and Session-ID. The field subset generated by executing S510 includes {Auth-Token}, {Session-ID}, and {Auth-Token, Session-ID}. When executing S520, in order of increasing number of field units, the single-field subsets {Auth-Token} and {Session-ID} are tested first, and then the double-field combination subset {Auth-Token, Session-ID} is tested. The test results show that replacing the {Auth-Token} field unit and the double-field combination subset {Auth-Token, Session-ID} can trigger a new state transition event for the unlogged-in half-connection. Therefore, {Auth-Token} and {Auth-Token, Session-ID} are determined as the candidate field set corresponding to this new state transition event.
[0055] This embodiment obtains a subset of all fields in the generated candidate field group, comprehensively covering scenarios where a single field is triggered independently or multiple fields are triggered jointly, thus avoiding the omission of key fields. It tests the field units step by step in order of increasing number of fields, quickly locating the candidate field set, reducing the number of subsequent test verifications and resource consumption, and providing the most accurate key field basis for subsequent structure-aware targeted mutations, thereby improving the targeting of fuzz testing and the efficiency of state exploration.
[0056] As one implementation method, S520, the test is performed on the server under test sequentially using each field subset in ascending order of the number of field units in the field subset, to obtain a set of candidate fields that trigger a new state transition event, including: S521. For any subset of fields, according to the preset field positioning rules, replace each field unit in the subset of fields with the corresponding field position in the client request message before the new state transition event is triggered, and generate a verification message.
[0057] S522. Send the verification message to the server under test to perform the test and determine the set of verification messages that trigger the new state transition.
[0058] S523. Based on the set of verification messages, select the subset of fields with the fewest field units as the candidate field set.
[0059] Specifically, a verification message refers to a test message that conforms to the protocol format and semantic constraints, generated by replacing the field units in the field subset with the corresponding positions based on the client request message before triggering the new state transition event; the verification message set refers to the set of all verification messages that can successfully trigger the target new state transition event, used to collect all valid test data; the candidate field set refers to the smallest valid field set that can independently trigger the new state transition event and has the fewest field units, and consists of the core key fields that have a direct causal relationship with the state transition.
[0060] After sorting the field subsets by the number of field units from smallest to largest, the following operations are performed on each field subset in sequence: First, using the client request message before the new state transition event is triggered as the base message, the field matching position is located according to the preset field positioning rules. Each field unit in the field subset is precisely replaced with the corresponding field position in the client request message before the new state transition event is triggered, while keeping the content, format, and order of the remaining field units in the client request message before the new state transition event unchanged, generating a syntactically valid and semantically complete verification message; then, the generated verification message is sent to the server under test according to the stateful protocol specification, and the response code, status identifier, and state transition result of the server under test are captured in real time. If the verification message can trigger a new state transition event, it is added to the set of verification messages that trigger a new state transition; finally, all field subsets corresponding to the set of verification messages are traversed, the number of field units contained in each field subset is counted, and the field subset with the fewest field units is selected as the candidate field set corresponding to this new state transition event.
[0061] For example, following the aforementioned implementation example, the candidate field group includes two field units: Auth-Token and Session-ID. The field subsets are sorted in ascending order of the number of field units as {Auth-Token}, {Session-ID}, and {Auth-Token, Session-ID}. The three field subsets are replaced with the corresponding field positions in the login request message before the trigger, generating three valid verification messages. The three verification messages are then sent to the server under test in sequence. The test shows that the verification messages corresponding to {Auth-Token} and {Auth-Token, Session-ID} can trigger a new state transition event for the unlogged-in half-connection. The above two verification messages are included in the verification message set, and {Auth-Token}, which has the fewest field units, is selected from the field subsets corresponding to the verification message set as the candidate field set for triggering the new state transition event.
[0062] This embodiment generates verification messages by precisely replacing field units, completing the verification of field triggering effects without disrupting the original structure of the client request message, ensuring the authenticity and reliability of the test results. It comprehensively collects all verification messages by constructing a verification message set, avoiding omissions of field combinations that can trigger state transitions. By selecting the subset of fields with the fewest field units, it accurately locates the smallest set of field units that trigger state transitions, eliminating redundant and irrelevant fields and reducing the target scope of subsequent mutation operations. Based on the minimum valid field set to guide subsequent fuzz testing, it effectively reduces invalid mutations, improves the targeting of test cases and the efficiency of state exploration, and provides accurate data support for structure-aware targeted mutation.
[0063] S600, at least based on the field units of the candidate field set, performs a structure-aware directed mutation operation on the test seed of the fuzz test to generate test cases for the server under test.
[0064] Specifically, structure-aware directed mutation refers to performing targeted perturbations on the field units corresponding to the candidate field set based on the structural constraints of the protocol message and the semantic information of the fields, while retaining the original random mutation capability of fuzz testing; test cases refer to protocol messages generated after structure-aware directed mutation, which conform to the protocol format constraints and can be sent to the server under test, and are used to advance protocol state exploration and vulnerability discovery.
[0065] After obtaining the candidate field set, structure-aware directed mutation and test case generation operations are performed: First, the field unit positions in the test seed of the fuzzing test corresponding to the candidate field set are located; then, while retaining the random mutation strategy, structure-aware directed mutation operations are performed on the field units in the test seed corresponding to the aforementioned field unit positions. Mutation methods include field value boundary perturbation, legal value replacement, and semantic compliance adjustment; next, while adhering to the protocol format specifications, the mutated field units are backfilled into the corresponding field unit positions in the test seed to ensure the syntactic legality and semantic validity of the test cases; finally, the test seed that has completed structure-aware directed mutation is determined as the target test case for the server under test. Through structure-aware directed mutation, while retaining the ability of random exploration, precise perturbation is implemented on the key field units that trigger state transitions, improving the effectiveness of test cases and the probability of state triggering, and ensuring the efficiency of state coverage, code coverage, and vulnerability discovery capabilities of stateful protocol fuzzing.
[0066] For example, following the aforementioned implementation example, the candidate field set is the Auth-Token field unit; a test seed for the unlogged-off-authenticated path is selected from the seed pool, and the Auth-Token field unit in the test seed is located; while retaining random mutation of other fields in the test seed, a structure-aware directed mutation is performed on the Auth-Token field unit to generate mutated data with different values; the mutated Auth-Token field unit is backfilled into the test seed to generate test cases that conform to the protocol specification, and sent to the server under test to explore new state transition paths.
[0067] This application first accurately identifies new state transition events based on the response feedback from the server under test. Then, it extracts corresponding client request message pairs from the protocol interaction messages. Next, it splits these into semantically independent field units according to field location rules. Further, it identifies differences between field units with the same name to generate candidate field groups. Through testing and verification, it filters out the candidate field set that truly triggers the state transition. Finally, based on the candidate field set, it performs structure-aware targeted mutations on the test seed to generate test cases. By accurately locating the core fields that trigger state transitions, it solves the technical problem of insufficient granularity in trigger condition analysis, making subsequent mutations in the testing process more targeted and effectively improving the accuracy and efficiency of state exploration in fuzzy testing of stateful protocols.
[0068] As one implementation, the method further includes writing the candidate field set and the new state transition event into a mutation knowledge table.
[0069] S600, based at least on field units of the candidate field set, performs structure-aware directed mutation operations on the test seed of the fuzz test to generate test cases for the server under test, including: S610. While retaining the random mutation strategy, perform targeted mutation operations on the field units in the test seed that correspond to the mutation knowledge table to generate test cases for the server under test.
[0070] Specifically, the mutation knowledge table refers to a structured data table used to store the association between new state transition events and the corresponding candidate field set, providing reusable structural knowledge for subsequent targeted mutation; the random mutation strategy refers to performing indiscriminate random perturbation operations on the field units of the test seed, used to preserve the global exploration capability of fuzz testing; the targeted mutation operation refers to the mutation method of performing targeted perturbation on the field units in the test seed that correspond to the candidate field set based on the structural knowledge in the mutation knowledge table, used to improve the triggering efficiency of state transition.
[0071] After determining the set of candidate fields that trigger a new state transition event, the set of candidate fields is first associated with the corresponding new state transition event and stored in the mutation knowledge table. In subsequent testing, while retaining the random mutation strategy for non-critical fields of the test seed, the field unit in the test seed corresponding to the candidate field set is located according to the association relationship recorded in the mutation knowledge table, and a targeted mutation operation is performed on the field unit. After mutation is completed, the mutated test seed that conforms to the protocol format specification is determined as the test case of the server under test.
[0072] For example, following the aforementioned implementation example, the candidate field set {Auth-Token} that triggers the new state transition event of not logged in - half-connection is associated with the new state transition event and written into the mutation knowledge table; in subsequent fuzz testing, a login sequence test seed is selected, and random mutations of fields such as Request-Method and Request-Path in the test seed are retained. At the same time, targeted mutations are performed on the Auth-Token field unit in the test seed that corresponds to the mutation knowledge table to generate test cases that conform to the protocol specification.
[0073] This embodiment achieves continuous accumulation and reuse of structural knowledge during testing by writing the candidate field set and new state transition events into the mutation knowledge table, avoiding redundant analysis. While retaining the random mutation strategy, it superimposes targeted mutation operations, taking into account both the global exploration capability and the local precise mining capability of fuzz testing, effectively improving the effectiveness of test cases and the probability of state transition triggering.
[0074] As one implementation, the mutation knowledge table includes at least a number of entries, and each entry includes at least: the target protocol state corresponding to a new state transition event, the structure-aware confidence, the candidate field set, and the field mutation rules.
[0075] S610. While retaining the random mutation strategy, perform targeted mutation operations on the field units in the test seed that correspond to the mutation knowledge table to generate test cases for the server under test, including: Obtain the current protocol state of the server under test, and determine the unexplored successor state of the current protocol state as the target state.
[0076] From the mutation knowledge table, query the entries that match the target state and whose structure-aware confidence is greater than the preset confidence threshold to obtain the target entry.
[0077] Based on the field mutation rules of the target table entry, targeted mutation is performed on the field cells in the test seed that correspond to the candidate field set of the target table entry, and the mutated test seed is determined as the test case of the server under test.
[0078] Specifically, the target protocol state refers to the protocol state recorded in the mutation knowledge table that can be triggered by the corresponding candidate field set; the structure-aware confidence level refers to a quantitative indicator used to characterize the reliability of the candidate field set in triggering the target protocol state; the field mutation rule refers to the preset legal value range, format constraints, and value replacement rules for the candidate field set; the preset confidence threshold refers to the preset confidence threshold used to screen high-reliability entries. The preset confidence threshold is set according to actual needs, and this application embodiment does not impose specific limitations.
[0079] When exploring unexplored state transitions, a breadth-based breakthrough mutation approach is adopted: First, the current protocol state of the server under test is obtained, and the set of successor states corresponding to this current protocol state is determined based on the state model. Unexplored successor states are then selected from the set of successor states. Next, all entries in the mutation knowledge table are traversed, and entries that match the target protocol state with the unexplored successor states and have a structure-aware confidence level greater than a preset confidence threshold are retrieved and used as target entries. While retaining the random mutation strategy, the field mutation rules recorded in the target entries are overwritten or replaced in the corresponding field positions of the test seeds, and targeted mutations are performed on the field units in the test seeds that correspond to the candidate field set of the target entries. Test seeds that have completed targeted mutations and conform to the protocol specifications are identified as test cases for the server under test, thereby pushing the test into the unexplored state.
[0080] For example, when the preset confidence threshold is 0.8 and the current protocol state of the server under test is not logged in, the following steps are taken: First, the set of subsequent states of the not logged-in state is determined based on the state model, including authenticated, half-connected, and disconnected, where half-connected is an unexplored subsequent state. Then, the table entry with the target protocol state of half-connected and a structure-aware confidence greater than 0.8 is retrieved from the mutation knowledge table. This table entry records the candidate field set as {Auth-Token} and the field mutation rule as legitimate token replacement. The field value corresponding to the field mutation rule is overwritten to the corresponding field position of the test seed, and targeted mutation is performed on the Auth-Token field unit of the test seed to generate test cases for exploring the half-connected state, thus guiding the test into the target unexplored state.
[0081] This embodiment improves the accuracy of targeted mutation by using a dual screening method of target state matching and confidence threshold, and combines a mutation knowledge table to mutate fields related to unexplored subsequent states, thereby increasing the efficiency of state coverage and the depth of vulnerability discovery.
[0082] As one implementation, the mutation knowledge table includes at least a number of entries, and each entry includes at least: a structure-aware confidence score and a set of candidate fields corresponding to a new state transition event.
[0083] S610. While retaining the random mutation strategy, perform targeted mutation operations on the field units in the test seed that correspond to the mutation knowledge table to generate test cases for the server under test, including: From the mutation knowledge table, select the top n entries with the highest structure-aware confidence to obtain the target entries.
[0084] For the field cells in the test seed that correspond to the candidate field set in the target table entry, perform random directional mutation to generate test cases for the server under test.
[0085] Specifically, random directional mutation refers to a hybrid mutation method that combines random perturbation with directional targets, performing random value adjustments within the legal range of the candidate field set, taking into account both the targeting and diversity of the mutation.
[0086] When further exploring the dependencies between complex fields, a deep breakthrough mutation approach is adopted: all entries in the mutation knowledge table are sorted from high to low according to their structure-aware confidence, and the top n entries are selected as target entries; while retaining the random mutation strategy, the field unit in the test seed that corresponds to the candidate field set of the target entries is located, and random directional mutation is performed on the field unit within the legal value range to explore more granular field combination patterns; the test seed that has completed mutation and meets the protocol format constraints is determined as the test case of the server under test. After testing with the test case, if a new state transition event is successfully triggered again, the structure-aware confidence of the corresponding entry is increased; if the above test case does not trigger a new state transition event, the structure-aware confidence of the corresponding entry is decreased, so as to achieve dynamic updating of the structure-aware confidence. The structure-aware confidence can be updated using an exponential moving average method, and this application embodiment does not impose specific limitations.
[0087] For example, the mutation knowledge table contains multiple entries. The entry with the highest structure-aware confidence is selected as the target entry, and its candidate field set is {Auth-Token}. Random directional mutation is performed on the Auth-Token field unit in the test seed within the range of valid tokens, while random mutation of other fields is retained to generate test cases that take into account both relevance and diversity.
[0088] This embodiment selects high-confidence entries for mutation, prioritizes valid structural knowledge, and reduces invalid mutations. It adopts a randomized directional mutation method to achieve directional mutation of key field units while retaining the randomness of values, so as to balance the utilization efficiency and exploration breadth of the test.
[0089] As one implementation, the method further includes: obtaining the proportion of test cases that trigger new state transition events and code coverage for each server under test.
[0090] While retaining the random mutation strategy, targeted mutation operations are performed on the field units in the test seed that correspond to the mutation knowledge table to generate test cases for the server under test, including: If the test process of the server under test meets the preset stagnation conditions, the performance value of each test case of the server under test is determined based on the proportion of new state transition events and code coverage.
[0091] Select the pre-defined number of test cases with the highest performance values as the target test cases.
[0092] Based on the current protocol state, protocol interaction history, and the set of explored protocol states of the target test case, determine the potential unexplored successor states.
[0093] The current protocol state, protocol interaction history, and potential unexplored successor states are embedded into a preset prompt template, and a pre-trained large language model is invoked to generate test cases for the server under test.
[0094] Specifically, the proportion of new state transition events refers to the ratio of the number of times a single test case triggers a new state transition event during the test to the total number of tests; code coverage refers to the ratio of the number of lines of code on the server under test covered by the test case to the total number of lines of code; preset stall conditions refer to pre-set conditions used to determine that the test process cannot continue to explore new states, such as not triggering a new state transition for a preset number of consecutive times, etc., which are not specifically limited in this application; performance value refers to a quantitative score calculated based on the trigger ratio and code coverage, used to evaluate the quality of test cases; preset prompt templates refer to pre-built prompt word templates used to input large language models, used to standardize the input and output format of the model.
[0095] The system acquires the proportion of new state transition events triggered by each test case and the code coverage in real time. When conventional targeted mutation operations and the mutation knowledge table are insufficient to advance protocol state exploration, a state breakthrough mutation approach is adopted: the performance value of each test case is calculated by weighting the proportion of new state transition events triggered and the code coverage; and a preset number of test cases with the highest performance values are selected as target test cases; based on the current protocol state, protocol interaction history, and the set of explored protocol states of the target test cases, potential unexplored successor states are derived; the current protocol state, protocol interaction history, and potential unexplored successor states are embedded into a preset prompt template, and a pre-trained large language model is called to generate a syntactically correct and semantically valid new request message to attempt to trigger a new protocol state.
[0096] For example, when neither regular directional mutation nor knowledge-guided mutation based on the mutation knowledge table can explore a new protocol state during fuzz testing of the server under test, the performance value of the test case is calculated based on the trigger ratio and code coverage, and the test case with the highest performance value is selected as the target test case. The current state of the target test case is not logged in, the explored states are not logged in and half-connected, and the potential unexplored subsequent state is authenticated. The above state information is embedded into a preset prompt template, and a new login request message is generated by calling the large language model to explore the authenticated state, in order to attempt to trigger the new protocol state of authenticated.
[0097] This embodiment activates a large language model-assisted generation mechanism when testing stalls, accurately overcoming bottlenecks in state exploration; it selects test seeds based on performance values to ensure the quality of generated test cases; and it guides the large language model to generate compliant messages through state context, avoiding invalid input and effectively improving the ability to overcome state limitations and discover vulnerabilities in complex protocol scenarios.
[0098] Figure 2This is one of the example flowcharts of the testing method for stateful network protocols provided by the present invention, such as... Figure 2 As shown, starting with fuzz testing guided by the state model, new state transition events are identified based on the response feedback of the server under test. If no new state transition is detected, the fuzz testing continues. If a new state transition event is detected, the process enters the seed structure analysis stage, locating the key message pairs (i.e., client request message pairs) that trigger state changes. The structure of each client request message is analyzed step by step using a large model to generate preset field location rules and extract key field combination candidates (i.e., candidate field groups). Subsequently, the process enters the knowledge verification and accumulation stage, where the effective set of mutated fields (i.e., candidate field sets) is determined through near-minimum mutation set verification (i.e., executing tests on the server under test in ascending order of the number of field units in the field subset). The effective set of mutated fields and the new state transition event are written into the mutation knowledge table MKT (i.e., the mutation knowledge table). Finally, the process enters the structure-aware mutation stage, where breadth-breakthrough mutation, depth-breakthrough mutation, and state-breakthrough mutation are executed based on the mutation knowledge table to generate new protocol test inputs (i.e., test cases for the server under test). These inputs are then input into the target service (i.e., the server under test), and state feedback is detected. The process then returns to the fuzz testing guided by the state model to form a closed-loop iteration, realizing the testing of stateful network protocols.
[0099] The seed structure-aware fuzzing method for stateful protocols provided in this invention addresses the problems of existing fuzzing methods for stateful protocols, such as difficulty in accurately locating key fields of state transitions, lack of explicit association between seed structure and protocol state, inability to accumulate and reuse structural knowledge, and insufficient targeting of mutations. It constructs a technical solution for message structure perception, analysis, verification, and reuse throughout the entire fuzzing process, aiming to improve the efficiency of protocol state space exploration and vulnerability discovery capabilities. This embodiment, upon detecting a new state transition event, compares and analyzes client request messages before and after the state transition to pinpoint the key fields and combinations that trigger the state transition. It establishes the association between the seed structure and the protocol state, transforming coarse-grained state awareness results into reusable fine-grained structural information. By verifying the candidate field set, fields causally related to the state transition are stored in a structured form in a mutation knowledge table, enabling continuous accumulation, dynamic updating, and reuse of structural knowledge. This reduces redundant analysis overhead and improves the stability and convergence efficiency of the testing process. While retaining the random mutation strategy, it performs structure-aware targeted mutation operations on key fields based on the verified structural knowledge. This guides testing to prioritize expanding unexplored state transitions and uncovering field dependencies. When conventional mutation and knowledge guidance fail to advance state exploration, it generates new request messages that can overcome state bottlenecks, balancing the testing's exploration capabilities and utilization efficiency. Ultimately, this forms an iterative closed-loop process of new state transition identification, key field analysis, causal relationship verification, mutation knowledge table updating, and mutation guidance. As testing executes, it continuously accumulates effective knowledge and optimizes testing directions, improving state coverage, state transition coverage, and code coverage, thereby enhancing the ability to discover real vulnerabilities.
[0100] Specifically, this application combines the internal structure of protocol messages with protocol state changes. After identifying new state transition events, it further locates key messages, key fields, and field combinations, transforming coarse-grained state feedback into fine-grained structural knowledge, thus improving the precision of state transition analysis and the targeting of testing. By establishing an explicit association mechanism between seed structure and protocol state, it generates candidate field groups by analyzing field differences in client request message pairs. Verification tests are then performed in ascending order of the number of field units in the field subset to filter out the minimum effective candidate field set that can trigger a state transition. A mutation knowledge table is then constructed to record the target protocol state and the candidate field set. Information such as structure-aware confidence levels enables the accumulation and reuse of testing experience. By constructing a knowledge-driven structure-aware mutation mechanism, targeted perturbations are applied to key field units based on random mutation. Combining three collaborative strategies—breadth-breakthrough mutation, depth-breakthrough mutation, and state-breakthrough mutation—it respectively achieves the expansion of unexplored state transitions, the mining of field dependencies, and the breakthrough of test stagnation states, taking into account the ability to expand states, refine fields, and explore unknown areas. By using a large language model only for high-value structure analysis and state-breakthrough message generation, routine testing is driven by the mutation knowledge table, reducing the dependency on repeated calls to the large language model and improving the stability, continuity, and convergence efficiency of the testing process.
[0101] This embodiment effectively solves the problems of coarse-grained state transition parsing, difficulty in locating key fields, difficulty in reusing structural knowledge, and insufficient targeted mutation in fuzz testing of stateful protocols. It not only upgrades from coarse-grained state awareness to fine-grained field-oriented exploration, but also automatically completes state transition analysis, key field extraction, and knowledge accumulation, eliminating the need for manual analysis of state transition conditions, lowering the testing threshold and labor costs, and improving the level of testing automation. By accurately utilizing key fields to perform structure-aware targeted mutation, it reduces invalid mutations, improves the effectiveness of test cases and the ability to explore the state space. In various protocol implementations, its state coverage, state transition coverage, and code branch coverage are all superior to existing methods. It has good adaptability to protocol scenarios with complex message structures, tight field dependencies, and complex state machine logic, and can effectively uncover deep state paths and high-value test areas. It can more efficiently trigger security flaws in deep protocol logic, improve vulnerability discovery capabilities, and provide an efficient, universal, and engineering-practical solution for the security testing of stateful network protocols.
[0102] The testing apparatus for stateful network protocols provided by the present invention will be described below. The testing apparatus for stateful network protocols described below and the testing method for stateful network protocols described above can be referred to in correspondence.
[0103] Figure 3 This is one of the structural schematic diagrams of the test device for stateful network protocols provided by the present invention, such as... Figure 3 As shown, the test setup for stateful network protocols includes: The inference unit 100 is used to infer the current state of the protocol session and identify new state transition events based on the response feedback of the server under test. The response feedback of the server under test is obtained by performing fuzz testing on the target network server with a stateful protocol.
[0104] The acquisition unit 200 is used to acquire a client request message pair corresponding to the new state transition event from the complete protocol interaction message sequence, wherein the client request message pair includes at least: the client request message before the new state transition event is triggered, and the client request message after the new state transition event is triggered.
[0105] The splitting unit 300 is used to split each client request message into multiple field units with independent semantic meanings according to preset field positioning rules, and to assign a field name to each field unit.
[0106] The identification unit 400 is used to identify the field differences between field units with the same field name and generate candidate field groups.
[0107] Test unit 500 is used to perform tests on the server under test based on each field unit and combination of field units in the candidate field group, and to obtain a set of candidate fields that trigger a new state transition event.
[0108] The generation unit 600 is used to perform structure-aware directed mutation operations on the test seed of fuzz testing, based at least on the field unit of the candidate field set, to generate test cases for the server under test.
[0109] In some embodiments, the test unit 500 includes: The retrieval module is used to retrieve a subset of fields from a candidate field group.
[0110] The testing module is used to perform tests on the server under test by sequentially using each field subset in ascending order of the number of field units in the field subset, thereby obtaining a set of candidate fields that can trigger new state transition events.
[0111] In some embodiments, the test module includes: The replacement submodule is used to replace each field unit in any field subset with the corresponding field position in the client request message before the new state transition event is triggered, according to preset field positioning rules, and generate a verification message.
[0112] The test submodule is used to send verification messages to the server under test to perform tests and determine the set of verification messages that trigger a new state transition.
[0113] The selection submodule is used to select the subset of fields with the fewest field units from the set of verification messages as the candidate field set.
[0114] In some embodiments, the testing apparatus for stateful network protocols further includes a writing unit for writing a set of candidate fields and new state transition events into a mutation knowledge table.
[0115] The generation unit 600 includes: The targeted mutation module is used to perform targeted mutation operations on the field units in the test seed that correspond to the mutation knowledge table while retaining the random mutation strategy, thereby generating test cases for the server under test.
[0116] In some embodiments, the mutation knowledge table includes at least a plurality of entries, each entry including at least: the target protocol state corresponding to a new state transition event, the structure-aware confidence, the candidate field set, and the field mutation rule.
[0117] The targeted mutation module includes: The target state determination submodule is used to obtain the current protocol state of the server under test and determine the unexplored successor state of the current protocol state as the target state.
[0118] The query submodule is used to retrieve entries from the mutation knowledge table that match the target state and have a structure-aware confidence level greater than a preset confidence threshold, thereby obtaining the target entry.
[0119] The directional mutation submodule is used to perform directional mutation on the field units in the test seed that correspond to the candidate field set of the target table entry according to the field mutation rules of the target table entry, and to determine the mutated test seed as the test case of the server under test.
[0120] In some embodiments, the mutation knowledge table includes at least a plurality of entries, each entry including at least: a structure-aware confidence score and a set of candidate fields corresponding to a new state transition event.
[0121] The targeted mutation module includes: The selection submodule is used to select the top n entries with the highest structure-aware confidence from the mutation knowledge table to obtain the target entry.
[0122] The Random Directed Mutation submodule is used to perform random directed mutation on the field units in the test seed that correspond to the candidate field set in the target table entry, in order to generate test cases for the server under test.
[0123] In some embodiments, the testing apparatus for stateful network protocols further includes: an acquisition unit, configured to acquire the proportion of test cases triggering new state transition events and code coverage for each server under test.
[0124] The targeted mutation module includes: The determination submodule is used to determine the performance value of each test case of the server under test based on the proportion of new state transition events and code coverage, when the test process of the server under test meets the preset stagnation conditions.
[0125] The selection submodule is used to select the preset number of test cases with the highest performance values as target test cases.
[0126] The determination submodule is used to determine potential unexplored successor states based on the current protocol state of the target test case, the protocol interaction history, and the set of explored protocol states.
[0127] The submodule is called to embed the current protocol state, protocol interaction history, and potential unexplored successor states into a preset prompt template, and to call a pre-trained large language model to generate test cases for the server under test.
[0128] Figure 4 An example is a schematic diagram of the physical structure of an electronic device, such as... Figure 4 As shown, the electronic device may include a processor 810, a communications interface 820, a memory 830, and a communication bus 840. The processor 810, communications interface 820, and memory 830 communicate with each other via the communication bus 840. The processor 810 can call logical instructions from the memory 830 to execute a test method for stateful network protocols. This method includes a test method for stateful network protocols.
[0129] Furthermore, the logical instructions in the aforementioned memory 830 can be implemented as software functional units and, when sold or used as independent products, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0130] On the other hand, the present invention also provides a computer program product, the computer program product including a computer program that can be stored on a non-transitory computer-readable storage medium, and when the computer program is executed by a processor, the computer is able to execute the test method for stateful network protocols provided by the above methods, the method including: a test method for stateful network protocols.
[0131] In another aspect, the present invention also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, is implemented to perform the test method for stateful network protocols provided by the above methods, the method comprising: a test method for stateful network protocols.
[0132] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.
[0133] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in the various embodiments or some parts of the embodiments.
[0134] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims
1. A testing method for stateful network protocols, characterized in that, Includes the following steps: Based on the response feedback from the server under test, the current state of the protocol session is inferred and new state transition events are identified. The response feedback from the server under test is obtained by performing fuzz testing on the target network server with a stateful protocol. From the complete sequence of protocol interaction messages, obtain the client request message pair corresponding to the new state transition event, wherein the client request message pair includes at least: the client request message before the new state transition event is triggered, and the client request message that triggers the new state transition event; Based on the preset field location rules, each client request message is split into multiple field units with independent semantic meanings, and a field name is assigned to each field unit; Identify the differences between field units with the same field name and generate candidate field groups; Based on each field unit and combination of field units in the candidate field group, the test is performed on the server under test to obtain a set of candidate fields that trigger the new state transition event; Based at least on the field units of the candidate field set, a structure-aware directed mutation operation is performed on the test seed of the fuzz test to generate test cases for the server under test.
2. The method according to claim 1, characterized in that, The step involves performing tests on the server under test based on each field element and combination of field elements in the candidate field group to obtain a set of candidate fields that trigger the new state transition event, including: Obtain a subset of fields from the candidate field group; The test server is tested sequentially using each field subset in ascending order of the number of field units in the field subset, to obtain a set of candidate fields that trigger the new state transition event.
3. The method according to claim 2, characterized in that, The test is performed on the server under test sequentially using each field subset in ascending order of the number of field units in the field subset, to obtain a candidate field set that triggers the new state transition event, including: For any subset of fields, according to the preset field location rules, each field unit in the subset of fields is replaced with the corresponding field position in the client request message before the new state transition event is triggered, and a verification message is generated; The verification message is sent to the server under test to perform the test and determine the set of verification messages that trigger the new state transition; Based on the set of verification messages, the subset of fields with the fewest field units is selected as the candidate field set.
4. The method according to claim 1, characterized in that, The method further includes: writing the candidate field set and the new state transition event into a mutation knowledge table; The process of performing a structure-aware directed mutation operation on the test seed of the fuzz test, based at least on the field units of the candidate field set, to generate test cases for the server under test includes: While retaining the random mutation strategy, targeted mutation operations are performed on the field units in the test seed that correspond to the mutation knowledge table to generate test cases for the server under test.
5. The method according to claim 4, characterized in that, The mutation knowledge table includes at least a number of entries, and each entry includes at least: the target protocol state corresponding to a new state transition event, the structure-aware confidence, the candidate field set, and the field mutation rule; The step of performing targeted mutation operations on the field units in the test seed corresponding to the mutation knowledge table, while retaining the random mutation strategy, to generate test cases for the server under test includes: Obtain the current protocol state of the server under test, and determine the unexplored successor state of the current protocol state as the target state; From the mutation knowledge table, query the table entries that match the target state and whose structure-aware confidence is greater than the preset confidence threshold to obtain the target table entry; According to the field mutation rules of the target table entry, targeted mutation is performed on the field units in the test seed that correspond to the candidate field set of the target table entry, and the mutated test seed is determined as the test case of the server under test.
6. The method according to claim 4, characterized in that, The mutation knowledge table includes at least a number of entries, and each entry includes at least: a structure-aware confidence score and a set of candidate fields corresponding to a new state transition event; The step of performing targeted mutation operations on the field units in the test seed corresponding to the mutation knowledge table, while retaining the random mutation strategy, to generate test cases for the server under test includes: From the mutation knowledge table, select the top n entries with the highest structure-aware confidence to obtain the target entries; For the field units in the test seed that correspond to the candidate field set in the target table entry, perform random directional mutation to generate test cases for the server under test.
7. The method according to claim 4, characterized in that, The method further includes: obtaining the proportion and code coverage of test cases triggering the new state transition event for each server under test; The step of performing targeted mutation operations on the field units in the test seed corresponding to the mutation knowledge table, while retaining the random mutation strategy, to generate test cases for the server under test includes: When the test process of the server under test meets the preset stagnation conditions, the performance value of the test cases of each server under test is determined according to the proportion of the new state transition events and the code coverage. Select the preset number of test cases with the highest performance values as target test cases; Based on the current protocol state, protocol interaction history, and set of explored protocol states of the target test case, determine the potential unexplored successor states; The current protocol state, the protocol interaction history, and the potential unexplored successor states are embedded into a preset prompt template, and a pre-trained large language model is invoked to generate test cases for the server under test.
8. A testing apparatus for stateful network protocols, characterized in that, include: The inference unit is used to infer the current state of the protocol session and identify new state transition events based on the response feedback of the server under test, wherein the response feedback of the server under test is obtained by performing fuzz testing on the target network server with stateful protocol. The acquisition unit is used to acquire a client request message pair corresponding to the new state transition event from a complete sequence of protocol interaction messages, wherein the client request message pair includes at least: a client request message before the new state transition event is triggered, and a client request message that triggers the new state transition event; The splitting unit is used to split each client request message into multiple field units with independent semantic meanings according to preset field positioning rules, and assign field names to each field unit; The identification unit is used to identify the field differences between field units with the same field name and generate candidate field groups. The testing unit is used to perform tests on the server under test based on each field unit and combination of field units in the candidate field group, and to obtain a set of candidate fields that trigger the new state transition event. A generation unit is used to perform a structure-aware directed mutation operation on the test seed of the fuzz test, based at least on the field units of the candidate field set, to generate test cases for the server under test.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and running on the processor, characterized in that, When the processor executes the computer program, it implements the test method for stateful network protocols as described in any one of claims 1 to 7.
10. A non-transitory computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by the processor, it implements the test method for stateful network protocols as described in any one of claims 1 to 7.