Application of Electronic Technique (电子技术应用)
Research on the vulnerability mining technology of authentication protocol based on Q-learning
Application of Electronic Technique, 2022, No. 10
Lv Lele, Dong Wei, Zhao Yunfei, Feng Zhi, Li Zhicheng, Zhang Yaqin
National Computer System Engineering Research Institute of China, Beijing 102209
Abstract: Authentication and authorization protocols let a third party obtain a user's resources without the user's password being disclosed; they solve the third-party authorization problem on cloud platforms and improve the user's interactive experience. However, the uncertainty and complexity of the protocol's interaction handling mean that logic vulnerabilities may exist when it is deployed in practice. To address this problem, a fuzz simulation method is proposed: the protocol interaction process is fuzzed, and the nondeterminism of the protocol entities' actions is used to uncover logic vulnerabilities in the protocol. In addition, the SA-Q reinforcement learning algorithm is used to train an agent to learn the optimal fuzzing strategy, so that vulnerabilities are mined intelligently. Testing shows that, compared with the basic Q-learning algorithm, the convergence speed of this method improves by 9.27%, which makes the model converge more easily during training and effectively improves the efficiency of vulnerability mining.
CLC number: TN915.08
Document code: A
DOI: 10.16157/j.issn.0258-7998.222641
Chinese citation format: 吕乐乐,董伟,赵云飞,等. 基于Q算法的认证协议漏洞挖掘技术研究[J]. 电子技术应用, 2022, 48(10): 63-68.
English citation format: Lv Lele, Dong Wei, Zhao Yunfei, et al. Research on the vulnerability mining technology of authentication protocol based on Q-learning[J]. Application of Electronic Technique, 2022, 48(10): 63-68.
Key words: authentication and authorization protocols; logic vulnerabilities; fuzz simulation; Q reinforcement learning algorithm

0 Introduction

    With the continuous development of Internet technology, network applications have become part of every aspect of daily life. To log in to different network applications, users have to register account information on different websites [1] and maintain the account and password for each of them, which is inefficient and cumbersome. Authentication and authorization protocols allow third-party services to access a user's private resources without the user supplying an account and password, which solves the third-party authorization problem on today's open cloud platforms and improves the user experience. However, the current network environment is complex and diverse, and the interactions between protocol entities involve intricate relationships and constraints, so authentication protocols exhibit nondeterminism in their interaction handling. As a result, a protocol may have security vulnerabilities when used in practice [2], and attackers can exploit logic flaws in the protocol itself to attack information systems.

    針對(duì)協(xié)議進(jìn)行安全性分析是揭示協(xié)議缺陷和安全漏洞的重要方法,。模糊測(cè)試是進(jìn)行漏洞挖掘的常規(guī)方法[3],其本質(zhì)是變異報(bào)文字段取值,,而非變異協(xié)議本身邏輯,,因而只能發(fā)現(xiàn)協(xié)議編碼實(shí)現(xiàn)的漏洞,不能發(fā)現(xiàn)協(xié)議邏輯上的漏洞,。形式化方法是尋找協(xié)議邏輯缺陷的重要方法,,其主要通過形式化分析工具對(duì)目標(biāo)系統(tǒng)進(jìn)行形式化建模[4],但期間若存在較復(fù)雜的邏輯影響因素(如時(shí)延),會(huì)使模型變得非常復(fù)雜,,一方面可能會(huì)產(chǎn)生失真,,另一方面可能會(huì)出現(xiàn)狀態(tài)空間爆炸問題[5]

For the full text of this article, download: http://forexkbc.com/resource/share/2000004960.


此內(nèi)容為AET網(wǎng)站原創(chuàng),未經(jīng)授權(quán)禁止轉(zhuǎn)載,。