CN-122001591-A - Firmware cryptographic algorithm verification method and system based on dynamic behavior analysis
Abstract
The invention discloses a method and a system for verifying a firmware cryptographic algorithm based on dynamic behavior analysis. The method comprises: obtaining plaintext information input by a user, environmental parameters at the current moment, ciphertext information obtained by encrypting the plaintext with the cryptographic algorithm, and multidimensional dynamic behavior data from the encryption execution process; preprocessing the obtained data; checking the ciphertext information with a static checking method to obtain a ciphertext information checking result; extracting features from the preprocessed data; inputting the feature data into a trained machine learning model to check the execution process of the firmware cryptographic algorithm and obtain a firmware cryptographic algorithm checking result; and combining the ciphertext information checking result and the firmware cryptographic algorithm checking result to obtain a final checking result. By combining the static verification method with the dynamic behavior verification method, the method and the system improve the comprehensiveness of verification and the security of execution.
Inventors
- CHEN YONGPEI
- QU XINYAN
Assignees
- 上海伊世智能科技有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20260210
Claims (10)
- 1. A method for verifying a firmware cryptographic algorithm based on dynamic behavior analysis, characterized by comprising the following steps: S1, acquiring plaintext information input by a user, environmental parameters at the current moment, ciphertext information obtained by encrypting the plaintext based on a cryptographic algorithm, and multidimensional dynamic behavior data in the cryptographic algorithm encryption execution process; S2, preprocessing the obtained data; S3, checking the ciphertext information by adopting a static checking method to obtain a ciphertext information checking result; S4, extracting features of the preprocessed data; S5, inputting the feature data into a trained machine learning model, and checking the execution process of the firmware cryptographic algorithm to obtain a firmware cryptographic algorithm checking result; S6, integrating the ciphertext information checking result and the firmware cryptographic algorithm checking result to obtain a final verification result.
- 2. The method of claim 1, wherein in step S1, the plaintext information includes a user identity and original data to be encrypted, the environment parameters include login time, IP location, network delay, and memory occupancy rate, and the multidimensional dynamic behavior data includes a cipher algorithm call time sequence, an instruction stream sequence in an algorithm execution process, a basic block execution sequence, memory read-write address distribution, access times, and a time sequence rule.
- 3. The method for verifying the firmware cryptographic algorithm based on the dynamic behavior analysis of claim 1, wherein the preprocessing of the obtained data in the step S2 comprises normalization processing, data cleaning and time stamp alignment.
- 4. The method for verifying a firmware cryptographic algorithm based on dynamic behavior analysis according to claim 1, wherein step S3 specifically comprises: S31, verifying, according to the type of the cryptographic algorithm, whether the ciphertext length conforms to the algorithm output standard and whether the ciphertext conforms to the coding standard; if so, executing step S32, and if not, judging that the ciphertext is abnormal; S32, decrypting by using the firmware cryptographic algorithm; if the obtained decryption information is consistent with the plaintext information input by the user, the check passes, and if it is inconsistent with the plaintext information input by the user, it is judged abnormal.
- 5. The method for verifying a firmware cryptographic algorithm based on dynamic behavior analysis according to claim 1, wherein the feature extraction of the preprocessed data in step S4 specifically comprises: S41, extracting ciphertext information characteristics, namely calculating a password entropy value based on ciphertext information The formula is: ; in the formula, =2, Represents the global single-byte information entropy, Represent the first The actual probability of occurrence of the seed bytes, For a set of bytes that do not occur, For a smooth probability of not being present, Representing the number of bytes; S42, extracting environmental parameter characteristics, namely extracting a time period to which login time belongs, extracting IP region codes, extracting a mean value, variance and standard deviation of network delay, and extracting an instantaneous value and a sliding mean value of memory occupancy rate; S43, extracting dynamic behavior data features, namely extracting the time sequence correlation of the time sequence of the time duration, the sub-function execution time length duty ratio and the instruction stream sequence of a cipher algorithm call time sequence, extracting the occurrence frequency and duty ratio of each opcode in the instruction stream, the similarity of basic block execution paths, the entropy value of memory read-write addresses, the average value, the peak value and the valley value of access times, extracting the time sequence rule of memory read-write and the Markov chain state transition probability of the instruction stream.
- 6. The method for verifying a firmware cryptographic algorithm based on dynamic behavior analysis as in claim 1, wherein the machine learning model training process in step S5 comprises: collecting normal dynamic behavior data and abnormal dynamic behavior data in the execution process of the cryptographic algorithm, together with the corresponding environment parameters and ciphertext information; preprocessing the obtained data, extracting features of the preprocessed data, and constructing a feature data set; dividing the feature data set into a training set and a testing set; and training the machine learning model by using the training set, and verifying by using the testing set, to obtain a trained machine learning model.
- 7. The method for verifying a firmware cryptographic algorithm based on dynamic behavior analysis as in claim 6, wherein the machine learning model is a CNN-BiLSTM hybrid deep learning model.
- 8. The method for verifying a firmware cryptographic algorithm based on dynamic behavior analysis of claim 7, wherein the CNN-BiLSTM hybrid deep learning model comprises: a feature extraction module, comprising a plurality of parallel depthwise separable convolution layers, a concatenation layer and a global average pooling layer, used for extracting multi-scale features of an input feature sequence; a BiLSTM time-series feature extraction module, comprising a bidirectional LSTM (BiLSTM) layer, a normalization layer and a residual connection layer, used for capturing time-series features in the multi-scale features; an attention fusion module, comprising an attention layer, wherein the attention layer calculates the weights of the multi-scale features and the time-series features through an attention mechanism, and the fused features are obtained through weighted summation using the attention weights; and an output module, comprising an output layer, used for outputting a binary classification result of the verification and the corresponding confidence, wherein the binary classification result is either normal or abnormal.
- 9. The method for verifying a firmware cryptographic algorithm based on dynamic behavior analysis according to claim 1, wherein step S6 specifically comprises: and integrating the ciphertext information verification result and the firmware password algorithm verification result, wherein the formula is as follows: ; in the formula, Represents the weight of the result of the ciphertext information verification, The result weights are checked for the firmware cryptographic algorithm, The result score is checked for ciphertext information, which is 1 when normal, 0 when abnormal, Check score for firmware cipher algorithm, at normal time In case of abnormality, the detecting device can detect, , Representing the confidence level of the corresponding result; When (when) More than or equal to 0.8, and is judged to be normal, checking is passed; when the time is less than or equal to 0.7 <0.8, The suspected abnormality requires a secondary check, when At <0.7, the check is not passed.
- 10. A firmware cryptographic algorithm verification system based on dynamic behavior analysis, for executing a firmware cryptographic algorithm verification method based on dynamic behavior analysis as recited in any one of claims 1 to 9, comprising: the data acquisition module, used for acquiring plaintext information input by a user, environmental parameters at the current moment, ciphertext information obtained by encrypting the plaintext based on a cryptographic algorithm, and multidimensional dynamic behavior data in the cryptographic algorithm encryption execution process; the data preprocessing module, used for preprocessing the obtained data; the ciphertext information verification module, used for verifying the ciphertext information; the firmware cryptographic algorithm behavior verification module, used for analyzing behaviors in the execution process of the firmware cryptographic algorithm to obtain a firmware cryptographic algorithm verification result; and the comprehensive verification module, used for making a comprehensive judgment according to the ciphertext information verification result and the firmware cryptographic algorithm verification result to obtain a final verification result.
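Added example, not part of the patent text: a sketch of part of the dynamic behavior feature extraction in step S43 of claim 5, covering opcode occurrence frequency and proportion, first-order Markov transition probabilities of the instruction stream, memory read-write address entropy, and the mean, peak and valley of access counts. The trace format, the function names and the use of plain Shannon entropy are assumptions; the sample trace is constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample trace: (opcode, memory address touched or None).
# Not captured from real firmware.
TRACE = [
    ("ldr", 0x2000), ("eor", None), ("ldr", 0x2004), ("eor", None),
    ("str", 0x3000), ("ldr", 0x2008), ("eor", None), ("str", 0x3004),
    ("b", None), ("ldr", 0x2000), ("eor", None), ("str", 0x3000),
]

def opcode_stats(opcodes):
    """Occurrence count and proportion of each opcode in the stream."""
    counts = Counter(opcodes)
    total = len(opcodes)
    return {op: (n, n / total) for op, n in counts.items()}

def markov_transitions(opcodes):
    """First-order transition probabilities P(next opcode | current opcode)."""
    pairs = defaultdict(Counter)
    for cur, nxt in zip(opcodes, opcodes[1:]):
        pairs[cur][nxt] += 1
    return {cur: {nxt: n / sum(c.values()) for nxt, n in c.items()}
            for cur, c in pairs.items()}

def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of values.
    Assumption: the patent's address-entropy formula is not on the page."""
    counts = Counter(values)
    total = len(values)
    return -sum(n / total * math.log2(n / total) for n in counts.values())

def access_stats(addresses):
    """Mean, peak and valley of per-address access counts."""
    per_addr = Counter(addresses).values()
    return sum(per_addr) / len(per_addr), max(per_addr), min(per_addr)

def extract_features(trace):
    """Build the S43-style feature dictionary from one execution trace."""
    opcodes = [op for op, _ in trace]
    addrs = [a for _, a in trace if a is not None]
    return {
        "opcode_stats": opcode_stats(opcodes),
        "transitions": markov_transitions(opcodes),
        "addr_entropy": shannon_entropy(addrs),
        "access_mean_peak_valley": access_stats(addrs),
    }

if __name__ == "__main__":
    for name, value in extract_features(TRACE).items():
        print(name, value)
```

A trace in which the transition table or address entropy departs from the baseline recorded for the known-good algorithm is the kind of deviation the model in step S5 is trained to flag.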
Description
Firmware cryptographic algorithm verification method and system based on dynamic behavior analysis
Technical Field
The invention relates to the technical field of information security, in particular to a method and a system for verifying a firmware cryptographic algorithm based on dynamic behavior analysis.
Background
Firmware is the core control program of electronic equipment such as embedded devices and intelligent terminals, and its security directly determines the overall security of the device. Password verification is an important part of firmware security protection: by verifying the legitimacy of the password input by the user, it prevents unauthorized users from accessing or tampering with firmware functions. Conventional firmware password algorithm verification methods mostly adopt a static verification mode: the password verification logic and the legitimate password information are fixed in the firmware in advance, and after a user inputs a password, the input is processed by a fixed algorithm and compared with a preset legitimate result to complete verification. However, static verification has two shortcomings. On one hand, the static verification logic is fixed, so the verification algorithm and the legitimate password information are easily cracked by an attacker through reverse engineering, allowing the firmware to be illegally intruded. On the other hand, static verification only considers the legitimacy of the password, so it cannot identify attacks launched through dynamic means such as brute-force cracking and timing attacks, and it is difficult for it to deal with complex firmware attack scenarios.
Disclosure of Invention
The invention aims to provide a firmware cryptographic algorithm verification method and system based on dynamic behavior analysis, to solve the technical problems described in the background.
In order to achieve the above purpose, the present invention provides a firmware cryptographic algorithm verification method based on dynamic behavior analysis, comprising the steps of: S1, acquiring plaintext information input by a user, environmental parameters at the current moment, ciphertext information obtained by encrypting the plaintext based on a cryptographic algorithm, and multidimensional dynamic behavior data in the cryptographic algorithm encryption execution process; S2, preprocessing the obtained data; S3, checking the ciphertext information by adopting a static checking method to obtain a ciphertext information checking result; S4, extracting features of the preprocessed data; S5, inputting the feature data into a trained machine learning model, and checking the execution process of the firmware cryptographic algorithm to obtain a firmware cryptographic algorithm checking result; S6, integrating the ciphertext information checking result and the firmware cryptographic algorithm checking result to obtain a final verification result.
Preferably, in step S1, the plaintext information includes a user identity and original data to be encrypted, the environmental parameters include login time, IP location, network delay, and memory occupancy rate, and the multidimensional dynamic behavior data includes a cryptographic algorithm call time sequence, an instruction stream sequence in an algorithm execution process, a basic block execution sequence, memory read-write address distribution, access times, and a time sequence rule.
Preferably, the preprocessing of the obtained data in step S2 includes normalization processing, data cleansing and time stamp alignment.
Preferably, the step S3 specifically includes: S31, verifying, according to the type of the cryptographic algorithm, whether the ciphertext length conforms to the algorithm output standard and whether the ciphertext conforms to the coding standard; if so, executing step S32, and if not, judging that the ciphertext is abnormal; S32, decrypting by using the firmware cryptographic algorithm; if the obtained decryption information is consistent with the plaintext information input by the user, the check passes, and if it is inconsistent with the plaintext information input by the user, it is judged abnormal.
Preferably, in step S4, the feature extraction of the preprocessed data specifically includes: S41, extracting ciphertext information characteristics, namely calculating a password entropy value based on ciphertext information The formula is: ; in the formula, =2,Represents the global single-byte information entropy,Represent the firstThe actual probability of occurrence of the seed bytes,For a set of bytes that do not occur,For a smooth probability of not being present,Representing the number of bytes; S42, extracting environmental parameter characteristics, namely extracting a time period to which login time belongs, extra