Ragewar Karkatar da Karkatacciyar Hukunci a Tsarin Ƙarfin Kalmar Sirri ta Hanyar Koyon Zurfin Kwakwalwa da Ƙamus Mai Sauƙi

1. Gabatarwa

Kalmomin sirri sun ci gaba da zama babbar hanyar tabbatar da ainihi duk da raunin tsaro da aka sani. Masu amfani suna son ƙirƙirar kalmomin sirri bisa tsarin da ake iya tsinkaya, wanda ke sa su zama masu rauni ga hare-haren zato. Tsaron irin wannan tsarin ba za a iya bayyana shi da sauƙaƙan ma'auni kamar girman maɓalli ba; yana buƙatar daidaitaccen samfurin halayen maƙiya. Duk da cewa shekaru da yawa na bincike sun samar da ƙaƙƙarfan samfuran kalmomin sirri na yuwuwar (misali, samfuran Markov, PCFGs), akwai babbar tazara wajen tsarin samfurin dabarun zahiri na masu kai hari na duniya ta zahiri waɗanda suka dogara da ingantattun hare-haren ƙamus tare da ƙa'idodin ɓarna.

Wannan aikin yana magance karkatacciyar hukunci ta ma'auni da aka gabatar lokacin da nazarin tsaro ya yi amfani da saitunan hare-haren ƙamus na yau da kullun, waɗanda ba su kusan ƙwarewar ƙwararru ba. Muna ba da shawarar sabon tsarin hare-haren ƙamus wanda ke amfani da koyon zurfin kwakwalwa don sarrafa kuma kwaikwayi ingantattun dabarun zato masu sauƙi na ƙwararrun maƙiya, wanda ke haifar da ingantaccen ƙimar ƙarfin kalmar sirri na zahiri.

2. Bayanan Baya & Bayyana Matsala

2.1 Tazarar Tsakanin Samfuran Ilimi da Hare-haren Duniya ta Zahiri

Samfuran ƙarfin kalmar sirri na ilimi sau da yawa suna amfani da cikakkun hanyoyin atomatik na yuwuwar kamar sarkar Markov ko Nahawun Mahallin Yuwuwar (PCFGs). Akasin haka, fashewar kalmar sirri ta zahiri a waje, kamar yadda kayan aiki kamar Hashcat da John the Ripper ke yi, sun mamaye hare-haren ƙamus. Waɗannan hare-haren suna amfani da jerin kalmomin tushe waɗanda aka faɗaɗa ta hanyar saitin ƙa'idodin ɓarna (misali, musanyawar `l33t`, ƙari na ƙarshe/gaba) don samar da kalmomin sirri masu yuwuwa. Tasirin yana dogara da inganci da daidaitawar ma'auratan ƙamus-doka, wani tsari da ke buƙatar zurfin ilimin yanki da gogewa.

2.2 Matsalar Karkatacciyar Hukunci ta Tsarin Saiti

Masu bincike da masu aiki waɗanda ba su da ilimin matakin ƙwararru yawanci suna amfani da saitunan tsoho, masu tsayayye. Wannan yana haifar da ƙima mai yawa na ƙarfin kalmar sirri, kamar yadda binciken da ya gabata ya nuna [41]. Sakamakon karkatacciyar hukunci yana karkatar da nazarin tsaro, yana sa tsarin ya zama kamar ya fi tsaro a kan ƙwararren maƙiyi mai ƙuduri. Babbar matsala ita ce rashin iya maimaita tsarin ƙwararren na daidaitawar tsarin saitunan daidaitawa bisa bayanan musamman na manufa.

3. Hanyar da aka Tsara

3.1 Cibiyar Sadarwar Jijiyoyi Mai Zurfi don Samfurin Ƙwarewar Maƙiyi

Bangare na farko yana amfani da cibiyar sadarwar jijiyoyi mai zurfi (DNN) don samfurin ƙwarewar maƙiyi wajen ƙirƙirar ingantattun saitunan kai hari. An horar da cibiyar sadarwa akan ma'auratan bayanan kalmar sirri da ingantattun saitunan kai hari (ƙamus + dokoki) waɗanda aka samo daga ko kuma suna kwaikwayon saitunan ƙwararru. Manufar ita ce koyon aiki $f_{\theta}(\mathcal{D}_{target}) \rightarrow (Dict^*, Rules^*)$ wanda, idan aka ba da bayanan kalmar sirri na manufa (ko halayensa), yana fitar da kusan mafi kyawun tsarin kai hari, yana ƙetare buƙatar daidaitawa da hannu.

3.2 Dabarun Zato Masu Sauƙi

Matsawa bayan aiwatar da dokokin tsayayye, mun gabatar da dabarun zato masu sauƙi. Yayin kai hari, tsarin bai yi amfani da duk dokoki ga duk kalmomi ba kawai. A maimakon haka, yana kwaikwayon ikon ƙwararren na daidaitawa ta hanyar ba da fifiko ko samar da dokoki bisa ra'ayoyin da aka gwada a baya da kuma tsarin da aka lura a cikin bayanan manufa. Wannan yana haifar da tsarin kai hari mai daidaitawa, mai rufaffiyar madauki.

3.3 Tsarin Fasaha

Tsarin haɗin gwiwar yana aiki a cikin matakai biyu: (1) Samarwar Tsarin Saiti: DNN tana nazarin manufar (ko samfurin wakilci) don samar da ƙamus na farko da saitin doka. (2) Aiwar da ke Sauƙi: Hare-haren ƙamus yana gudana, amma aiwatar da dokokinsa yana ƙarƙashin manufar da za ta iya daidaita tsarin zato da zaɓin doka a cikin ainihin lokaci, mai yuwuwa ta amfani da samfuri na biyu don tsinkaya mafi ingantaccen canji bisa ga nasara ta ɓangare.

Za a iya samfurin wakilcin sauƙi na fifikon da ke canzawa azaman sabunta rarraba yuwuwar akan dokoki $R$ bayan kowane rukunin zato: $P(r_i | \mathcal{H}_t) \propto \frac{\text{nasarori}(r_i)}{\text{ƙoƙarin}(r_i)} + \lambda \cdot \text{kamanceceniya}(r_i, \mathcal{H}_t^{success})$ inda $\mathcal{H}_t$ shine tarihin zato da nasarori har zuwa lokacin $t$.

4. Sakamakon Gwaji & Kimantawa

4.1 Bayanan Saƙo da Saiti

An gudanar da gwaje-gwaje akan bayanan kalmar sirri na zahiri da yawa masu girma (misali, daga keta da ya gabata kamar RockYou). An kwatanta hanyar da aka tsara da ingantattun samfuran yuwuwar (misali, FLA) da daidaitattun hare-haren ƙamus tare da shahararrun saitunan dokoki masu tsayayye (misali, `best64.rule`, `d3ad0ne.rule`). An horar da DNN akan wani ɓangare na ma'auratan bayanai-tsarin saitunan.

4.2 Kwatancen Aiki

Bayanin Jadawali (Layin Zato): Jadawalin layi wanda ke kwatanta adadin kalmomin sirri da aka fashe (y-axis) da adadin ƙoƙarin zato (x-axis, ma'aunin log). "Dynamic DeepDict" da aka tsara ya tashi da sauri sosai kuma ya kai matakin sama fiye da layukan "Static Best64", "Static d3ad0ne", da "Samfurin PCFG". Wannan yana nuna ingantaccen ingancin zato da babban ɗaukar hoto, yana kusan kusantar "Expert-Tuned" na hasashe.

Ma'auni Mai Muhimmanci na Aiki

A zato 10^10, hanyar da aka tsara ta fashe ~15-25% ƙarin kalmomin sirri fiye da mafi kyawun saitin doka na tushe, yana rufe fiye da rabin tazarar tsakanin saitunan tsoho da kai hari na ƙwararren da aka daidaita.

4.3 Nazarin Ragewar Karkatacciyar Hukunci

Ma'aunin nasara na farko shine ragewar karkatacciyar hukunci ta ƙimar ƙarfi. Lokacin da aka auna ƙarfin kalmar sirri a matsayin adadin zato da ake buƙata don fashe shi (ƙimar zato), hanyar da aka tsara tana samar da ƙididdiga waɗanda koyaushe suna kusa da waɗanda aka samo daga hare-haren ƙwararru da aka daidaita. Bambance-bambancen ƙimar ƙarfi a cikin saitunan farko daban-daban, marasa inganci shima ya ragu sosai, yana nuna ƙaruwar ƙarfi.

5. Tsarin Nazari & Nazarin Lamari

Misalin Aiwatar Tsarin (Babu Lamba): Yi la'akari da mai nazarin tsaro yana tantance manufar kalmar sirri don sabon tsarin kamfani na ciki. Ta amfani da hare-haren ƙamus na gargajiya mai tsayayye (tare da `rockyou.txt` da `best64.rule`), sun gano cewa 70% na samfurin gwajin kalmomin sirri masu kama da na ma'aikata suna tsayayya da zato 10^9. Wannan yana nuna tsaro mai ƙarfi. Duk da haka, amfani da tsarin da aka tsara mai sauƙi ya canza nazarin.

Bayanan Manufa: Bangaren DNN yana nazarin samfurin gwaji, yana gano yawan mita na kamfani (`XYZ`) da sunayen ƙungiyoyin wasanni na gida (`Gladiators`).
Kai Hari Mai Sauƙi: Kai harin yana samar da dokoki da sauri don amfani da waɗannan tsarin (misali, `^XYZ`, `Gladiators$[0-9][0-9]`, musanyawar `leet` akan waɗannan kalmomin tushe).
Binciken da aka Sake Bita: Kai harin mai sauƙi ya fashe 50% na samfurin guda ɗaya a cikin zato 10^9. Ƙarshen mai nazarin ya canza: manufar tana da rauni ga kai hari da aka yi niyya, kuma ana buƙatar matakan kariya (kamar haramta sharuɗɗan musamman na kamfani). Wannan yana nuna ƙarfin tsarin wajen gano ɓoyayyun raunin mahallin.

6. Aikace-aikace na Gaba & Jagorori

Mita na Ƙarfin Kalmar Sirri Mai Ƙarfafawa: Haɗa wannan fasaha cikin masu duba kalmar sirri na ainihin lokaci don samar da ƙimar ƙarfi bisa hare-hare masu sauƙi, masu sanin mahallin maimakon sauƙaƙan dokoki.
Jan-Tawaga ta Atomatik & Gwajin Shiga: Kayan aiki waɗanda ke daidaita dabarun fashewar kalmar sirri da suka dace da yanayin manufa ta musamman (misali, masana'antu, wurin ƙasa, harshe).
Ingantaccen Manufa & Gwajin A/B: Yin kwaikwayon ingantattun hare-hare don gwada da inganta manufofin ƙirƙirar kalmar sirri da ƙarfi kafin a tura su.
Koyo na Tarayya/Kiyaye Sirri: Horar da samfuran DNN akan bayanan kalmar sirri da aka rarraba ba tare da tattara bayanan sirri ba, yana magance matsalolin sirri.
Ƙaddamarwa zuwa Sauran Takaddun Shaida: Yin amfani da hanyar mai sauƙi, mai dogaro da koyo don samfurin hare-hare akan PINs, tambayoyin tsaro, ko kalmomin sirri na hoto.

7. Nassoshi

Weir, M., Aggarwal, S., Medeiros, B., & Glodek, B. (2009). Fashewar Kalmar Sirri ta Amfani da Nahawun Mahallin Yuwuwar. IEEE Symposium on Security and Privacy.
Ma, J., Yang, W., Luo, M., & Li, N. (2014). Nazarin Samfuran Kalmar Sirri na Yuwuwar. IEEE Symposium on Security and Privacy.
Ur, B., et al. (2015). Shin Tunanin Masu Amfani na Tsaron Kalmar Sirri Ya dace da Gaskiya? CHI.
Wang, D., Cheng, H., Wang, P., Huang, X., & Jian, G. (2017). Nazarin Tsaro na Kalmomin Zuma. NDSS.
Melicher, W., et al. (2016> M, Mai Sauri, da Daidai: Samfurin Yuwuwar Zato Kalmar Sirri ta Amfani da Cibiyoyin Sadarwar Jijiyoyi. USENIX Security.
Hashcat. (n.d.). Maido da Kalmar Sirri Mai Ci Gaba. An samo daga https://hashcat.net/hashcat/
Goodfellow, I., et al. (2014). Cibiyoyin Sadarwar Maƙiya Masu Haɓakawa. NeurIPS. (A matsayin ra'ayi na tushe na DL don samfurin haɓakawa).
NIST Special Publication 800-63B. (2017). Jagororin Asalin Dijital: Tabbatar da Ainihi da Gudanar da Rayuwa.

8. Nazari na Asali & Sharhin Kwararru

Fahimta ta Asali

Pasquini da sauransu sun bugi zuciyar ruɗi mai yaduwa a cikin binciken tsaron sadarwa: imanin cewa samfuran atomatik, na farko na ka'idar za su iya ɗaukar gaskiyar ƙwararren ƙwararren maƙiyi. Ayyukansu sun fallasa wani muhimmin tazarar kwaikwayo-zuwa-gaskiya a cikin tsaron kalmar sirri. Shekaru da yawa, fannin ya kasance cikin gamsuwa da samfuran yuwuwar kyawawan halaye (PCFGs, sarkar Markov) waɗanda, duk da cewa suna da inganci a ilimi, su ne kayan aikin dakin gwaje-gwaje. Masu kai hari na zahiri ba sa gudanar da sarkar Markov; suna gudanar da Hashcat tare da jerin kalmomi da aka tsara da kyau da dokokin da aka inganta ta hanyar shekaru na gogewa—wani nau'i na ilimin a ɓoye wanda aka sani da juriya ga tsarawa. Babban fahimtar wannan takarda ita ce don rage karkatacciyar hukunci, dole ne mu daina ƙoƙarin wuce maƙiyin tunani kuma mu fara ƙoƙarin kwaikwayon tsarinsu na daidaitawa, na zahiri ta amfani da ainihin kayan aiki—koyon zurfin kwakwalwa—waɗanda suka yi fice wajen kusantar ayyuka masu rikitarwa, marasa layi daga bayanai.

Kwararar Hankali

Hankalin takarda yana da ƙarfi kai tsaye: (1) Gano Karkatacciyar Hukunci: Gano cewa saitunan ƙamus na tsoho, na kasuwa marasa kyau ne ga hare-haren ƙwararru, suna haifar da ƙimar ƙarfi mai yawa. (2) Rarraba Ƙwarewar: Tsara ƙwarewar ƙwararren a matsayin biyu: ikon tsara kai hari (zaɓi ƙamus/dokoki) da daidaita shi da sauri. (3) Sarrafa tare da AI: Yi amfani da DNN don koyon tsarin tsarin saitunan daga bayanai (magance ƙwarewar farko) da aiwatar da madauki na ra'ayi don canza dabarun zato a tsakiyar kai hari (magance na biyu). Wannan kwararar tana kama da tsarin nasara a wasu yankunan AI, kamar AlphaGo, wanda bai ƙididdige yanayin allo kawai ba amma ya koyi kwaikwaya da wuce wasan ɗan adam na tushen tsari.

Ƙarfi & Kurakurai

Ƙarfi: Hanyar ƙirƙira ce mai mahimmanci. Yana motsa kimanta tsaron kalmar sirri daga nazari mai tsayayye zuwa kwaikwayo mai sauƙi. Haɗin koyon zurfin kwakwalwa ya dace, kamar yadda cibiyoyin sadarwar jijiyoyi suka tabbatar da masu kusantar aiki don ayyuka tare da tsarin ɓoye, kamar "fasahar duhu" na ƙirƙirar doka. Ragewar karkatacciyar hukunci da aka nuna ba ƙaramin abu bane kuma yana da tasiri kai tsaye ga tantance haɗari.

Kurakurai & Faɗakarwa: Tasirin hanyar yana da alaƙa da inganci da faɗin bayanan horonsa. Shin samfurin da aka horar da shi akan keta da ya gabata (misali, RockYou, 2009) zai iya daidaita saitunan hare-hare don bayanan gaba, canjin al'adu? Akwai haɗarin karkatacciyar hukunci ta lokaci ta maye gurbin karkatacciyar hukunci ta tsarin saiti. Bugu da ƙari, yanayin "baƙin akwati" na DNN na iya rage bayyanawa—me ya sa ya zaɓi waɗannan dokokin?—wanda ke da mahimmanci don fahimtar tsaro mai aiki. Aikin shima, watakila dole, ya ƙetare tsarin tseren makamai: yayin da irin waɗannan kayan aikin suka zama ruwan dare, halayen ƙirƙirar kalmar sirri (da dabarun masu kai hari na ƙwararru) za su ci gaba, suna buƙatar ci gaba da horar da samfuri.

Fahimta Mai Aiki

Ga Masu Aikin Tsaro: Nan da nan ƙi dogaro da saitunan dokoki na tsoho don nazari mai mahimmanci. Yi ɗaukar kowane ƙimar ƙarfin kalmar sirri da ba a samo ta daga hanyar mai sauƙi, mai sanin manufa ba a matsayin matsayin mafi kyau ba, ba na zahiri ba. Fara haɗa kwaikwayon fashewa mai daidaitawa cikin tantance raunin.

Ga Masu Bincike: Wannan takarda ta kafa sabon ma'auni. Takardun samfurin kalmar sirri na gaba dole ne su kwatanta da hare-hare masu daidaitawa, masu haɓaka koyo, ba kawai ƙamus masu tsayayye ko tsofaffin samfuran yuwuwar ba. Ya kamata fannin ya bincika Cibiyoyin Sadarwar Maƙiya Masu Haɓakawa (GANs), kamar yadda aka ambata a cikin aikin tushe na Goodfellow da sauransu, don samar da sababbin zato na kalmar sirri masu yuwuwa kai tsaye, mai yuwuwa ta ƙetare tsarin ƙamus/dokoki gaba ɗaya.

Ga Masu Tsara Manufofi & Ƙungiyoyin Ma'auni (misali, NIST): Jagororin manufar kalmar sirri (kamar NIST SP 800-63B) ya kamata su ci gaba don ba da shawara ko tilasta amfani da ingantattun kwaikwayon fashewa masu daidaitawa don kimanta tsarin kalmar sirri da aka tsara da manufofin ƙirƙira, suna matsawa bayan jerin bincike na sauƙaƙan aji na haruffa.

A taƙaice, wannan aikin bai kawai ba da ingantaccen mai fashewa ba; yana buƙatar canji na asali a yadda muke fahimta da auna tsaron kalmar sirri—daga kaddarar kalmar sirri kanta zuwa kaddarar da ta taso ta hanyar hulɗar tsakanin kalmar sirri da hankalin daidaitawa na mafarautanta.