Plaintext Structure Vulnerability: Robust Cipher Identification via a Distributional Randomness Fingerprint Feature Extractor

TL;DR

This paper introduces a novel ciphertext feature extraction method based on statistical randomness tests, enabling robust cipher identification across diverse and changing plaintext distributions with minimal performance loss.

Contribution

The paper presents a distributional randomness fingerprint feature extractor that does not rely on end-to-end learning from ciphertext, improving robustness in cipher classification under distribution shifts.

Findings

Achieves high discriminative performance (AUC > 0.98) on diverse datasets.

Maintains high robustness with minimal performance degradation across different domains.

Performs well even on purely random datasets with AUC > 0.90.

Abstract

Modern encryption algorithms form the foundation of digital security. However, the widespread use of encryption algorithms results in significant challenges for network defenders in identifying which specific algorithms are being employed. More importantly, we find that when the plaintext distribution of test data departs from the training data, the performance of classifiers often declines significantly. This issue exposes the feature extractor's hidden dependency on plaintext features. To reduce this dependency, we adopt a method that does not learn end-to-end from ciphertext bytes. Specifically, this method is based on a set of statistical tests to compute the randomness feature of the ciphertext, and then uses the frequency distribution pattern of this feature to construct the algorithms' respective fingerprints. The experimental results demonstrate that our method achieves high discriminative performance (e.g., AUC > 0.98) in the Canterbury Corpus dataset, which contains a diverse set of data types. Furthermore, in our cross-domain evaluation, baseline models' performance degrades significantly when tested on data with a reduced proportion of structured plaintext. In sharp contrast, our method demonstrates high robustness: performance degradation is minimal when transferring between different structured domains, and even on the most challenging purely random dataset, it maintains a high level of ranking ability (AUC > 0.90).