基于离散序列报文的协议格式特征可变域挖掘算法

Separate Protocol Message-Based Format Signature Construction Method for Variable Field

针对格式特征提取算法无法挖掘出具有可变取值的协议格式特征问题,提出一种基于离散序列报文的协议格式特征可变域自动提取算法(VFSC)。VFSC在对离散序列报文进行聚类的基础上,通过改进的频繁模式挖掘算法提取出具有可变域的协议关键字,筛选出具有可变域的协议格式特征。仿真结果表明,VFSC在以单个报文为颗粒度的识别中对7种协议的识别率达到95%以上,在与Apriori算法的比较中证明拥有识别新型报文种类的能力。实验结果表明,VFSC不依赖完整会话,能够发现识别新类型报文,更符合实际应用中由于接收条件限制导致会话信息及训练数据集不完整的情形。

To solve the problem that format signature extraction algorithms can＇ t get variable value signatures, a novel variable field signature construction （VFSC） based on separate protocol message algorithm was proposed. VFSC extracted the protocol variable field format signature automatically on the basis of protocol＇ s separate messages instead of flows. First, VFSC put the protocol＇ s separate messages into clusters. Then within each message cluster, VFSC extracted the variable field key words using modified frequent pattern mining algorithm VariableSpan. Last, VFSC acquired the var- iable field format signature by filtering and choosing the variable field key words using heuristic rules proposed in this paper. Simulation results show that VFSC is quite accurate and reliable. The accu- racy for each of seven protocols reaches above 95% when VFSC is used in protocol＇ s separate mes- sage classification. In comparison with Apriori, VFSC shows it can classify new kind of messages. Experimental results indicate that the proposed VFSC doesn＇ t depend on flow and can classify new kind of messages. VFSC is more practical in situations where separate protocol messages are received and training dataset is incomplete.