基于类型域识别的消息分类方法

Message Classification Based on Type Field Indentification

消息分类是协议格式逆向的基础。现有的消息分类方法无法兼顾准确率和召回率,设计一种基于类型域识别的消息分类方法,该方法基于消息长度对消息进行预分类,在预分类的基础上利用消息相似度对消息进行层次聚类,以消息聚类的结果构建专家系统,对类型域进行识别,最后以类型域的取值对消息进行最终分类。文章选择SMB和DCERPC协议进行实验,实验结果证明了该方法的有效性。

Message classification is the toundation of protocol tormat reverse engineering. Existing methods of message classification cannot deal with the contradiction between precision and recall. As a result, this paper proposes a new method based on type field recognition, which can be divided in- to a tew phases. Firstly, messages are classified roughly according to their lengths. On this basis, messages are further clustered by their similarity. Then an expert system designed to identiiy the type field is constructed based on the clusters. Finally, messages are classified according to the val- ue of type field. We evaluate our method over two protocols, SMB and DCERPC, and the results prove the effectiveness of our method.