Closed Sequential Patterns Mining Based Unknown Protocol Format Inference Method (基于闭合序列模式挖掘的未知协议格式推断方法)

Cited by: 4
Abstract: Existing protocol format inference methods based on network traffic extract only a flat sequence of message keywords and do not consider the structural relations among those keywords: sequential, parallel and hierarchical. In addition, noise in the message samples often leads to low keyword recognition accuracy. This paper proposes a method that automatically identifies the keywords of unknown protocol messages and infers the message structure. Starting from the collected communication messages of the unknown protocol's entity programs, the method applies a two-phase closed pattern mining strategy to mine closed sequential patterns from the messages, identifying protocol keywords and generating keyword sequences that carry keyword composition relations. It then extracts the sequential, parallel and hierarchical relations between the keywords and infers the message structure. Because keyword identification uses a minimum support threshold, the method can directly analyze message samples from real networks that contain noise, which ensures keyword recognition accuracy. Experimental results show that the proposed method performs well in both keyword identification and message structure inference when applied to text protocols and binary protocols.
Authors: 张洪泽, 洪征, 王辰, 冯文博, 吴礼发 (ZHANG Hong-ze; HONG Zheng; WANG Chen; FENG Wen-bo; WU Li-fa), Institute of Command and Control Engineering, Army Engineering University of PLA, Nanjing 210000, China; Unit 32179 of PLA, Beijing 100000, China

Source: Computer Science (《计算机科学》), CSCD, Peking University Core Journal, 2019, No. 6, pp. 80-89 (10 pages)

Funding: Supported by the National Key Research and Development Program of China (2017YFB0802900)

Keywords: Protocol reverse engineering; Network traffic; Protocol format inference; Closed sequential patterns mining; Message structure inference