
Dual Feature-based Network Application Protocol Identification System

Posted on: 2013-05-26
Degree: Master
Type: Thesis
Country: China
Candidate: S Yang
GTID: 2248330371478140
Subject: Information security
Abstract/Summary:
With the rapid development of the Internet and high-speed information construction, enterprise demand for network bandwidth keeps increasing. However, the construction of domestic network infrastructure remains slow. According to the latest figures from Akamai, the US-based company that is the world's largest CDN service provider, the network speed of the Chinese mainland ranked 90th, averaging only 1.4 Mbps, far below the world average (2.7 Mbps). Not only does bandwidth fail to satisfy the needs of citizens and businesses, but network security issues are also becoming increasingly prominent. The massive leak of 600 million passwords from a large domestic community website and the leak of account information from a well-known e-commerce website show that network security should be given adequate attention. A network application protocol identification system can both relieve the pressure on an enterprise's internal network bandwidth and monitor internal network applications so that enterprise information stays secure.

This paper begins with an introduction to Snort, the open-source lightweight intrusion detection system, showing the limitations of traditional application protocol recognition technology, and then explains the dual features: static features, based on identifying characteristic bit strings in the packet payload, and flow features, based on the size of the packets' payload data. By capturing packets of the application named "QQMusic", matching the payload content, analyzing the packet data, and matching related content, we obtain the rules for the application, so that we can identify the transport connections of its protocol. We then introduce the K-Means algorithm and the improved LCS algorithm in application flow feature extraction. The paper describes how to derive rules from a large number of connections and uses those rules in the system to identify applications.

Finally, the paper implements the Dual Feature-Based Network Application Protocol Identification System. The system is composed of an offline/online network application protocol identification module, a data and rules storage module, and a background data training module. The system can use manually extracted static features and can also automatically extract features from a large amount of offline data, and it then applies the resulting rules to offline/online network application protocol identification. It can monitor the network to ensure that network intrusion is prevented, and it overcomes the deficiencies of traditional identification methods. It can also identify both encrypted and non-encrypted network applications.
Keywords/Search Tags: Snort, Application Protocol, Dual Feature, Data Mining