Study On Bit Stream Oriented Protocol Frame Head Identification

Posted on: 2014-02-09
Degree: Master
Type: Thesis
Country: China
Candidate: Y D Wang
GTID: 2248330392961050
Subject: Information Security Engineering

Abstract/Summary:
With the continuous development of computer network technology, and especially the rapidly growing popularity of the Internet, network and information security and confrontation have become a crucial topic in the information age. Identifying the protocol used in a bit stream from raw data has become increasingly important. Although traditional protocol analysis tools are stable, they share a common weakness when dealing with bit streams. Protocol analysis of bit streams is therefore worth studying.

Building on the technique of finding and extracting characteristic sequences from a bit stream, this paper studies and optimizes the approach further. The traditional way of finding an "interesting relation" relies only on calculating the position difference between two sequences, which is a serious limitation: when the data volume is large or the fixed parts of the protocol header are relatively small, the results are disappointing. This paper therefore uses a Hidden Markov Model to minimize the negative influence of "small header" and "big data".

For protocols defined in RFCs, the protocol's characteristics can be used to make the rules for building the Hidden Markov Model. After training, the model can be used to test a bit stream and identify the protocol used in it.

For protocols not defined in RFCs, the raw data must be processed first. After all possible patterns are extracted using frequent sequence mining, association rules are introduced to locate the protocol header. A third round of mining then runs on the results of the former two rounds to find small sequences that lie at the same distance from a frequent sequence but have no "interesting relation". These sequences can be used to initialize the Hidden Markov Model. Finally, the model is used to refine the protocol header structure.

The results show that association rule mining establishes the possible structure of the protocol header only at the quantity level, while the introduction of the Hidden Markov Model can verify and refine the structure more efficiently. Further study can optimize the algorithm and improve performance.
Keywords/Search Tags: Pattern Matching, Frequent Sequence, Association Rule, Hidden Markov Model