With the widespread use of information weapons, represented by unmanned platforms, the relationship between networks and warfare grows ever closer. As a consequence of this increased dependence on networks, network countermeasure technology has risen to the national level and gained the attention of many countries. The foundation of network countermeasures is to identify the protocol type and the network characteristics after intercepting communications. However, most communication protocols are secret, so it is difficult to identify and analyse a protocol from bit-stream data alone.

This paper addresses the large number of unknown binary protocol data frames acquired from a complex wireless network environment and focuses on the two major problems of protocol clustering and format inference, thereby achieving the goal of reverse engineering unknown binary protocols. The work consists of three parts:

1) The protocol reverse-engineering methods in common use are studied, and their basic ideas and analytical models are compared. An unknown binary protocol reverse-engineering system based on network traces is then proposed; the scheme is formulated according to the characteristics of the network countermeasure environment, and the key technologies involved are discussed.

2) Given that protocol sequences are inconsistent in length and that the character set of a bit stream is very limited, the basic approach to identifying unknown protocols in massive bit-stream data is bit-stream data mining, using weighted feature vectors to form a specific description of each kind of protocol. Once the sequences are mapped into a vector space, an improved k-means clustering algorithm separates the different kinds of protocols.

3) A two-step strategy of packet domain division followed by an improved multiple sequence alignment algorithm is used to divide frames into fixed and variable domains, and into fixed-length and variable-length domains. Address fields, length fields, purpose fields and other special fields are then identified from their semantic characteristics to improve the accuracy of message format extraction.

Test results are presented for both public protocols, including ARP, ICMP, DNS and OICQ, and a secret protocol. Comparing these results with the protocols' known descriptions showed the effectiveness and correctness of the protocol reverse-engineering system.