
Research On Technologies Of Application Protocol Signature Discovering

Posted on: 2015-09-29
Degree: Master
Type: Thesis
Country: China
Candidate: S He
GTID: 2308330482979121
Subject: Computer Science and Technology

Abstract/Summary:
Protocol signatures are of great importance in network traffic classification and application protocol identification. Classifying and identifying traffic rapidly and accurately plays a major role in network trace management, IDS, network firewalls and the study of Internet development trends. The paper focuses on protocol payloads, byte frequency statistics and message formats. Its main contents are as follows:

(1) The paper studies the protocol communication process, protocol analysis and protocol content. It argues that it is feasible to discover protocol signatures from message payloads, message formats and byte frequency statistics. It also puts forward a framework for application protocol signature discovery, which lays the groundwork for the methods that follow.

(2) To address the shortcomings of the current method, the paper proposes an application protocol signature discovery method based on a modified LCS algorithm. Based on an analysis of session negotiation, the method holds that it is better to check only a restricted set of packets in each flow when extracting signatures. Efficiency and accuracy are improved by modifying the LCS algorithm and by introducing a new way to filter signatures based on frequent LCS. The experiments show that the proposed method is simple and efficient and is able to discover richer signatures.

(3) Building on the existing method for discovering application protocol message formats from network traces, the paper proposes applying message format discovery to protocol signature discovery. To do so, it improves the Discoverer method: it adds semantic analysis of text tokens, extends the content of the semantic analysis, modifies the clustering and merging process, and removes unnecessary message formats. Finally, tokens are merged with regular expressions and protocol format signatures are extracted. The experiments show that the resulting signatures are richer, more complete and more explicit than the existing ones, and have a higher identification rate.

(4) To address the deficiency of the current method based on a fixed payload length, the paper proposes a method based on the protocol header. It tokenizes the first K bytes of message payloads and records the number of token patterns of different lengths. It then estimates the length of the protocol header, obtains the byte frequency statistics, normalizes the feature vectors of byte probability and uses cosine similarity to identify the protocol. The experiments show that the features extracted by this method apply more widely and achieve higher precision and recall than those extracted by the fixed-length method.

Finally, the paper summarizes the work and sets out future work and the next research goals for protocol signature discovery.
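The byte-frequency identification step described in (4), as an added example that is not code from the thesis: it builds a normalized byte-probability vector over the start of each payload and labels a new payload by cosine similarity. The fixed `HEADER_LEN`, the `THRESHOLD` value, the function names and all sample payloads are assumptions made for illustration; the thesis estimates the header length from token patterns instead of fixing it.

```python
import math
from collections import Counter

HEADER_LEN = 16   # assumption: fixed here; the thesis estimates header length from token patterns
THRESHOLD = 0.5   # assumption: minimum cosine similarity to accept a match

def byte_profile(payloads, header_len=HEADER_LEN):
    """Byte-probability vector (256 entries) over the first header_len bytes of each payload."""
    counts = Counter()
    for payload in payloads:
        counts.update(payload[:header_len])
    total = sum(counts.values())
    return [counts[b] / total if total else 0.0 for b in range(256)]

def cosine(u, v):
    """Cosine similarity of two equal-length vectors; 0.0 if either is all zeros."""
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0

def identify(payload, profiles, threshold=THRESHOLD):
    """Return (label, score); label is 'unknown' when no profile is similar enough."""
    vec = byte_profile([payload])
    label, score = max(((name, cosine(vec, prof)) for name, prof in profiles.items()),
                       key=lambda item: item[1])
    return (label, score) if score >= threshold else ("unknown", score)

# Constructed sample payloads (not captured traffic).
DNS_HDR = bytes.fromhex("01000001000000000000")  # flags + counts of a standard query
TRAINING = {
    "http": [b"GET /index.html HTTP/1.1\r\nHost: a\r\n",
             b"POST /login HTTP/1.1\r\nHost: b\r\n",
             b"GET /img/logo.png HTTP/1.1\r\n"],
    "dns": [b"\x1a\x2b" + DNS_HDR + b"\x03www\x07example\x03com\x00",
            b"\x3c\x4d" + DNS_HDR + b"\x04mail\x07example\x03org\x00"],
}
PROFILES = {name: byte_profile(samples) for name, samples in TRAINING.items()}

if __name__ == "__main__":
    probes = [b"GET /about.html HTTP/1.1\r\n",
              b"\x77\x88" + DNS_HDR + b"\x03ftp\x07example\x03net\x00",
              bytes(range(0x80, 0x90))]
    for probe in probes:
        print(probe[:HEADER_LEN], identify(probe, PROFILES))
```

Payloads whose leading bytes share nothing with any profile score 0.0 and fall through to `unknown`, which is the case a classifier deployed in an IDS or firewall has to handle for unseen protocols.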
Keywords/Search Tags: Protocol Identification, Protocol Signature Discovering, Protocol Signature, Byte Frequency Distribution, Statistics Feature, Message Format Discovering, Format Signature