
Calderón Technique Based Integral Equation Methods In Computational Electromagnetics

Posted on: 2017-08-30 | Degree: Master | Type: Thesis
Country: China | Candidate: J J Zhang
GTID: 2348330485986447 | Subject: Computer Science and Technology
Abstract/Summary:
With the continuous development of network applications and communication technology, a large number of zombie network (botnet) communications and malicious code communications have appeared, which are harmful to network security. Although current protocol analysis technology is already quite mature, with zero prior knowledge the existing protocol analysis tools cannot be used to identify and parse an unknown protocol carried as a pure bit stream.

This thesis proposes an unsupervised method that can automatically extract protocol features and discover protocols with zero prior knowledge. The study comes from a National Natural Science Foundation laboratory that has studied the frame slicing method for bit stream protocol data and multi-protocol identification. The separated bit stream data of single-protocol frames serves as the original input data for the study. This thesis introduces the location information of protocol feature sequences as the constraint condition for feature extraction. The feature sequences and their location information constitute two-dimensional complex features, which solves the problem of repetitive feature sequences. This thesis also designs a feature selection algorithm to pick out the complex features that can identify different types of protocol messages. The thesis then discovers protocol messages by clustering on the minimum-dimensional set of complex features extracted by the feature selection algorithm, so that messages with similar formats are clustered together. A protocol message quantization algorithm is designed to simplify the clustering process and avoid tedious calculations.

Currently, there is almost no research on separating a multi-point communication stream into point-to-point communication streams. A large amount of protocol communication data is used as the research object. Based on statistical theory, this thesis proposes a protocol feature identification and message address detection method based on zero knowledge, which can detect the communication pattern of the protocol and separate the multi-party communication data into point to point messages that published in foreign caucus. Finally, on the basis of the previous research, the message model is inferred.

This thesis designs and implements a bit stream protocol identification system based on zero knowledge. Using a bit stream protocol dataset for experimental verification and evaluation, the experimental results show that the proposed method of bit stream protocol identification not only reduces redundant data but also improves the accuracy of protocol identification by introducing the field offset position as a feature, which constrains the dimensions of the feature set. We conducted the verification experiments on two protocols, ARP and ICMP. The experimental results show that the precision rate, recall rate and recognition rate are 100% for ARP and all over 98% for ICMP. The system can accurately detect the key features of protocol messages, including fixed features, the message type identification field, the address field and the boundary length of each field, which contributes to the analytical research of unknown protocol messages.
Keywords/Search Tags: Frequent Position, Feature Selection, Address Detection, Cluster Analysis, Protocol Discovery