
Research And Implementation Of Identification For Application Layer Protocols Based On Compound Rules

Posted on: 2018-03-05
Degree: Master
Type: Thesis
Country: China
Candidate: W H Yao
Full Text: PDF
GTID: 2348330518996090
Subject: Computer technology
Abstract/Summary:
Identification of application layer protocols is important in network and information security. This paper uses each application's communication features to identify application layer protocols: it obtains every application's unique communication features and combines them into compound rules. Because applications differ in how they are implemented and in the network protocol that carries their traffic, the compound rules include HTTP header features, HTTPS header features and payload features. Depending on the specific contents of a packet, different feature sets apply to different packets. The system performs deep identification of applications carried over HTTP/HTTPS, supports the traditional DPI features used in application layer protocol identification, and identifies 120 kinds of application layer protocols. It solves the problem that traditional protocol recognition methods are too coarse-grained.

This paper first designs and implements the network flow processing platform, which serves as the preprocessing part of the system. It captures packets from the network card in promiscuous mode and then processes them. The platform extracts information such as the Start line, Host and Referer from all HTTP packets captured by the network card and stores it in a struct variable, extracts the SSL server IP and SNI and stores them in a struct variable, and stores other application layer packets in a queue.

An HTTP engine, an HTTPS engine and a payload engine are designed for the different features of the compound rules. The HTTP engine focuses on the analysis of the model, because HTTP rules usually include the Start line, Host and Referer fields. This paper divides the rules into two groups by traversing them: the first group contains all Hosts, each associated with zero or more URLs; the second group contains all URLs, each associated with zero or more Hosts. Two different automata are then constructed for these two sets. The HTTPS engine includes an SNI automaton and a trie structure. The payload engine is a hybrid automaton constructed from the regular expressions.

The experimental results show that the proposed compound rules are an effective scheme for deep identification of applications carried over HTTP/HTTPS, and that they provide a basis for the analysis and management of the Internet.
Keywords/Search Tags:compound rules, network stream processing platform, HTTP engine, HTTPS engine
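
The two-group organisation of HTTP rules described in the abstract, as an added Python example that is not code from the thesis. Dictionary lookups over domain suffixes and a substring scan stand in for the two automata, and the rule format, sample rules and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample rules: (application, Host pattern or None, URL pattern or None).
RULES = [
    ("video-app", "video.example.com", None),   # Host only
    ("mail-app", "example.com", "/mail/"),      # Host and URL together
    ("update-svc", None, "/svc/update?"),       # URL only
]

def build_groups(rules):
    """Group 1: Host -> [(URL or None, app)]. Group 2: URL -> [(Host or None, app)]."""
    by_host, by_url = defaultdict(list), defaultdict(list)
    for app, host, url in rules:
        if host is not None:
            by_host[host].append((url, app))
        if url is not None:
            by_url[url].append((host, app))
    return by_host, by_url

def host_suffixes(host):
    """Return the host and its parent domains, most specific first (bare TLD excluded)."""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(max(1, len(labels) - 1))]

def identify(by_host, by_url, host, start_line):
    """Return the application for one HTTP request, or None if no rule fires."""
    parts = start_line.split(" ")
    target = parts[1] if len(parts) >= 2 else ""     # request target from the Start line
    suffixes = host_suffixes(host.split(":")[0])     # drop an optional port
    # Pass 1, Host group: a Host with no URL attached identifies on its own;
    # otherwise one of its associated URLs must also appear in the request target.
    for suffix in suffixes:
        for url, app in by_host.get(suffix, ()):
            if url is None or url in target:
                return app
    # Pass 2, URL group: a URL with no Host attached identifies on its own;
    # otherwise the request's Host must be one of the Hosts tied to that URL.
    for url, entries in by_url.items():
        if url in target:
            for rule_host, app in entries:
                if rule_host is None or rule_host in suffixes:
                    return app
    return None

if __name__ == "__main__":
    groups = build_groups(RULES)
    print(identify(*groups, "www.example.com:8080", "GET /mail/inbox HTTP/1.1"))
```

The last case in the rules matters for accuracy: a request for `/mail/inbox` sent to an unrelated Host returns no match, because the URL in the second group is tied to `example.com`.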