Research On Reverse Analysis Method For Network Protocol Behavior Model

Posted on: 2020-04-12
Degree: Master
Type: Thesis
Country: China
Candidate: P Yang
GTID: 2428330590474472
Subject: Cyberspace security

Abstract/Summary:
In recent years, with the rapid spread of the Internet around the world, network applications have multiplied and network traffic has surged with them. This traffic includes both publicly available protocols based on RFC documents and a large number of private protocols. For publicly available protocols, network supervisors can analyze the behavior of the traffic according to RFC documents or other publicly available documents. For private protocols, however, the lack of the necessary prior knowledge often makes it impossible to analyze the behavior of the traffic. It is therefore important to model the behavior of these private or unknown protocols and to reverse the behavior model of the protocol.

In this paper, a method for reversing protocol behavior based on the hidden Markov model is proposed. The method models the behavior of a network protocol as a hidden Markov model and then uses the Baum-Welch algorithm to reverse the behavior model. Since the input of the Baum-Welch algorithm is an observation sequence, the elements of the sequence should correspond to the states of the messages. This paper proposes an information-based keyword extraction method so that the elements of the observation sequence correspond well to the status of each message. In the keyword extraction phase, real network packet data is first captured and then aligned. After that, the self-information expectation of the different fields of the message and the mutual information of adjacent fields in the message are calculated. The key fields of the message are determined according to these two indicators, and finally the message keywords are extracted. In the phase that reverses the network protocol behavior model, the traffic is first divided into network sessions. Each session is an observation sequence, and the keywords of all sessions are extracted to form the input of the Baum-Welch algorithm. The number of hidden states also needs to be initialized at this point. The Baum-Welch algorithm is then applied to reverse the network protocol behavior models corresponding to different numbers of hidden states. Finally, the forward-backward algorithm is used to score the reversed protocol behavior models, and the accurate and streamlined behavior model is selected as the final network protocol behavior model.

Three different protocols are used to test the new method proposed in this paper. The reversed network protocol behavior model and the behavior model of the protocol standard are analyzed and compared to verify the effectiveness of the proposed method. The protocol behavior models derived from the experiments in this paper are better than previous research results in terms of readability and streamlining.
Keywords/Search Tags:network protocol, behavior model, reverse, information volume, hidden Markov
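
The two indicators named in the abstract, computed per byte offset over already-aligned messages, as an added example that is not code from the thesis. The sample messages, the function names and the entropy-threshold selection rule are assumptions made for illustration; the abstract does not say how the two indicators are combined.

```python
import math
from collections import Counter

def entropy(values):
    """Expected self-information (Shannon entropy, in bits) of one field."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def mutual_information(a, b):
    """I(A;B) = H(A) + H(B) - H(A,B) for two adjacent fields."""
    return entropy(a) + entropy(b) - entropy(list(zip(a, b)))

def field_scores(messages):
    """Return (entropy per offset, MI of each offset with the next one).
    Assumes messages are already aligned so offset i is the same field."""
    width = min(len(m) for m in messages)
    cols = [[m[i] for m in messages] for i in range(width)]
    ent = [entropy(c) for c in cols]
    mi = [mutual_information(cols[i], cols[i + 1]) for i in range(width - 1)]
    return ent, mi

def candidate_keyword_offsets(messages, max_entropy=2.0):
    """Assumed rule (not from the thesis): keep offsets that vary, but only
    over a small value set; constants and near-random bytes are dropped."""
    ent, _ = field_scores(messages)
    return [i for i, h in enumerate(ent) if 1e-9 < h <= max_entropy + 1e-9]

# Constructed sample: magic byte, message type, length tied to type, nonce.
SAMPLE = [bytes([0xAA, t, t * 0x10, n])
          for n, t in enumerate([1, 2, 1, 2, 3, 3, 4, 4])]

if __name__ == "__main__":
    ent, mi = field_scores(SAMPLE)
    for i, h in enumerate(ent):
        nxt = f"{mi[i]:.2f}" if i < len(mi) else "-"
        print(f"offset {i}: H={h:.2f} bits, MI with next={nxt}")
    print("candidate keyword offsets:", candidate_keyword_offsets(SAMPLE))
```

With only eight messages, the unique nonce at offset 3 also shows high mutual information with offset 2, which is a small-sample artifact; real captures need far more messages before the mutual-information indicator is meaningful.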