
Research On Frame Reasoning Technology Of Bit Stream-oriented Network Protocol

Posted on: 2020-05-15
Degree: Master
Type: Thesis
Country: China
Candidate: S Y Wang
Full Text: PDF
GTID: 2518305897968169
Subject: Information and Communication Engineering
Abstract/Summary:
A network protocol is a specification for communication: it lets different members of the same network exchange data and lets devices understand one another. For particular needs the content of a protocol has to be analyzed and extracted. Standard network protocols use publicly specified formats, so an analyst can readily identify the protocol type and format and infer its semantics. In a battlefield environment, however, both sides typically use proprietary protocols specified by their own party to protect their information. Analysis methods based on fixed features can fail on such proprietary protocols because their formats are not public. Inferring the structure of such a protocol means inferring the format of its frames, and different frame types have different formats. It is therefore necessary to separate the captured frames by type and to find a general feature that represents the association rules between the key bytes within a frame; together these form the criterion by which the frames are separated. This thesis analyzes these key points in depth, covering the following aspects.

Firstly, the representation of the associations between the key bytes of a frame is studied. The frequent fields of the unknown protocol are extracted as items and the association rules among them are mined. Given the tree structure of the protocol stack, an improved frequent-association-rule mining method for protocols of unknown type and format is proposed. The position of the bytes within a protocol frame is also taken into account, which makes frequent-item extraction more concise and accurate. Compared with the traditional fixed-feature method, the approach can handle proprietary protocols, giving it a wider range of application; compared with other methods that use frequent features, it considers the position of a protocol's key bytes, which makes the subsequent separation more accurate. Given the structure of the protocol stack, the concept of an association tree carrying the hierarchical classification of protocols is put forward, and the association rules between the extracted frequent bytes are mined so that the data obtained from frequent extraction can be analyzed further.

Secondly, the content and format of the protocols at each layer are analyzed further. First, a separation method for unknown protocols is studied so that frames of different types fall into different clusters. A hierarchical clustering algorithm based on the Jaccard distance is adopted; it fits the structure of the protocol stack and separates frames better, and measuring the similarity between frames with the Jaccard distance keeps that similarity intuitive and concise. Then a field partition method based on the proximity of information entropy is applied to the frames of a single type, which exposes the structure of that frame type and allows deeper inference.

Finally, simulation and testing are conducted on data captured in the intranet of a campus network, verifying the effectiveness of the proposed association-rule mining algorithm for protocols of unknown type and format. The clustering method is used to separate the different frame types in the test data, and the content of one specific protocol is then parsed and inferred. The adopted field partition method is also tested and shown to be feasible. The experiments show that the proposed method can analyze unknown network protocols and is of considerable help to the analysis and reverse-engineering work of military intelligence.
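The pipeline described in the abstract, as a small added example (not the thesis's own code): position-aware frequent-field mining, association rules between the frequent items, hierarchical clustering of frames on the Jaccard distance, and an entropy-based field partition of each cluster. The frames are constructed, not captured traffic; the support and confidence thresholds, the use of complete linkage in the clustering, and the reading of "proximity of information entropy" as "adjacent offsets whose entropies differ by at most a tolerance" are all assumptions made here, and the association tree of the thesis is not modelled.

```python
"""Toy protocol-frame inference pipeline (added example, not the thesis's own code)."""
import math
from collections import Counter
from itertools import combinations, permutations

# Constructed sample capture (not real traffic): two hypothetical proprietary frame types.
#   Type A: magic aa55, kind byte 01, 2-byte sequence number, 3 payload bytes.
#   Type B: magic 5a5a, length byte 08, 1-byte flag, 4 payload bytes.
FRAMES = [bytes.fromhex(h) for h in (
    "aa5501 0001 3c7f21", "aa5501 0002 9e1055", "aa5501 0103 02c4a8", "aa5501 0104 7733e1",
    "5a5a08 00 b14d22f0", "5a5a08 01 0c9a71e5", "5a5a08 01 ff186b03", "5a5a08 00 45d2a619",
)]


def frequent_items(frames, min_support=0.5):
    """{(offset, byte): support} for pairs present in >= min_support of the frames.
    Keying on the offset is the position-aware part: the same byte value at two
    different offsets counts as two different items."""
    counts = Counter((off, b) for f in frames for off, b in enumerate(f))
    n = len(frames)
    return {item: c / n for item, c in counts.items() if c / n >= min_support}


def frame_items(frame, items):
    """The frequent items a single frame contains."""
    return frozenset((off, b) for off, b in enumerate(frame) if (off, b) in items)


def association_rules(frames, items, min_conf=0.9):
    """Directed rules X -> Y between frequent items, {(X, Y): confidence}, keeping
    those with P(Y in frame | X in frame) >= min_conf."""
    sets = [frame_items(f, items) for f in frames]
    rules = {}
    for x, y in permutations(items, 2):
        with_x = [s for s in sets if x in s]          # never empty: x is frequent
        conf = sum(y in s for s in with_x) / len(with_x)
        if conf >= min_conf:
            rules[(x, y)] = conf
    return rules


def jaccard_distance(a, b):
    """1 - |a & b| / |a | b|; two frames with no frequent items count as identical."""
    union = a | b
    return 0.0 if not union else 1.0 - len(a & b) / len(union)


def cluster_frames(frames, items, threshold=0.5):
    """Agglomerative clustering (complete linkage, an assumption of this example) on the
    Jaccard distance between frequent-item sets. Merging stops once the closest pair of
    clusters is farther apart than threshold. Returns sorted lists of frame indices."""
    sets = [frame_items(f, items) for f in frames]
    clusters = [[i] for i in range(len(frames))]
    while len(clusters) > 1:
        dist, a, b = min(
            (max(jaccard_distance(sets[i], sets[j]) for i in clusters[a] for j in clusters[b]), a, b)
            for a, b in combinations(range(len(clusters)), 2)
        )
        if dist > threshold:
            break
        clusters[a] = sorted(clusters[a] + clusters[b])
        del clusters[b]                               # b > a, so index a stays valid
    return sorted(clusters)


def offset_entropy(frames):
    """Shannon entropy (bits) of the byte at each offset over one cluster of frames,
    truncated to the shortest frame."""
    n = len(frames)
    result = []
    for off in range(min(len(f) for f in frames)):
        counts = Counter(f[off] for f in frames)
        h = -sum(c / n * math.log2(c / n) for c in counts.values())
        result.append(h if h else 0.0)                # turn -0.0 of constant offsets into 0.0
    return result


def partition_fields(entropies, tolerance=0.5):
    """Merge adjacent offsets whose entropies differ by at most tolerance into one field
    (the entropy-proximity rule as assumed here). Returns half-open (start, end) ranges."""
    if not entropies:
        return []
    fields, start = [], 0
    for off in range(1, len(entropies)):
        if abs(entropies[off] - entropies[off - 1]) > tolerance:
            fields.append((start, off))
            start = off
    fields.append((start, len(entropies)))
    return fields


def infer(frames, min_support=0.5, min_conf=0.9, threshold=0.5, tolerance=0.5):
    """Whole pipeline: (frequent items, rules, clusters, fields per cluster)."""
    items = frequent_items(frames, min_support)
    rules = association_rules(frames, items, min_conf)
    clusters = cluster_frames(frames, items, threshold)
    fields = [partition_fields(offset_entropy([frames[i] for i in c]), tolerance) for c in clusters]
    return items, rules, clusters, fields


if __name__ == "__main__":
    items, rules, clusters, fields = infer(FRAMES)
    print("frequent (offset, byte) items:", sorted(items))
    print("rules with confidence >= 0.9:", sorted(rules))
    for c, f in zip(clusters, fields):
        print("cluster", c, "-> fields", f)
```

On this input the flag/sequence byte at offset 3 takes the values 00 and 01 in both frame types, so (3, 0x00) and (3, 0x01) pass the support threshold even though they belong to neither header; the per-position rules expose that, because neither item reaches 0.9 confidence with any header byte, while the header bytes of each type imply one another with confidence 1.0. The Jaccard clustering then yields two clusters, and the entropy partition of each gives a constant 3-byte header, a 1-byte field and a 4-byte high-entropy tail. With only four frames per cluster the maximum entropy is 2 bits, so the sequence low byte and the payload are indistinguishable; a real run needs enough frames per type for the entropy of each offset to saturate.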
Keywords/Search Tags:Protocol format reverse, Association rules, Hierarchical clustering, Network protocol identification, Pattern recognition