
Research On Key Technologies Of Private Protocol Active Recognition

Posted on: 2020-06-17
Degree: Master
Type: Thesis
Country: China
Candidate: X C Wang
GTID: 2518306047498444
Subject: Master of Engineering
Abstract/Summary:
With the continuous development of network applications, the types of network protocols have become more and more abundant. Besides a large number of standardized and open communication protocols, there are many private protocols on the network. Due to economic interests and security and privacy considerations, various software vendors do not disclose the details of their protocols. However, the existing protocol identification systems still cannot meet the requirements in terms of performance, accuracy and robustness. Therefore, the identification of private protocols has great significance in the field of network security. The thesis aims to infer the complete protocol specification of a proprietary protocol. It takes into account the defects of current private protocol identification work, such as relying heavily on manual analysis and being unable to obtain field semantics effectively, and uses various methods to conduct in-depth research on private protocol identification. The main work includes:

(1) An active method for extracting the private protocol format based on recursive analysis is proposed. After the data set is preprocessed, for each class of classified conversations, multi-sequence alignment and semantic inference are performed recursively only on the same segment of the samples, which effectively shortens the time required to identify protocol message fields. Then the improved multi-sequence alignment method is used to actively identify the fields, and a similarity matrix scoring rule based on semantic information is added. The semantic information is used to accurately identify the protocol type field and part of the message key fields.

(2) A protocol state machine inference method based on message sequences is proposed. This method first actively mines the protocol type keywords based on the idea of variance distribution from statistics, and constructs the initial protocol state machine by combining a Mealy automaton and a dictionary tree. To solve the problem of redundant protocol states, the Blue-Fringe algorithm is used to reduce redundancy and output the complete protocol specification model.

This thesis implements the private protocol active identification system, and three public protocols, FTB, SMB and a private protocol, are selected to conduct experiments. The experimental results show that, after the improved multi-sequence alignment method adds a new similarity scoring mechanism, the protocol format extracted in this thesis is more in line with the actual message specification than that of the traditional PI and Netzob methods, and the average accuracy of the recognized protocol fields is 74.7%. Compared with the Netzob method, the accuracy of the protocol state machine proposed in this thesis is 3.0% higher and the recall rate is 2.1% higher, which effectively solves the redundancy problem of protocol states.
Keywords/Search Tags: private protocol, protocol format extraction, state machine inference
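
The dictionary-tree construction and state reduction described in item (2) of the abstract, as an added Python example that is not the thesis's code: it builds a prefix-tree Mealy machine from constructed, FTP-style sessions and then merges states with identical subtrees, a simpler exact merge standing in for Blue-Fringe. The session data and all function names are assumptions made for illustration.

```python
# Constructed, FTP-style sessions: each step is (request keyword, response keyword).
SESSIONS = [
    [("USER", "331"), ("PASS", "230"), ("LIST", "150"), ("QUIT", "221")],
    [("USER", "331"), ("PASS", "230"), ("RETR", "150"), ("QUIT", "221")],
    [("USER", "331"), ("PASS", "530"), ("QUIT", "221")],
]


def build_prefix_tree(sessions):
    """Dictionary tree of sessions: {state: {(inp, out): next_state}}, root is 0.

    Edges are keyed on the (input, output) pair because the same request can
    draw different responses from one state (PASS -> 230 or 530).
    """
    tree = {0: {}}
    for session in sessions:
        state = 0
        for step in session:
            if step not in tree[state]:
                new_state = len(tree)
                tree[new_state] = {}
                tree[state][step] = new_state
            state = tree[state][step]
    return tree


def merge_equivalent(tree):
    """Merge states whose observed future behaviour (subtree) is identical."""
    sig_to_id, state_map = {}, {}
    # Children always have larger ids than parents, so reverse order is bottom-up.
    for state in sorted(tree, reverse=True):
        sig = frozenset((step, state_map[nxt]) for step, nxt in tree[state].items())
        state_map[state] = sig_to_id.setdefault(sig, len(sig_to_id))
    merged = {new: {} for new in sig_to_id.values()}
    for state, edges in tree.items():
        for step, nxt in edges.items():
            merged[state_map[state]][step] = state_map[nxt]
    return merged, state_map[0]


def accepts(machine, start, session):
    """Replay a session; False as soon as a step has no transition."""
    state = start
    for step in session:
        if step not in machine[state]:
            return False
        state = machine[state][step]
    return True
```

Because only identical subtrees are merged, the reduced machine accepts exactly the sessions the prefix tree accepts; a heuristic merger such as Blue-Fringe may additionally generalize beyond the observed sessions.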