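Research on Application Protocol Feature Discovery Techniques
Published: 2018-03-25 02:23
Topic: protocol identification. Entry point: protocol feature discovery. Source: PLA Information Engineering University, master's thesis, 2014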
[Abstract]: Protocol features play an extremely important role in network traffic classification and application protocol identification. Fast and accurate classification of network traffic and identification of application protocols are in turn very important in network traffic management, intrusion detection systems, network firewalls, and research on network development trends. This thesis studies application protocol feature discovery from three aspects of an application protocol: message payload, character frequency statistics, and message format. The main research contents are as follows.
1. Application protocols are studied from three aspects: session negotiation, protocol parsing, and protocol content. The feasibility of protocol feature discovery is argued from message payload, message format, and character frequency statistics, and a basic framework for application protocol feature discovery is proposed, which lays the theoretical foundation for the techniques in this thesis.
2. To address the shortcomings of existing methods for discovering application protocol fingerprint features, a fingerprint feature discovery method based on an improved longest common subsequence (LCS) search algorithm is proposed. The method limits the sample length used for signature feature discovery and introduces a feature filtering method based on frequent LCS, which improves the efficiency and accuracy of feature discovery. Experimental results show that the method is simple and efficient and, compared with traditional methods, discovers richer protocol fingerprint features.
3. Building on existing methods that discover application protocol message formats from network data flows, the thesis proposes applying message format discovery to protocol feature discovery. The method improves the Discoverer method: it adds semantic parsing of text tokens and so extends the scope of semantic parsing, and it improves the clustering and merging of message formats so that unnecessary message formats are removed. Finally, tokens are merged using regular expressions, and the format features of the protocol are extracted and described. Experimental results show that, compared with existing protocol features described by regular expressions, the features extracted by this method are richer, more complete, and more detailed, and achieve a high identification rate.
4. To address the shortcomings of existing byte-frequency statistical feature discovery methods that rely on a fixed payload length, a byte-frequency statistical feature discovery method based on the protocol header is proposed. The method tokenizes the first K bytes of the message payload, records the number of token patterns obtained for different tokenization lengths, estimates the length of the protocol header, computes byte-frequency statistics over the protocol header to obtain a normalized byte-frequency feature vector, and proposes using cosine similarity for protocol identification. Experimental results show that the protocol features extracted by this method apply more widely, and that precision and recall both improve compared with byte-frequency statistical features based on a fixed length.
Finally, the work of the thesis is summarized, the outlook for application protocol feature discovery is discussed, and directions for further research are proposed.
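The identification step described in item 4 of the abstract (a normalized byte-frequency vector over the protocol header, compared by cosine similarity) can be sketched as follows. This is an added example, not code from the thesis. It assumes a fixed header length of 12 bytes instead of the thesis's token-pattern estimate, and the function names, the 0.5 threshold and all sample payloads are constructed for illustration.

```python
import math
from collections import Counter

HEADER_LEN = 12  # assumption: fixed here; the thesis estimates it from token patterns

def byte_freq_vector(payloads, header_len=HEADER_LEN):
    """Normalized 256-bin byte-frequency vector over the first header_len bytes."""
    counts = Counter()
    for p in payloads:
        counts.update(p[:header_len])
    total = sum(counts.values())
    return [counts.get(b, 0) / total for b in range(256)] if total else [0.0] * 256

def cosine(u, v):
    """Cosine similarity of two equal-length vectors; 0.0 if either is all zero."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0

def classify(payload, profiles, threshold=0.5):
    """Return (label, scores); label is 'unknown' when no profile reaches threshold."""
    vec = byte_freq_vector([payload])
    scores = {name: cosine(vec, prof) for name, prof in profiles.items()}
    best = max(scores, key=scores.get)
    return (best if scores[best] >= threshold else "unknown"), scores

# Constructed training payloads (not captured traffic).
DNS_FLAGS = bytes.fromhex("01000001000000000000")            # flags + section counts
DNS_QUESTION = bytes.fromhex("076578616d706c6504746573740000010001")  # example.test A IN
HTTP_TRAIN = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /img/logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n",
]
DNS_TRAIN = [bytes.fromhex(i) + DNS_FLAGS + DNS_QUESTION
             for i in ("9cd1", "e3b7", "8fa2")]
PROFILES = {"http": byte_freq_vector(HTTP_TRAIN), "dns": byte_freq_vector(DNS_TRAIN)}

if __name__ == "__main__":
    tests = [b"GET /api/v1/users HTTP/1.1\r\n\r\n",
             bytes.fromhex("c5d9") + DNS_FLAGS + DNS_QUESTION,
             b"SSH-2.0-OpenSSH_8.9\r\n"]
    for t in tests:
        label, scores = classify(t, PROFILES)
        print(label, {k: round(s, 3) for k, s in scores.items()})
```

The SSH banner has no profile, so its best score stays below the threshold and it is reported as unknown rather than forced into the nearest class.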
[Degree-granting institution]: PLA Information Engineering University
[Degree level]: Master's
[Year degree awarded]: 2014
[Classification number]: TP393.08
Article ID: 1661124
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1661124.html