关键词: 离散序列报文, 协议关键字提取, 自适应特征挖掘, 格式特征, 协议识别

Abstract: To solve the problem of separate messages received from protocol rather than flows, a novel Separate Protocol Message based Format Signature Construction (SPMbFSC) algorithm was proposed. SPMbFSC extracted the protocol format signature automatically on the basis of the protocol’s separate messages instead of flows. First, SPMbFSC put the protocol’s separate messages into clusters based on the Euclidean distances among them. Then within each of the message clusters, SPMbFSC extracted the key words out of them. At last, SPMbFSC acquired the format signature by filtering and choosing the key words. Simulation results show that SPMbFSC is quite accurate and reliable. The accuracy for each of six protocols achieves above 95% when SPMbFSC is used in protocol’s separate message classification. In comparison with Adaptive Application Signature Extraction Method (AdapSig), SPMbFSC achieves higher accuracy in protocol’s flow classification and the accuracy for each protocol is above 90%. Experimental results indicate that the proposed SPMbFSC doesn’t depend on flow and SPMbFSC is more practical in situations where separate protocol messages are received.

Key words: separate protocol message, protocol keyword extraction, automatic format signature mining, format signature, protocol classification