Research on Application Protocol Feature Discovery Techniques
Published: 2018-03-25 02:23
Topic: protocol identification. Focus: protocol feature discovery. Source: PLA Information Engineering University, master's thesis, 2014
[Abstract]: Protocol features play an extremely important role in network traffic classification and application protocol identification. Classifying network traffic and identifying application protocols quickly and accurately is in turn very important in network traffic management, intrusion detection systems, network firewalls and research on network development trends. This thesis studies application protocol feature discovery from three aspects of an application protocol: message payload, character-frequency statistics and message format. The main research content is as follows:
1. Application protocols are studied in terms of session negotiation, protocol parsing and protocol content. The feasibility of protocol feature discovery is argued from the three aspects of message payload, message format and character-frequency statistics, and a basic framework for application protocol feature discovery is proposed, which lays the theoretical foundation for the techniques in this thesis.
2. To address the shortcomings of existing application protocol fingerprint feature discovery methods, a fingerprint feature discovery method based on an improved longest common subsequence (LCS) search algorithm is proposed. The method limits the sample length used for signature feature discovery and proposes a feature filtering method based on frequent LCS, improving the efficiency and accuracy of feature discovery. Experimental results show that the method is simple and efficient and, compared with traditional methods, discovers richer protocol fingerprint features.
3. Building on existing methods that discover application protocol message formats from network data streams, the thesis proposes applying message format discovery to protocol feature discovery. The method improves on the Discoverer method: it adds semantic parsing of text-type tokens, extending the scope of semantic parsing; it improves the clustering and merging of message formats, removing unnecessary formats; finally it merges tokens using regular expressions, and extracts and describes the protocol's format features. Experimental results show that, compared with existing protocol features described by regular expressions, the features extracted by this method are richer, more complete and more detailed, and achieve a high identification rate.
4. To address the shortcomings of existing byte-frequency statistical feature discovery methods based on a fixed payload length, a byte-frequency statistical feature discovery method based on the protocol header is proposed. The method tokenizes the first K bytes of the message payload, records the number of token patterns obtained when tokenizing at different lengths, estimates the length of the protocol header, computes byte-frequency statistics over the protocol header to obtain a normalized byte-frequency feature vector, and proposes using cosine similarity for protocol identification. Experimental results show that the protocol features extracted by this method are applicable more widely, and that both precision and recall improve compared with byte-frequency features based on a fixed length.
Finally, the thesis summarizes the work and looks ahead to future directions for application protocol feature discovery.
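As an added illustration of the fourth contribution (not code from the thesis): a normalized byte-frequency vector over the protocol header, matched against per-protocol profiles by cosine similarity, with a comparison against a long fixed window on the same request. The thesis's header-length estimation is not reproduced; `HEADER_LEN`, the threshold, the function names and all payloads are assumptions constructed for this example.

```python
import math
from collections import Counter

def byte_freq_vector(payloads, header_len):
    """Normalized 256-bin byte-frequency vector over the first header_len bytes."""
    counts = Counter()
    for p in payloads:
        counts.update(p[:header_len])
    total = sum(counts.values())
    return [counts[b] / total if total else 0.0 for b in range(256)]

def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0

def build_profiles(training, header_len):
    return {name: byte_freq_vector(flows, header_len) for name, flows in training.items()}

def identify(payload, profiles, header_len, threshold=0.5):
    """Return (label, scores); label is 'unknown' when no profile reaches threshold."""
    vec = byte_freq_vector([payload], header_len)
    scores = {name: cosine(vec, prof) for name, prof in profiles.items()}
    best = max(scores, key=scores.get)
    return (best if scores[best] >= threshold else "unknown"), scores

def dns_query(txid, qname):
    # Constructed DNS query: 12-byte header (RD set, one question) + QNAME + type A, class IN
    return txid + b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + qname + b"\x00\x00\x01\x00\x01"

# Constructed sample payloads (not captured traffic)
TRAINING = {
    "http": [b"GET /index.html HTTP/1.1\r\nHost: a\r\n\r\n",
             b"POST /login HTTP/1.1\r\nHost: b\r\n\r\n",
             b"GET /img/logo.png HTTP/1.1\r\nHost: c\r\n\r\n"],
    "dns": [dns_query(b"\x1a\x2b", b"\x03www\x07example\x03com"),
            dns_query(b"\x3c\x4d", b"\x04mail\x07example\x03com"),
            dns_query(b"\x5e\x7f", b"\x03ftp\x07example\x03com")],
}
HEADER_LEN = 16  # assumed header-length estimate; the thesis derives it from token-pattern counts
PROFILES = build_profiles(TRAINING, HEADER_LEN)

if __name__ == "__main__":
    body = bytes(range(128, 256)) * 4            # constructed binary body
    req = b"GET /about HTTP/1.1\r\n\r\n" + body
    print(identify(req, PROFILES, HEADER_LEN)[0])                # header-only window
    print(identify(req, build_profiles(TRAINING, 600), 600)[0])  # long fixed window
```

On this constructed request the header-only window still matches the HTTP profile, while the 600-byte window is dominated by body bytes and falls below the threshold.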
[Degree-granting institution]: PLA Information Engineering University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
Article ID: 1661124
Article link: http://sikaile.net/guanlilunwen/ydhl/1661124.html