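1. School of Electronics and Information, Guangdong Polytechnic Normal University, Guangzhou, Guangdong 510665
2. Department of Electronics and Information Engineering, Sun Yat-sen University, Guangzhou, Guangdong 510006
Jian-zhen LUO (1984-), male, born in Yangchun, Guangdong, Ph.D., lecturer at Guangdong Polytechnic Normal University. His main research interests are protocol reverse engineering and future networks.
Shun-zheng YU (1958-), male, born in Nanchang, Jiangxi, Ph.D., professor and doctoral supervisor at Sun Yat-sen University. His main research interests are information security, signal processing and wireless networks.
Jun CAI (1981-), male, born in Shaoyang, Hunan, Ph.D., associate professor at Guangdong Polytechnic Normal University. His main research interests are traffic optimization and future networks.
Published online: 2016-06
Published in print: 2016-06-25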
Jian-zhen LUO, Shun-zheng YU, Jun CAI. Method for determining the lengths of protocol keywords based on maximum likelihood probability[J]. Journal on Communications, 2016, 37(6): 119-128. DOI: 10.11959/j.issn.1000-436x.2016121.
A left-to-right inhomogeneous cascaded hidden Markov model was proposed and applied to model application-layer network protocol messages. The proposed model described the transition probabilities between states and the evolution rule of phases inside the states, and revealed the transition feature of message fields and the left-to-right Markov characteristics inside the fields. The lengths of protocol keywords were determined by the maximum likelihood probability criterion, the protocol keywords were inferred by selecting the lengths with maximum likelihood probability, and then the message format of the protocol was automatically recovered. The experimental results demonstrated that the proposed method performs well in protocol keyword extraction and message format recovery.