A Length Semantic Constraints Based Approach for Mining Packet Formats of Unknown Protocols

doi:10.13190/jbupt.201206.55.zhangzh

JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM ›› 2012, Vol. 35 ›› Issue (6): 55-59.doi: 10.13190/jbupt.201206.55.zhangzh

• Papers • Previous Articles Next Articles

A Length Semantic Constraints Based Approach for Mining Packet Formats of Unknown Protocols

ZHANG Zhao, TANG Wen, WEN Qiao-yan

1. State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China;2. IT Security, Cooperate Technology, Siemens (China) Ltd, Beijing 100102, China

Received:2012-04-09 Revised:2012-07-24 Online:2012-12-28 Published:2013-01-07
Contact: Zhao ZHANG E-mail:108283@bupt.edu.cn
Supported by:
;Specialized Research Fund for the Doctoral Program of Higher Education

Abstract

Abstract:

In order to get the format of unknown protocols, a length semantic constraints based packet format mining method is proposed based on length semantic constraints. First, multiple sequence alignment method is applied to partition a packet into segments. Then, a length identification algorithm is utilized to scan the segments separately to infer length fields and corresponding referred field(s). At last, the format (hierarchy structure) of the packets is obtained. Experiments demonstrate the effectiveness of this method: the false negative rates of length fields for GetNextRequest and GetResponse of simple network management protocol version 1 are both 9.1%, and the false positive rates are 16.7% and 23.1%. The packet hierarchy is also obtained, approximately consistent with protocol format specification.

Key words: length field, packet format, protocol specification mining, protocol reverse engineering, multiple sequence alignment

CLC Number:

TP393.08

ZHANG Zhao, TANG Wen, WEN Qiao-yan. A Length Semantic Constraints Based Approach for Mining Packet Formats of Unknown Protocols[J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2012, 35(6): 55-59.

[1]	. Network Security Analysis Based on Host-Security-Group [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2012, 35(1): 19-23.
[2]	. Research of Automatically Generating Signatures for Botnets [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2011, 34(4): 109-112.
[3]	YU Wang-ke; MA Wen-ping; YAN Ya-jun; YANG Yuan-yuan. Constructing Secure Routing Protocol Using Trust Model [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2010, 33(3): 48-51.
[4]	ZHU Hong-liang;LI Rui;CHENG Ming-zhi;XIN Yang;YANG Yi-xian;HU Zheng-ming. A Multi-Track Separating Method Using Bubble Principle [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2010, 33(1): 74-79.
[5]	WU Bin, ZHENG Kang-feng, YANG Yi-xian . Analysis of Alert Correlation in Honeynet [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2008, 31(6): 63-66.
[6]	ZHENG Hui-fang, JIANG Ting, ZHOU Zheng. Theoretical Study with the Model for MANET Cooperation Enforcement [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2008, 31(5): 21-24.
[7]	ZHANG Hong-qi, ZHOU Jing, ZHANG Bin. The Research of Extension of Static Constraints Mechanism in RBAC Model [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2008, 31(3): 123-127.
[8]	LI Yang1, XIN Yang1, GAO Xue-song2, NIU Xin-xin1, YANG Yi-xian1. Optimized Re-Keying Solution for Secure Multicast Using PRF and XOR Operation [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2008, 31(1): 92-96.
[9]	HONG Zheng, WU Li-fa, WANG Yuan-yuan. Worm Detection Based on Improved V-detector Algorithm [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2007, 30(2): 98-101.
[10]	GAO Chang-xi, ZHANG Fu-yuan, XIN Yang, NIU Xin-xin, YANG Yi-xian . Research on Worm’s Propagation and Defense Model in Different P2P Networks [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2006, 29(s2): 49-53.
[11]	WANG Ping, FANG Bin-xing, YUN Xiao-chun. The Division Based Restraint Approach of Worm Propagation [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2006, 29(5): 24-27.
[12]	LI Xin, JI Zhen-zhou, LIU Wei-chen, HU Ming-zeng. An Algorithm for Detecting Firewall Filters Conflicts [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2006, 29(4): 90-93.
[13]	XIAN Jiqing1,LANG Fenghua2. Anomaly Detection Method Based on CSABased Unsupervised Fuzzy Clustering Algorithm [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2005, 28(4): 103-106.

A Length Semantic Constraints Based Approach for Mining Packet Formats of Unknown Protocols

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 13

Recommended Articles

Metrics

Comments