LONG Xiao-fei,FENG Yan,WANG Rui-jie

DOI: https://doi.org/10.3785/j.issn.1008-973x.2006.10.009

2006-01-01

Abstract:A pre-decision detection engine to mitigate false positives generated by signature-based network intrusion detection system and improve the performance of processing packets was proposed.By utilizing hosts'software information on monitored network,predecision detection engine makes a decision before pattern match to filter out unnecessary rules,which minimizes average pattern-match times for each packet,and reduces false positives and improves performance as a result.Experimental results showed that pre-decision detection engine can decrease false positives and improve the performance of processing packets,without increasing the false negative rate.

Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Lu Gang,Zhang Hongli,Zhang Yu,Mahmoud T. Qassrawi,Yu Xiangzhan,Peng Lizhi

DOI: https://doi.org/10.1109/cc.2013.6549262

2013-01-01

Abstract:Automatic signature generation approaches have been widely applied in recent traffic classification. However, they are not suitable for LightWeight Deep Packet Inspection (LW_DPI) since their generated signatures are matched through a search of the entire application data. On the basis of LW_DPI schemes, we present two Hierarchical Clustering (HC) algorithms: HC_TCP and HC_UDP, which can generate byte signatures from TCP and UDP packet payloads respectively. In particular, HC_TCP and HC_ UDP can extract the positions of byte signatures in packet payloads. Further, in order to deal with the case in which byte signatures cannot be derived, we develop an algorithm for generating bit signatures. Compared with the LASER algorithm and Suffix Tree (ST)-based algorithm, the proposed algorithms are better in terms of both classification accuracy and speed. Moreover, the experimental results indicate that, as long as the application-protocol header exists, it is possible to automatically derive reliable and accurate signatures combined with their positions in packet payloads.

Mingjiang Ye,Ke Xu,Jianping Wu,Hu Po

DOI: https://doi.org/10.1109/cit.2009.97

2009-01-01

Abstract:Classifying network traffic according to the applications is important to a broad range of network areas. Compared with the traditional method which classifies traffic using predefined well-known port numbers, the method using application signatures is more accurate. Unfortunately, analyzing signatures and maintaining up-to-date signatures for various applications is very difficult. To solve the problem, the paper proposes AutoSig which is an automatic application signature generation system. AutoSig extracts multiple common substring sequences from sample flows as application signature. First all possible common substrings in an application protocol are extracted and then a substring tree is constructed to generate the final signature of the application. The method is evaluated on campus traffic traces, and the experiment results show that AutoSig can generate effective application signatures with very high accuracy automatically.

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1145/3536423

2022-01-01

ACM Transactions on Sensor Networks

Abstract:The broadcast nature of wireless media makes WLANs easily attacked by rogue Access Points (APs) . Rogue AP attacks can potentially cause severe privacy leakage and financial loss. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP but also depend on the client, significantly limiting their application scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint . These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model, and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication in typical indoor environments. We have also proposed a threshold-improved authentication scheme to improve the robustness of our system in dynamic environments. Our schemes can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 18 million WiFi packets. Results show that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate. Moreover, the threshold-improved authentication scheme can further reduce the false alarm rate by 13.0%-44.8% for dynamic environments.

Zhenlong Yuan,Yibo Xue,Yingfei Dong

DOI: https://doi.org/10.1109/CNS.2013.6682724

2013-01-01

Abstract:Network traffic classification is critical to both network management and security. Identifying application traffic at the flow level with signature matching has been widely used as the most efficient method due to its reliability and robustness. However, due to the increasing number of applications and their frequent updates, we have to constantly regenerate application signatures, which is both resource intensive and time consuming. To address this issue, we propose to explore the unique characteristics in packet sequences and discovered two types of packet sequence signatures. We introduce our design and implementation of an automated packet-sequence signature construction (APSC) system, based on association rule mining and data clustering technologies. This system can not only automatically generate traditional signatures from individual packet payloads but also construct new packet sequence signatures based on payloads or features from packet sequences, even for encrypted flows. To the best of our knowledge, this is the first practical and efficient system that supports automated packet sequence signature construction. Our experimental results show that the proposed system can automatically construct high quality signatures for a variety of application with limited overhead.

Pinghui Wang,Xiaohong Guan,Tao Qin

DOI: https://doi.org/10.1109/camad.2009.5161471

2009-01-01

Abstract:Peer-to-Peer (P2P) protocol is widely used in many network applications and P2P traffic is becoming dominating in the current Internet and may cause serious congestion. Recently, P2P applications tend to intentionally disguise their traffic flows by using arbitrary ports, which leads the accurate identification of P2P traffic to become a very difficult job and hot research topic in network traffic control. In this paper, we employ the longest common subsequence to identify the key packets from the traffic flows, and present a new method to identify the P2P flows based on the signatures of key packets with only direction and payload length in the first few packets of a flow. We test the new method with four popular P2P applications in the actual network environment and the results show that the new method has high accuracy and efficiency since only a few packets in each flow needs to be analyzed. The new method is suitable for real time traffic management and monitoring.

Yipeng Wang,Xiaochun Yun,Yongzheng Zhang

DOI: https://doi.org/10.1109/icnp.2015.43

2015-01-01

Abstract:Protocol traffic analysis is important for a variety of networking and security infrastructures, such as intrusion detection and prevention systems, network management systems, and protocol specification parsers. In this paper, we propose ProHacker, a nonparametric approach that extracts robust and accurate protocol keywords from network traces and effectively identifies the protocol trace from mixed Internet traffic. ProHacker is based on the key insight that the n-grams of protocol traces have highly predictable statistical nature that can be effectively captured by statistical language models and leveraged for robust and accurate protocol identification. In ProHacker, we first extract protocol keywords using a nonparametric Bayesian statistical model, and then use the corresponding protocol keywords to classify protocol traces by a semi-supervised learning algorithm. We implement and evaluate ProHacker on real-world traces, including SMTP, FTP, PPLive, SopCast, and PPStream, and our experimental results show that ProHacker can accurately identify the protocol trace with an average precision of about 99.42% and an average recall of about 98.64%. We also compare the results of ProHacker to two state-of-the-art approaches ProWord and Securitas using backbone traffic. We show that ProHacker provides significant improvements on precision and recall for online protocol identification.

Liu Bin,Li Zhi Tang,Tu Hao

DOI: https://doi.org/10.4108/infoscale.2007.905

2007-01-01

Abstract:P2P application has become tremendously popular over the last few years, now accounting for a significant share of the total network traffic. P2P protocols used arbitrary ports to camouflage its traffic to avoid detection and recognition with standard measurement tools. This paper presents a measurement system which reliably detects and measures P2P traffic in real-time. The methodology is based on using application level signatures implemented by Netfilter extension as well as packet classifier. The results from test in a large university network indicate that this approach not only can significantly improve the P2P traffic volume estimates but also provided the performance required for practical applications.

Yipeng Wang,Xiaochun Yun,Yongzheng Zhang,Liwei Chen,Tianning Zang

DOI: https://doi.org/10.1016/j.comnet.2017.09.006

IF: 5.493

2017-01-01

Computer Networks

Abstract:Protocol traffic analysis is a fundamental problem regarding a variety of networking and security applications, such as intrusion detection and prevention systems, network management systems, and protocol specification parsers. In this paper, we propose ProHacker, a nonparametric approach that extracts robust and accurate protocol keywords from the byte sequences generated by an application protocol, and effectively identifies the protocol trace from mixed Internet traffic. ProHacker is based on the key insight that the n-grams of protocol traces have highly predictable statistical nature that can be effectively captured by statistical language models and be leveraged for robust and accurate protocol identification. In ProHacker, we first extract protocol keywords using a nonparametric Bayesian statistical model, and then use the corresponding protocol keywords to classify protocol traces by a semi-supervised learning algorithm. We implement and evaluate ProHacker on real-world traces, and our experimental results show that ProHacker can accurately identify the protocol trace with an average precision of about 99.4% and an average recall of about 99.28%. We compare the results of ProHacker to one state-of-the-art approach, ProWord, and one our previous work, Securitas, using backbone traffic. We note that ProHacker provides significant improvements on precision and recall for online protocol identification.

YiPeng Wang,Xiaochun Yun,Yongzheng Zhang,Liwei Chen,Guangjun Wu

DOI: https://doi.org/10.1016/j.jnca.2017.10.009

IF: 7.574

2017-01-01

Journal of Network and Computer Applications

Abstract:Protocol fingerprints are a set of byte subsequences within packet payload that can distinguish individual application protocols. They play an important role for deep packet analysis in traffic normalization and network management. In this paper, we propose ProPrint, a network trace-based protocol fingerprint inference system. In ProPrint, we first build a protocol language model based on a modified nonparametric Bayesian statistical model. Second, we use the corresponding protocol language model to identify field boundaries in packet payload, such that we can segment each payload into a set of protocol feature words according to the hidden structure information. Third, we propose a ranking algorithm that selects true protocol fingerprints from the candidate protocol feature words. In evaluations, we measure ProPrint on real-world network traces, and also compare ProPrint to existing state-of-the-art solutions, ProWord and Securitas. The experimental results show that ProPrint performs better than ProWord and Securitas on f-measure for online application classification.

Yan Shen,Jun Bi,Jianping Wu,Qiang Liu

DOI: https://doi.org/10.1007/978-3-540-74819-9_105

2007-01-01

Abstract:SPM (Spoofing Prevention Method) proposed a peer-to-peer anti-spoofing method which could effectively filter spoofed packets and support incremental deployment. However, mechanism of SPM key updating has some serious problems: (1) heavy management cost; (2) risk of becoming the target of DOS/DDOS attacks during the key updating; (3) limitation of the scale of the SPM union; (4) impossibility of tackling the threat of real-time packet sniffing. This paper proposes an Automatic Peer-to-Peer Anti-spoofing Method (APPA). APPA resolves the key management problem and could effectively prevent source address spoofing.

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

Siyuan Pan,Yijun Wang,Zhi Xue,Xiang Lin

DOI: https://doi.org/10.3969/j.issn.1000-386x.2018.04.058

2018-01-01

Abstract:With the increasing demand for network security,the requirements for the analysis of remote control Trojan in APT attacks are also constantly increasing.Correspondingly,various methods and tools for analyzing unknown network protocols appear.In this paper,we introduced several existing methods of unknown network protocol reverse,and draw on the advantages of the existing methods.An improved method based on message data Tokenization,multiple sequence alignment and agglomerative hierarchical clustering for APT Trojan network protocol is proposed.

Zhenlong Yuan,Yibo Xue,Mihaela van der Schaar

DOI: https://doi.org/10.1145/2829988.2789997

IF: 1.937

2015-01-01

ACM SIGCOMM Computer Communication Review

Abstract:Traditionally, signatures used for traffic classification are constructed at the byte-level. However, as more and more data-transfer formats of network protocols and applications are encoded at the bit-level, byte-level signatures are losing their effectiveness in traffic classification. In this poster, we creatively construct bit-level signatures by associating the bit-values with their bit-positions in each traffic flow. Furthermore, we present BitMiner, an automated traffic mining tool that can mine application signatures at the most fine-grained bit-level granularity. Our preliminary test on popular peer-to-peer (P2P) applications, e.g. Skype, Google Hangouts, PPTV, eMule, Xunlei and QQDownload, reveals that although they all have no byte-level signatures, there are significant bit-level signatures hidden in their traffic.

Zhenlong Yuan,Cuilan Du,Xiaoxian Chen,Dawei Wang,Yibo Xue

DOI: https://doi.org/10.1109/ICCNC.2014.6785294

2014-01-01

Abstract:Skype has been a typical choice for providing VoIP service nowadays and is well-known for its broad range of features, including voice-calls, instant messaging, file transfer and video conferencing, etc. Considering its wide application, from the viewpoint of ISPs, it is essential to identify Skype flows and thus optimize network performance and forecast future needs. However, in general, a host is likely to run multiple network applications simultaneously, which makes it much harder to classify each and every Skype flow from mixed traffic exactly. Especially, current techniques usually focus on host-level identification and do not have the ability to identify Skype traffic at the flow-level. In this paper, we first reveal the unique sequence signatures of Skype UDP flows and then implement a practical online system named SkyTracer for precise Skype traffic identification. To the best of our knowledge, this is the first time to utilize the strong sequence signatures to carry out early identification of Skype traffic. The experimental results show that SkyTracer can achieve very high accuracy at fine-grained level in identifying Skype traffic.

Fei He,Fan Xiang,Yiyang Shao,Yibo Xue,Jun Li

DOI: https://doi.org/10.1016/s1007-0214(11)70061-x

2011-01-01

Tsinghua Science & Technology

Abstract:Modern datacenter and enterprise networks require application identification to enable granular traffic control that either improves data transfer rates or ensures network security. Providing application visibility as a core network function is challenging due to its performance requirements, including high throughput, low memory usage, and high identification accuracy. This paper presents a payload-based application identification method using a signature matching engine utilizing characteristics of the application identification. The solution uses two-stage matching and pre-classification to simultaneously improve the throughput and reduce the memory. Compared to a state-of-the-art common regular expression engine, this matching engine achieves 38% memory use reduction and triples the throughput. In addition, the solution is orthogonal to most existing optimization techniques for regular expression matching, which means it can be leveraged to further increase the performance of other matching algorithms.

Haifeng Li,Bo Shuai,Jian Wang,Chaojing Tang

DOI: https://doi.org/10.1109/CIS.2015.83

2015-01-01

Abstract:Automatic protocol reverse engineering for application protocol is becoming more and more important for many applications such as application protocol analyzer, penetration testing, intrusion prevention and detection. However, many techniques for extracting the protocol message format specifications of unknown applications often have some limitations for little priori information or the time-consuming problem. In this paper, we present a method for automatically reverse engineering the protocol message formats of an application from its network trace, by using LDA and association analysis. The approach exploits the semantics of protocol messages without the executable code of application protocols, but focuses on the insight that the n-grams of protocol traces exhibit highly semantic information that can be leveraged for accurate protocol message format inference. Firstly, we propose the way to key words extract by utilizing the LDA model, secondly, the association analysis method is applied to constructing the feature words based on the above process. Lastly our experiments Show that the method can accurately infer message format specifications of SMTP text protocol.

Yong Wang,Nan Zhang,Yan-mei Wu,Bin-bin Su

DOI: https://doi.org/10.1007/978-3-642-53917-6_40

2013-01-01

Abstract:Protocol reverse engineering is becoming important in analyzing unknown protocols. Unfortunately, many techniques often have some limitations for few priori information or the time-consuming problem. To address these issues, we propose a framework based on protocol finite state machine FSM construction, which can infer the protocol specifications without any priori information of protocols. To improve our framework's efficiency, we identify the keywords before the finite state construction. Our framework constructs two FSMs, one is L --- FSM language FSM and the other is S --- FSM state FSM. L --- FSM is to illustrate the protocol languages. S --- FSM shows protocol sessions' state transitions. We evaluate our framework with both binary and text protocol. The ARP and the SMTP are the target protocols as inputs. The precision rate and the recall rate are used for evaluation criterias in our experiments. The ARP's precision and recall rate are both reached 100%. The SMTP's precision rate is 100% and recall rate is almost 98%.

Bi Jun,Liu Bingyang,Wu Jianping,Shen Yan

DOI: https://doi.org/10.1016/s1007-0214(09)70097-5

2009-01-01

Tsinghua Science & Technology

Abstract:A signature-and-verification-based method, automatic peer-to-peer anti-spoofing （APPA）, is proposed to prevent IP source address spoofing. In this method, signatures are tagged into the packets at the source peer, and verified and removed at the verification peer where packets with incorrect signatures are filtered. A unique state machine, which is used to generate signatures, is associated with each ordered pair of APPA peers. As the state machine automatically transits, the signature changes accordingly. KISS random number generator is used as the signature generating algorithm, which makes the state machine very small and fast and requires very low management costs. APPA has an intra-AS （autonomous system） level and an inter-AS level. In the intra-AS level, signatures are tagged into each departing packet at the host and verified at the gateway to achieve finer-grained anti-spoofing than ingress filtering. In the inter-AS level, signatures are tagged at the source AS border router and verified at the destination AS border router to achieve prefix-level anti-spoofing, and the automatic state machine enables the peers to change signatures without negotiation which makes APPA attack-resilient compared with the spoofing prevention method. The results show that the two levels are both incentive for deployment, and they make APPA an integrated anti-spoofing solution.