WANG Yi-peng,YUN Xiao-chun,ZHANG Yong-zheng,LI Shu-hao

DOI: https://doi.org/10.3969/j.issn.1000-436x.2013.10.016

2013-01-01

Abstract:Obtaining qualified training data for protocol identification generally requires domain experts to be involved, which is time-consuming and laborious. A novel approach for network protocol identification based on active learning and SVM algorithm was proposed. The experimental evaluations on real-world network traces show this approach can accurately and efficiently classify the target network protocol from mixed Internet traffic, and meanwhile display a sig-nificant reduction in the number of labeled samples. Therefore, this approach can be employed as an auxiliary tool for analyzing unknown protocols in real-world environment.

YoungGiu Jung,Chang-Min Jeong

DOI: https://doi.org/10.1007/s11227-019-03108-w

IF: 3.3

2020-01-01

The Journal of Supercomputing

Abstract:The protocol reverse engineering technique can be used to extract the specification of an unknown protocol. However, there is no standardized method, and in most cases, the extracting process is executed manually or semiautomatically. Since only frequently seen values are extracted as fields from the messages of a protocol, it is difficult to understand the complete specification of the protocol. Therefore, if the information about the structure of an unknown protocol could be acquired in advance, it would be easy to conduct reverse engineering. As such, one of the most important techniques for classifying unknown protocols is a feature extraction algorithm. In this paper, we propose a new feature extraction algorithm based on average histogram for classification of an unknown protocol and design unknown protocol classifier using deep belief networks, one of deep learning algorithms. In order to verify the performance of the proposed system, we performed the training using eight open protocols to evaluate the performance using unknown data. Experimental results show that the proposed technique gives significantly more reliable results of about 99% classification performance, regardless of the strength of the modification of the protocol.

Na Xing,Shuai Zhao,Yuehai Wang,Keqing Ning,Xiufeng Liu

DOI: https://doi.org/10.14569/ijacsa.2023.0140743

2023-01-01

Abstract:recent years, deep learning-based network intrusion detection systems (IDS) have shown impressive results in detecting attacks. However, most existing IDS can only recognize known attacks that were included in their training data. When faced with unknown attacks, these systems are often unable to take appropriate actions and incorrectly classify them into known categories, leading to reduced detection performance. Furthermore, as the number and types of network attacks continue to increase, it becomes challenging for these IDS to update their model parameters promptly and adapt to new attack scenarios. To address these issues, this paper introduces a dynamic intrusion detection system, Dynamic Unknown Attack Intrusion Detection System (DUA-IDS). This system aims to learn and detect unknown attacks effectively. DUA-IDS comprises three components: Feature Extractor: This component employs CNN and Transformer models to extract data features from various perspectives. Threshold-Based Classifier: The second part utilizes the nearest mean rule of samples to classify known and unknown attacks, enabling the distinction between them. Dynamic Learning Module: The third part incorporates data playback and knowledge distillation techniques to retain existing category knowledge while continuously learning new attack categories. To assess the effectiveness of DUA-IDS, this paper conducted experiments using the UNSW-NB15 public dataset. The experimental results show that DUA-IDS improves the classification accuracy of flow network data with unknown traffic attacks. Can accurately distinguish unknown traffic and correctly classify known traffic. When dynamically learning unknown traffic, the classification accuracy of previously learned known traffic is less affected. This indicates the advantages of DUA-IDS in detecting unknown attacks and learning new attack categories.

Yi-Chuan Wang,Bin-Bin Bai,Xin-Hong Hei,Ju Ren,Wen-Jiang Ji

DOI: https://doi.org/10.6688/jise.202007_36(4).0005

2020-01-01

Journal of information science and engineering

Abstract:In recent years, unscrupulous hacker attacks have led to the information leakage of enterprise and individual network users, which makes the network security issue unprecedented concerned. Botnet and dark network, which use C & C channel of unknown protocol format to communicate, are the important parts. With the development of wireless mobile networks technology, this problem becomes more prominent. Classifying and identifying the unknown protocol features can help us to judge and predict the unknown attack behavior in the Internet of things environment, so as to protect the network security. Firstly, this paper compares the protocol features to be detected with the existing protocol features in the feature base through the vectorization operation of protocol features, selects the feature set with high recognition rate, and judges the similarity between protocols. The extracted composite features are digitized to generate 0-1 matrix, then Principal Component Analysis (PCA) dimension reduction is processed, and finally clustering analysis is carried out. A Clique to Protocol Feature Vectorization (CPFV) algorithm is designed to improve the efficiency of protocol clustering and finally generate a new protocol format. The experimental results show that compared with the traditional Clique and BIRCH algorithms, the proposed optimization algorithm improves the accuracy by 20% and the stability by 15%. It can cluster and identify unknown protocols accurately and quickly.

Haishuai Wang,Jia Wu,Peng Zhang,Yixin Chen

DOI: https://doi.org/10.1109/tii.2018.2885700

IF: 12.3

2019-01-01

IEEE Transactions on Industrial Informatics

Abstract:This paper formulates the problem of learning discriminative features (i.e., segments) from networked time-series data, considering the linked information among time series. For example, social network users are considered to be social sensors that continuously generate social signals represented as a time series. The discriminative segments are often referred to as shapelets in a time series. Extracting shapelets for time-series analysis has been widely studied. However, existing works on shapelet selection assume that the time series are independent and identically distributed. This assumption restricts their applications to social networked time-series analysis since a user's actions can be correlated to his/her social affiliations. In this paper, we propose a novel network regularized least squares (NetRLS) feature selection model that combines typical time-series data and user network data for analysis. Experiments on real-world Twitter, Weibo, and DBLP networked time-series data demonstrate the performance of the proposed method. NetRLS performs better than the representative baselines on four evaluation criteria, namely classification accuracy, area under the curve (AUC), F1-score, and statistical significance analysis. NetRLS also has competitive running time as the baselines.

Yipeng Wang,Xiaochun Yun,Yongzheng Zhang

DOI: https://doi.org/10.1109/icnp.2015.43

2015-01-01

Abstract:Protocol traffic analysis is important for a variety of networking and security infrastructures, such as intrusion detection and prevention systems, network management systems, and protocol specification parsers. In this paper, we propose ProHacker, a nonparametric approach that extracts robust and accurate protocol keywords from network traces and effectively identifies the protocol trace from mixed Internet traffic. ProHacker is based on the key insight that the n-grams of protocol traces have highly predictable statistical nature that can be effectively captured by statistical language models and leveraged for robust and accurate protocol identification. In ProHacker, we first extract protocol keywords using a nonparametric Bayesian statistical model, and then use the corresponding protocol keywords to classify protocol traces by a semi-supervised learning algorithm. We implement and evaluate ProHacker on real-world traces, including SMTP, FTP, PPLive, SopCast, and PPStream, and our experimental results show that ProHacker can accurately identify the protocol trace with an average precision of about 99.42% and an average recall of about 98.64%. We also compare the results of ProHacker to two state-of-the-art approaches ProWord and Securitas using backbone traffic. We show that ProHacker provides significant improvements on precision and recall for online protocol identification.

徐莉,赵曦,赵群飞,秦涛

DOI: https://doi.org/10.3321/j.issn:0253-987x.2009.02.010

2009-01-01

Abstract:An application protocol identification method is proposed based on the statistical characteristics of network flows.The flow features at the network level are extracted according to the concept of network flow,and three attributes: the number of packets,the number of bytes,and time,are used to capture the flow characteristics roundly.Then the principal component analysis algorithm is used to determine the main characteristics of the flow attributes to reduce the effect of environment.Finally,a BP neural network model is given to identify the application protocols.As the features used in the proposed method are more stable,the output results of the model are hence accurate with the change of the network environment.Experimental results in real network environments show that the proposed method can identify several major application protocols accurately,such as HTTP,BitTorrent,FTP and TELNET,and the identification precision is above 97%.

Zhang Luoshi,Xue Yibo,Wang Dawei

DOI: https://doi.org/10.14257/ijfgcn.2015.8.2.16

2015-01-01

International Journal of Future Generation Communication and Networking

Abstract:Due to the wide use of encrypted protocols and random ports, traditional methods that based on port number or packet payload have gradually lose their effectiveness. To address this issue, new methods that based on machine learning techniques become the research hotspots. With many further studies, some research institutions show that ML-based protocol identification methods can generally achieve over 95% accuracy. However, different from most research studies, industry claims that ML-based techniques are hardly to be deployed for practical use due to their high false positives and false negatives. In this paper, different Machine Learning techniques are evaluated for the actual accuracy under different network environments, and a variety of features are tested on different encrypted protocols. The results show that the identification accuracy will go down due to the changed network scale and network environment while the same ML-based models are used under different network environments, and the choices among different Machine Learning techniques, protocol types or statistical features are not critical.

Dawei Wei,Feifei Shi,Sahraoui Dhelim

DOI: https://doi.org/10.3390/fi14100289

2022-10-11

Future Internet

Abstract:The identification of Internet protocols provides a significant basis for keeping Internet security and improving Internet Quality of Service (QoS). However, the overwhelming developments and updating of Internet technologies and protocols have led to large volumes of unknown Internet traffic, which threaten the safety of the network environment a lot. Since most of the unknown Internet traffic does not have any labels, it is difficult to adopt deep learning directly. Additionally, the feature accuracy and identification model also impact the identification accuracy a lot. In this paper, we propose a surge period-based feature extraction method that helps remove the negative influence of background traffic in network sessions and acquire as many traffic flow features as possible. In addition, we also establish an identification model of unknown Internet traffic based on JigClu, the self-supervised learning approach to training unlabeled datasets. It finally combines with the clustering method and realizes the further identification of unknown Internet traffic. The model has been demonstrated with an accuracy of no less than 74% in identifying unknown Internet traffic with the public dataset ISCXVPN2016 under different scenarios. The work provides a novel solution for unknown Internet traffic identification, which is the most difficult task in identifying Internet traffic. We believe it is a great leap in Internet traffic identification and is of great significance to maintaining the security of the network environment.

Ziming Zhao,Zhaoxuan Li,Xiaofei Xie,Jiongchi Yu,Fan Zhang,Rui Zhang,Binbin Chen,Xiangyang Luo,Ming Hu,Wenrui Ma

DOI: https://doi.org/10.1109/tnet.2024.3413789

2024-01-01

Abstract:Anomaly-based network intrusion detection systems (NIDSs) are essential for ensuring cybersecurity. However, the security communities realize some limitations when they put most existing proposals into practice. The challenges are mainly concerned with fine-grained unknown attack detection and ever-changing legitimate traffic adaptation. To tackle these problem, we present three key design norms. The core idea is to construct a model to split the data distribution hyperplane and leverage the concept of isolation, as well as advance the incremental model update. We utilize the isolation tree as the backbone to design our model, named, to echo back three norms. By analyzing the popular dataset of network intrusion traces, we show that significantly outperforms the state-of-the-art methods. Further, we perform an initial deployment of by working with the Internet Service Provider (ISP) to detect distributed denial of service (DDoS) attacks. With real-world tests and manual analysis, we demonstrate the effectiveness of to identify previously-unseen attacks in a fine-grained manner.

Stephan Kleber,Milan Stute,Matthias Hollick,Frank Kargl

DOI: https://doi.org/10.1109/DSN-W54100.2022.00023

2022-11-08

Abstract:Reverse engineering of unknown network protocols based on recorded traffic traces enables security analyses and debugging of undocumented network services. In particular for binary protocols, existing approaches (1) lack comprehensive methods to classify or determine the data type of a discovered segment in a message, e.,g., a number, timestamp, or network address, that would allow for a semantic interpretation and (2) have strong assumptions that prevent analysis of lower-layer protocols often found in IoT or mobile systems. In this paper, we propose the first generic method for analyzing unknown messages from binary protocols to reveal the data types in message fields. To this end, we split messages into segments of bytes and use their vector interpretation to calculate similarities. These can be used to create clusters of segments with the same type and, moreover, to recognize specific data types based on the clusters' characteristics. Our extensive evaluation shows that our method provides precise classification in most cases and a data-type-recognition precision of up to 100% at reasonable recall, improving the state-of-the-art by a factor between 1.3 and 3.7 in realistic scenarios. We open-source our implementation to facilitate follow-up works.

Cryptography and Security,Networking and Internet Architecture

Zhu Li,Ruixi Yuan,Xiaohong Guan

DOI: https://doi.org/10.1007/978-3-540-73111-5_8

2007-01-01

Abstract:Timely traffic identification is critical in network security monitoring and traffic engineering. Traditional methods using well-known ports, protocols and precise signature matching are no longer accurate with the proliferation of new applications. Recently, applying pattern recognition methods to classify network application traffic based on the flow parameters (e.g. port, flow duration, etc.) has become increasing popular. However, many methods developed in the previous works are either too complex to be applied in real-time, or suffer from lower accuracy due to the insufficient knowledge of the application. In this paper, we first give an overview on the developments of pattern recognition methods as traffic classification tools. We then develop two separate pattern recognition methods: one with supervised learning, and one with un-supervised learning, and apply them to classify traffic captured from a campus backbone network. The supervised learning method (an optimized SVM method) yields approximately 99.41 % accuracy for the collected traffic. The un-supervised learning method (an entropy based clustering method) gets the average accuracy of 92.41% for the top 20 traffic generating hosts during the same time period. Performance test on a single PC with 3GHz Pentium 4 processors and 1 GB of memory show that both methods can handle more than 10000 network flows per second, close to real time requirements for many situations.

Jiantao Shi,Xiangzhan Yu,Zechao Liu

DOI: https://doi.org/10.1155/2021/6672911

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:In recent years, with the rapid development of mobile Internet and 5G technology, great changes have been brought to our lives, and human beings have stepped into the era of big data. These new features and techniques in 5G support many different types of mobile applications for users, which makes network security extremely challenging. Among them, more and more applications involve users' private data, such as location information, financial information, and biological information. In order to prevent users' privacy disclosure, most applications choose to use private protocols. However, such private protocols also provide a means for malware and malicious applications to steal users' privacy and confidential data. From a more secure point of view, we need to provide a way for users to know how many private protocols are running on their mobile phones and distinguish which are authorized applications and which are not. Therefore, the analysis and identification of private protocols have become a hot topic in current research. How to extract the characteristics of network protocol effectively and identify the private protocol accurately becomes the most important part of this research. In this paper, we combine genetic algorithm and association rule algorithm and then propose a set of feature extraction algorithm and protocol recognition algorithm for unknown protocols. The experimental analysis based on the actual data shows that these methods can effectively solve the problems of feature extraction and recognition for unknown protocols and can greatly improve the accuracy of private protocol recognition.

Yipeng Wang,Xiaochun Yun,Yongzheng Zhang,Liwei Chen,Tianning Zang

DOI: https://doi.org/10.1016/j.comnet.2017.09.006

IF: 5.493

2017-01-01

Computer Networks

Abstract:Protocol traffic analysis is a fundamental problem regarding a variety of networking and security applications, such as intrusion detection and prevention systems, network management systems, and protocol specification parsers. In this paper, we propose ProHacker, a nonparametric approach that extracts robust and accurate protocol keywords from the byte sequences generated by an application protocol, and effectively identifies the protocol trace from mixed Internet traffic. ProHacker is based on the key insight that the n-grams of protocol traces have highly predictable statistical nature that can be effectively captured by statistical language models and be leveraged for robust and accurate protocol identification. In ProHacker, we first extract protocol keywords using a nonparametric Bayesian statistical model, and then use the corresponding protocol keywords to classify protocol traces by a semi-supervised learning algorithm. We implement and evaluate ProHacker on real-world traces, and our experimental results show that ProHacker can accurately identify the protocol trace with an average precision of about 99.4% and an average recall of about 99.28%. We compare the results of ProHacker to one state-of-the-art approach, ProWord, and one our previous work, Securitas, using backbone traffic. We note that ProHacker provides significant improvements on precision and recall for online protocol identification.

Libing Qiao,Enhuan Dong,Huanpu Yin,Haisheng Li,Jiahai Yang

DOI: https://doi.org/10.1109/mnet.2024.3374080

IF: 10.294

2024-01-01

IEEE Network

Abstract:With the continuous development of network devices, there are increasingly types and quantities of network devices. Accurate identification of device types helps proactively protect potentially vulnerable devices exposed on the Internet. Among the network device identification methods, the TCP/IP stack active detection method is an important kind since it does not require many open ports of target devices. However, its performance is limited by the rule/fingerprint database quality. Maintaining such a database requires a lot of expert effort, making the method difficult to scale up. To solve the scalability problem, our insight in this paper is to use machine learning methods to generate network device classifiers without needing expert effort. However, generating labeled datasets, extracting features, and selecting features without expert effort is non-trivial. We propose IntelliNDI, an intelligent and active network device identification method. IntelliNDI collects network device type information from multiple cyberspace search engines and filter out the network devices with different types on different search engines. We regard the approximately consistent network device types as the ground truth network device types. As for feature extraction, we use the same attributes employed in the well-known Nmap protocol stack detection to avoid the requirements for constructing features. Finally, we select features with basic ML methods. We implement IntelliNDI for several kinds of typical network devices. The trained classifiers in our experiments can achieve 90 percent accuracy.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Feng Liu,Zhitang Li,Qingbin Nie

DOI: https://doi.org/10.1109/ITCS.2009.257

2009-01-01

Abstract:These years, P2P applications have multiplied, evolved and take a big part of Internet traffic workload. Identifying the P2P traffic and understanding their behavior is an important field. Some port, payload and transport layer feature based methods were proposed. P2P traffic identification methods by examining user payload or well-defined port numbers no longer adapt to current P2P applications. In recent years, some scholars do researches on traffic classification by using Machine Learning. However, previous researches are almost on the flow level. In this paper, we develop a new method of P2P traffic identification based on Support Vector Machine by analyzing packet length, remote hosts’ discreteness, connection responded success rate and the ratio of IP and port at the host level without relying on the port numbers and packet payload. Finally, the experiment results indicate that this approach can effectively identify P2P applications.

Haiyang Liu,Linghang Meng,Yuantao Gu

DOI: https://doi.org/10.1109/iceict55736.2022.9909347

2022-01-01

Abstract:In recent years, with the rapid development of Internet communication and satellite communication, and other fields, the number of network protocol types has gradually increased, which contains a large number of private protocols or unknown protocols, which makes the network management and maintenance work increasingly heavy and very difficult. To address this problem, we proposed a classification method of unknown protocols. By preprocessing, feature extraction, and clustering method based on hyperparametric optimization scheme, two classes of classifiers are constructed to classify and identify the unknown protocol data to meet the actual business requirements. The experimental results show that the improved optimization method has a 4.6% increase in the mean probability of obtaining the global optimal solution compared with the traditional optimization method, and the proposed method can effectively identify and classify the protocols.

Tao Qin,Lei Wang,Zhaoli Liu,Xiaohong Guan

DOI: https://doi.org/10.1016/j.knosys.2015.03.002

IF: 8.139

2015-01-01

Knowledge-Based Systems

Abstract:Application identification plays an essential role in network management such as intrusion detection and security monitoring. But the continuous growth of bandwidth and massive amount of packets pose serious challenges for efficacious and accurate application identification. In this paper, we develop a new method to reduce the number of packets being processed while achieving the goal of accurate P2P and VoIP application identification. Firstly, we employ the Bi-flow model to aggregate traffic packets into Bi-flow, which can capture the exchange behavior characteristics between different terminals. Then we employ the signature of Packet Size Distribution (PSD) to capture flow dynamics, which is defined as the payload length distribution probability of the packets in one Bi-flow. Secondly, we collect PSD of several different P2P and VoIP applications and the analysis results show that PSD of different applications are different with each other, which can be used as features to perform traffic identification. We also find the PSD characteristics of one Bi-flow can be captured by its first few packets, which demonstrate our methods can identify the Bi-flow quickly after its establishment. We employ the Renyi cross entropy to perform identification by calculating the similarity between PSD of the Bi-flow being identified and that of specific application. If the similarity is higher than a selected threshold, the Bi-flow being identified is classified to the specific application. Finally, as the PSD is a type of probability feature which is not sensitive to packet lose, we integrate the Poisson sampling method into our framework to process the massive data in backbone networks. Experimental results using the artificial and actual traces collected from monitoring platform in the Northwest Center of CERNET (China Education and Research Network) verify the accuracy and robustness of our method.

Yapeng Ye,Zhuo Zhang,Fei Wang,Xiangyu Zhang,Dongyan Xu

DOI: https://doi.org/10.14722/ndss.2021.24531

2021-01-01

Abstract:Network protocol reverse engineering is an important challenge with many security applications. A popular kind of method leverages network message traces. These methods rely on pair-wise sequence alignment and/or tokenization. They have various limitations such as difficulties of handling a large number of messages and dealing with inherent uncertainty. In this paper, we propose a novel probabilistic method for network trace based protocol reverse engineering. It first makes use of multiple sequence alignment to align all messages and then reduces the problem to identifying the keyword field from the set of aligned fields. The keyword field determines the type of a message. The identification is probabilistic, using random variables to indicate the likelihood of each field (being the true keyword). A joint distribution is constructed among the random variables and the observations of the messages. Probabilistic inference is then performed to determine the most likely keyword field, which allows messages to be properly clustered by their true types and enables the recovery of message format and state machine. Our evaluation on 10 protocols shows that our technique substantially outperforms the state-of-the-art and our case studies show the unique advantages of our technique in IoT protocol reverse engineering and malware analysis.

Weina Niu,Zhongliu Zhuo,Xiaosong Zhang,Xiaojiang Du,Guowu Yang,Mohsen Guizani

DOI: https://doi.org/10.1109/tvt.2019.2894290

IF: 6.8

2019-01-01

IEEE Transactions on Vehicular Technology

Abstract:In recent years, malware with strong concealment uses encrypted protocol to evade detection. Thus, encrypted traffic identification can help security analysts to be more effective in narrowing down those encrypted network traffic. Existing methods are protocol independent, such as statistical-based and machine-learning- based approaches. Statistical-based approaches, however, are confined to payload length and machine-learning-based approaches have a low recognition rate for encrypted traffic using undisclosed protocols. In this paper, we proposed a heuristic statistical testing (HST) approach that combines both statistics and machine learning and has been proved to alleviate their respective deficiencies. We manually selected four randomness tests to extract small payload features for machine learning to improve real-time performances. We also proposed a simple handshake skipping method called HST-R to increase the classification accuracy. We compared our approach with other identification approaches on a testing dataset consisting of traffic that uses two known, two undisclosed, and one custom cryptographic protocols. Experimental results showed that HST-R performs better than other traditional coding-based, entropy-based, and ML-based approaches. We also showed that our handshake skipping method could generalize better for unknown cryptographic protocols. Finally, we also conducted experimental comparisons among different classification algorithms. The results showed that C4.5, with our method, has the highest identification accuracy for secure sockets layer and secure shell traffic.