CN104796407A

CN104796407A - Method for extracting unknown protocol features

Info

Publication number: CN104796407A
Application number: CN201510127979.3A
Authority: CN
Inventors: 张凤荔; 周洪川; 张春瑞; 王勇; 张俊娇
Original assignee: University of Electronic Science and Technology of China
Current assignee: University of Electronic Science and Technology of China
Priority date: 2015-03-23
Filing date: 2015-03-23
Publication date: 2015-07-22
Anticipated expiration: 2035-03-23
Also published as: CN104796407B

Abstract

The invention discloses a method for extracting unknown protocol features. The method includes: the data frames of each kind of protocol are divided into two parts, each part is segmented according to bytes, and occurrence times and frequencies of each byte are counted to obtain frequent bytes; the frequent bytes are screened to obtain the frequent bytes corresponding to each kind protocol; splicing the frequent bytes, which occurs continuously, corresponding to each kind protocol to obtain feature long strings, namely frequent strings, and the frequent strings are screened to obtain the feature candidate set of each kind of protocol; the data frames of each kind of protocol are represented into vectors according to the corresponding feature candidate set; a correlative feature selecting CFS algorithm is used to perform feature selection on each feature candidate set, and the selected features are recorded; a KNN algorithm is used to categorize the features, and categorizing accuracy rate and recognition rate are statistically counted. By the method for extracting unknown protocol features, decision makers can effectively recognize unknown protocols.

Description

A kind of extracting method of unknown protocol feature

Technical field

The present invention relates to a kind of extracting method of unknown protocol feature.

Background technology

Along with the development of network is increasingly sophisticated, ensure that the safety of information network has become the core content of national information strategy; Under specific network environment, the threat being undertaken stealing secret information by any special measures is increasingly severe, this type of approach of stealing secret information normally sends classified information by the mode of radio communication, and the agreement that this communication adopts is unconventional special unknown protocol, and the existing precautionary measures are basic only for known protocol, most employing, cannot to such the steal secret information monitoring of channel type and detection based on methods such as port mapping or static nature couplings.

In order to ensure network safe operation and to attacking and the early warning of dangerous act, policymaker in the urgent need to accurately finding the feature of agreement to be identified under current structure complex network environment, therefore we need the extracting method finding a kind of feasible protocol characteristic, and aid decision making person identifies unknown protocol efficiently.

Summary of the invention

The object of the invention is to overcome the deficiencies in the prior art, provide a kind of extracting method of unknown protocol feature, aid decision making person identifies unknown protocol efficiently.

The object of the invention is to be achieved through the following technical solutions: a kind of extracting method of unknown protocol feature, it comprises the following steps:

S1. the Frame of each agreement of data centralization is divided into two parts at random, by byte, cutting is carried out to every part, and add up number of times and the frequency of the appearance of each byte respectively, obtain frequent byte;

S2. use Jaccard parameter to screen frequent byte, select the frequent byte that each agreement is corresponding;

S3. the frequent byte of continuous appearance corresponding for a kind of agreement is spliced, obtain the long string of feature i.e. frequent string, and filter out byte and occur that quantity is greater than the long string of feature of frame total byte quantity 50%, obtain two feature Candidate Sets of this agreement, get it to occur simultaneously as the feature Candidate Set of this agreement, frequent byte corresponding to each agreement respectively carries out the feature Candidate Set that above-mentioned process obtains each agreement;

S4. according to the feature Candidate Set obtaining each agreement, the Frame of this agreement is characterized by vector, makes each frame data become the vectorial of feature Candidate Set;

S5. use correlative character to select CFS algorithm to carry out feature selecting to the feature Candidate Set of each obtained agreement, and the feature poised out is carried out record;

S6. KNN algorithm is utilized to classify, the accuracy rate of statistical classification and discrimination, as the evaluation index of feature selecting result.

Described step S2 comprises following sub-step:

S21. the threshold value by changing a kind of agreement calculates different Jaccard values;

S22. when Jaccard value first time peaks, the threshold value of this agreement corresponding to record;

S23. corresponding according to this agreement Threshold selection goes out frequent byte corresponding to this agreement;

S24. respectively aforesaid operations is carried out to each agreement and obtain frequent byte corresponding to each agreement.

Described step S3 comprises following sub-step:

S31. to each frame data in a kind of agreement, if the frequent byte screened occurs continuously, just they are stitched together as the long string of feature and pick out;

S32. filter out wherein byte and occur that quantity is greater than the long string of feature of frame total byte quantity 50%, obtain two feature Candidate Sets of this agreement;

S33. the feature Candidate Set of common factor as this agreement of two feature Candidate Sets is got;

S34. corresponding to each agreement respectively frequent byte carries out above-mentioned process, obtains the feature Candidate Set of each agreement.

Described Jaccard parameter is defined as:

J (A, B) = \frac{Σ_{i = 1}^{n} {T 1}_{i} * {T 2}_{i}}{Σ_{i = 1}^{n} {T 1}_{i}^{2} + Σ_{i = 1}^{n} {T 2}_{i}^{2} - Σ_{i = 1}^{n} {T 1}_{i} * {T 2}_{i}}

In formula, T1 _iand T2 _irepresent i-th feature in A and B respectively.

Described correlative character selects CFS algorithm, and formula is as follows:

{Merit}_{s} (k) = \frac{k {\overset{&OverBar;}{r}}_{cf}}{\sqrt{k + k (k - 1) {\overset{&OverBar;}{r}}_{ff}}}

Wherein Merit _sk (), represents an evaluation comprising the character subset S of k feature, larger then selected character subset S is more excellent for its value;

the mean value of the coefficient correlation between each feature and classification c;

the mean value of the coefficient correlation between feature and feature.

Will with bring formula into it to be converted to further:

{Merit}_{s} (k) = \frac{r_{c f_{2}} + r_{c f_{2}} + \cdot \cdot \cdot + r_{{cf}_{k}}}{\sqrt{k + 2 (r_{f_{1} f_{2}} + \cdot \cdot \cdot + r_{f_{i} f_{i}} \cdot \cdot \cdot + r_{f_{k} f_{1}})}}

The effect that CFS algorithm is classified for each by each feature of assessment, thus draw final character subset.

The invention has the beneficial effects as follows: (1) is by the extraction of frequent byte, the splicing of frequent long string, classification after frame data to the conversion and feature selecting of vector, the feature of identification data frame can be obtained, and the feature obtained not only greatly reduces the quantity of feature after feature selecting, and the few of decline of the classification accuracy of protocol frame; (2) by the extraction of protocol characteristic, can aid decision making person efficiently unknown protocol be identified.

Accompanying drawing explanation

Fig. 1 is flow chart of the present invention.

Embodiment

Below in conjunction with accompanying drawing, technical scheme of the present invention is described in further detail, but protection scope of the present invention is not limited to the following stated.

As shown in Figure 1, a kind of extracting method of unknown protocol feature, it comprises the following steps:

S6. KNN algorithm is utilized to classify, the accuracy rate of statistical classification and discrimination, as the evaluation index of feature selecting result.Described step S2 comprises following sub-step:

Described step S3 comprises following sub-step:

S34. corresponding to each agreement respectively frequent byte carries out above-mentioned process, obtains the feature Candidate Set of each agreement.Described Jaccard parameter is defined as:

J (A, B) = \frac{Σ_{i = 1}^{n} {T 1}_{i} * {T 2}_{i}}{Σ_{i = 1}^{n} {T 1}_{i}^{2} + Σ_{i = 1}^{n} {T 2}_{i}^{2} - Σ_{i = 1}^{n} {T 1}_{i} * {T 2}_{i}}

In formula, T1 _iand T2 _irepresent i-th feature in A and B respectively.

{Merit}_{s} (k) = \frac{k {\overset{&OverBar;}{r}}_{cf}}{\sqrt{k + k (k - 1) {\overset{&OverBar;}{r}}_{ff}}}

the mean value of the coefficient correlation between feature and feature.

Will with bring formula into it to be converted to further:

{Merit}_{s} (k) = \frac{r_{c f_{1}} + r_{c f_{2}} + \cdot \cdot \cdot + r_{{cf}_{k}}}{\sqrt{k + 2 (r_{f_{1} f_{2}} + \cdot \cdot \cdot + r_{f_{i} f_{i}} \cdot \cdot \cdot + r_{f_{k} f_{1}})}}

Claims

1. an extracting method for unknown protocol feature, is characterized in that: it comprises the following steps:

S6. KNN algorithm is utilized to classify.

2. the extracting method of a kind of unknown protocol feature according to claim 1, is characterized in that: described step S2 comprises following sub-step:

3. the extracting method of a kind of unknown protocol feature according to claim 1, is characterized in that: described step S3 comprises following sub-step:

4. the extracting method of a kind of unknown protocol feature according to claim 2, is characterized in that: described Jaccard parameter is defined as:

J (A, B) = \frac{Σ_{i = 1}^{n} {T 1}_{i} * {T 2}_{i}}{Σ_{i = 1}^{n} {T 1}_{i}^{2} + Σ_{i = 1}^{n} {T 2}_{i}^{2} - Σ_{i = 1}^{n} {T 1}_{i} * {T 2}_{i}}

In formula, T1 _iand T2 _irepresent i-th feature in A and B respectively.