Research Article
A Markov Random Field Approach to Automated Protocol Signature Inference
@INPROCEEDINGS{10.1007/978-3-319-28865-9_25,
  author={Yongzheng Zhang and Tao Xu and Yipeng Wang and Jianliang Sun and Xiaoyu Zhang},
  title={A Markov Random Field Approach to Automated Protocol Signature Inference},
  proceedings={Security and Privacy in Communication Networks. 11th International Conference, SecureComm 2015, Dallas, TX, USA, October 26-29, 2015, Revised Selected Papers},
  proceedings_a={SECURECOMM},
  year={2016},
  month={2},
  keywords={Protocol signatures Markov random field Network security},
  doi={10.1007/978-3-319-28865-9_25}
}
- Yongzheng Zhang
- Tao Xu
- Yipeng Wang
- Jianliang Sun
- Xiaoyu Zhang
Year: 2016
SECURECOMM
Springer
DOI: 10.1007/978-3-319-28865-9_25
Abstract
Protocol signature specifications play an important role in networking and security services, such as Quality of Service (QoS), vulnerability discovery, malware detection, and so on. In this paper, we propose ProParser, a network trace based protocol signature inference system that exploits the embedded contextual correlations of n-grams in protocol messages. In ProParser, we first apply a Markov field aspect model to discover the contextual relations and spatial structure among n-grams extracted from protocol traces. Next, we perform a keyword-based clustering algorithm to cluster messages into extremely cohesive groups, and finally use heuristic ranking rules to generate the signature specifications for the corresponding protocol. We evaluate ProParser on real-world network traces including both textual and binary protocols. We also compare ProParser with the state-of-the-art tool, ProWord, and find that our approach performs more accurately and effectively in practice.