Security and Privacy in Communication Networks. 11th International Conference, SecureComm 2015, Dallas, TX, USA, October 26-29, 2015, Revised Selected Papers

Research Article

A Markov Random Field Approach to Automated Protocol Signature Inference

  • @INPROCEEDINGS{10.1007/978-3-319-28865-9_25,
        author={Yongzheng Zhang and Tao Xu and Yipeng Wang and Jianliang Sun and Xiaoyu Zhang},
        title={A Markov Random Field Approach to Automated Protocol Signature Inference},
        proceedings={Security and Privacy in Communication Networks. 11th International Conference, SecureComm 2015, Dallas, TX, USA, October 26-29, 2015, Revised Selected Papers},
        proceedings_a={SECURECOMM},
        year={2016},
        month={2},
        keywords={Protocol signatures; Markov random field; Network security},
        doi={10.1007/978-3-319-28865-9_25}
    }
    
  • Yongzheng Zhang
    Tao Xu
    Yipeng Wang
    Jianliang Sun
    Xiaoyu Zhang
    Year: 2016
    A Markov Random Field Approach to Automated Protocol Signature Inference
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-28865-9_25
Yongzheng Zhang1,*, Tao Xu*, Yipeng Wang1,*, Jianliang Sun*, Xiaoyu Zhang1,*
  • 1: Chinese Academy of Sciences
*Contact email: zhangyongzheng@iie.ac.cn, xutao9083@iie.ac.cn, wangyipeng@iie.ac.cn, sunjianliang@iie.ac.cn, zhangxiaoyu@iie.ac.cn

Abstract

Protocol signature specifications play an important role in networking and security services, such as Quality of Service (QoS), vulnerability discovery, malware detection, and so on. In this paper, we propose ProParser, a network trace based protocol signature inference system that exploits the embedded contextual correlations of n-grams in protocol messages. In ProParser, we first apply a Markov field aspect model to discover the contextual relations and spatial structure among n-grams extracted from protocol traces. Next, we apply a keyword-based clustering algorithm to cluster messages into extremely cohesive groups, and finally use heuristic ranking rules to generate the signature specifications for the corresponding protocol. We evaluate ProParser on real-world network traces including both textual and binary protocols. We also compare ProParser with the state-of-the-art tool, ProWord, and find that our approach performs more accurately and effectively in practice.
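The pipeline shape the abstract describes (n-gram extraction with positional context, keyword selection, keyword-based clustering of messages, heuristic ranking into signatures) as an added Python illustration. This is not ProParser's code and is not taken from the paper: the Markov field aspect model is replaced here by a plain offset-anchored document-frequency threshold, and the sample trace, the function names, and the parameters `n=4` and `min_support=2` are constructed assumptions chosen so that both textual and binary keywords show up.

```python
from collections import Counter, defaultdict

# Constructed sample trace (not a real capture and not the paper's data): two
# HTTP request shapes, two SMTP command shapes, and two binary records that
# share a TLS-record-like 4-byte prefix (the prefix bytes are an assumption).
SAMPLE_TRACE = [
    b"GET /index.html HTTP/1.1\r\n",
    b"GET /img/1.png HTTP/1.1\r\n",
    b"POST /login HTTP/1.1\r\n",
    b"POST /api HTTP/1.1\r\n",
    b"EHLO mail.example\r\n",
    b"EHLO relay.example\r\n",
    b"MAIL FROM:<a@x>\r\n",
    b"MAIL FROM:<b@y>\r\n",
    b"\x16\x03\x01\x00\x05hello",
    b"\x16\x03\x01\x00\x03bye",
]


def positional_ngrams(msg, n):
    """All (offset, n-gram) pairs of one message. The offset is the spatial
    context that lets a recurring n-gram act as a protocol keyword."""
    return {(i, msg[i:i + n]) for i in range(len(msg) - n + 1)}


def select_keywords(trace, n=4, min_support=2):
    """Stand-in for the paper's Markov field aspect model (assumption, much
    simpler): an (offset, n-gram) becomes a keyword when it occurs at that same
    offset in at least min_support messages. Document frequency is used, so a
    token repeated inside a single message is counted once for that message."""
    support = Counter()
    for msg in trace:
        support.update(positional_ngrams(msg, n))
    return {kw: c for kw, c in support.items() if c >= min_support}


def rank_key(item):
    """Heuristic ranking rule: higher support first, then the earlier offset,
    then byte order as a deterministic tie-break."""
    (offset, gram), support = item
    return (-support, offset, gram)


def cluster_by_keyword(trace, keywords, n=4):
    """Keyword-based clustering: every message joins the cluster of its
    best-ranked keyword; messages carrying no keyword land in a None bucket."""
    ranked = sorted(keywords.items(), key=rank_key)
    order = {kw: i for i, (kw, _) in enumerate(ranked)}
    clusters = defaultdict(list)
    for msg in trace:
        present = [kw for kw in positional_ngrams(msg, n) if kw in order]
        best = min(present, key=order.__getitem__) if present else None
        clusters[best].append(msg)
    return dict(clusters)


def infer_signatures(trace, n=4, min_support=2):
    """Return signatures as (offset, n-gram, cluster size), best-ranked first.
    One signature is emitted per keyword cluster."""
    keywords = select_keywords(trace, n, min_support)
    clusters = cluster_by_keyword(trace, keywords, n)
    sigs = []
    for kw, msgs in clusters.items():
        if kw is not None:
            sigs.append((kw[0], kw[1], len(msgs)))
    sigs.sort(key=lambda s: (-s[2], s[0], s[1]))
    return sigs


def classify(msg, signatures):
    """Apply inferred signatures to an unseen message: the first signature whose
    bytes sit at its offset wins; None means no signature matched."""
    for off, gram, _ in signatures:
        if msg[off:off + len(gram)] == gram:
            return gram
    return None


if __name__ == "__main__":
    sigs = infer_signatures(SAMPLE_TRACE)
    for off, gram, size in sigs:
        print(f"offset={off} keyword={gram!r} cluster_size={size}")
    print(classify(b"GET /x HTTP/1.1\r\n", sigs))
```

On this trace every cluster is labelled by an offset-0 keyword (`GET `, `POST`, `EHLO`, `MAIL`, and the binary prefix), and a fresh `GET` request classifies correctly. The limitation is also visible: ` HTTP/1.1` recurs in every HTTP message but at a different offset each time, so a fixed-offset count never promotes it to a keyword. Capturing that kind of contextual correlation between n-grams, rather than only fixed positions, is exactly what the abstract says the Markov field aspect model is for, and it is the part this illustration does not attempt.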