融合自动化逆向和聚类分析的协议识别方法

网络流分类与协议识别是网络管理的前提和必要条件,但是越来越多加密协议的出现,使得传统的流分类方法失效。针对加密协议的协议识别问题,提出了一种融合自动化逆向分析技术和网络消息聚类分析技术的新型分类方法(automatic reverse and message analysis,ARCA)。该方法通过自动化逆向分析技术获得网络协议的结构特征;再利用网络消息聚类分析技术,获得网络协议的交互过程;最后将网络协议的结构特征与交互过程用于加密协议流量的识别和分类检测。该方法不依赖于网络包的内容检测,能够解决协议加密带来的识别问题。通过对多个加密协议(如迅雷、BT、QQ和GTalk等)真实流量的实验,其准确率和召回率分别高于96.9%和93.1%,而且只需要检测流量中0.9%的字节内容即可。因此,ARCA方法能够对各类加密协议流量进行有效和快速的识别。

ARCA: Traffic Classification Method Based on Automatic Reverse and Cluster Analysis

Traffic classification and protocol identification are the premise and the essential condition to effective network management. However, more and more encrypted protocols make traditional traffic classification methods less effective. To address the issue, this paper proposes an automatic reverse and message analysis (ARCA) method to identify encryption protocols. Different from traditional classification approaches, the proposed method exploits the protocol structure by automatically and reversely analyzing the target protocol, obtains the protocol interactive process by clustering messages, then identifies the protocol using the protocol structure and interactive process together. This method does not need to check payload, so it can classify the encrypted protocols. The paper evaluates the efficacy and accuracy of ARCA with real world traffic, such as encryption protocols Thunder, BitTorrent, QQ and GTalk. The experimental results show that the accuracy rates and the recall rates are over 96.9% and 93.1% respectively and only need check 0.9% of traffic. Therefore the proposed method has a great potential to accurately and quickly identify encryption protocols.