Generating regular expression signatures for network traffic classification in trusted network management
Affiliation:1. School of Information Technology, Deakin University, Melbourne, 221 Burwood Highway, Burwood VIC 3125, Australia;2. Department of Electronic and Communication Engineering, Sun Yat-Sen University, Guangzhou, China;1. Universidade Federal de Pernambuco (UFPE), Recife, Brazil;2. Ericsson Research, Traffic Lab, Budapest, Hungary;1. School of Computer Science and Information Technology, RMIT University, Melbourne, Victoria, Australia;2. Department of Computer Science, Al-Baha University, Al-Baha City, Saudi Arabia;3. Faculty of Computing and IT King Abdulaziz University, Jeddah, Saudi Arabia;4. Deakin University, School of Information Technology, Melbourne, Australia;5. New South Wales University, School of Engineering and IT, Canberra, Australia;1. Section for Networking and Security, Department of Electronic Systems, Aalborg University, DK-9220 Aalborg East, Denmark;2. Broadband Communications Research Group, Department of Computer Architecture, Universitat Politécnica de Catalunya, ES-08034 Barcelona, Spain
Abstract: Network traffic classification is a critical foundation for trusted network management and security systems. Matching application signatures in traffic payload is widely considered to be the most reliable classification method. However, deriving accurate and efficient signatures for various applications is not a trivial task; current practice is mostly manual, and thus error-prone and inefficient. In this paper, we tackle the problem of automatic signature generation. In particular, we focus on generating regular expression signatures with a certain subset of standard syntax rules, which are of sufficient expressive power and compatible with most practical systems. We propose a novel approach that takes as input a labeled training data set and produces a set of signatures for matching the application classes present in the data. The approach involves four procedures: pre-processing to extract application session payload, tokenization to find common substrings and incorporate position constraints, multiple sequence alignment to find common subsequences, and signature construction to transform the results into regular expressions. A real-life full-payload traffic trace is used to evaluate the proposed system, and signatures for a range of applications are automatically derived. The results indicate that the signatures are of high quality, and exhibit low false negatives and false positives.
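The pipeline named in the abstract (tokenization, ordering of common tokens, regular expression construction) can be sketched as follows. This is an added, simplified example and not the paper's algorithm: a greedy in-order filter stands in for multiple sequence alignment, and all function names and training payloads are constructed for illustration.

```python
import re

def common_tokens(payloads, min_len=4):
    """Greedy longest substrings of payloads[0] that occur in every payload."""
    ref, tokens, i = payloads[0], [], 0
    while i < len(ref):
        for j in range(len(ref), i + min_len - 1, -1):
            if all(ref[i:j] in p for p in payloads):
                tokens.append(ref[i:j])
                i = j
                break
        else:
            i += 1  # no common token of min_len starts here
    return tokens

def build_signature(payloads, min_len=4):
    """Keep tokens that occur in the same order everywhere; join with '.*'."""
    cursors, parts, anchored = [0] * len(payloads), [], False
    for tok in common_tokens(payloads, min_len):
        hits = [p.find(tok, c) for p, c in zip(payloads, cursors)]
        if min(hits) < 0:
            continue  # token is out of order in some session: drop it
        if not parts:  # position constraint: first token at offset 0 everywhere
            anchored = all(h == 0 for h in hits)
        parts.append(re.escape(tok))
        cursors = [h + len(tok) for h in hits]
    if not parts:
        return None
    return re.compile((b"^" if anchored else b"") + b".*".join(parts), re.DOTALL)

def classify(payload, signatures):
    """Return the first application label whose signature matches."""
    for label, sig in signatures.items():
        if sig is not None and sig.search(payload):
            return label
    return "unknown"

# Constructed training sessions (first payload bytes of each flow), by label.
TRAINING = {
    "http": [b"GET /index.html HTTP/1.1\r\nHost: a.example\r\n\r\n",
             b"GET /img/logo.png HTTP/1.1\r\nHost: cdn.test\r\n\r\n",
             b"GET /api/v1/items?id=7 HTTP/1.1\r\nHost: api.invalid\r\n\r\n"],
    "smtp": [b"220 mail.a.example ESMTP Postfix\r\n",
             b"220 mx1.test ESMTP Exim 4.96\r\n",
             b"220 smtp.invalid ESMTP ready\r\n"],
}
SIGNATURES = {label: build_signature(flows) for label, flows in TRAINING.items()}

if __name__ == "__main__":
    for label, sig in SIGNATURES.items():
        print(label, sig.pattern)
```

Because the HTTP training set contains only GET requests, the derived signature rejects a POST request: signature coverage is bounded by the diversity of the labeled training data.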
This article is indexed in ScienceDirect and other databases.