基于递归聚类的报文结构提取方法

Recursive Clustering Based Method for Message Structure Extraction

作者：潘璠(解放军理工大学指挥自动化学院)；洪征(解放军理工大学指挥自动化学院)；杜有翔(解放军理工大学指挥自动化学院)；吴礼发(解放军理工大学指挥自动化学院)

Author：Pan Fan(Inst. of Command Automation,PLA Univ. of Sci. and Technol.)；Hong Zheng(Inst. of Command Automation,PLA Univ. of Sci. and Technol.)；Du Youxiang(Inst. of Command Automation,PLA Univ. of Sci. and Technol.)；Wu Lifa(Inst. of Command Automation,PLA Univ. of Sci. and Technol.)

收稿日期：2012-04-09 年卷（期）页码：2012,44(6):137-142

期刊名称：工程科学与技术

Journal Name：Advanced Engineering Sciences

关键字：协议逆向分析；报文结构提取；多序列比对；递归聚类

Key words：protocol reverse analysis;message structure extraction;multi-sequence alignment;recursive clustering

基金项目：国家自然科学基金资助项目(60773170)；江苏省自然科学基金资助项目(BK2011115)；军用网络技术实验室创新开放基金资助项目

中文摘要

针对应用层协议报文序列长、结构复杂的特点，提出了一种基于递归聚类的报文结构提取方法。方法首先在基本块级通过渐近多序列比对算法对样本集进行递归聚类，在分离不同格式报文的同时，降低了序列比对规模；在报文对齐的基础上，依据对齐字节的取值变化率识别字段边界；提出递归回溯的协议结构分析策略，通过识别格式标识字段实现字段间层次关系的提取。对多种公开协议的分析测试表明，该方法能够得到BNF形式的报文格式，并在提高字段识别准确度的同时减少了时间开销，具有较高的应用价值。

英文摘要

Messages of complex protocols usually have long byte sequences and many structure types, which pose serious challenges to protocol reverse analysis. A recursive clustering based method for message structure extraction was proposed. Firstly, the method recursively clustered the messages through progressive multiple sequence alignment in blocks, which separated messages of different structures with smaller scale of sequence alignment. Then, it identified field boundaries according to the rates of change of aligned bytes. Moreover, a new backtracking policy for hierarchical message structure extraction was applied to extract message structures by identifying format distinguisher fields. Experiments on several public protocols showed that the proposed method can derive message formats in BNF form and improve the accuracy of field identification with less time overhead.

【关闭】

论文摘要

基于递归聚类的报文结构提取方法

Recursive Clustering Based Method for Message Structure Extraction