Unknown network protocol classification method based on semi-supervised learning

Lin, Rong; Ou, Li; Li, Qing; Liu, Yan

doi:10.1109/compcomm.2015.7387586

Cited by 16 publications

(12 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For instance, since the field keyword "GET" has high frequency in HTTP sessions, it is considered as a field keyword. This is an Apriori property implementation (Agrawal and Srikant, 1994 [29] 2005 I Dialogs/scripts RolePlayer [30] 2006 I Dialogs/scripts Ma et al [31] 2006 I App-identification Boosting [32] 2008 I Field(s) Dispatcher [6] 2009 I C&C malware ASAP [33] 2011 I Semantics Dispatcher2 [34] 2013 I C&C malware ProVeX [35] 2013 I Signatures PIP [36] 2014 I Keywords/ fields FieldHunter [37] 2015 I Fields RS Cluster [38] 2015 I Grouped-messages UPCSS [39] 2015 I Proto-classification PowerShell [40] 2017 I Dialogs/scripts ProPrint [41] 2017 I Fingerprints ProHacker [42] 2017 I Keywords network traces based inputs and 1 approach utilizes both network trace and execution trace based inputs whereas 1 approach utilizes execution traces based input.…”

Section: Both Protocols Formats and Pfsmmentioning

confidence: 99%

“…The technique is suitable for clustering network traffic and group protocol messages according to their types and can analyze multidimension of uncertain information in multiple categorical attributes based on Rough Sets theory [51]. UPCSS (Unknown network Protocol Classification method based on Semi-Supervised learning) [39] is a semisupervised learning method, proposed to identify applications from unknown protocols by labeling small training sample set. Based on Erman's semisupervised approach, UPCSS is designed to detect unknown samples generated by unknown protocols with the help of flow correlation information and semisupervised clustering techniques.…”

Section: Neither Protocols Formats Nor Pfsmsmentioning

confidence: 99%

“…Analyzed/reverse engineered protocols Related approach, method, or tool 7-application HTTP, HTTPS, DNS, SIP, FTP, TFTP, IMAP, SSH, IRC, XMPP, SMTP, BitTorrent, MIME, SNMP, MSNP, POP3, DHCP, SMB, CIFS, Samba, XunLei, BitSpirit, QQLive, eMule, ICQ, SopCast, PPLIVE, PPTV, KAD, ISAKMP, SSDP, WeChat, Kugoo [3-11, 13, 14, 16-22, 24-26, 28-30, 32-37, 39, 41, 42] 6-presentation SMB, WMF, BMP, JPG, PNG, TIF, MIME, SSL [8-11, 29, 39] 5-session RPC, NetBIOS, NFS, SSL [8,14,29,30,39,40] 4-transport TCP, UDP, SrvLoc [17,23,31,38] 3-network ICMP, OSPF, RIP [7,12,40] 2-data link ARP, STP [12,15,17,23] 1-physical none [15] analyzed or reverse engineered by 33 out of 39 approaches, methods, and tools presented in this paper. HTTP protocol appears in 21 approaches as the most analyzed protocol.…”

Section: Osi-layermentioning

confidence: 99%

See 2 more Smart Citations

A Survey of Automatic Protocol Reverse Engineering Approaches, Methods, and Tools on the Inputs and Outputs View

Sija

Goo

Shim

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

A network protocol defines rules that control communications between two or more machines on the Internet, whereas Automatic Protocol Reverse Engineering (APRE) defines the way of extracting the structure of a network protocol without accessing its specifications. Enough knowledge on undocumented protocols is essential for security purposes, network policy implementation, and management of network resources. This paper reviews and analyzes a total of 39 approaches, methods, and tools towards Protocol Reverse Engineering (PRE) and classifies them into four divisions, approaches that reverse engineer protocol finite state machines, protocol formats, and both protocol finite state machines and protocol formats to approaches that focus directly on neither reverse engineering protocol formats nor protocol finite state machines. The efficiency of all approaches’ outputs based on their selected inputs is analyzed in general along with appropriate reverse engineering inputs format. Additionally, we present discussion and extended classification in terms of automated to manual approaches, known and novel categories of reverse engineered protocols, and a literature of reverse engineered protocols in relation to the seven layers’ OSI (Open Systems Interconnection) model.

show abstract

Section: Both Protocols Formats and Pfsmmentioning

confidence: 99%

Section: Neither Protocols Formats Nor Pfsmsmentioning

confidence: 99%

Section: Osi-layermentioning

confidence: 99%

See 1 more Smart Citation

A Survey of Automatic Protocol Reverse Engineering Approaches, Methods, and Tools on the Inputs and Outputs View

Sija

Goo

Shim

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…In addition to static supervised and unsupervised algorithms, a growing number of studies have also utilized semi-supervised learning algorithms employing both labelled and unlabelled data [28]. Studies such as [29,30] proposed semi-supervised algorithms which combine two or more ML algorithms to detect new applications. Zhang in [29] studied the problem of zero-day applications using machine learning algorithms.…”

Section: Semi-supervised Learning Techniquesmentioning

confidence: 99%

“…The experimental results showed that the system outperformed other methods (semi-supervised clustering, one-class SVM, random forest and correlation-based classification). Similarly, Lin in [30] studied the problem of unknown protocols in traffic when the traditional methods misclassified the unknown samples which led to reduction in classification accuracy. The authors used three realtime databases (WIDE-10, WIDE-12, and CND) that were collected within different time period.…”

Section: Semi-supervised Learning Techniquesmentioning

confidence: 99%

A Novel Feature Set for Application Identification

Oudah¹,

Ghita²,

Bakhshi³

2018

IJISR

View full text Add to dashboard Cite

Classifying Internet traffic into applications is vital to many areas, from quality of service (QoS) provisioning, to network management and security. The task is challenging as network applications are rather dynamic in nature, tend to use a web front-end and are typically encrypted, rendering traditional port-based and deep packet inspection (DPI) method unusable. Recent classification studies proposed two alternatives: using the statistical properties of traffic or inferring the behavioural patterns of network applications, both aiming to describe the activity within and among network flows in order to understand application usage and behaviour. The aim of this paper is to propose and investigate a novel feature to define application behaviour as seen through the generated network traffic by considering the timing and pattern of user events during application sessions, leading to an extended traffic feature set based on burstiness. The selected features were further used to train and test a supervised C5.0 machine learning classifier and led to a better characterization of network applications, with a traffic classification accuracy ranging between 90-98%.

show abstract

Decision and Recommendation System Services for Patients Using Artificial Intelligence

Tandon,

Dangey,

Mishra

et al. 2023

Privacy Preservation of Genomic and Medical Data

View full text Add to dashboard Cite

Unknown network protocol classification method based on semi-supervised learning

Cited by 16 publications

References 19 publications

A Survey of Automatic Protocol Reverse Engineering Approaches, Methods, and Tools on the Inputs and Outputs View

A Survey of Automatic Protocol Reverse Engineering Approaches, Methods, and Tools on the Inputs and Outputs View

A Novel Feature Set for Application Identification

Decision and Recommendation System Services for Patients Using Artificial Intelligence

Contact Info

Product

Resources

About