Semi-supervised clustering integrated protocol identification system

Abstract

The invention discloses a semi-supervised clustering integrated protocol identification method. The method comprises the following steps: various data packets in a network are acquired; received network data is analyzed, and each field of the data packets is extracted and counted; feature code of network data obtained after the network data is analyzed is matched with various feature codes preset in a data base, if the match is successful, the data packets are corresponding protocols; data not successfully matched is subject to cluster analysis, a plurality of base clustering devices are used to cluster the data packets, and the result is fed back, and a priori label value is modified; and a semi-supervised statistical learning is carried out for the result of the clustering of the network data packets and each known protocol, and a discriminant learner is trained. According to the invention, the terminal protocol identification rate is improved, and the amount of calculation is moderate, so that the efficiency is high; one time of dialog generate less flow, inaccurate identification is not easy; and besides, the method integrates a plurality of identification methods, so as to achieve multi-dimension identification. The invention also discloses a corresponding semi-supervised clustering integrated protocol identification system.

Description

technical field [0001] The invention relates to the fields of information communication and artificial intelligence, especially a system and method for identifying network protocols. Background technique [0002] Currently, there are mainly four methods for network protocol identification: port identification, feature identification, association identification, and behavioral feature identification. details as follows: [0003] Port identification: Ports can be divided into two types: TCP protocol port and UDP protocol port. The port-based protocol identification method is exactly the same as the method of identifying common applications. Check the transmission information of the message group. If the port number is consistent with some specific port numbers Matching, you can judge which type of protocol it belongs to. In the protocol specification, the communication port used by the protocol by default, such as port 80 for HTTP protocol, and port 21 for FTP protocol. In t...

AI Technical Summary

Problems solved by technology

[0023] 1. With the widespread adoption of technologies such as port hopping information hiding, the recognition rate of the port identification method is extremely low

[0024] 2. The recognition method based on the application feature word has a large amount of calculation and weak self-adaptive ability

Feature recognition can only be recognized for applications with known data formats, and due to the need for comprehensive inspection and analysis of the internal data of the group, the implementation efficiency is low

[0025] 3. There are too many streams generated in one session, which is easy to be misidentified

[0027] 5. The identification method is also relatively single, lacking the mechanism and idea of ​​fusion and integration

[0028] 6. The identification method is to identify from one dimension, lacking multi-dimensional thinking

Images