文法推断网络协议状态机*

针对现有正则的正负推断(regular positive and negative inference,RPNI)算法的局限性,提出一种通过标记前缀树接受器中的状态,以差异化的状态标记方法防止状态的过度融合改进的算法——改进的RPNI算法(improved RPNI,IRPNI)。该算法从网络数据流量中导出协议规范,并将该规范表示为确定性有限自动机(definite finite automata,DFA)模型;根据网路协议特性,把启发式的差异化的状态标记算法嵌入该算法中,使得状态融合结果体现网络协议的结构特征。实验证明IRPNI算法更有助于推断出更一般化的网络协议状态机。

Protocol State Machine Derived Reversely Using Grammatical Inference

To deeply understand procedures of various network applications, and to automatically classify, recognize, trace and control them, protocol state machine that represent the application sessions have to be obtained in advance. A novel approach is presented to reversely infer protocol state machine from collected application layer data. The proposals presented consist in the modification of RPNI algorithm by means of introducing heuristics about network feature that label merging states from the prefix tree acceptor to prevent state from merging excessively. Preliminary experiments done seem to show that the improvement over the original RPNI algorithm is more helpful for deriving the more general network protocol automaton.