Generating regular expression signatures for network traffic classification in trusted network management

Authors:
Yu Wang;Yang Xiang;Wanlei Zhou;Shunzheng Yu
Affiliations:
School of Information Technology, Deakin University, Melbourne, 221 Burwood Highway, Burwood VIC 3125, Australia;School of Information Technology, Deakin University, Melbourne, 221 Burwood Highway, Burwood VIC 3125, Australia;School of Information Technology, Deakin University, Melbourne, 221 Burwood Highway, Burwood VIC 3125, Australia;Department of Electronic and Communication Engineering, Sun Yat-Sen University, Guangzhou, China
Venue:
Journal of Network and Computer Applications
Year:
2012

Citing 24
Cited 1

Color Set Size Problem with Application to String Matching

CPM '92 Proceedings of the Third Annual Symposium on Combinatorial Pattern Matching
Accurate, scalable in-network identification of p2p traffic using application signatures

Proceedings of the 13th international conference on World Wide Web
Fast Regular Expression Matching Using FPGAs

FCCM '01 Proceedings of the the 9th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Polygraph: Automatically Generating Signatures for Polymorphic Worms

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Internet traffic classification using bayesian analysis techniques

SIGMETRICS '05 Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
BLINC: multilevel traffic classification in the dark

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
ACAS: automated construction of application signatures

Proceedings of the 2005 ACM SIGCOMM workshop on Mining network data
Automated Traffic Classification and Application Identification using Machine Learning

LCN '05 Proceedings of the The IEEE Conference on Local Computer Networks 30th Anniversary
Traffic classification on the fly

ACM SIGCOMM Computer Communication Review
Hamsa: Fast Signature Generation for Zero-day PolymorphicWorms with Provable Attack Resilience

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Algorithms to accelerate multiple regular expressions matching for deep packet inspection

Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
Traffic classification using clustering algorithms

Proceedings of the 2006 SIGCOMM workshop on Mining network data
Semi-automated discovery of application session structure

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Unexpected means of protocol inference

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Fast and memory-efficient regular expression matching for deep packet inspection

Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems
Traffic classification through simple statistical fingerprinting

ACM SIGCOMM Computer Communication Review
Identifying and discriminating between web and peer-to-peer traffic in the network core

Proceedings of the 16th international conference on World Wide Web
Autograph: toward automated, distributed worm signature detection

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
An improved DFA for fast regular expression matching

ACM SIGCOMM Computer Communication Review
AutoSig-Automatically Generating Signatures for Applications

CIT '09 Proceedings of the 2009 Ninth IEEE International Conference on Computer and Information Technology - Volume 02
Critical infrastructure protection: Resource efficient sampling to improve detection of less frequent patterns in network traffic

Journal of Network and Computer Applications
An automatic application signature construction system for unknown traffic

Concurrency and Computation: Practice & Experience - Advanced Topics on Scalable Computing
Toward the accurate identification of network applications

PAM'05 Proceedings of the 6th international conference on Passive and Active Network Measurement
Bayesian Neural Networks for Internet Traffic Classification

IEEE Transactions on Neural Networks

Editorial: Special issue on trusted computing and communications

Journal of Network and Computer Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Network traffic classification is a critical foundation for trusted network management and security systems. Matching application signatures in traffic payload is widely considered to be the most reliable classifying method. However, deriving accurate and efficient signatures for various applications is not a trivial task, for which current practice is mostly manual thus error-prone and of low efficiency. In this paper, we tackle the problem of automatic signature generation. In particular, we focus on generating regular expression signatures with a certain subset of standard syntax rules, which are of sufficient expressive power and compatible with most practical systems. We propose a novel approach that takes as input a labeled training data set and produces a set of signatures for matching the application classes presented in the data. The approach involves four procedures: pre-processing to extract application session payload, tokenization to find common substrings and incorporate position constraints, multiple sequence alignment to find common subsequences, and signature construction to transform the results into regular expressions. A real life full payload traffic trace is used to evaluate the proposed system, and signatures for a range of applications are automatically derived. The results indicate that the signatures are of high quality, and exhibit low false negatives and false positives.