A message keyword extraction approach by accurate identification of field boundaries

Abstract

With the recent exponential increase in internet speeds, the traditional network environment is evolving into a high-capacity network environment. Network traffic usage is also increasing exponentially, as are new malicious behaviors and related applications. Most of these applications and malicious behaviors use unknown protocols for which the structure is inaccessible; hence, protocol reverse engineering is receiving increasing attention in the field of network management. Various approaches have been proposed, but they still suffer from misidentification of field boundaries. To understand message structures properly, it is important to identify accurately the boundaries of the fields constituting the protocol message; accurate keyword extraction based on this approach leads to the correct inference of message types, semantics, and state machine. In this study, we propose a message keyword extraction method using accurate identification of field boundaries from delimiter inference and statistical analysis. Through the identification of field boundaries, messages can be subdivided into fields. We evaluate the efficacy of the proposed method by applying it to several textual and binary protocols. The proposed method showed better results than did other previous studies for both textual and binary protocols.