Abstract

Network protocol identification, or traffic classification, plays a key role in the field of network monitoring, management, and optimization. Deep Packet Inspection (DPI) is the most popular and effective technique for protocol identification. However, the accuracy of DPI often depends on the selection of protocol features, which is a complex task. To cope with the ever-increasing number of network protocols and to identify their traffic, we propose a basic model of protocol traces and, based on that model, GramMatch, an automatic protocol feature extraction and identification system. GramMatch first aligns the packets in protocol flows by similarity while preserving their order. It then uses the statistical features of n-grams to segment keywords and takes the correlated characteristics of those keywords as the protocol features. Finally, it performs protocol identification based on the extracted features. We test GramMatch on eleven commonly used protocols and compare it with other algorithms and DPI programs. Our results demonstrate that GramMatch is an effective, broadly applicable, and better protocol feature extraction and identification system, which can identify the network traces of a protocol with a weighted precision of up to 99.81% and a weighted recall of up to 98.21%.
