2013-06-132013-08-19。9732011CB311801114200510001。1989-、1963-、1981-1980-。1001-9081201312-3486-04doi10.11772/j.issn.1001-9081.2013.12.3486*,,,(,450004)(*eileen0908@qq.com)。。。TP393AProtocolstatemachinereversemethodbasedonlabelingstateHUANGXiaoyan*,CHENXingyuan,ZHUNing,TANGHuilin(InformationEngineeringUniversity,ZhengzhouHenan450004,China)Abstract:Protocolstatemachinecandescribethebehaviorofaprotocol,whichcanhelptounderstandthebehaviorlogicofprotocol.Orientedtowardstextprotocols,astatisticalmethodwasfirstlyusedtoextractthesemantickeywordofrepresentativemessagetype,andanadjacencymatrixwasusedtodescribethesequentialrelationshipbetweenthemessagetypes,basedonwhichtheprotocolstateswerelabeledandastatetransitiondiagramwasbuilt.Theexperimentalresultsshowthatthemethodcanaccuratelydescribethesequentialrelationshipbetweenthemessagetypesandabstractstatemachinemodelaccurately.Keywords:protocolreverse;protocolsemantic;protocolsession;protocolstatemachine;adjacencymatrix0。12、3。MicroSoftSMBServerMessageBlock4、OracleTNS5、IPTV6。。7、8。。。19。。。。。2007Shevertalov10PEXT。PEXTIDID。2009Trifilo11JournalofComputerApplications,2013,33(12):3486-3489,3498ISSN1001-9081CODENJYIIDU2013-12-01.joca.cn。2011Wang12ProbabilisticProtocolStateMachinePPSM。PPSMPartitioningAroundMedoidsPAM。2009Comparetti13Prospex。AugmentedPrefixTreeAcceptorAPTAAPTAExbarAPTA。Trifilo11Wang12。。。。1。122.11。。ASCII3tokenIP、、URL14tokentoken。。。2.1.1。token。SM|S||M|。t|Mt|tt|St|tt。1δttδt=|Mt|/|M|0<δt<101。δt≥1δt≈0δt≥1|Mt|≥|M|tδt≈0|Mt||M|ttoken。2φttφt=|Mt|/|St|φt1。φt=1t。2.1.22.1.1。2pos_permanenttt。PFmttmPFmt=Nmt/|Mt|。Nmtttokenmpos_permanentt=maxPFmt。3pos_permanentt=maxPFmt≥tmm。2.1.1。2.23。。。。784312。。2.2.1。nn×nVvij11aiaj20aiaj。。2.2.24ABAB。5ABBCABC。。4vij0vji0aiajaiaj。aiaj〈aiaj〉ajai。2.2.36。。1。K=GAIGAIG×AGA。g∈Ga∈Aga∈Iga。2。VrrVVr=vrij。vrijaiajr。3。nec_loada1amSr//a1am//Sra1amStrassenVrifvr1m=0r++nec_loada1amSrelseload=shortest_loada1amr//a1amM=g∈G|ga∈Ia∈load//MifM=S//returnnec_loadelseS=S-Mr++nec_loada1amSrshortest_loada1ayr//a1ayH=ai|vr-11i*viy≠0//aia1ayForeachhinHAddhtoloadn//addhtoa1ayr--ifr>1shortest_loada1ayhrelsereturnload//vn1i*vim=0n<r-14。a11am。。S=UUr=1nec_loada1amSr//a1am2.2.4atagat→agTatag。T。7abab。8ABa∈Ab∈Bab。9ABBCA、B、C。。5Vvij0vji0aiaj。a、b、c、da→ca→bb→dc→da→bc→d。2.32.2。2.2.32.2.4。3WindowsXPPython2.7SMTPFTP。WindowsXPWebMailSMTPServ-UFTP。。8843333.1150SMTP432SMTP2100FTP2500FTP。1SMTP1EHLO6RESET2HELO7EMPTYCONTENT3MAILFROM8CONTENT4RCPTTO9QUIT5DATA2FTP1USER8PORT2PASS9LIST3QUIT10XMKD4CMD11TYPE5CDUP12STOR6RNFR13RETR7RNTO14DELE3.2———。3.2.1。NITPIRecallFSM=TP/N。。SMTP855FTP642。2SMTP。SMTP30094.1%SMTP803FTP52SSL。3SMTP200SMTPHELOEHLO3。2SMTP4FTP。FTP200091.7%FTP589FTP531241SSL。5FTP1500FTP。3SMTP4FTP5FTP3.2.2MCPPrecisionFSM=CP/M。0.1。SMTP786SMTP78。FTP489FTP64。SMTPSMTP708FTPFTP473。FTPFTP100%。4。。。。34989843123Code-RedII。6antMSA。antMSA。。[1]KIMH-A,KARPB.Autograph:towardautomated,distributedwormsignaturedetection[C]//SSYM'04:Proceedingsofthe13thConferenceonUSENIXSecuritySymposium.Berkeley:USENIXAssociation,2004,13:271-286.[2]NEWSOMEJ,SONGD.Dynamictaintanalysisforautomaticdetec-tion,analysis,andsignaturegenerationofexploitsoncommoditysoftware[C]//NDSS2005:Proceedingsofthe12thAnnualNet-workandDistributedSystemSecuritySymposium.SanDiego:Bib-Sonomy,2005:1-38.[3]NEWSOMEJ,KARPB,SONGD.Polygraph:automaticallygener-atingsignaturesforpolymorphicworms[C]//SP'05:Proceedingsofthe2005IEEESymposiumonSecurityandPrivacy.Washington,DC:IEEEComputerSociety,2005:226-241.[4],,,.[J].,2006,29(9):1533-1541.[5]TANGY,XIAOB,LUXC.Usingabioinformaticsapproachtogenerateaccurateexploit-basedsignaturesforpolymorphicworms[J].Computers&Security,2009,28(8):827-842.[6]TANGY,CHENS.DefendingagainstInternetworms:asignature-basedapproach[C]//ProceedingsoftheINFOCOM2005.Piscat-away:IEEE,2005:1384-1394.[7]CRANDALLJR,WUSF,CHONGFT.Experiencesusingminosasatoolforcapturingandanalyzingnovelwormsforunknownvul-nerabilities[C]//DIMVA'05:ProceedingsoftheSecondInterna-tionalConferenceonDetectionofIntrusionsandMalware,andVul-nerabilityAssessment,LNCS3548.Berlin:Springer-Verlag,2005:32-50.[8]NEEDLEMANSB,WUNSCHCD.Ageneralmethodapplicabletothesearchforsimilaritiesintheaminoacidsequenceoftwoproteins[J].JournalofMolecularBiology,1970,48(3):443-453.[9]DORIGOM,MANIEZZOV,COLOMIA.AntsystemoptimizationbyacolonyofcoorperatingAgents[J].IEEETransactionsonSys-tems,ManandCybernetics,PartB:Cybernetics,1996,26(1):29-41.[10],.[J].,2005,22(1):100-106.[11],,.[J].,2008,23(2):225-228.[12],,.[J].,2010,30(12):3349-3353.[13]OLUSOLAAA,OLADELEAS,ABOSEDEDO.AnalysisofKDD'99intrusiondetectiondatasetforselectionofrelev-vancefea-tures[C]//WCECS2010:ProceedingsoftheWorldCongressonEngineeringandComputerScience.SanFrancisco:[s.n.],2010.[14]UCIknowledgediscoveryindatabasesarchive[EB/OL].[2013-03-20]..ics.uci.edu/databases/kddcup99/kddcup.data.gz.3489[1]KRUEGERT,KRMERN,RIECKK.ASAP:automaticseman-tics-awareanalysisofnetworkpayloads[C]//Proceedingsofthe2011InternationalECML/PKDDConferenceonPrivacyandSecurityIssuesinDataMiningandMachineLearning,LNCS6549.Berlin:Springer-Verlag,