Exploring Unsupervised Learning Methods for Automated Protocol Analysis

TL;DR

This paper evaluates various unsupervised learning methods for automated protocol analysis, introduces a novel feature extraction approach, and demonstrates its robustness and superior performance across diverse datasets.

Contribution

It proposes a comprehensive framework for evaluating and optimizing unsupervised clustering methods in automated protocol analysis, including a new hybrid approach that outperforms existing techniques.

Findings

The hybrid approach outperformed in 7 of 9 datasets.

It outperformed NETZOB in all datasets.

The automated parameter selection improved performance.

Abstract

The ability to analyse and differentiate network protocol traffic is crucial for network resource management to provide differentiated services by Telcos. Automated Protocol Analysis (APA) is crucial to significantly improve efficiency and reduce reliance on human experts. There are numerous automated state-of-the-art unsupervised methods for clustering unknown protocols in APA. However, many such methods have not been sufficiently explored using diverse test datasets. Thus failing to demonstrate their robustness to generalise. This study proposed a comprehensive framework to evaluate various combinations of feature extraction and clustering methods in APA. It also proposed a novel approach to automate selection of dataset dependent model parameters for feature extraction, resulting in improved performance. Promising results of a novel field-based tokenisation approach also led to our proposal of a novel automated hybrid approach for feature extraction and clustering of unknown protocols in APA. Our proposed hybrid approach performed the best in 7 out of 9 of the diverse test datasets, thus displaying the robustness to generalise across diverse unknown protocols. It also outperformed the unsupervised clustering technique in state-of-the-art open-source APA tool, NETZOB in all test datasets.