{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2022,4,2]],"date-time":"2022-04-02T19:46:46Z","timestamp":1648928806023},"reference-count":18,"publisher":"World Scientific Pub Co Pte Lt","issue":"03n04","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["J. Inter. Net."],"published-print":{"date-parts":[[2015,9]]},"abstract":"<jats:p> Protocol's abnormal behavior analysis is an important task in protocol reverse analysis. Traditional protocol reverse analysis focus on the protocol message format, but protocol behavior especially the abnormal behavior is rare studied. In this paper, protocol behavior is represented by the labeled behavior instruction sequences. Similar behavior instruction sequences mean the similar protocol behavior. Using our developed virtual analysis platform HiddenDisc, we can capture a variety of known or unknown protocols' behavior instruction sequences. All kinds of executed or unexecuted instruction sequences can automatic clustering by our designed instruction clustering algorithm. Thereby we can distinguish and mine the unknown protocols' potential abnormal behavior. The mined potential abnormal behavior instruction sequences are executed, monitored and analyzed on HiddenDisc to determine whether it is an abnormal behavior and what is the behavior's nature. Using the instruction clustering algorithm, we have analyzed 1297 protocol samples, mined 193 potential abnormal instruction sequences, and determined 187 malicious abnormal behaviors by regression testing. Experimental results show that our proposed instruction clustering algorithm has high efficiency and accuracy, can mine unknown protocols' abnormal behaviors effectively, and enhance the initiative defense capability of network security. <\/jats:p>","DOI":"10.1142\/s0219265915400022","type":"journal-article","created":{"date-parts":[[2016,9,2]],"date-time":"2016-09-02T08:24:07Z","timestamp":1472804647000},"page":"1540002","source":"Crossref","is-referenced-by-count":0,"title":["Instruction Clustering Analysis for Unknown Network Protocol's Abnormal Behavior"],"prefix":"10.1142","volume":"15","author":[{"given":"YANJING","family":"HU","sequence":"first","affiliation":[{"name":"State Key Laboratory of Integrated Services Networks, Xidian University, Xi'an 710071, China"},{"name":"Key Laboratory of Cryptology & Information Security under the Chinese PLA, Engineering University of the Armed Police Force, Xi'an 710086, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"QINGQI","family":"PEI","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Integrated Services Networks, Xidian University, Xi'an 710071, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"LIAOJUN","family":"PANG","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Integrated Services Networks, Xidian University, Xi'an 710071, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"219","published-online":{"date-parts":[[2016,9,2]]},"reference":[{"key":"p_1","first-page":"3","author":"Anderson B.","year":"2012","journal-title":"North Carolina, USA"},{"key":"p_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2012.08.003"},{"key":"p_3","first-page":"1","author":"Cui B.","year":"2015","journal-title":"Soft Computing."},{"key":"p_7","doi-asserted-by":"publisher","DOI":"10.1145\/2089125.2089126"},{"key":"p_9","first-page":"317","author":"Han K.","year":"2013","journal-title":"Canada"},{"key":"p_10","first-page":"79","author":"Hu X.","year":"2013","journal-title":"Louisiana"},{"issue":"2","key":"p_13","first-page":"451","volume":"54","author":"Juan Caballero D.S","year":"2012","journal-title":"Computer Networks"},{"key":"p_17","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2013.01.013"},{"key":"p_19","first-page":"121","author":"Polino M.","year":"2015","journal-title":"Springer International Publishing"},{"key":"p_20","first-page":"62","author":"Rahbarinia B.","year":"2013","journal-title":"Springer Berlin Heidelberg"},{"key":"p_21","first-page":"408","author":"Rahimian A.","year":"2014","journal-title":"Springer International Publishing"},{"key":"p_22","first-page":"1","author":"Rostami M.","year":"2014","journal-title":"IEEE Transactions on Emerging Topics in Computing."},{"key":"p_23","first-page":"329","author":"Sedaghat L.","year":"2014","journal-title":"Springer International Publishing"},{"key":"p_24","first-page":"577","author":"Tao L.","year":"2007","journal-title":"Seventh IEEE International Conference on"},{"key":"p_25","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2011.03.017"},{"key":"p_26","first-page":"200","author":"Wang Zhi J.X.-X.","year":"2009","journal-title":"Computer Security, 5789."},{"key":"p_29","first-page":"95","author":"Ye Y.","year":"2010","journal-title":"DC, USA"},{"key":"p_30","first-page":"75","author":"Ying","year":"2013","journal-title":"The Journal of China Universities of Posts and Telecommunications, 20."}],"container-title":["Journal of Interconnection Networks"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.worldscientific.com\/doi\/pdf\/10.1142\/S0219265915400022","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,8,7]],"date-time":"2019-08-07T05:07:02Z","timestamp":1565154422000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.worldscientific.com\/doi\/abs\/10.1142\/S0219265915400022"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015,9]]},"references-count":18,"journal-issue":{"issue":"03n04","published-online":{"date-parts":[[2016,9,2]]},"published-print":{"date-parts":[[2015,9]]}},"alternative-id":["10.1142\/S0219265915400022"],"URL":"https:\/\/doi.org\/10.1142\/s0219265915400022","relation":{},"ISSN":["0219-2659","1793-6713"],"issn-type":[{"value":"0219-2659","type":"print"},{"value":"1793-6713","type":"electronic"}],"subject":[],"published":{"date-parts":[[2015,9]]}}}