ProNet: Toward Payload-Driven Protocol Fingerprinting via Convolutions and Embeddings

Abstract

Protocol fingerprinting (PF) is the task of deriving a set of distinguishing features that identify which protocol or application generated a given piece of network traffic. Unfortunately, deep packet inspection (DPI), a widely adopted method for PF, requires significant expert effort to develop and maintain protocol signatures. The newer paradigm, deep flow inspection (DFI), which uses machine learning for PF, also relies on hand-designed features. In this paper, we present ProNet, a payload-based approach to protocol fingerprinting that overcomes the limitation of manual feature engineering. The key novelty of ProNet is two-fold: (i) it takes generic, raw short packet payloads as input, instead of the typical flow statistical features (e.g., port, packet size, packet interval); (ii) it learns to simultaneously extract features via convolutional operations on byte-level embeddings and n-gram-level embeddings. We implement and evaluate ProNet on real-world traces, including DNS, QQLive, PPLive, PPStream, SopCast, DHCP, NBNS, HTTP, SMTP and SMB. Our experimental results show that ProNet achieves over 99% precision and recall with low false positives (less than 1%) and nearly no false negatives.

Sang, Y., Zhang, Y., & Peng, C. (2018). ProNet: Toward Payload-Driven Protocol Fingerprinting via Convolutions and Embeddings. In Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST (Vol. 252, pp. 519–529). Springer Verlag. https://doi.org/10.1007/978-3-030-00916-8_48
