An Automated Detection Scheme for Wireless Protocol Classification

Open Access
Weiss, Daniel Ross
Graduate Program:
Electrical Engineering
Master of Science
Document Type:
Master Thesis
Date of Defense:
December 03, 2014
Committee Members:
  • Sven G Bilen, Thesis Advisor
  • Mark P Mahon, Thesis Advisor
Keywords:
  • Protocol Analysis
  • Wireless Protocols
  • Wireless Protocol Classification
  • Automated Protocol Detection
The field of protocol analysis arose from the increasing need for network security. Analysis and identification of the protocols used by traffic on a network made it possible to classify whether or not the behavior on the network was permissible. This type of protocol classification can address similar needs in the software-defined radio space as well as in various military applications. In these and many other applications there is a need to classify the protocol of an unknown wireless signal and to provide some general insight into the activity present on such signals. To this end, a protocol detection system was developed to compare the protocol of an unknown set of recorded packet traces against a set of known and previously characterized protocols. The basis for this detection system is the concept that protocols can be defined by the related sets of packets transmitted between the client and server of a connection. Many protocols have a request-and-response communication structure in which one side of the connection, often the client, requests data from the other, often the server. When the server sends command or configuration packets to the client device, there are often sets of acknowledgment packets that follow this same request-and-response structure. The system was designed to analyze a network trace of an unknown protocol by comparing its packets to the request-and-response structure of previously characterized, known protocols. By determining how similar the unknown protocol traffic is to each known protocol, a detection decision can be made based on the number of packets identified as belonging to each known protocol. This approach is shown to be relatively successful for the limited sets of network traces that were available and recorded for this research.
Packet trace lengths of greater than 200 packets are shown to provide sufficient detection accuracy when comparing an unknown trace to the Bluetooth and ZigBee protocols. However, the system's detection-decision criteria leave much room for improvement.
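A minimal model of the detection scheme the abstract describes, written here as an added example rather than code from the thesis: each known protocol is represented as a set of request/response exchanges, an unknown trace is paired into exchanges, each known protocol is scored by the number of packets attributed to it, and the highest score decides. The protocol profiles, packet types and trace format are constructed assumptions (not the thesis's Bluetooth or ZigBee characterizations); the minimum trace length follows the abstract's 200-packet finding.

```python
from typing import Dict, List, Optional, Set, Tuple

Packet = Tuple[str, str]    # (direction "c2s"/"s2c", message type); constructed model
Exchange = Tuple[str, str]  # (first packet type, reply packet type)

# Hypothetical request/response profiles for two known protocols; constructed
# stand-ins for the thesis's characterised Bluetooth and ZigBee profiles.
KNOWN_PROTOCOLS: Dict[str, Set[Exchange]] = {
    "protoA": {("read_req", "read_rsp"), ("write_req", "write_ack")},
    "protoB": {("poll", "data"), ("config", "config_ack")},
}
MIN_TRACE_LEN = 200  # abstract: more than 200 packets gave sufficient accuracy

def pair_exchanges(trace: List[Packet]) -> List[Exchange]:
    """Pair each packet with the next one going the other way (client request +
    server reply, or server command + client ack); unanswered packets are skipped."""
    pairs: List[Exchange] = []
    i = 0
    while i + 1 < len(trace):
        (d1, t1), (d2, t2) = trace[i], trace[i + 1]
        if d1 != d2:
            pairs.append((t1, t2))
            i += 2
        else:
            i += 1
    return pairs

def score_trace(trace: List[Packet]) -> Dict[str, int]:
    """Count packets attributable to each known protocol's exchanges."""
    scores = {name: 0 for name in KNOWN_PROTOCOLS}
    for exchange in pair_exchanges(trace):
        for name, profile in KNOWN_PROTOCOLS.items():
            if exchange in profile:
                scores[name] += 2  # both packets of the exchange are attributed
    return scores

def classify(trace: List[Packet]) -> Optional[str]:
    """Best-matching protocol, or None if the trace is short or nothing matched."""
    if len(trace) <= MIN_TRACE_LEN:
        return None
    best, best_score = max(score_trace(trace).items(), key=lambda kv: kv[1])
    return best if best_score > 0 else None

def make_trace(exchanges: List[Exchange], repeat: int) -> List[Packet]:
    """Constructed sample trace: the exchanges repeated as c2s/s2c pairs."""
    trace: List[Packet] = []
    for _ in range(repeat):
        for first, reply in exchanges:
            trace += [("c2s", first), ("s2c", reply)]
    return trace
```

A trace that matches no known profile, or one at or below the length threshold, is reported as inconclusive rather than forced onto the nearest protocol.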