CN109547443B - A Detection Method of Network Storage Type Covert Channel - Google Patents

Info

Publication number: CN109547443B
Authority: CN (China)
Prior art keywords: cluster, point, channel, data, value
Legal status: Expired - Fee Related
Application number: CN201811430859.0A
Other languages: Chinese (zh)
Other versions: CN109547443A (en)
Inventors: 杨婉霞, 冯全, 王咏梅, 杨梅, 李红岭, 刘燕, 杨森
Current Assignee: Gansu Agricultural University
Original Assignee: Gansu Agricultural University

Application filed by Gansu Agricultural University
Priority to CN201811430859.0A
Publication of CN109547443A
Application granted
Publication of CN109547443B
Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/60 Network streaming of media packets
    • H04L65/65 Network streaming protocols, e.g. real-time transport protocol [RTP] or real-time control protocol [RTCP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the technical field of information security and relates in particular to a method for detecting network storage-type covert channels. The method establishes a polynomial fitting model of the RTP differential timestamps, selects and extracts clustering features from the resulting model, and uses a clustering algorithm to judge whether steganography is present, so that network storage-type covert channels can be detected simply, quickly and accurately.

Description

A Detection Method of Network Storage Type Covert Channel

Technical field

The invention belongs to the technical field of information security, and in particular relates to a method for detecting network storage-type covert channels.

Background

The rapid development and widespread adoption of Internet technology urgently require the secure transmission of information as a safeguard, and this poses a greater challenge to traditional transmission-security schemes based on cryptography. The main reason is that cryptography scrambles the information to be transmitted in order to keep it confidential; however, it is precisely the garbled appearance of encrypted information that exposes the existence of confidential information, which stimulates the monitor's enthusiasm and desire to decipher it. Once the ciphertext is deciphered, there is no security to speak of. Secondly, in principle, the security of cryptography rests on mathematical transformations and on the difficulty of solving specific mathematical problems. With the arrival of the quantum-computer era, the speed of even the least promising approach, exhaustive computation of prime factors, is increased by N orders of magnitude, so that RSA keys can be cracked within a limited time. It follows that, to protect private information, attention must be paid not only to protecting the content of the transmitted information but even more to concealing its existence. Network covert channels emerged in this context. A network covert channel builds a concealed communication channel on top of public communication data, so that an illegitimate information flow (usually secret information) evades detection by conventional security controls and is delivered safely to the other party; this has promoted the rapid development and application of information security technology.

In constructing a covert channel, the carrier is the foundation and steganography is the means; only the combination of a good carrier and a suitable steganographic algorithm makes the channel more concealed. The choice of carrier is therefore critical. Because large volumes of streaming media must be transmitted over the network in real time, and the RTP/RTCP protocols provide an important service for this, they have become one of the main objects and carriers for building network covert channels. In particular, each RTP data packet consists of two parts, the protocol header and the payload, so a network covert channel can be built with either the redundant fields of the network protocol or the payload as the carrier. Because a network covert channel embeds secret information in redundant fields of a network protocol, security devices and detection devices in the network have difficulty identifying it, so it is highly concealed. Even if the covert channel is discovered, the special mechanisms adopted by its builder keep the transmitted secret information from being cracked. Secondly, research has found that even if each data packet carries only 1 bit of data, a network covert channel can illegally steal 26 GB of information from a large website within one year, which is of very high practical value. As one of the main streaming-media transport protocols, RTP/RTCP is thus widely used to build network covert channels. Research on how to use the redundancy of the RTP/RTCP protocols for information hiding and detection is the development trend and the focus of research.

Summary of the invention

In view of the above problems and the shortcomings of the prior art, the present invention provides a method for detecting a network storage-type covert channel, comprising the following steps:

① Establish the RTP differential-timestamp polynomial fitting model: take the sequence number of each packet on the channel as the x-axis data point and the difference of the packet timestamps as the y-axis data. Suppose the timestamp-difference sequence of a window of w+1 packets during communication is $(d_1, d_2, \ldots, d_w)$ $(w \ge 1)$; this gives the set of points to be fitted, $P = \{(i, d_i) \mid i = 1, 2, \ldots, w;\ w \ge 1\}$, where P is the set of packet sequence numbers and the time-difference sequence of packet transmission. Polynomial fitting then yields the polynomial model of the RTP timestamp differences between channels;

② Select and extract the clustering features of the model obtained in step ①: use the formula

Figure BDA0001882675430000021
to compute the absolute-value area of the fitted curves of the normal channel c(x) and the steganographic channel h(x), and take it as the clustering object;

③ Use a clustering algorithm to judge whether steganography is present:

a. Compute the area difference $\{S_d\}$ of the fitted curves of the timestamp-difference sequences of window length w, between normal channels and between a normal channel and a steganographic channel respectively;

b. From the clustering objects $\{S_d\}$, select initial values several times and find the most suitable k center points as the initial values $\{C_1, C_2, \ldots, C_k\}$;

c. Using the formula

Figure BDA0001882675430000022
compute the distance R(i,k) between each remaining data point and the initial center points, and assign each data point to the cluster represented by its nearest center point;

d. Using the formula

Figure BDA0001882675430000023
compute the center point of each cluster, where $N_k$ is the number of data points in cluster $C_k$ and $S_{di}$ denotes all the data points in cluster $C_k$;

e. Repeat steps c and d until the sum-of-squared-errors criterion function converges, that is, until the values of the cluster centers no longer change, giving the cluster center point $\mu_k$ of each cluster of the data source and the distance $R_k$ from each data source to each cluster center;

f. According to the formula

Figure BDA0001882675430000024
compute the mean of the distances $R_k$ from each data source to each cluster center $\mu_k$, where i = 1, 2, …, n and $N_k$ is the number of center points of cluster $\mu_k$;

g. Compare the M of the data point under test with the M of the normal data points: if it is unchanged, the channel is a normal channel; if it has changed, the channel is a covert channel.

Further, the polynomial fitting method in step ① is the least-squares method: let the measured timestamp-difference sequence be $\{d_k\}$ (k = 1, 2, 3, ..., w), where w is the number of data points in the window, and let a polynomial function

Figure BDA0001882675430000025
denote the fitting function; then:
Figure BDA0001882675430000026
where j = 0, 1, 3, ..., k, and
Figure BDA0001882675430000027
is the estimated value of $d_k$. The square of the distance between the observed point and the estimated point is
Figure BDA0001882675430000028
The weighted sum of squares of the residuals (or deviations) $E_k$ between the fitted model and the actual observations at each point is minimized, that is, the value of
Figure BDA0001882675430000031
is made minimal, in order to obtain the parameter values.

Further, the polynomial fitting order in step ① is 3 to 7, preferably 5.

The beneficial effects of the present invention are:

① Detection of network storage-type covert channels is achieved simply, quickly and accurately.

Description of the drawings

Figure 1: fitted curves of the RTP timestamp-difference sequences of the normal channel and the steganographic channel;

Figure 2: change in the mean distance from each point to each cluster center for window w = 50;

Figure 3: change in the mean distance from each point to each cluster center for window w = 100;

Figure 4: comparison of the initial clustering and secondary clustering results.

Detailed description of the embodiments

The technical solutions in the embodiments of the present invention are described clearly and completely below. Obviously, the described embodiments are only a part of the present invention, not all of it. All other embodiments obtained by persons of ordinary skill in the art on the basis of the embodiments of the present invention, without creative effort, fall within the scope of protection of the present invention.

Embodiment 1: a method for detecting a network storage-type covert channel

① Establish the RTP differential-timestamp polynomial fitting model: take the sequence number of each packet on the channel as the x-axis data point and the difference of the packet timestamps as the y-axis data. Suppose the timestamp-difference sequence of a window of w+1 packets during communication is $(d_1, d_2, \ldots, d_w)$ $(w \ge 1)$; this gives the set of points to be fitted, $P = \{(i, d_i) \mid i = 1, 2, \ldots, w;\ w \ge 1\}$, where P is the set of packet sequence numbers and the time-difference sequence of packet transmission. Polynomial fitting then yields the polynomial model of the RTP timestamp differences between channels. The polynomial fitting method is the least-squares method: let the measured timestamp-difference sequence be $\{d_k\}$ (k = 1, 2, 3, ..., w), where w is the number of data points in the window, and let a polynomial function

Figure BDA0001882675430000032
denote the fitting function; then:
Figure BDA0001882675430000033
where j = 0, 1, 3, ..., k, and
Figure BDA0001882675430000034
is the estimated value of $d_k$. The square of the distance between the observed point and the estimated point is
Figure BDA0001882675430000035
The weighted sum of squares of the residuals (or deviations) $E_k$ between the fitted model and the actual observations at each point is minimized, that is, the value of
Figure BDA0001882675430000036
is made minimal. The fitting order is 5, and the fitting result is shown in Figure 1;

② Select and extract the clustering features of the model obtained in step ①: use the formula

Figure BDA0001882675430000037
to compute the absolute-value area of the fitted curves of the normal channel c(x) and the steganographic channel h(x), and take it as the clustering object. As shown in Figure 3, after the initial clustering the mean distance from the normal-channel data points to each cluster center is unchanged, whereas for the steganographic channel this value always changes;

③ Use a clustering algorithm to judge whether steganography is present:

a. Compute the area difference $\{S_d\}$ of the fitted curves of the timestamp-difference sequences of window length w, between normal channels and between a normal channel and a steganographic channel respectively;

b. From the clustering objects $\{S_d\}$, select initial values several times and find the most suitable k center points as the initial values $\{C_1, C_2, \ldots, C_k\}$;

c. Using the formula

Figure BDA0001882675430000041
compute the distance R(i,k) between each remaining data point and the initial center points, and assign each data point to the cluster represented by its nearest center point;

d. Using the formula

Figure BDA0001882675430000042
compute the center point of each cluster, where $N_k$ is the number of data points in cluster $C_k$ and $S_{di}$ denotes all the data points in cluster $C_k$;

e. Repeat steps c and d until the sum-of-squared-errors criterion function converges, that is, until the values of the cluster centers no longer change, giving the cluster center point $\mu_k$ of each cluster of the data source and the distance $R_k$ from each data source to each cluster center;

f. According to the formula

Figure BDA0001882675430000043
compute the mean of the distances $R_k$ from each data source to each cluster center $\mu_k$, where i = 1, 2, …, n and $N_k$ is the number of center points of cluster $\mu_k$. As shown in Figure 4, this gives a clustering result more accurate than the initial clustering;

g. Compare the M of the data point under test with the M of the normal data points: if it is unchanged, the channel is a normal channel; if it has changed, the channel is a covert channel.
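The three steps of the embodiment, sketched end to end as an added example (not code from the patent). The patent's formulas are images that did not survive on this page, so the area integral, the absolute-value distance, k = 3, the 1 % tolerance and the constructed timestamps produced by the hypothetical `window` helper (nominal step 160) are all assumptions.

```python
from itertools import combinations

W, DEGREE = 50, 5   # window length w and the preferred fitting order

def diffs(ts):
    """d_i between consecutive RTP timestamps (32-bit field, hence mod 2**32)."""
    return [(b - a) % 2**32 for a, b in zip(ts, ts[1:])]

def polyfit(d, degree=DEGREE):
    """Step 1: least-squares coefficients; the packet index is rescaled to
    [-1, 1] so the normal equations stay well conditioned."""
    u = [2.0 * i / (len(d) - 1) - 1.0 for i in range(len(d))]
    n = degree + 1
    # Augmented normal equations (V^T V | V^T d), solved by Gauss-Jordan.
    A = [[sum(x ** (r + c) for x in u) for c in range(n)]
         + [sum(y * x ** r for x, y in zip(u, d))] for r in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(A[r][col]))
        A[col], A[piv] = A[piv], A[col]
        for r in range(n):
            if r != col:
                f = A[r][col] / A[col][col]
                A[r] = [x - f * y for x, y in zip(A[r], A[col])]
    return [A[r][n] / A[r][r] for r in range(n)]

def area_between(c, h, w=W, steps=2000):
    """Step 2 (assumed form): S_d = integral of |c(x) - h(x)| over index 1..w."""
    delta = [a - b for a, b in zip(c, h)]
    du = 2.0 / steps
    total = 0.0
    for s in range(steps):                      # midpoint rule on [-1, 1]
        x = -1.0 + (s + 0.5) * du
        total += abs(sum(a * x ** j for j, a in enumerate(delta))) * du
    return total * (w - 1) / 2.0                # back to packet-index units

def kmeans_1d(values, k, max_iter=100):
    """Steps b-e: Lloyd's algorithm restarted from every k-subset of the
    distinct values; the run with the lowest squared error is kept."""
    best = None
    for init in combinations(sorted(set(values)), k):
        centers = list(init)
        for _ in range(max_iter):
            labels = [min(range(k), key=lambda j: abs(v - centers[j]))
                      for v in values]
            new = []
            for j in range(k):
                members = [v for v, lab in zip(values, labels) if lab == j]
                new.append(sum(members) / len(members) if members else centers[j])
            if new == centers:
                break
            centers = new
        sse = sum((v - centers[lab]) ** 2 for v, lab in zip(values, labels))
        if best is None or sse < best[0]:
            best = (sse, centers, labels)
    return best[1], best[2]

def mean_center_distance(v, centers):
    """Step f: M, the mean distance from one data point to all centers."""
    return sum(abs(v - c) for c in centers) / len(centers)

def is_covert(m, m_normal, rel_tol=0.01):
    """Step g: M unchanged within rel_tol (assumed tolerance) means normal."""
    return abs(m - m_normal) > rel_tol * m_normal

def window(start, scale=0):
    """Constructed sample: w+1 RTP timestamps with nominal step 160 (20 ms of
    8 kHz audio); scale > 0 adds small constructed offsets to every step."""
    ts = [start % 2**32]
    for i in range(1, W + 1):
        ts.append((ts[-1] + 160 + scale * ((2 * i) % 5)) % 2**32)
    return ts

def demo():
    ref = polyfit(diffs(window(1_000)))               # known-normal reference
    s_d = lambda ts: area_between(ref, polyfit(diffs(ts)))
    normal = [s_d(window(s)) for s in (5_000, 2**32 - 4_000, 77_000)]
    suspect = [s_d(window(9_000, sc)) for sc in (1, 2, 5)]
    centers, labels = kmeans_1d(normal + suspect, k=3)
    m_normal = mean_center_distance(normal[0], centers)
    verdicts = [is_covert(mean_center_distance(v, centers), m_normal)
                for v in normal + suspect]
    return normal, suspect, centers, labels, verdicts

if __name__ == "__main__":
    for name, value in zip(("S_d normal", "S_d suspect", "centers", "labels",
                            "covert?"), demo()):
        print(name, value)
```

With scalar features, M in this sketch is a V-shaped function of S_d, so one non-zero S_d (here twice the middle center) gives exactly the normal M; checking the cluster label alongside M avoids that blind spot.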

Claims (3)

1. A method for detecting a network storage-type covert channel, characterized in that the method comprises the following steps:
① Establish the RTP differential-timestamp polynomial fitting model: take the sequence number of each packet on the channel as the x-axis data point and the difference of the packet timestamps as the y-axis data. Suppose the timestamp-difference sequence of a window of w+1 packets during communication is $(d_1, d_2, \ldots, d_w)$ $(w \ge 1)$; this gives the set of points to be fitted, $P = \{(i, d_i) \mid i = 1, 2, \ldots, w;\ w \ge 1\}$, where P is the set of packet sequence numbers and the time-difference sequence of packet transmission. Polynomial fitting then yields the polynomial model of the RTP timestamp differences between channels;
② Select and extract the clustering features of the model obtained in step ①: use the formula
Figure FDA0004133650950000011
to compute the absolute-value area of the fitted curves of the normal channel c(x) and the steganographic channel h(x), and take it as the clustering object;
③ Use a clustering algorithm to judge whether steganography is present:
a. Compute the area difference $\{S_d\}$ of the fitted curves of the timestamp-difference sequences of window length w, between normal channels and between a normal channel and a steganographic channel respectively;
b. From the clustering objects $\{S_d\}$, select initial values several times and find the most suitable k center points as the initial values $\{C_1, C_2, \ldots, C_k\}$;
c. Using the formula
Figure FDA0004133650950000012
compute the distance R(i,k) between each remaining data point and the initial center points, and assign each data point to the cluster represented by its nearest center point;
d. Using the formula
Figure FDA0004133650950000013
compute the center point of each cluster, where $N_k$ is the number of data points in cluster $C_k$ and $S_{di}$ denotes all the data points in cluster $C_k$;
e. Repeat steps c and d until the sum-of-squared-errors criterion function converges, that is, until the values of the cluster centers no longer change, giving the cluster center point $\mu_k$ of each cluster of the data source and the distance $R_k$ from each data source to each cluster center;
f. According to the formula
Figure FDA0004133650950000014
compute the mean of the distances $R_k$ from each data source to each cluster center $\mu_k$, where i = 1, 2, …, n and $N_k$ is the number of center points of cluster $\mu_k$;
g. Compare the M of the data point under test with the M of the normal data points: if it is unchanged, the channel is a normal channel; if it has changed, the channel is a covert channel.
2. The method for detecting a network storage-type covert channel according to claim 1, characterized in that the polynomial fitting method in step ① is the least-squares method: let the measured timestamp-difference sequence be $\{d_k\}$ (k = 1, 2, 3, ..., w), where w is the number of data points in the window, and let a polynomial function
Figure FDA0004133650950000015
denote the fitting function; then:
Figure FDA0004133650950000021
where j = 0, 1, 3, ..., k, and
Figure FDA0004133650950000022
is the estimated value of $d_k$. The square of the distance between the observed point and the estimated point is
Figure FDA0004133650950000023
The weighted sum of squares of the residuals $E_k$ between the fitted model and the actual observations at each point is minimized, that is, the value of
Figure FDA0004133650950000024
is made minimal, in order to obtain the parameter values.
3. The method for detecting a network storage-type covert channel according to claim 1, characterized in that the polynomial fitting order in step ① is 3 to 7, preferably 5.
CN201811430859.0A 2018-11-28 2018-11-28 A Detection Method of Network Storage Type Covert Channel Expired - Fee Related CN109547443B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811430859.0A CN109547443B (en) 2018-11-28 2018-11-28 A Detection Method of Network Storage Type Covert Channel

Publications (2)

Publication Number Publication Date
CN109547443A CN109547443A (en) 2019-03-29
CN109547443B true CN109547443B (en) 2023-04-25

Family

ID=65850637

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811430859.0A Expired - Fee Related CN109547443B (en) 2018-11-28 2018-11-28 A Detection Method of Network Storage Type Covert Channel

Country Status (1)

Country Link
CN (1) CN109547443B (en)

Also Published As

Publication number Publication date
CN109547443A (en) 2019-03-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20230425