Research On Typical Covert Channel Detection Algorithm Under HTTP Protocol

Covert network communication is a communication technology that carries secret information in the process of Internet data communication.It is mainly used to avoid third-party censorship mechanisms.Multimedia(graphics,sound,animation),network protocols(TCP,HTTP,FTP),and network operation behavior are all commonly used carriers.covert network communication technology is a double-edged sword.While protecting information security,it also provides a carrier for data communication of malicious applications.Therefore,in order to realize the manageability and control of the network,it is necessary to carry out research on covert communication detection technology.This article takes the covert channel detection technology under the HTTP protocol as the research object,and carries out detection research for three typical covert communication methods.The main research contents are as follows:1)Design and implement a detection method for HTTP protocol parameter ranking covert channels.Covert channel based on HTTP protocol parameter ordering is an application layer storage-type covert channel,which realizes covert communication by adjusting the order of request header information in the message.This paper designs and implements a detection method based on the Markov model.First,the status bits of the HTTP data packet are established according to the request header sequence.Then,the Markov models of normal communication and abnormal communication are constructed using the status bit sequence.Build the model.Experimental results show that the method designed in this paper has good detection effect on this channel.2)A combined covert channel detection method for request distribution behavior in HTTP protocol is proposed.The combined covert channel(LIHB)based on the request distribution behavior in the HTTP protocol is to use some actions of the HTTP data packet in the transmission process to complete the transmission of the secret message.This paper proposes a multi-feature-based detection method for it.The method proposed in this paper first extracts features such as the mean,variance and information entropy of the data stream,and then uses a random forest-based method to give the detection results.Experimental results show that the multi-feature detection method based on random forest has a good effect on this channel.3)Design and implement a covert channel detection method based on HTTP / 2protocol sending frame receiving sequence.The covert channel(H2CSC)based on the HTTP / 2 protocol sending frame receiving sequence uses the characteristic that data frames of different HTTP / 2 streams in an HTTP / 2 session can be interleaved to construct a covert channel.The construction of H2 CSC will not affect the normal access of users,nor will it cause abnormalities on the server side or the client side.This paper designs and implements a detection algorithm based on conditional entropy.The method first extracts the stream number of the filtered data frame,generates a one-dimensional array based on the distance between two adjacent data frames,and uses it to calculate the conditional entropy value.Finally,it sets the threshold to detect covert communication.The experimental results show that the detection method based on conditional entropy has a good effect on the channel.This paper researches the detection technology of the covert communication under the HTTP protocol,and the effectiveness of the presented approach has been proved.Finally,the full text is summarized and the covert communication detection technology after many years is expected.