
Research On Key Technologies Of Network Covert Channel Detection

Posted on: 2022-06-23
Degree: Master
Type: Thesis
Country: China
Candidate: Y K Zhu
Full Text: PDF
GTID: 2518306524989579
Subject: Master of Engineering

Abstract/Summary:
In recent years, there have been frequent infiltration attacks against national infrastructure. State-supported Advanced Persistent Threat (APT) attacks have seriously threatened the security of various industries. To evade security protection systems and security auditing equipment, attackers use covert channels as a key technology for malware command and control (C&C/C2), so that their behavior and communication fingerprints are not exposed while they conduct complex network attacks. C&C built on covert channels is highly concealed, which brings severe challenges and may undermine network security. To facilitate the development of network security technologies, this paper conducts research on key countermeasures for network covert channel detection. The main research contents and innovations are as follows:

Firstly, the theory of covert channels is studied in depth. Current covert channel technologies are summarized, their common construction methods and existing problems are analyzed, and the characteristics and patterns of covert channel technologies are refined through in-depth analysis, which lays the foundation for the subsequent research.

Secondly, the blind detection of covert channels is studied. Current blind detection algorithms detect few types of channel and have a low success rate in mixed application environments where multiple covert channels coexist. This paper analyzes current covert channel technology modes and protocol mechanisms, extracts comprehensive feature information based on channel behavior and statistics, and detects and classifies covert channels with ensemble learning algorithms. The experiments demonstrate that the method proposed in this paper has a high detection rate and a certain practical applicability.

Finally, a covert channel detection scheme based on transfer learning is proposed. The scheme addresses the problems that C2 servers in current APT attacks use covert channels as their communication basis, that new covert communication technologies keep emerging, and that APT covert channel samples are difficult to collect into large-scale training data. Using open source data sets, a deep neural network model is trained with transfer learning to detect red team penetration data and C2 data. The experimental results verify the similarity in principle, and the feasibility of transfer, between open source covert channel tools and C&C data communication. The results on multiple data sets also show that the proposed method improves the detection rate of cross-domain covert channel data by 12.6% compared with detection without transfer learning.

To sum up, starting from the highly adversarial security threats in cyberspace, this paper conducts research on the blind detection of covert channels and on APT covert communication technology, and proposes a blind detection algorithm based on ensemble learning and an APT covert channel detection algorithm based on transfer learning. The experimental results demonstrate the feasibility and effectiveness of the proposed algorithms. The technologies and methods studied in this paper may be of great value and significance for developing countermeasures that enhance network security, and may play an important role in safeguarding the country's critical infrastructure and protecting key data of important departments.
Keywords/Search Tags:covert channel, C&C, blind detection, transfer learning