
Research On Detection And Novel Construction Of Network Protocol-based Covert Channels

Posted on: 2018-08-04
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y Shen
Full Text: PDF
GTID: 1318330512485621
Subject: Computer software and theory
Abstract/Summary:
With the rapid development of the Internet, research on network protocol-based covert channels has been attracting growing attention. Because network traffic is dynamic, transient and voluminous, covert communication built on network protocols has advantages that other carriers cannot match. In addition, the security of traditional encryption technology is increasingly threatened, so it can no longer meet people's needs for secure transmission. As an alternative, covert channels, which hide the existence of secret information, have become a popular choice. So far, research on the construction of protocol-based covert channels has made some progress, but the study of detection is still at an initial stage. At present, some Trojan horses combined with network covert channels have caused privacy leakage, which poses great challenges to network security and personal privacy. It is therefore necessary to study the design and detection of network protocol-based covert channels.

In view of current research, this dissertation studies network protocol-based covert channels from two aspects: detection algorithms and novel construction algorithms. On the detection side, we propose a detection algorithm for covert storage channels based on multi-dimensional feature vectors and protocol behavior, and a detection algorithm for covert timing channels based on timing fingerprints. Based on these two methods, a practical detection framework for network protocol-based covert channels is designed. On the construction side, given the current state of covert storage and timing channel construction, we design a novel type of application-layer covert channel based on the HTTP behavior of browsers. The main contributions of this dissertation are summarized as follows:

1. Based on current research on covert storage channels, we study the detection of TCP/IP-based covert storage channels. Most existing detection algorithms target specific channels, and a comprehensive detection algorithm is lacking. Moreover, existing algorithms focus on the regularity of field values and ignore the fact that each header field has its own behavior characteristics. By expressing the behavior of each field through the regularity of, or correlation between, adjacent packets, we propose a detection algorithm for covert storage channels based on multi-dimensional feature vectors and protocol behavior. The SVM classification model incorporated into the algorithm is trained on behavior feature vectors of legitimate channels and covert channels. The experimental results show that the detection algorithm can detect TCP/IP-based covert storage channels efficiently.

2. Existing detection algorithms are designed for a specific type of timing channel, and each has its own applicability and limitations. To solve this problem, we propose a detection algorithm for covert timing channels based on timing fingerprints. It uses the metrics of four recognized detection algorithms (KS, ε-similarity, Entropy and CCE), which view the traffic from different angles, as timing fingerprint features, and extracts the timing fingerprints of four typical covert timing channels (IPCTC, LtoN, TRCTC and MBCTC) as the fingerprint features of covert timing channels. The experimental results show that the algorithm detects TCP/IP-based covert timing channels effectively and can, to some extent, achieve blind detection of covert timing channels.

3. To make the detection algorithms for covert storage channels and timing channels practical, we design a detection framework for network protocol-based covert channels. Because a detection algorithm is closely tied to the specific hiding algorithm, and existing algorithms can only detect one or more targeted covert channels, we propose a practical detection framework based on previous research and the studies above, and introduce the functional design of each module. Analysis shows that a system based on this framework is efficient, comprehensive, scalable and self-learning, so that it can achieve blind detection of TCP/IP-based covert storage channels and timing channels.

4. Regarding current research on the construction of TCP/IP-based covert channels, we focus on the design of novel application-layer covert channels based on HTTP. Through capture experiments, we found a natural HTTP behavior of browsers: when a webpage is opened, the distribution of HTTP requests across flows is dynamic. Using this HTTP behavior as a carrier, we propose an application-layer covert channel, LiHB, which embeds secret messages into the HTTP request-flow distributions using combinatorics, without changing any packet content or format. Moreover, LiHB can pass through a Web proxy to leak secret messages. To eliminate the limitations of LiHB, we design a stealthier and more efficient covert channel, HBCC. HBCC employs independent and identically distributed inter-request delays (IRD) to maintain the request distribution of the legitimate channel, and mimics the browsing patterns of normal users based on the frequent access itemsets of webpages. Experimental results show that LiHB and HBCC have good reliability, and that HBCC outperforms LiHB in terms of channel capacity and undetectability.
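The timing-fingerprint idea in contribution 2, as an added example that is not code from the dissertation: three of the named metrics (KS, ε-similarity, first-order entropy; CCE and the classifier are left out) are computed over inter-packet delays and combined into one feature vector per flow. The function names, the bin count, the ε value and both traffic samples are assumptions constructed for illustration.

```python
import bisect
import math
import random

def ks_statistic(sample, reference):
    """Two-sample Kolmogorov-Smirnov statistic: largest gap between empirical CDFs."""
    a, b = sorted(sample), sorted(reference)
    return max(abs(bisect.bisect_right(a, x) / len(a) - bisect.bisect_right(b, x) / len(b))
               for x in a + b)

def eps_similarity(ipds, eps):
    """Fraction of relative gaps between neighbouring sorted delays smaller than eps."""
    s = sorted(ipds)
    rel = [(hi - lo) / lo for lo, hi in zip(s, s[1:]) if lo > 0]
    return sum(r < eps for r in rel) / len(rel)

def binned_entropy(ipds, edges):
    """First-order entropy (bits) of delays quantised by the given bin edges."""
    counts = [0] * (len(edges) + 1)
    for x in ipds:
        counts[bisect.bisect_right(edges, x)] += 1
    return -sum(c / len(ipds) * math.log2(c / len(ipds)) for c in counts if c)

def fingerprint(ipds, reference, bins=8, eps=0.0005):
    """Feature vector for one flow; bins and eps are assumed values, not the thesis's."""
    ref = sorted(reference)
    edges = [ref[len(ref) * k // bins] for k in range(1, bins)]  # equiprobable on legit traffic
    return {"ks": ks_statistic(ipds, reference),
            "eps_sim": eps_similarity(ipds, eps),
            "entropy": binned_entropy(ipds, edges)}

# Constructed samples (seconds): exponential delays for legitimate flows; two
# jittered delay values as a generic stand-in for a timing channel.
rng = random.Random(7)
LEGIT_REF = [rng.expovariate(20) for _ in range(2000)]
LEGIT_FLOW = [rng.expovariate(20) for _ in range(2000)]
COVERT_FLOW = [rng.choice((0.02, 0.08)) + rng.gauss(0, 0.001) for _ in range(2000)]

if __name__ == "__main__":
    for name, flow in (("legit", LEGIT_FLOW), ("covert", COVERT_FLOW)):
        print(name, {k: round(v, 3) for k, v in fingerprint(flow, LEGIT_REF).items()})
```

A flow whose delays follow the legitimate distribution stays close to the reference on all three features, while the two-valued flow shows a large KS distance, low entropy and high ε-similarity; vectors of this kind are what a classifier would be trained on.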
Keywords/Search Tags:Covert Channel, Network Protocol, Detection, Covert Storage Channel, Covert Timing Channel, Application-layer Covert Channel