Based On The Decision Tree Network Covert Channel Detection Model

Covert Channel is an important branch of Message Hiding, which is a communication channel that allows the processes to Communicate endangering security policy of the system. Network Covert Channel is a kind of Covert Channels, which often used by hackers to steal confidential information, in this way, the users for high level information security will face a huge threat, therefore, it is necessary to research the detection technology for Network Covert Channel.Networks generally use the TCP/IP protocol cluster to interconnect, it is a protocol cluster of industry-standard agreement, however, in the formulation of it, they gave little consideration of security issues, as a result, the protocol cluster has a lot of security vulnerabilities. Covert Channel leaks confidential message by the vulnerabilities, and we call the channels by TCP/IP protocol cluster Network Covert Channels, Network Covert Channel becomes an important research topic in the area of message security, what's more, with the secret agencies joining up Internet continuously, hackers will continue to use Network Covert Channel to leak confidential information, so the detection of Network Covert Channel can be no delay. There are some research results on Network Covert Channel at home and abroad, that mainly focus on how to construct Covert Channel, but no many on detection.For the shortage of traditional detection methods, by summarizing and analyzing the characteristics of Network Covert Channel, the paper aims at finding a number of attributes to describe Network Covert Channel, and proposing a thinking of detection for Network Covert Channel based on it's feature set, finally, by use of data mining methods, we realize a detection model based on decision tree, by a lot of experiments we prove that the detection model is effective, this model can enrich the rule set according to different attributes of Network Covert Channel, manifesting the auto-adapted characteristic; And it can keep up with fine detector's standard about virtual alarm rate and false reporting rate.