Packet Delay Between The Detection And Parameters Hidden Channel Estimation

Network covert channel can be used to steal data secretly as well as to transmit important information for spies by using a Trojan or other malicious programs in the computer. Therefore, the detection of network covert channel is a very important technology in network security. It has attracted widly attention for researchers, and there are many achievements in this field. In this paper, after studying the detection algorithm for network covert channel based on inter-packet delays, a detection algorithm is proposed which has smaller windows and lower computational complexity. What is more, the subsequent estimation problem of covert channel parameter is also studied. Major research work in this paper is as follows:(1) The basic concepts of network covert channel were introduced. A review and summary are given on the related technologies of pros and cons technologies about the network covert channel as well as the development progress.(2) It describes the structure principle of Inter-Pacaket Delays-based covert timing channel. At the same time, the effect of network jitter under different strength on inter-pacaket delays covert timing channel is analyzed. The paper gives a detailed introduction about current major detection algorithms based on inter-pacaket delays covert timing channel, sums up the features of the algorithm and points out the existed deficiencies.(3) There is step effect in the sorted inter-package delayed sequence(SIPDS) which is obtained from Inter-Pacaket Delays covert timing channel.Under the weak network jitter, a covet channel detection algorithm based on the step effect of the sorted inter-package delayed sequence is proposed.Compared with traditional statistics method, the proposed algorithm has a smaller detection window and low computational complexity. Under the strong network jitter, a covert channel detection algorithm based on the quality and centroid location of sort inter-package delayed sequence is proposed, which uses relatively lower detection window. Under weak step effect it can achieve a more reliable detection by determining the overall level of step effect and distribution. Simulation results verify the effectiveness of the two methods.(4) For the parameter estimation of IPD covert timing channel such as the estimation of the encoding bits and the encoding time window, the method is proposed based on the superposed wavelet transform coefficients of the several window. The method firstly divide the inter-packet delays stored by track on average into multiple copies, and every sorted data experiences the secondary wavelet transform, then multiple copies of the wavelet transform coefficients after superposition step effect to highlight the weak the step effect of the sorted inter-packet delay. Simulation results show that even in a very strong network jitter this method can be still proved to be a more accurate estimation results.Finally, a summarization of this paper is given, the shortcoming of existing researches is analyzed, and worthy study contents for the future research this topic are discussed.