
Research And Implementation On The System Of Network Covert Channels Detection

Posted on: 2015-02-16
Degree: Master
Type: Thesis
Country: China
Candidate: S H Fan
GTID: 2308330473953251
Subject: Computer application technology
Abstract/Summary:
With the development of network technology, data leakage has become an increasingly severe problem. Firewalls and intrusion detection systems, which are already deployed in current networks, struggle to meet the demands of network security. In recent years especially, the security threat from covert channels has grown more and more serious, so a study of a covert channel detection system aimed at intra-LAN data protection offers useful guidance for this research area.

First, we introduce the mechanism of covert channels and give an overview of the related detection techniques. We observe that most detection processes must be based on previously collected knowledge of the channels, and that only a few covert channels can be identified. However, blind detection is the basic requirement of a detection system in practical networks. This dissertation starts with the system requirements analysis, analyzes the principles of existing classic covert channels, and captures the features of those channels. According to the channel detection strategy, covert channels fall into three types: covert channels based on pattern (PCC), covert channels based on knowledge (KCC), and covert channels based on statistics (SCC). This classification is the core foundation of the detection strategy design. At the same time, the network requirements and the management requirements determine the requirements for the system configuration design. The overall system design consists of six modules, which cover the whole detection procedure, including packet capture, channel identification and threat notification. The covert channel detection module contains three detectors, PCC, KCC and SCC, which identify different types of covert channels. The PCC detector identifies covert channels based on feature matching rules, the KCC detector identifies covert channels based on internal network knowledge, and the SCC detector identifies covert channels based on a density clustering algorithm. The three detectors work independently but also cooperate at times. We implement each of them in the system design.

Finally, we build a network environment to test the system's performance. By setting up different network scenarios, we test and verify the availability of the functions and the effectiveness of the detection strategy for each detector. Evaluation and simulation results demonstrate that the system achieves blind detection, and that the system proposed in this dissertation performs well in both functional completeness and detection effectiveness. Overall, the system has good generality and scalability.
Keywords/Search Tags: covert channels, detection system, data leakage, detection strategy