
Study On Covert Channels Of Operating System Based On Decision Tree

Posted on: 2017-03-30
Degree: Master
Type: Thesis
Country: China
Candidate: L Y Xue
GTID: 2308330509455314
Subject: Software Engineering Technology

Abstract/Summary:
Since covert channels were first put forward, their detection has been based mainly on static methods. These methods lack corresponding automation tools and require a heavy workload of manual analysis. They are also quite error-prone, and the covert channels they identify contain a large number of false covert channels. To address the shortcomings of static covert channel identification, a new covert channel identification method is proposed that combines dynamic and static analysis so that the two complement each other. By combining an association rule algorithm with a decision tree algorithm, the method can automatically and efficiently identify covert channels that exist in an operating system. The detailed research content is divided into the following four aspects:

(1) Summarizing the minimum conditions for the existence of covert channels. From a large body of literature, four minimum conditions for the existence of a covert channel are summed up: (a) there is a sender with a higher security level; (b) there is a receiver with a low security level; (c) the sender and receiver have shared variables, the sender can modify the variable properties, and the receiver can sense the change of the variable properties; (d) there is a synchronization mechanism between sender and receiver.

(2) The improved association rule algorithm. An improved association rule algorithm is proposed to address the large number of invalid rules in the rule set produced by the association rule algorithm. First, the chi-square test is applied to remove independent rules. Second, the degree of interest is redefined to remove negatively correlated rules. Finally, using the features of covert channels, the rule set is given an additional screening to remove invalid rules, which makes the rule set of the algorithm more efficient.

(3) Applying the improved association rule algorithm to identify covert channels. High security level TCB primitives can modify shared variables, and low security level TCB primitives can sense the change of the shared variables. By operating on the shared variables, high security level TCB primitives can transfer information to low security level TCB primitives, which constitutes a covert channel. A covert channel can therefore be identified as long as two such TCB primitives are found. First, the time and order in which system calls are executed in the system are monitored. Then the data mining function of the improved association rule algorithm is applied to find the two TCB primitives that satisfy the conditions. These two TCB primitives constitute a covert channel that exists in the system.

(4) Applying the decision tree algorithm to classify and identify covert channels. The covert channels identified by the improved association rule algorithm still contain a large number of false covert channels. To address this deficiency, the method uses characteristics of covert channels, such as large bandwidth and a synchronization mechanism, to construct a decision tree with the decision tree algorithm and form a rule set. The method then applies the rule set to classify channels and mark covert channels.
Keywords/Search Tags: covert channels, operating system security, improved association rule algorithm, decision tree algorithm
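
The three-stage rule screening summarized in aspects (2) and (3), as an added example that is not code from the thesis: pairwise rules over monitored time windows are filtered by a chi-square independence test, then by positive correlation, then by the sender/receiver/shared-variable conditions. Assumptions: the window data and primitive-to-variable mapping are constructed, the 0.05 significance level is chosen here, and lift stands in for the thesis's redefined degree of interest, whose formula the abstract does not give.

```python
from itertools import permutations

CHI2_CRIT = 3.841  # chi-square critical value, 1 degree of freedom, p = 0.05 (assumed level)

# Constructed events: (security level, TCB primitive, operation, shared variable).
HW, LR = ("high", "chmod", "modify", "file_mode"), ("low", "stat", "sense", "file_mode")
HN, LS = ("high", "write", "modify", "log_size"), ("low", "lseek", "sense", "log_size")
HU, LA = ("high", "unlink", "modify", "dir_entry"), ("low", "access", "sense", "dir_entry")

def build_windows(n=40):
    """Constructed monitoring output: the set of events seen in each time window."""
    windows = []
    for i in range(n):
        w = {HW, HU} if i < 20 else set()
        if i < 18 or i in (20, 21):
            w.add(LR)            # stat almost always accompanies chmod
        if i % 2 == 0:
            w.add(HN)            # write and lseek occur independently
        if i % 4 < 2:
            w.add(LS)
        if i >= 18:
            w.add(LA)            # access mostly occurs when unlink does not
        windows.append(w)
    return windows

def chi2_and_lift(windows, a, b):
    """Chi-square statistic and lift for the rule a -> b from its 2x2 contingency table."""
    n11 = sum(a in w and b in w for w in windows)
    n10 = sum(a in w and b not in w for w in windows)
    n01 = sum(a not in w and b in w for w in windows)
    n = len(windows)
    n00 = n - n11 - n10 - n01
    denom = (n11 + n10) * (n01 + n00) * (n11 + n01) * (n10 + n00)
    chi2 = n * (n11 * n00 - n10 * n01) ** 2 / denom if denom else 0.0
    lift = n11 * n / ((n11 + n10) * (n11 + n01)) if n11 else 0.0
    return chi2, lift

def is_channel_shaped(a, b):
    """Minimum conditions: high-level modifier, low-level sensor, same shared variable."""
    return (a[0], a[2]) == ("high", "modify") and (b[0], b[2]) == ("low", "sense") and a[3] == b[3]

def screen_rules(windows):
    """Return {(sender primitive, receiver primitive): verdict} for every ordered event pair."""
    verdicts = {}
    for a, b in permutations(sorted(set().union(*windows)), 2):
        chi2, lift = chi2_and_lift(windows, a, b)
        if chi2 < CHI2_CRIT:
            verdicts[(a[1], b[1])] = "independent"
        elif lift <= 1:
            verdicts[(a[1], b[1])] = "negative correlation"
        elif not is_channel_shaped(a, b):
            verdicts[(a[1], b[1])] = "not a sender/receiver pair"
        else:
            verdicts[(a[1], b[1])] = "candidate"
    return verdicts
```

Only the `chmod`/`stat` pair survives all three filters on this data; the surviving candidates are what the decision tree stage in aspect (4) would then classify.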