Research On Key Technologies Of Detection Of Network Covert Channel

Posted on: 2019-06-21
Degree: Master
Type: Thesis
Country: China
Candidate: G X Fu
GTID: 2428330566971002
Subject: Computer Science and Technology
Abstract/Summary:
In recent years, many stealth attacks using network covert channels have occurred. Traditional defense technologies such as firewalls and intrusion detection have not been able to effectively combat this new type of cyber espionage. Network covert channel transmission is highly concealed and poses great security hazards, seriously undermining the security of Internet information. It is therefore a new challenge for network security protection. The main research contents and innovations are as follows:

1. To address the problem that existing network covert storage channel detection algorithms cannot balance computational complexity against detection rate, a detection method for network covert storage channels based on rule features is proposed. According to relevant documents, the information hiding mechanism of network covert storage channels is studied. Based on this analysis, the internal characteristics of regular patterns within packets and the characteristics of the correlation between packets are analyzed. These features are abstracted into eigenvector matrices using kernel density estimation, coefficient of variation, Shannon entropy and autocorrelation coefficient, and an SVM classifier is trained for classification detection. The proposed method is verified experimentally and its detection performance is analyzed. According to the experimental results, this method can detect network covert storage channels with high accuracy, and its computational complexity is lower than that of current methods.

2. To address the low detection rate of existing network covert timing channel detection algorithms, a novel detection method for network covert timing channels based on the multidimensional features of IPDs is proposed. Traffic flow samples of network covert timing channels are collected. The packet time interval sequence, network jitter and network delay of the network covert timing channel are given mathematical definitions and formal descriptions. Based on this, the distributions of the IPDs of On-Off, L-N, Jitterbug and Time Replay are analyzed. From the above definitions, their IPD distribution formulas are derived, and their IPDs are analyzed along three dimensions: shape, change laws and statistics. Polarization characteristics, autocorrelation characteristics and clustering characteristics are proposed respectively, and thresholds are used to determine whether the channels to be detected are normal channels. According to the experimental results, this method can detect network covert timing channels with high accuracy.

3. To address the problem that existing network covert timing channel detection algorithms lack the ability of blind detection, the reasons why the current SVM blind detection method performs poorly are analyzed. Based on this, four statistical features are added, giving eight statistical features in total. The IPDs of the network covert timing channel are described through these eight statistical features, which are used as communication fingerprints of the network covert timing channel. The communication fingerprints are then used to train a classifier based on the random forest algorithm to realize blind detection of network covert timing channels. According to the experimental results, this method can blindly detect network covert timing channels, and its blind detection performance is better than that of current methods.
Keywords/Search Tags: Network Theft Attack, Network Covert Channel, Machine Learning, Regular Feature, IPDs Multidimensional Feature
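
The statistics the abstract names (coefficient of variation, entropy, autocorrelation coefficient) can be computed over a flow's inter-packet delays (IPDs) as sketched below. This is an added example, not code from the thesis: the feature definitions, the 5 ms bin width and both constructed flows are assumptions, since the abstract gives neither formulas nor thresholds.

```python
import math
import random
from collections import Counter

def coefficient_of_variation(xs):
    """Population standard deviation divided by the mean."""
    mean = sum(xs) / len(xs)
    return math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs)) / mean

def autocorrelation(xs, lag=1):
    """Sample autocorrelation coefficient of the sequence at the given lag."""
    mean = sum(xs) / len(xs)
    denom = sum((x - mean) ** 2 for x in xs)
    if denom == 0:
        return 0.0  # constant sequence: no variation to correlate
    return sum((xs[i] - mean) * (xs[i + lag] - mean)
               for i in range(len(xs) - lag)) / denom

def shannon_entropy(xs, bin_width=0.005):
    """Entropy in bits of the IPDs after binning to bin_width seconds (assumed)."""
    counts = Counter(round(x / bin_width) for x in xs)
    return -sum(c / len(xs) * math.log2(c / len(xs)) for c in counts.values())

def ipd_features(timestamps):
    """Feature vector for one flow, from packet arrival times in seconds."""
    ipds = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return {"cv": coefficient_of_variation(ipds),
            "entropy": shannon_entropy(ipds),
            "autocorr": autocorrelation(ipds)}

def constructed_flows(n=2000, seed=1):
    """Constructed samples, not captured traffic: Poisson-like arrivals, and a
    flow whose IPDs sit on multiples of a 50 ms slot with 1 ms jitter."""
    rng = random.Random(seed)
    normal, slotted = [0.0], [0.0]
    for _ in range(n):
        normal.append(normal[-1] + rng.expovariate(1 / 0.05))
        slots = 1
        while rng.random() < 0.5:
            slots += 1
        slotted.append(slotted[-1] + slots * 0.05 + rng.uniform(-0.001, 0.001))
    return normal, slotted

if __name__ == "__main__":
    for name, ts in zip(("normal", "slotted"), constructed_flows()):
        print(name, {k: round(v, 3) for k, v in ipd_features(ts).items()})
```

On these constructed flows the slotted IPDs collapse into a few bins, so their entropy is far lower than that of the Poisson-like flow, while the lag-1 autocorrelation stays near zero for both because each delay is drawn independently.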