基于One-class SVM的网络时间隐蔽信道检测方法

网络时间隐蔽信道的检测是网络隐蔽信道研究中的热点和难点。当前的网络时间隐蔽信道的检测方法更多是针对某个或者某些特定的网络时间隐蔽信道,不具备通用性。本文利用机器学习中的SVM思想,提出一种基于One-class SVM的通用检测方法。把时间隐蔽信道的检测看作是一种单值分类问题,利用正常信道数据集进行训练,构建分类模型。实验表明该检测方法在保证较高检测率的同时,又具备较好的通用性,可以比较有效地检测出多种网络时间隐蔽信道。     

面向Liquid时间隐通道的检测方法

IP时间隐通道严重威胁着网络用户的信息安全,基于熵的检测方法是目前最有效的时间隐通道检测方法,可以检测已知的IP时间隐通道。而近期提出的Liquid时间隐通道将包序列分为两部分,通过相互间的补偿来有效地躲避了熵的检测。针对Liquid方法的特点,提出了基于滑动窗口的熵检测方法。该方法先利用滑动窗口找出隐信息包序列和补偿包序列,然后再基于正常通信和Liquid通信在这两种包序列间存在熵差异性的特点实现检测,大量实验结果表明该方法能够有效地检测出Liquid时间隐通道。     

基于Markov模型的HTTP参数排序隐蔽信道检测方法

网络隐蔽信道是利用网络协议中的保留、可选或未定义等字段在网络不同主机间建立秘密消息传输的通信信道,其中HTTP协议作为万维网上最常用的协议之一,是网络隐蔽信道的良好载体。为有效检测基于HTTP协议的隐蔽信道,提出一种基于Markov模型的隐蔽信道检测方法。以Host、Connection、Accept和User-Agent为关键字,建立数据包的Markov模型并计算其状态转移概率矩阵,利用待测数据包与正常数据包2个概率矩阵之间的相对熵,判别是否存在隐蔽信道通信。实验结果表明,当隐蔽信道中的异常数据超过70%时,该方法检测率可达97%以上。     

差分信息熵的网络时序型隐蔽信道检测

网络隐蔽信道是以合法网络通信信道作为载体建立的一种隐蔽通信技术.相比信息加密,网络隐蔽信道不仅隐藏了传输信息的内容,同时还隐藏了传输信息的行为,因而具有更强的隐蔽性.隐蔽信道技术的出现,使得网络通信中的信息安全和隐私保护受到了极大的威胁,尤其是间谍和其他不法分子可以利用隐蔽信道绕过系统的安全检查机制,窃取机密信息.因此,研究高效且准确率高的隐蔽信道检测技术势在必行.在分析和总结前人研究成果的基础上,提出了差分信息熵的概念,进而提出了基于差分熵的网络时序型隐蔽信道检测算法.首先给出了差分信息熵的定义和相关特性,然后给出了基于差分信息熵的隐蔽信道检测算法的实现原理,以及算法在具体实现过程中的参数设定,最后设计实验检测算法的性能和效果.实验结果表明,基于差分信息熵的检测算法可以有效检测IPCTC,TRCTC,JitterBug时序型隐蔽信道.     

一种基于Web访问模型的网络隐蔽通道

网络隐蔽信道是将窃取的机密信息隐藏在正常的网络传输协议中的一种通信方法. 由于网络时间隐蔽信道不修改网络数据包的内容, 因此更加难以检测和限制, 从而具有更大的威胁. 提出一种新的基于Web访问模型的网络时间隐蔽信道, 恶意用户通过规律性的访问Web服务器实现机密信息传输; 实现了该网络隐蔽信道原型, 并给出了信道的性能分析结果.     

一种基于Bayesian分类器的SSH网络隐蔽信道检测方法

隐蔽信道是一种能够以难以察觉的方式泄漏信息系统机密信息的通信方式。网络隐蔽信道是信息安全领域的研究热点,对保护网络数据安全以及于云计算平台数据安全至关重要。提出一种基于SSH数据包间隔时间的网络时间隐蔽信道实例;基于SSH协议的时间间隔特征,设计一种基于Bayesian分类器的检测方法;实验结果证明该检测方法能够达到95%的准确率,具有很好的检测性能。     

一种基于熵率和标准差混合指标的云平台隐蔽信道检测方法

云计算是目前信息技术领域研究的热点,而云平台隐蔽信道是由云计算平台的基础架构导致的新的安全问题。云平台隐蔽信道会泄漏云客户的机密信息,严重危害云平台安全。总结隐蔽信道检测的相关工作,并针对基于CPU响应时间的云平台隐蔽信道,抽象云平台隐蔽信道模型,首次提出融合熵率和标准差混合指标的检测方法。实验结果表明使用该检测方法能够达到低于5%的误报率,具有很好的检测性能。     

一种基于文件存储分布的隐蔽信道构造方法

针对现有的长度式隐蔽信道在信道熵和长度分布特征中与合法信道有差异的问题,提出一种基于隐蔽信息存储分布的隐蔽信道构造方法。将不同编码方式下的隐蔽信息转换为二进制比特流,研究比特流中作为隐蔽信息的比特或者比特串的分布概率。分析该概率对传统长度式隐蔽信道的影响,将概率分布统计应用到长度式隐蔽信道的模型构建中,并实现信道熵和长度分布检测。实验结果表明,与传统参考长度隐蔽信道相比,提出方法具有更好的隐蔽性。     

一种新型可靠网络隐蔽信道的研究

针对传统IP时间隐蔽信道传输速率低,在广域网中缺少一种稳定的时间同步机制,难以实现收发双方间可靠、稳定传输隐蔽信息的问题,提出了一种可靠网络隐蔽信道的模型。这种信道利用在固定时间窗口内发送的IP数据包数量作为载体传输隐蔽信息。通过引入一种新的信息编码机制,显著提高了网络隐蔽信道的传输带宽。进一步提出了一种比特块定界方法,解决了传统IP时间隐蔽信道的时间同步问题。实验结果表明,提出的可靠网络隐蔽信道的传输速率和稳定性均好于传统的IP时间隐蔽信道。     

HMM特征提取结合感知哈希匹配的网络时间隐蔽信道检测

针对传统网络隐蔽信道检测识别率低和鲁棒性差的问题,利用正常信道和隐蔽信道在网络流量时间序列特性的差异,提出一种隐马尔科夫链(HMM)和感知哈希匹配的网络隐蔽信道检测方法。实验表明：所提方法能准确检测隐蔽信道的网络流量,且整体区分水平在70%～85%之间;在信号噪声干扰下能够保持较高的识别率,具有较好的鲁棒性;所提方法在感知特征提取花费的时间要明显少于传统的频谱域感知特征提取,且复杂度低。     

基于二维图像特征的网络时间隐通道检测方法

网络时间隐通道以违反安全策略的形式传递信息且以难以检测,为了减少不必要的安全隐患,网络时间隐通道的检测已成为网络安全领域亟需解决的问题.针对现有检测方法仅反映一维特征的缺陷,提出一种基于二维图像特征的网络时间隐通道的检测方法,通过将网络流隐蔽通道在时间轴上的特性关系反映到二维图像的纹理特性上,进而通过基于灰度共生矩阵的...     

Covert timing channels: analyzing WEB traffic

In case there is a communication contrary to the system security policies, a covert channel has been created. The attacker can easily disclosure information from the victim’s system with just one public access permission. Covert timing channels, unlike covert storage channels, do not have memory storage and they draw less attention. Different methods have been proposed for their identification, which generally benefit from the shape of traffic and the channel’s regularity. The application nature of HTTP protocol allows the creation of a covert timing channel based on different features of this protocol (or different levels) that has not been addressed in previous researches. This research tries to study the effect of using different features (or levels) of HTTP protocol on identifying the covert channel. The amount of channel’s entropy could be manipulated by changing the channel’s level or adding intentional noise on the channel to protect from the analyzer’s detection. The difference in the placement of the covert channel and the detector causes the amount of channel entropy to be far from the detection threshold. Therefore, we concluded that the analyzer must investigate traffic at all possible levels. Adding noise on the covert channel decrease its capacity, but as entropy increases, it would be harder to detect it.

     

IP时间隐通道抗检测技术的研究

在任何一个网络系统中,时间作为发送方和接收方的共享资源是无法被割断的,这使得IP时间隐通道几乎不可能被根除。通过分析现有的多种IP时间隐通道的检测方法,提出一种不需要计算伪装分布函数反函数的新型抗检测方法,提高了IP时间隐通道的抗检测性。     

Using hierarchical statistical analysis and deep neural networks to detect covert timing channels

Covert timing channels provide a mechanism to leak data across different entities. Manipulating the timing between packet arrivals is a well-known example of such approach. The time based property makes the detection of the hidden messages impossible by traditional security protecting mechanisms such as proxies and firewalls. This paper introduces a new generic hierarchical-based model to detect covert timing channels. The detection process consists of the analysis of a set of statistical metrics at consecutive hierarchical levels of the inter-arrival times flows. The statistical metrics considered are: mean, median, standard deviation, entropy, Root of Average Mean Error (RAME). A real statistical metrics timing channel dataset of covert and overt channel instances is created. The generated dataset is set to be either flat where the statistical metrics are calculated on all flows of data or hierarchal (5 levels of hierarchy were considered) where the statistical metrics are computed on sub parts of the flow as well. Following this method, 5 different datasets were generated, and used to train/test a deep neural network based model. Performance results about accuracy and model training time showed that the hierarchical approach outperforms the flat one by 4 to 10 percent (in terms of accuracy) and was able to achieve short model training time (in terms of seconds). When compared to the Support Vector Machine (SVM) classifier, the deep neural network achieved a better accuracy level (about 2.3% to 12% depends on the used kernel) and significantly shorter model training time (few seconds versus few 100’s of seconds). This paper also explores the importance of the used metrics in each level of the detection process.     

Mimic: An active covert channel that evades regularity-based detection

A covert timing channel is a hidden communication channel based on network timing that an attacker can use to sneak secrets out of a secure system. Active covert channels, in which the attacker uses a program to automatically generate innocuous traffic to use as a medium for embedding the covert channel, are especially problematic, as they allow the attacker to output large amounts of secret data. Further, it is relatively easy to create an active covert channel that outputs traffic with the same delay distribution as legitimate traffic. However, these channels are generally detectable due to their regularity – as they are generate by a computer program, they do not have the variations found in human-generated traffic. In this work, we show how to build a an active covert channel that generates traffic in a purposefully irregular manner. In particular, we propose Mimic, an active covert channel that mimics both the shape and regularity of legitimate traffic to disguise its presence. Mimic includes two modules, a shape modeler and a regularity modeler, for learning about the statistical properties of real traffic and generating traffic with the same properties. The main novelty of Mimic stems from its ability to produce irregular patterns similar to those of legitimate traffic while maintaining the distribution shape. To measure the effectiveness of our mechanism, we run experiments for both detection and throughput over a LAN and over the Internet. Our results show that Mimic can generate channels with a wide range of regularity values, making it undetectable by any known detection technique, without sacrificing channel capacity.     

On covert channels between virtual machines

Virtualization technology has become very popular because of better hardware utilization and easy maintenance. However, there are chances for information leakage and possibilities of several covert channels for information flow between the virtual machines. Our work focuses on the experimental study of security threats in virtualization, especially due to covert channels and other forms of information leakage. The existence of data leakage during migration shutdown and destruction of virtual machines, is tested on different hypervisors. For empirically showing the possibility of covert channels between virtual machines, three new network based covert channels are hypothesized and demonstrated through implementation, on different hypervisors. One of the covert channels hypothesized is a TCP/IP steganography based covert channel. Other covert channels are a timing covert channel and a new network covert channel having two pairs of socket programs. We propose a VMM (Virtual Machine Monitor) based network covert channel avoidance mechanism, tackling detection resistant covert channel problems. We also address issue of reducing the possibilities of network based covert channels using VMM-level firewalls. In order to emphasize the importance of addressing the issue of information leakage through virtual machines, we illustrate the simplicity of launching network covert channel based attacks, by demonstrating an attack on a virtual machine using covert channels through implementation.     

自适应伪随机序列混合网络隐蔽通道构建方法

现有网络隐蔽通道研究主要集中于存储型、时间型和序列型等单一模式,单一网络隐蔽通道对网络流量影响较大,隐蔽性差,综合使用多种模式构建混合型隐蔽通道方法鲜见,且混合使用方法无法根据网络流量动态调整。提出了一种新的混合使用多种隐蔽通道的方法,建立可以根据当前网络流量特征自适应变化的隐蔽通道构建框架,通过网络流量在不同隐蔽通道下的隐蔽性强弱生成具有一定分布的伪随机序列,使用该伪随机序列在不同的模式中写入隐蔽信息,使得隐蔽信息在信息传输的过程中在多种通道中随机存在,在传输隐蔽信息的同时降低对原始流量的影响,并使隐蔽通道可以实时根据网络流量动态调整使用模式。真实网络环境中实验结果证明,该类隐蔽通道具有较强的隐蔽性和自适应性,实用价值明显。     

隐蔽信道新型分类方法与威胁限制策略

隐蔽信道是指恶意通信双方通过修改共享资源的数值、特性或状态等属性,来编码和传递信息的信道.共享资源的选取,由隐蔽信道的类型与具体通信场景所决定.早期,存储隐蔽信道和时间隐蔽信道主要存在于传统操作系统、网络和数据库等信息系统中.近年来,研究重点逐渐拓展到了3类新型隐蔽信道,分别为混合隐蔽信道、行为隐蔽信道和气隙隐蔽信道.对近年来国内外隐蔽信道研究工作进行了系统的梳理、分析和总结.首先,阐述隐蔽信道的相关定义、发展历史、关键要素和分析工作.然后,根据隐蔽信道共享资源的类型以及信道特征,提出新的隐蔽信道分类体系.首次从发送方、接收方、共享资源、编码机制、同步机制、评价指标和限制方法这7个方面,对近年来新型隐蔽信道攻击技术进行系统的分析和归纳,旨在为后续隐蔽信道分析和限制等研究工作提供有益的参考.进而,讨论了面向隐蔽信道类型的威胁限制技术,为设计面向一类隐蔽信道的限制策略提供研究思路.最后,总结了隐蔽信道中存在的问题和挑战.     

尺度变换复双树小波网络隐藏信道深度检测

针对隐藏信道检测问题解决中,传统检测算法存在特定隐藏信道盲区,或对某类隐藏信道针对性过强而忽视其他隐藏信道的问题,提出一种基于复双树小波包变换的邻域和空域联合网络隐藏信道检测。首先,基于复双树小波包有限冗余变换所特有的平移不变特性,尺度间不同变换系数的相关性,以及尺度相同变换系数邻域间的相关特征,并结合信号增强机制,实现对变换系数的取舍,以达到隐藏信道信号增强效果;其次,与块阈值算法进行联合对网络时间隐藏通道特征提取,然后采用深度学习方式实现隐藏信道训练和检测。最后,通过在IPCTC、TRCTC、Jitterbug、MBCTC、FXCTC五种典型时间隐藏通道中进行实验验证,显示所提算法具有更高的特征精度和较快的计算时间。