CN105447410A - Operation detection method and apparatus for covert channel - Google Patents

Operation detection method and apparatus for covert channel

Info

Publication number: CN105447410A
Authority: CN (China)
Prior art keywords: frequent item, item set, user, correlation rule, communication channel
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Application number: CN201510932951.7A
Other languages: Chinese (zh)
Inventors: 崔维力, 赵伟, 李淼
Current assignee: TIANJIN NANKAI UNIVERSITY GENERAL DATA TECHNOLOGIES Co Ltd (assignee list as given by Google Patents; may be inaccurate)
Original assignee: TIANJIN NANKAI UNIVERSITY GENERAL DATA TECHNOLOGIES Co Ltd
Priority date: 2015-12-12 (priority date as listed by Google Patents; not a legal conclusion)
Filing date: 2015-12-12
Publication date: 2016-03-30
Application filed by TIANJIN NANKAI UNIVERSITY GENERAL DATA TECHNOLOGIES Co Ltd
Priority to CN201510932951.7A
Publication of CN105447410A
Legal status: Pending
Classifications

    • G  PHYSICS
    • G06  COMPUTING; CALCULATING OR COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00  Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60  Protecting data
    • G06F21/62  Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218  Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database

Abstract

The invention provides an operation detection method and apparatus for a covert channel. The method comprises: converting the parameter data of user operations into Boolean data; performing frequent itemset mining on the Boolean data; mining association rules from the frequent itemsets; and detecting user operations according to the association rules. Covert channel operations can be detected without large-scale computation and with relatively high accuracy, so performance is greatly improved.

Description

Operation detection method and apparatus for a covert channel
Technical field
The invention belongs to the technical field of database security, and in particular relates to an operation detection method and apparatus for a covert channel.
Background technology
A covert channel is a communication channel that allows a process to transmit information in a manner that violates the system security policy. China's "Classified criteria for security protection of computer information systems" (GB17859-1999), the United States' "Trusted Computer System Evaluation Criteria" (TCSEC) and the "Common Criteria for Information Technology Security Evaluation" issued by the International Organization for Standardization (ISO) in 1999 (ISO/IEC 15408, abbreviated CC) [3] all set out explicit requirements for covert channel analysis: high-assurance information systems (level four of GB17859-1999, level B2 and above of TCSEC) must perform covert channel analysis, and, on the basis of identifying covert channels, must measure and handle them.
The concept of the covert channel was first proposed by Lampson in 1973, who defined it as a communication channel that was neither designed nor intended for the transmission of information. In that seminal article Lampson was concerned with the confinement problem, namely how to restrict a program during its execution so that it cannot transmit information to other unauthorized programs. He listed six ways in which a malicious or misbehaving program can circumvent confinement and leak data, together with the corresponding countermeasures, and summarized these methods into three types: storage channels, legitimate channels and "covert channels".
A legitimate channel is a kind of subliminal channel, a way of achieving covert communication established inside an overt channel. In the overt channel the meaningful information serves only as a carrier for the secret information, which is transmitted through it. This mode of hidden information transfer later gradually moved away from the center of covert channel research and formed a relatively independent research field.
Covert channel analysis comprises channel identification, measurement and handling. Channel identification is a static analysis of the system, emphasizing analysis of the design and code to find all potential covert channels. Channel measurement is the evaluation of a channel's transmission capacity and degree of threat. Channel handling measures comprise channel elimination, restriction and auditing. Elimination measures comprise modifying the system to remove the source that produces the covert channel, that is, destroying the conditions for the channel's existence. Restriction requires reducing the harm of the channel to a range the system can tolerate. However, not every potential covert channel can actually be exploited by an intruder; measuring and handling all potential covert channels would cause unnecessary performance consumption and reduce system efficiency.
Summary of the invention
Embodiments of the present invention provide an operation detection method and apparatus for a covert channel, so as to detect covert channel operations on the basis of low performance consumption.
In a first aspect, embodiments of the present invention provide an operation detection method for a covert channel, the method comprising:
converting the parameter data of user operations into Boolean data;
performing frequent itemset mining on the Boolean data;
mining association rules from the frequent itemsets;
detecting user operations according to the association rules.
Further, performing frequent itemset mining on the Boolean data comprises:
determining the frequent itemsets according to a preset minimum support.
Further, mining association rules from the frequent itemsets comprises:
scanning the frequent itemsets;
calculating the confidence of the frequent itemsets and comparing it with a preset minimum confidence, producing at least two rule frequent itemsets;
joining and pruning the rule frequent itemsets to generate candidates;
taking the membership relations in the candidates as association rules.
Further, detecting user operations according to the association rules comprises:
when the parameter data of a user operation does not satisfy the association rules, determining that the user's operation is an illegal covert channel operation.
In a second aspect, embodiments of the present invention provide an operation detection apparatus for a covert channel, the apparatus comprising:
a data conversion module, for converting the parameter data of user operations into Boolean data;
a mining module, for performing frequent itemset mining on the Boolean data;
a rule mining module, for mining association rules from the frequent itemsets;
an operation detection module, for detecting user operations according to the association rules.
Further, the mining module is for:
determining the frequent itemsets according to a preset minimum support.
Further, the rule mining module is for:
scanning the frequent itemsets;
calculating the confidence of the frequent itemsets and comparing it with a preset minimum confidence, producing at least two rule frequent itemsets;
joining and pruning the rule frequent itemsets to generate candidates;
taking the membership relations in the candidates as association rules.
Further, the operation detection module is for:
when the parameter data of a user operation does not satisfy the association rules, determining that the user's operation is an illegal covert channel operation.
With the technical solution provided by the embodiments of the present invention, comprehensive statistics are gathered over the parameter data of user operations to obtain association rules for that parameter data, and the association rules are then used to judge whether a user's operation is a covert channel operation. Covert channel operations can thus be detected without large-scale computation and with relatively high accuracy, which greatly improves performance.
Brief description of the drawings
In order to describe the technical solutions of the embodiments of the present invention more clearly, the drawings required for the embodiments or for the description of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of the operation detection method for a covert channel provided by the first embodiment of the present invention;
Fig. 2 is a schematic structural diagram of the operation detection apparatus for a covert channel provided by the second embodiment of the present invention.
Embodiment
The technical solutions of the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a schematic flow chart of the operation detection method for a covert channel provided by the first embodiment of the present invention; the method relies on a corresponding apparatus for its implementation. The apparatus can be implemented in software and/or hardware, and is generally integrated in a database.
Referring to Fig. 1, the operation detection method for a covert channel comprises:
Step S101: converting the parameter data of user operations into Boolean data.
When a user performs data operations, various parameter states are involved: the time interval between one operation and the next; the user's reaction time after an operation returns an error; the type of the next operation; the length of the time window in which the user performs a large number of operations in a short time; the number of operations by the user on the same database object; the type of operations by the user on the same database object; and so on.
These parameters may be correlated with one another, and such correlations reflect the normal operation patterns of normal users. Association rule mining can be used to analyze the normal operations of a large number of normal users and thereby summarize the patterns of normal users' normal database operation.
Because the data consumed by association rule mining algorithms are all Boolean, the parameter data of user operations must be converted to suit this computation. In a database management system (DBMS), the database audit data to be analyzed are multi-valued, so the quantitative association rule problem has to be converted into a Boolean association rule problem. Specifically, each attribute value is mapped to a new Boolean attribute. The preprocessing method for a categorical multi-valued attribute is to map each category directly to a Boolean attribute; for example, the categorical multi-valued attribute "subject" is converted into the Boolean attributes user_liming, user_zhangqiang, user_wangfang, and so on. A quantitative multi-valued attribute is partitioned into intervals that are mapped to Boolean attributes: the values of the quantitative attribute are sorted in ascending order and divided into several intervals, forming Boolean attributes such as number0_4, number5_10, number11_20.
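The Booleanization step described above, as an added example that is not part of the patent or its applicant's code: categorical audit attributes are mapped one category per Boolean attribute, and quantitative attributes are either assigned to fixed intervals or to equal-depth intervals derived from sorted observed values. The attribute names, bin edges and audit rows are constructed for illustration; only the user_* and number* naming follows the page.

```python
"""Booleanize multi-valued DBMS audit records for association-rule mining.

Added example, not the patent's own code. The attribute names, bin edges and
audit rows below are constructed for illustration.
"""
from typing import Dict, FrozenSet, List, Sequence, Tuple

# A bin is (label, inclusive upper edge); bins are ordered by upper edge.
Bins = Sequence[Tuple[str, int]]

# Fixed bins in the page's number0_4 / number5_10 / number11_20 naming (constructed edges).
NUMBER_BINS: Bins = (("0_4", 4), ("5_10", 10), ("11_20", 20))


def equal_depth_bins(values: Sequence[int], k: int) -> List[Tuple[str, int]]:
    """Derive k interval bins from observed non-negative counts: sort ascending and
    cut so each interval holds roughly the same number of records.  Intervals are
    contiguous (lower = previous upper + 1), so any later value lands in exactly one."""
    vs = sorted(values)
    n = len(vs)
    if n == 0:
        return []
    bins: List[Tuple[str, int]] = []
    lower = 0  # assumption: quantities are non-negative integers
    for i in range(1, k + 1):
        upper = vs[i * n // k - 1]
        if bins and upper <= bins[-1][1]:
            continue  # many tied values: skip an interval that would be empty
        bins.append((f"{lower}_{upper}", upper))
        lower = upper + 1
    return bins


def bin_quantity(prefix: str, value: float, bins: Bins = NUMBER_BINS) -> str:
    """Map a quantity to the Boolean attribute of its interval, e.g. 'number5_10'.
    Values above the last edge get an explicit overflow attribute rather than being
    silently dropped, so a record with an out-of-range count still reaches the miner."""
    for label, upper in bins:
        if value <= upper:
            return f"{prefix}{label}"
    return f"{prefix}over{bins[-1][1]}"


def booleanize(record: Dict[str, object],
               categorical: Dict[str, str],
               quantitative: Dict[str, Tuple[str, Bins]]) -> FrozenSet[str]:
    """One audit record -> the set of Boolean attributes that are true for it.
    categorical:  attribute -> prefix; each category value becomes its own attribute
                  (e.g. subject 'liming' -> 'user_liming').
    quantitative: attribute -> (prefix, bins); the value is replaced by its interval."""
    items = {f"{prefix}{record[attr]}" for attr, prefix in categorical.items()}
    for attr, (prefix, bins) in quantitative.items():
        items.add(bin_quantity(prefix, float(record[attr]), bins))
    return frozenset(items)


# Constructed audit rows: who did what, and how many operations hit the same object.
SAMPLE_AUDIT = [
    {"subject": "liming", "op": "SELECT", "ops_on_object": 3},
    {"subject": "zhangqiang", "op": "UPDATE", "ops_on_object": 12},
    {"subject": "wangfang", "op": "SELECT", "ops_on_object": 7},
    {"subject": "liming", "op": "SELECT", "ops_on_object": 45},
]


def booleanize_all(records=SAMPLE_AUDIT) -> List[FrozenSet[str]]:
    """Transactions ready for frequent-itemset mining (one itemset per audit record)."""
    return [booleanize(r, {"subject": "user_", "op": "op_"},
                       {"ops_on_object": ("number", NUMBER_BINS)}) for r in records]


if __name__ == "__main__":
    for t in booleanize_all():
        print(sorted(t))
```

The interval edges decide what the miner can learn: bins that are too coarse hide a burst of operations inside a "normal" interval, while bins that are too fine make every count rare and starve the support threshold, so edges should be derived from a baseline of audited normal activity (equal_depth_bins above does that) rather than chosen by hand.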
Step S102: performing frequent itemset mining on the Boolean data.
After the data have been obtained by the data Booleanization algorithm, the Apriori frequent itemset mining algorithm can be used to perform frequent itemset mining on the Boolean data: according to the user-set minimum confidence minconf and minimum support Min_sup, the frequent itemsets L are mined.
Step S103: mining association rules from the frequent itemsets.
The frequent itemsets are scanned, the confidence of the frequent itemsets is calculated and compared with the preset minimum confidence, producing at least two rule frequent itemsets; the rule frequent itemsets are joined and pruned to generate candidates; and association rules are produced. By way of example: for each frequent itemset L, generate all nonempty subsets of L; for each nonempty subset S of L, if P(L)/P(S) ≥ min_conf, output the rule "S → L − S".
Step S104: detecting user operations according to the association rules.
The association rules are matched against the user's operation. When the parameter data of the user operation does not satisfy the association rules, the user's operation is determined to be an illegal covert channel operation; otherwise the user's operation is considered a legitimate operation.
In this embodiment, comprehensive statistics are gathered over the parameter data of user operations to obtain association rules for that parameter data, and the association rules are then used to judge whether a user's operation is a covert channel operation. Covert channel operations can thus be detected without large-scale computation and with relatively high accuracy, which greatly improves performance.
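Steps S102 to S104 carried through end to end, as an added example that is not the patent's or its applicant's code: Apriori mining with a minimum support, rule generation with the P(L)/P(S) ≥ min_conf test, and the rule-matching check that flags an operation as illegal when it breaks a learned rule. The transactions are constructed and already Booleanized (each is the set of attributes true for one audited normal-user operation); the attribute names gap500_2000 and gap0_100 are assumed interval attributes for the inter-operation time gap, not names from the page.

```python
"""Apriori frequent-itemset mining, confidence-based rule generation and the
rule-matching check of steps S102-S104.

Added example, not the patent's own code. TRANSACTIONS are constructed: each is
the set of Boolean attributes true for one audited normal-user operation, as
the Booleanization step would produce. gap* attribute names are assumed.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple

Itemset = FrozenSet[str]
Rule = Tuple[Itemset, Itemset, float]  # (antecedent S, consequent L-S, confidence)


def _support(transactions: List[Itemset], candidates) -> Dict[Itemset, float]:
    """Support of each candidate = fraction of transactions containing it."""
    n = len(transactions)
    return {c: sum(1 for t in transactions if c <= t) / n for c in candidates}


def apriori(transactions: List[Itemset], min_sup: float) -> Dict[Itemset, float]:
    """Return every frequent itemset (support >= min_sup) with its support."""
    singletons = {frozenset([i]) for t in transactions for i in t}
    level = {c: s for c, s in _support(transactions, singletons).items() if s >= min_sup}
    frequent: Dict[Itemset, float] = {}
    k = 1
    while level:
        frequent.update(level)
        # Join: pair frequent k-itemsets whose union has k+1 items;
        # prune: keep the union only if every one of its k-subsets is frequent.
        candidates = set()
        for a, b in combinations(sorted(level, key=sorted), 2):
            u = a | b
            if len(u) == k + 1 and all(frozenset(s) in level for s in combinations(u, k)):
                candidates.add(u)
        level = {c: s for c, s in _support(transactions, candidates).items() if s >= min_sup}
        k += 1
    return frequent


def generate_rules(frequent: Dict[Itemset, float], min_conf: float) -> List[Rule]:
    """For each frequent L and each nonempty proper subset S, emit S -> L-S when the
    confidence P(L)/P(S) >= min_conf.  P(S) is always available because every
    subset of a frequent itemset is itself frequent (the Apriori property)."""
    rules: List[Rule] = []
    for L, sup_L in frequent.items():
        for r in range(1, len(L)):
            for s in combinations(sorted(L), r):
                S = frozenset(s)
                conf = sup_L / frequent[S]
                if conf >= min_conf:
                    rules.append((S, L - S, conf))
    return rules


def violated_rules(operation: Itemset, rules: List[Rule]) -> List[Rule]:
    """Rules whose antecedent the operation matches but whose consequent it lacks."""
    return [(S, C, conf) for S, C, conf in rules if S <= operation and not C <= operation]


def is_covert_channel_operation(operation: Itemset, rules: List[Rule]) -> bool:
    """Step S104: an operation that breaks any learned rule is flagged as illegal."""
    return bool(violated_rules(operation, rules))


# Constructed baseline of audited normal-user operations (already Booleanized).
TRANSACTIONS: List[Itemset] = [frozenset(t) for t in (
    {"user_liming", "op_SELECT", "number0_4", "gap500_2000"},
    {"user_liming", "op_SELECT", "number0_4", "gap500_2000"},
    {"user_zhangqiang", "op_SELECT", "number0_4", "gap500_2000"},
    {"user_zhangqiang", "op_UPDATE", "number0_4", "gap500_2000"},
    {"user_wangfang", "op_SELECT", "number0_4", "gap500_2000"},
    {"user_wangfang", "op_SELECT", "number5_10", "gap500_2000"},
    {"user_liming", "op_INSERT", "number0_4", "gap500_2000"},
    {"user_zhangqiang", "op_SELECT", "number0_4", "gap500_2000"},
)]


def learn_rules(min_sup: float = 0.5, min_conf: float = 0.8) -> List[Rule]:
    """Mine the baseline and keep the rules that reach the confidence threshold."""
    return generate_rules(apriori(TRANSACTIONS, min_sup), min_conf)


if __name__ == "__main__":
    rules = learn_rules()
    for S, C, conf in rules:
        print(f"{sorted(S)} -> {sorted(C)}  conf={conf:.2f}")
    # Many SELECTs against one object with very short gaps breaks the learned rules.
    probe = frozenset({"user_liming", "op_SELECT", "number11_20", "gap0_100"})
    print("flagged:", is_covert_channel_operation(probe, rules))
```

Two properties of this check matter when it is deployed as a detector. First, it only fires on rules whose antecedent the operation actually matches, so an operation type never seen in the baseline (no rule has it as antecedent) passes silently; the baseline must cover the operation mix of the users being monitored. Second, any legitimate but unusual behaviour also violates rules, so the min_sup and min_conf thresholds trade false positives against missed covert traffic and should be tuned on held-out audit data rather than fixed once.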
Fig. 2 illustrates the second embodiment of the present invention.
Fig. 2 is a schematic structural diagram of the operation detection apparatus for a covert channel provided by the second embodiment of the present invention.
As can be seen from Fig. 2, the operation detection apparatus for a covert channel comprises:
a data conversion module 210, for converting the parameter data of user operations into Boolean data;
a mining module 220, for performing frequent itemset mining on the Boolean data;
a rule mining module 230, for mining association rules from the frequent itemsets;
an operation detection module 240, for detecting user operations according to the association rules.
Further, the mining module 220 is for:
determining the frequent itemsets according to a preset minimum support.
Further, the rule mining module 230 is for:
scanning the frequent itemsets;
calculating the confidence of the frequent itemsets and comparing it with a preset minimum confidence, producing at least two rule frequent itemsets;
joining and pruning the rule frequent itemsets to generate candidates;
taking the membership relations in the candidates as association rules.
Further, the operation detection module 240 is for:
when the parameter data of a user operation does not satisfy the association rules, determining that the user's operation is an illegal covert channel operation.
The above-mentioned apparatus for loading a compressed data file from a low-speed data source can perform the method for loading a compressed data file from a low-speed data source, and possesses the functional modules and beneficial effects corresponding to executing that method.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium; when executed, it performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical discs and other media capable of storing program code.
Finally, it should be noted that the above embodiments serve only to illustrate the technical solutions of the present invention and are not intended to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features can be replaced by equivalents, and such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. An operation detection method for a covert channel, characterized in that the method comprises:
converting the parameter data of user operations into Boolean data;
performing frequent itemset mining on the Boolean data;
mining association rules from the frequent itemsets;
detecting user operations according to the association rules.
2. The method according to claim 1, characterized in that performing frequent itemset mining on the Boolean data comprises:
determining the frequent itemsets according to a preset minimum support.
3. The method according to claim 2, characterized in that mining association rules from the frequent itemsets comprises:
scanning the frequent itemsets;
calculating the confidence of the frequent itemsets and comparing it with a preset minimum confidence, producing at least two rule frequent itemsets;
joining and pruning the rule frequent itemsets to generate candidates;
taking the membership relations in the candidates as association rules.
4. The method according to claim 1, characterized in that detecting user operations according to the association rules comprises:
when the parameter data of a user operation does not satisfy the association rules, determining that the user's operation is an illegal covert channel operation.
5. An operation detection apparatus for a covert channel, characterized in that the apparatus comprises:
a data conversion module, for converting the parameter data of user operations into Boolean data;
a mining module, for performing frequent itemset mining on the Boolean data;
a rule mining module, for mining association rules from the frequent itemsets;
an operation detection module, for detecting user operations according to the association rules.
6. The apparatus according to claim 5, characterized in that the mining module is for:
determining the frequent itemsets according to a preset minimum support.
7. The apparatus according to claim 6, characterized in that the rule mining module is for:
scanning the frequent itemsets;
calculating the confidence of the frequent itemsets and comparing it with a preset minimum confidence, producing at least two rule frequent itemsets;
joining and pruning the rule frequent itemsets to generate candidates;
taking the membership relations in the candidates as association rules.
8. The apparatus according to claim 1, characterized in that the operation detection module is for:
when the parameter data of a user operation does not satisfy the association rules, determining that the user's operation is an illegal covert channel operation.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510932951.7A CN105447410A (en) 2015-12-12 2015-12-12 Operation detection method and apparatus for covert channel

Publications (1)

Publication Number Publication Date
CN105447410A true CN105447410A (en) 2016-03-30

Family

ID=55557573

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510932951.7A Pending CN105447410A (en) 2015-12-12 2015-12-12 Operation detection method and apparatus for covert channel

Country Status (1)

Country Link
CN (1) CN105447410A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110004631A1 (en) * 2008-02-26 2011-01-06 Akihiro Inokuchi Frequent changing pattern extraction device
CN104715073A (en) * 2015-04-03 2015-06-17 江苏物联网研究发展中心 Association rule mining system based on improved Apriori algorithm

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
叶明全 et al.: "Database Technology and Applications" (《数据库技术与应用》), 31 July 2015 *
郭鸿雁: "Research and implementation of an adaptive network security audit system based on data mining" (基于数据挖掘的自适应网络安全审计系统的研究与实现), China Master's Theses Full-text Database, Information Science and Technology series (《中国优秀硕士学位论文全文数据库·信息科技辑》) *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160330