CN105763271A - Concealed channel detection method and apparatus - Google Patents


Info

Publication number
CN105763271A
Authority
CN (China)
Prior art keywords
communication channel
information
private communication channel
parameter
user
Legal status
Pending
Application number
CN201510927065.5A
Other languages
Chinese (zh)
Inventors
崔维力
赵伟
李淼
Current assignee
TIANJIN NANKAI UNIVERSITY GENERAL DATA TECHNOLOGIES Co Ltd
Original assignee
TIANJIN NANKAI UNIVERSITY GENERAL DATA TECHNOLOGIES Co Ltd
Application filed by TIANJIN NANKAI UNIVERSITY GENERAL DATA TECHNOLOGIES Co Ltd
Priority to CN201510927065.5A
Publication of CN105763271A

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a concealed channel detection method and apparatus. The method comprises the following steps: obtaining information for detecting concealed channels while a database system runs, and determining a concealed channel use event from that information; determining the parameter state of each operation included in the concealed channel use event; and determining whether the operation is legal according to the range of the probability that the state parameters belong to a set parameter space. The invention addresses the high misjudgment rate and the missed detections of conventional concealed channel detection techniques based on concealed channel judgment rules: concealed channel communication can be detected without prior knowledge, detection efficiency is improved, and the misjudgment rate and the missed-detection rate are reduced.

Description

Covert channel detection method and apparatus
Technical field
Embodiments of the present invention relate to database technology, and in particular to a method and an apparatus for detecting covert channel communication.
Background technology
A covert channel is a communication channel that allows a process to transmit information in a way that violates the system security policy.
The concept of the covert channel was first proposed by Lampson in 1973, who defined it as a communication channel that was neither designed nor intended for transmitting information. In that seminal article Lampson addressed the confinement problem: how to restrict the execution of a program so that it cannot transmit information to other, unauthorised programs. He listed six ways in which a malicious or misbehaving program can circumvent the restriction and leak data, together with countermeasures for each, and grouped them into three types: storage channels, legitimate channels and "covert channels". Later research reclassified these into two types, storage covert channels and timing covert channels, collectively called covert channels. The timing covert channel corresponds to Lampson's "covert channel". The legitimate channel is a subliminal channel, a way of carrying out covert communication inside an overt channel: the information openly disclosed in the channel serves only as the carrier of the secret information, which is transmitted by means of it. This mode of hidden transmission later gradually moved out of the centre of covert channel research and formed a relatively independent research field.
Covert channel analysis consists of channel identification, measurement and handling. Identification is a static analysis of the system that examines the design and code to find all potential covert channels. Measurement evaluates a channel's transmission capacity and the degree of threat it poses. Handling measures include channel elimination, restriction and auditing. Elimination means modifying the system to remove the source that produces the covert channel and destroy the conditions under which the channel can exist. Restriction reduces the harm of the channel to a range the system can tolerate. However, not every potential covert channel can actually be exploited by an intruder, and measuring and handling every potential covert channel produces unnecessary performance overhead and reduces system efficiency. Moreover, conventional covert channel detection techniques based on covert channel judgment rules suffer from a high false-positive rate and from missed detections.
Summary of the invention
The present invention provides a method and an apparatus for detecting covert channel communication, which can detect covert channel communication without prior knowledge, improve detection efficiency, and reduce the false-positive rate and the missed-detection rate.
In a first aspect, an embodiment of the present invention provides a covert channel detection method, comprising:
obtaining, while the database system is running, information for detecting covert channels, and determining a covert channel use event from that information;
determining the parameter state of each operation included in the covert channel use event; and
determining whether the operation is legal according to the probability range within which the state parameters fall in a set parameter space.
In a second aspect, an embodiment of the present invention further provides a covert channel detecting apparatus, comprising:
a covert channel use event determining unit, configured to obtain, while the database system is running, information for detecting covert channels, and to determine a covert channel use event from that information;
a parameter state determining unit, configured to determine the parameter state of each operation included in the covert channel use event; and
an operation state determining unit, configured to determine whether the operation is legal according to the probability range within which the state parameters fall in a set parameter space.
The present invention obtains, while the database system is running, information for detecting covert channels and determines a covert channel use event from that information; determines the parameter state of each operation included in the covert channel use event; and determines whether the operation is legal according to the probability range within which the state parameters fall in a set parameter space. This addresses the high false-positive rate and missed detections of existing covert channel detection techniques based on covert channel judgment rules: covert channel communication can be detected without prior knowledge, detection efficiency is improved, and the false-positive rate and the missed-detection rate are reduced.
Brief description of the drawings
Fig. 1 is a flow chart of a covert channel detection method according to embodiment one of the present invention;
Fig. 2 is a schematic structural diagram of a covert channel detecting apparatus according to embodiment two of the present invention.
Detailed description of the invention
The present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and do not limit it. It should also be noted that, for ease of description, the drawings show only the parts relevant to the present invention rather than the entire structure.
Embodiment one
Fig. 1 is a flow chart of a covert channel detection method provided by embodiment one of the present invention. This embodiment applies to the case of performing covert channel detection without prior knowledge. The method can be executed by a covert channel detecting apparatus and specifically comprises the following steps.
Step 110: obtain, while the database system is running, information for detecting covert channels, and determine a covert channel use event from that information.
The terminal obtains the operation information of the user's operations on the shared resources included in the database system, together with the attribute information of the shared resources operated on. For example, the terminal derives the run-time information for detecting covert channels by collecting and summarising status information related to the user's operations on resources, shared resource attribute information and the like. This status information is refined continuously as research develops and is not fixed. Then, from the operation information and the shared resource attribute information, the terminal determines and sets the parameter state of the channel use operation, the channel type, and the sending and receiving parties of the communication. Here, a channel use operation is simply an operation a user performs while using the database, and the sending and receiving parties are the two users communicating over the covert channel.
Step 120: determine the parameter state of each operation included in the covert channel use event.
The parameter state comprises:
a. the interval between two adjacent operations, denoted ot;
b. when the database system returns an error message for the current operation, the time the user takes to input a response to that error message, denoted rt;
c. the type of the next operation the user inputs after the current operation, denoted oc;
d. within a predetermined period, the length of the interval during which the user's input operations exceed a set quantity, denoted sot;
e. the number of operations the user inputs on the same database object, denoted ots;
f. the type of the operations the user inputs on the same database object, denoted oso.
The terminal monitors the operations input by the user, determines the parameter state of each operation in the covert channel use event, and calculates the probability of each parameter state. For example, one group of operations of one user is evaluated; denote it o, and denote the evaluation parameters m1, m2, ..., mn. Let P(o) be the probability that operation o is a normal operation; then P(o) = f(p(m1), p(m2), ..., p(mn)), i.e. the function f(p(m1), p(m2), ..., p(mn)) is used to calculate the probability that o is a normal operation, where f(p(m1), p(m2), ..., p(mn)) = p(m1) * p(m2) * ... * p(mn). In other words, the product of the probabilities of the individual parameter states is the estimated joint probability that operation o is a normal operation. As shown in Fig. 2, each p(m) is read from a value-range probability graph obtained by collecting statistics over the normal operations of a large number of normal users. For example, to determine the probability that a given value of parameter state ot occurs, P(ot) = f(p(t1), p(t2), ..., p(tn)).
Step 130: determine whether the operation is legal according to the probability range within which the state parameters fall in the set parameter space.
Statistics are collected on the various state parameters of valid operations performed by normal users, and the state range of valid operations is derived from them; an operation that falls within this range is probably not an illegal operation that uses a covert channel to communicate. For example, considering only the case of two users communicating over a covert channel, the following state parameters of valid operations by normal users can be taken from the statistics: the interval before the next operation after an operation has been performed; after an operation returns an error, the user's response time and the type of the next operation performed; the length of time over which the user performs a large number of operations in a short period; the user's number of operations and operation types on the same database object; and so on. A normal parameter space is calculated from these state parameters, and probabilities are calculated for data that lie outside the normal space. If the probabilities that several state parameters belong to the set parameter space are each below a set first threshold, and the joint probability of those state parameters is below a set second threshold, the operation is determined to be an illegal operation; the user's operations are then restricted, which blocks the covert channel. The thresholds are obtained by statistical analysis of information on normal operations. For example, data on valid operations by a large number of legitimate users are analysed statistically in advance; the statistical analysis may be done by a software program or by an intuitive graphical comparison. As shown in Fig. 2, the data are plotted on a value-range probability graph in which the horizontal axis is the parameter state value and the vertical axis is the probability with which each specific parameter state value occurs. The parameter value space of normal operation is 5 to 100, and values outside this range indicate a suspicious operation.
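As an added illustration (not code from the patent or its applicant), the following Python sketch implements the probability model of steps 120 and 130: empirical per-parameter probabilities built from a constructed sample of normal operations, the product P(o) = p(m1) * ... * p(mn), and the two-threshold rule. The bucket widths, the floor probability for values never seen among normal operations, the threshold values and the minimum number of rare parameters are all assumptions of this example.

```python
from collections import Counter
from math import prod

# The six parameter states of step 120: ot, rt, oc, sot, ots, oso.
PARAMS = ("ot", "rt", "oc", "sot", "ots", "oso")
# Bucket widths (in seconds) for the timing parameters; the operation-type and
# count parameters are used as they are.  The widths are an assumption here.
BUCKET_WIDTH = {"ot": 10, "rt": 5, "sot": 5}


def bucket(name, value):
    """Map a raw timing value onto the value-range bucket it belongs to."""
    width = BUCKET_WIDTH.get(name)
    return (value // width) * width if width else value


def make_state(ot, rt, oc, sot, ots, oso):
    """Build the parameter-state record of one database operation."""
    raw = dict(zip(PARAMS, (ot, rt, oc, sot, ots, oso)))
    return {name: bucket(name, value) for name, value in raw.items()}


# Constructed stand-in for the large sample of normal-user operations the
# patent collects statistics over (ot/rt/sot in seconds, ots a count).
NORMAL_OPERATIONS = [
    make_state(12, 9, "SELECT", 0, 1, "SELECT"),
    make_state(18, 7, "SELECT", 0, 2, "SELECT"),
    make_state(25, 11, "UPDATE", 0, 1, "SELECT"),
    make_state(40, 8, "SELECT", 0, 3, "UPDATE"),
    make_state(33, 14, "INSERT", 0, 2, "SELECT"),
    make_state(55, 10, "SELECT", 0, 1, "SELECT"),
    make_state(70, 6, "SELECT", 0, 2, "UPDATE"),
    make_state(95, 12, "DELETE", 0, 1, "SELECT"),
]


def build_value_probabilities(samples):
    """Per-parameter empirical probability of each bucketed value: the
    'value-range probability graph' of the patent, as lookup tables."""
    tables = {}
    for name in PARAMS:
        counts = Counter(op[name] for op in samples)
        total = sum(counts.values())
        tables[name] = {value: n / total for value, n in counts.items()}
    return tables


def parameter_probabilities(op, tables, floor=0.01):
    """p(m_i) for every parameter state of one operation.  A value never seen
    among normal operations lies outside the normal parameter space; it gets a
    small floor probability instead of zero so the product stays comparable."""
    return {name: tables[name].get(op[name], floor) for name in PARAMS}


def joint_probability(probs):
    """P(o) = p(m1) * p(m2) * ... * p(mn): the estimated joint probability
    that operation o is a normal operation."""
    return prod(probs.values())


def is_illegal(op, tables, first_threshold=0.05, second_threshold=1e-4,
               min_rare=2):
    """Two-threshold rule of step 130: the operation is illegal only when at
    least min_rare parameters are individually below first_threshold AND the
    joint probability is below second_threshold.  One slow reply or one
    unusual query on its own therefore does not trigger an alert."""
    probs = parameter_probabilities(op, tables)
    rare = [name for name, p in probs.items() if p < first_threshold]
    return len(rare) >= min_rare and joint_probability(probs) < second_threshold


if __name__ == "__main__":
    tables = build_value_probabilities(NORMAL_OPERATIONS)
    # Constructed test operations: a rapid, error-driven burst on one object
    # versus an ordinary query.
    suspect = make_state(1, 1, "SELECT", 30, 40, "SELECT")
    ordinary = make_state(20, 9, "SELECT", 0, 1, "SELECT")
    for label, op in (("suspect", suspect), ("ordinary", ordinary)):
        p = joint_probability(parameter_probabilities(op, tables))
        print(f"{label}: P(o)={p:.3e} illegal={is_illegal(op, tables)}")
```

In a real deployment the tables would be rebuilt periodically from audited normal traffic, since the patent notes that the status information used is refined over time rather than fixed.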
The technical solution of this embodiment obtains, while the database system is running, information for detecting covert channels and determines a covert channel use event from that information; determines the parameter state of each operation included in the covert channel use event; and determines whether the operation is legal according to the probability range within which the state parameters fall in a set parameter space. It addresses the high false-positive rate and missed detections of existing covert channel detection techniques based on covert channel judgment rules: covert channel communication can be detected without prior knowledge, detection efficiency is improved, and the false-positive rate and the missed-detection rate are reduced.
Embodiment two
Fig. 2 is a schematic structural diagram of a covert channel detecting apparatus according to embodiment two of the present invention. The covert channel detecting apparatus specifically comprises:
a covert channel use event determining unit 210, configured to obtain, while the database system is running, information for detecting covert channels, and to determine a covert channel use event from that information;
a parameter state determining unit 220, configured to determine the parameter state of each operation included in the covert channel use event; and
an operation state determining unit 230, configured to determine whether the operation is legal according to the probability range within which the state parameters fall in a set parameter space.
In the technical solution of this embodiment, the covert channel use event determining unit 210 obtains, while the database system is running, information for detecting covert channels and determines a covert channel use event from that information; the parameter state determining unit 220 determines the parameter state of each operation included in the covert channel use event; and the operation state determining unit 230 determines whether the operation is legal according to the probability range within which the state parameters fall in a set parameter space. This addresses the high false-positive rate and missed detections of existing covert channel detection techniques based on covert channel judgment rules: covert channel communication can be detected without prior knowledge, detection efficiency is improved, and the false-positive rate and the missed-detection rate are reduced.
Further, the covert channel use event determining unit 210 is specifically configured to:
obtain the operation information of the user's operations on the shared resources included in the database system, together with the attribute information of the shared resources operated on; and
determine and set the parameter state of the channel use operation, the channel type, and the sending and receiving parties of the communication from the operation information and the shared resource attribute information.
Further, the parameter state comprises:
the interval between two adjacent operations;
when the database system returns an error message for the current operation, the time the user takes to input a response to that error message;
the type of the next operation the user inputs after the current operation;
within a predetermined period, the length of the interval during which the user's input operations exceed a set quantity;
the number of operations the user inputs on the same database object; and
the type of the operations the user inputs on the same database object.
Further, the operation state determining unit 230 is specifically configured to:
determine that the operation is an illegal operation if the probabilities that several state parameters belong to the set parameter space are each below a set first threshold and the joint probability of those state parameters is below a set second threshold.
The covert channel detecting apparatus described above can execute the covert channel detection method provided by any embodiment of the present invention and has the functional modules and beneficial effects corresponding to executing that method.
It should be noted that in this document relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" and any variant of them are intended to be non-exclusive, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of further identical elements in the process, method, article or device that includes that element.
Each embodiment in this specification is described in a progressive manner; for identical or similar parts the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, since the apparatus embodiment is substantially similar to the method embodiment, it is described more briefly, and the relevant parts may be understood by reference to the description of the method embodiment.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention falls within its scope of protection.

Claims (8)

1. A covert channel detection method, characterised in that it comprises:
obtaining, while the database system is running, information for detecting covert channels, and determining a covert channel use event from that information;
determining the parameter state of each operation included in the covert channel use event; and
determining whether the operation is legal according to the probability range within which the state parameters fall in a set parameter space.
2. The method according to claim 1, characterised in that obtaining, while the database system is running, information for detecting covert channels, and determining a covert channel use event from that information, comprises:
obtaining the operation information of the user's operations on the shared resources included in the database system, together with the attribute information of the shared resources operated on; and
determining and setting the parameter state of the channel use operation, the channel type, and the sending and receiving parties of the communication from the operation information and the shared resource attribute information.
3. The method according to claim 2, characterised in that the parameter state comprises:
the interval between two adjacent operations;
when the database system returns an error message for the current operation, the time the user takes to input a response to that error message;
the type of the next operation the user inputs after the current operation;
within a predetermined period, the length of the interval during which the user's input operations exceed a set quantity;
the number of operations the user inputs on the same database object; and
the type of the operations the user inputs on the same database object.
4. The method according to claim 1, characterised in that determining whether the operation is legal according to the probability range within which the state parameters fall in the set parameter space comprises:
determining that the operation is an illegal operation if the probabilities that several state parameters belong to the set parameter space are each below a set first threshold and the joint probability of those state parameters is below a set second threshold.
5. A covert channel detecting apparatus, characterised in that it comprises:
a covert channel use event determining unit, configured to obtain, while the database system is running, information for detecting covert channels, and to determine a covert channel use event from that information;
a parameter state determining unit, configured to determine the parameter state of each operation included in the covert channel use event; and
an operation state determining unit, configured to determine whether the operation is legal according to the probability range within which the state parameters fall in a set parameter space.
6. The apparatus according to claim 5, characterised in that the covert channel use event determining unit is specifically configured to:
obtain the operation information of the user's operations on the shared resources included in the database system, together with the attribute information of the shared resources operated on; and
determine and set the parameter state of the channel use operation, the channel type, and the sending and receiving parties of the communication from the operation information and the shared resource attribute information.
7. The apparatus according to claim 6, characterised in that the parameter state comprises:
the interval between two adjacent operations;
when the database system returns an error message for the current operation, the time the user takes to input a response to that error message;
the type of the next operation the user inputs after the current operation;
within a predetermined period, the length of the interval during which the user's input operations exceed a set quantity;
the number of operations the user inputs on the same database object; and
the type of the operations the user inputs on the same database object.
8. The apparatus according to claim 5, characterised in that the operation state determining unit is specifically configured to:
determine that the operation is an illegal operation if the probabilities that several state parameters belong to the set parameter space are each below a set first threshold and the joint probability of those state parameters is below a set second threshold.
CN201510927065.5A 2015-12-12 2015-12-12 Concealed channel detection method and apparatus Pending CN105763271A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510927065.5A CN105763271A (en) 2015-12-12 2015-12-12 Concealed channel detection method and apparatus


Publications (1)

Publication Number Publication Date
CN105763271A true CN105763271A (en) 2016-07-13

Family

ID=56342104



Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8151348B1 (en) * 2004-06-30 2012-04-03 Cisco Technology, Inc. Automatic detection of reverse tunnels
CN102624706A (en) * 2012-02-22 2012-08-01 上海交通大学 Method for detecting DNS (domain name system) covert channels
CN104753617A (en) * 2015-03-17 2015-07-01 中国科学技术大学苏州研究院 Detection method of time-sequence type covert channel based on neural network


Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
CHII-REN TSAI et al.: "On the Identification of Covert Storage Channels in Secure Systems", IEEE Transactions on Software Engineering *
RICHARD A. KEMMERER: "Covert Flow Trees: A Visual Approach to Analyzing Covert Storage Channels", IEEE Transactions on Software Engineering *
唐彰国 et al.: "基于量子神经网络的启发式网络隐蔽信道检测模型" (A heuristic network covert channel detection model based on quantum neural networks), 《计算机应用研究》 (Application Research of Computers) *
汪婧 et al.: "网络时间隐蔽信道研究" (Research on network timing covert channels), 《信息网络安全》 (Netinfo Security) *
王永吉 et al.: "隐蔽信道研究" (Research on covert channels), 《软件学报》 (Journal of Software) *
田雪 et al.: "不符合专利法实施细则第17条的规定。" (Does not comply with Article 17 of the Implementing Regulations of the Patent Law), 《中国科学院研究生学报》 (Journal of the Graduate School of the Chinese Academy of Sciences) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110992980A (en) * 2019-11-28 2020-04-10 南方电网科学研究院有限责任公司 Hidden latent channel identification method based on edge calculation
CN110992980B (en) * 2019-11-28 2023-06-23 南方电网科学研究院有限责任公司 Hidden latent channel identification method based on edge calculation


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160713