CN109309644B - Network watermarking method and system based on biorthogonal carrier - Google Patents

Info

Publication number: CN109309644B
Application number: CN201710616391.3A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN109309644A (en)
Inventors: 王利明, 雷程, 杨倩, 马多贺
Original and current assignee: Institute of Information Engineering of CAS (assignee lists on Google Patents may be inaccurate; no legal analysis has been performed)
Legal status: Expired - Fee Related (an assumption by Google Patents, not a legal conclusion)
Prior art keywords: watermark, information, inter, time interval, gravity center
Events (the page gives no priority, filing or publication dates): application filed by Institute of Information Engineering of CAS; priority to CN201710616391.3A; publication of CN109309644A; application granted; publication of CN109309644B; status Expired - Fee Related; anticipated expiration

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60Digital content management, e.g. content distribution
    • H04L2209/608Watermarking
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Image Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network watermarking method based on two orthogonal carriers. The method comprises: capturing a network data flow and extracting basic information and feature information from it, where the basic information is the flow five-tuple <source IP address, destination IP address, source port number, destination port number, protocol number> and the feature information comprises the interval centroid feature and the inter-packet delay feature; generating watermark information from the basic information; taking the interval centroid feature and the inter-packet delay feature as the interval centroid carrier and the inter-packet delay carrier respectively, and orthogonalizing the two carriers; and embedding the watermark information into the interval centroid carrier and the inter-packet delay carrier with embedding algorithms based on interval centroid and inter-packet delay, then sending the packets, which completes the network watermark marking. (The interval centroid, abbreviated ICC later on the page, is the feature the machine translation calls "time interval gravity center"; the inter-packet delay is abbreviated IPD.)

Description

Network watermarking method and system based on biorthogonal carrier
Technical Field
The invention belongs to the field of computer network security and in particular relates to a network watermarking method and system based on two mutually orthogonal carriers (the "biorthogonal carrier" of the title).
Background
The continuing spread and deepening of network applications has given the Internet a profound influence on daily life and created a new normal for how society operates; at the same time the Internet has become critical national strategic infrastructure supporting the operation of important sectors. With the successive development of distributed computing, cloud storage, big data, the Internet of Things, the mobile Internet, electronic eyes, robots and unmanned aerial vehicles, the characteristics of data exchange change day by day: data centres take on a distributed architecture, data volumes keep growing, and service delivery is virtualized. Data exchange therefore has to be more agile, more reliable and more controllable, and flow exchange has emerged in response.
As flow exchange is used more widely, its security problems become more prominent. Major security incidents keep occurring, such as PRISM, the SWIFT banking system incidents, and the leak of roughly 270 million Gmail and Hotmail accounts. The report published by CNCERT in 2016 shows that hundreds of thousands of Trojan command-and-control IP addresses controlled hundreds of thousands of compromised hosts in mainland China, and that these controllers used stepping-stone ("springboard") attacks to penetrate domestic networks and steal secrets. Meanwhile, with the spread of cloud storage and the continuous development of attack techniques, the damage done by problems such as sensitive data leaks through information theft via intermediate stepping stones, and servers unable to provide service because of botnet-driven DDoS attacks, grows day by day.
Careful analysis shows that existing attacks on data centre servers, whatever their principle and means, mostly combine stepping stones with anonymous communication techniques to hide the attack source and attack path. The attacker hides the flow's identity, the range of the flow exchange and its path by destroying the flow identity information and weakening the similarity between associated flows, so that the identity of a flow in the exchange is unknown and the range and path of the exchange cannot be controlled. Flow exchange is also delay sensitive and involves many intersecting flows. Compared with existing exchange systems, flow exchange applications such as Internet-based e-government platforms, financial systems and real-time analysis systems are delay sensitive, involve many intersecting flows, and have complex structure. Existing secure exchange techniques such as digital signatures and message authentication codes consume considerable resources and add latency, so they cannot adapt to the flow exchange environment and have difficulty meeting its security requirements.
Network flow watermarking was developed in response. At the embedding end, some feature of the flow is modulated to strengthen the similarity between related flows; at the receiving end, the watermark bound to the flow is extracted to identify flow correlation. At present, network flow watermarking is mainly used for stepping-stone attack detection, anonymous communication correlation, blocking of sensitive data leaks, and tracing. Existing flow watermarking schemes, however, have the following two problems:
1) An existing network flow watermark only indicates whether a flow is marked or not and carries no other meaning, so the data source cannot be determined and the transmission path cannot be tracked from the watermark information.
2) An existing network flow watermark uses a single flow feature as its carrier. A single feature has limited capacity and cannot meet the demands of a large watermark payload or of application scenarios with different requirements on the carrier feature, and the watermark is easily disturbed or removed.
Disclosure of Invention
In view of this, the invention provides a network watermarking method and system based on two orthogonal carriers, implemented on an OpenStack cloud platform. Two flow features are selected as watermark carriers, one with strong robustness and one with high concealment, so that the watermark can be adapted to different network conditions, and orthogonalizing the two carriers keeps the two flow watermarks from interfering with each other. On this basis, an interval centroid-based embedding and detection algorithm and an inter-packet delay-based embedding and detection algorithm are designed, so that both robustness and concealment of the watermark are obtained.
To solve these technical problems, the invention adopts the following technical scheme:
A network watermarking method based on two orthogonal carriers comprises the following steps:
capturing a network data flow and extracting basic information and feature information from it, the feature information comprising an interval centroid feature and an inter-packet delay feature;
generating watermark information from the basic information;
taking the interval centroid feature and the inter-packet delay feature as an interval centroid carrier and an inter-packet delay carrier respectively, and orthogonalizing the two carriers;
embedding the watermark information into the interval centroid carrier and the inter-packet delay carrier with embedding algorithms based on interval centroid and inter-packet delay, and sending the packets, which completes the network watermark marking.
Further, the basic information is the flow five-tuple <source IP address, destination IP address, source port number, destination port number, protocol number>.
Further, when generating the watermark information from the basic information, time, security level and category are added as flow identity information, and the watermark code is generated under a shared secret key.
Further, during orthogonalization the interval centroid carrier is modulated first and the inter-packet delay carrier second.
Further, the watermark information is embedded into the interval centroid carrier first and into the inter-packet delay carrier second.
Further, when the packets are sent, the send time of the first packet of the interval is read, and the send time, the basic information and the watermark information are transmitted together, so that the detector can align its intervals with the embedder's.
A watermark embedding method based on interval centroid or inter-packet delay comprises the following steps:
capturing a network data flow and extracting basic information and feature information from it, the feature information comprising an interval centroid feature or an inter-packet delay feature;
generating watermark information from the basic information;
taking the interval centroid feature as an interval centroid carrier, or the inter-packet delay feature as an inter-packet delay carrier;
with the interval centroid-based embedding algorithm, randomly selecting interval centroid carriers, grouping them, and embedding the watermark information; or, with the inter-packet delay-based embedding algorithm, randomly selecting inter-packet delay carriers, applying quantization index modulation to them, and embedding the watermark information.
Further, if the interval centroid carrier or the inter-packet delay carrier cannot hold the complete watermark, the watermark information is regenerated according to the size of the captured flow; if carriers remain after the complete watermark has been embedded, the watermark information is embedded cyclically into the remaining carriers.
A network watermark detection method comprises the following steps:
acquiring a data flow containing watermark information and extracting basic information and feature information from it, the feature information comprising an interval centroid feature and/or an inter-packet delay feature;
extracting the watermark information from the interval centroid feature and/or the inter-packet delay feature with the interval centroid-based and/or inter-packet delay-based detection algorithm;
requesting and obtaining the original watermark information according to the basic information;
comparing the extracted watermark with the original watermark; a flow whose match rate is above a set threshold is authenticated and allowed through the network node, while a flow whose match rate is below the threshold fails authentication, is discarded, and an alert is reported.
A network watermark tracing method comprises the following steps:
collecting alerts, and tracing the transmission path of the suspicious flow according to the basic information and the alerts;
extracting the transmission path of the suspicious flow, and reconstructing and displaying its forwarding path in time order.
A watermark agent node comprises:
a data flow acquisition module, which captures network data flows, collects the basic information, interval centroid feature and inter-packet delay feature of each flow, and produces flow feature statistics;
a watermark generation module, which generates watermark information from the basic information of the flow;
a watermark embedding module, which modulates the flow and embeds the watermark information into the carriers;
a watermark detection module, which demodulates a flow containing watermark information and identifies the extracted watermark;
a cache space maintenance module, which stores flows and watermark information as a data cache queue;
a time window maintenance module, which implements a time window mechanism: it maintains a time window of a certain width that slides along the cache queue in increasing time order; data that slides out of the window is deleted from the queue and its space released.
A watermark tracing server comprises:
a cache space maintenance module, which stores the reported alerts and the mapping between flows and watermarks;
a security policy module, which generates access control policies based on watermark information;
a watermark tracking module, which, on the basis of the network topology, extracts the transmission path of a suspicious flow from the basic information and the alerts, and reconstructs and displays its forwarding path in time order.
A network watermarking system based on two orthogonal carriers comprises a watermark tracing server and several watermark agent nodes; the server is deployed on the control node of a cloud platform, and an agent node is deployed on each compute node and on the border gateway of the cloud platform.
The invention as a whole adopts a distributed embedding and detection framework, so the watermarking system scales with the cloud computing system; the transmission range of a flow can be controlled and the path of a suspicious flow tracked in real time. Starting at the data source, the watermark agent node marks each flow leaving a server according to the flow's basic information and security constraints, which makes the flow identity unique and trustworthy. Using the interval centroid and inter-packet delay carriers together gives the watermark both robustness and concealment and suits different application requirements. The embedding methods based on interval centroid and inter-packet delay do not modify packet contents; they only fine-tune the send times of the flow, which keeps embedding efficient and also makes the method applicable to encrypted traffic. The watermark tracing server works from basic information and watermark information, is event driven, and uses the time partial order among alerts to trace and control suspicious flows in real time, achieving stepping-stone attack detection, anonymous communication correlation, and blocking and tracing of sensitive data leaks under delay-sensitive, multi-flow, structurally complex conditions.
Drawings
Fig. 1 is a schematic diagram of an implementation of the network watermarking system based on two orthogonal carriers according to the present invention.
Fig. 2 is a schematic diagram of the network watermarking system based on two orthogonal carriers according to the present invention.
Fig. 3 is a flowchart of the network watermarking method based on two orthogonal carriers according to the present invention.
Fig. 4A is a flowchart of the watermark embedding method based on interval centroid according to the present invention.
Fig. 4B is a flowchart of the watermark detection method based on interval centroid according to the present invention.
Fig. 5A is a flowchart of the watermark embedding method based on inter-packet delay according to the present invention.
Fig. 5B is a flowchart of the watermark detection method based on inter-packet delay according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it should be understood that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment discloses a network watermarking system based on two orthogonal carriers, shown in fig. 2, which comprises several watermark agent nodes and a watermark tracing server.
The watermark agent node comprises a data flow acquisition module, a cache space maintenance module, a watermark generation module, a time window maintenance module, a watermark embedding module and a watermark detection module. The data flow acquisition module captures network data, collects the basic information, interval centroid and inter-packet delay features of each flow, and produces flow feature statistics over a time interval t; the watermark generation module generates watermark information from the basic information of the flow; the cache space maintenance module stores flows and the locally generated watermark information; the time window maintenance module implements the time window mechanism; the watermark embedding module modulates the flow's features according to the watermark embedding algorithm; the watermark detection module demodulates the watermark information in a flow according to the watermark detection algorithm and identifies the extracted watermark.
The watermark tracing server comprises a cache space maintenance module, a security policy module and a watermark tracking module. The cache space maintenance module stores the alerts reported by the watermark agents and the mapping between flows and watermarks; the security policy module generates watermark-based access control policies; the watermark tracking module, on the basis of the network topology, extracts the transmission path of a suspicious flow from the flow's basic information and the reported alerts, and reconstructs its forwarding path in time order.
The embodiment also discloses a network watermarking method based on two orthogonal carriers, shown in fig. 3, with the following steps:
First, the exchanged flow is intercepted and the interval centroid and inter-packet delay features of the carriers are extracted. Second, the two-dimensional carrier is orthogonalized: the interval centroid carrier is modulated first and the inter-packet delay carrier second. Because the two carriers jointly carry the flow's information, they must first be made orthogonal, meaning that a change to one carrier hardly affects the feature of the other. With suitable parameters, the interval centroid and inter-packet delay carriers do not interfere with each other after modulation, which realizes the orthogonality; in practice this means the per-packet delays added by the inter-packet delay modulation must be small compared with the interval length and must not push a packet across an interval boundary, otherwise packets would move between intervals and shift the centroids. Since the interval centroid is more robust than the inter-packet delay, the interval centroid watermark is embedded first and the inter-packet delay watermark second. The inter-packet delay watermark does perturb the interval centroid watermark somewhat, but the centroid is insensitive to small per-packet delays, so the detector still extracts the interval centroid watermark correctly. On this basis the watermark information is embedded into the carriers by the interval centroid-based and inter-packet delay-based embedding algorithms. Finally, each packet to be sent is checked for whether it must be sent with a delay.
The embodiment also discloses a network watermark detection method with the following steps: acquiring a flow containing watermark information and extracting its basic information and feature information, the feature information comprising an interval centroid feature and an inter-packet delay feature; extracting the watermark information from the interval centroid and inter-packet delay with the interval centroid-based and inter-packet delay-based detection algorithms; requesting the original watermark information according to the basic information; comparing the extracted watermark with the original watermark, authenticating a flow whose match rate is above the set threshold and letting it pass the network node, and discarding a flow whose match rate is below the threshold, which fails authentication, and reporting an alert.
The embodiment also discloses a network watermark tracking method with the following steps: collecting alerts, and tracing the transmission path of the suspicious flow according to the basic information and the alerts; extracting the transmission path of the suspicious flow, and reconstructing and displaying its forwarding path in time order.
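The following Python snippet is an added example of the tracking step described in the paragraph above (the server's watermark tracking module ordering agent alerts by time and walking them over the network topology); it is not code from the patent or from the Institute of Information Engineering of CAS. The topology, the reports and their field layout (node, five-tuple, time seen, match rate, verdict) are constructed for the example; the patent does not specify the report format or the reconstruction rule, so the adjacency check that flags a missing or untrustworthy hop is a choice made here.

```python
# Added example (not from the patent): reconstruct a suspicious flow's forwarding path
# from watermark agent reports. Topology, reports and their layout are constructed.

# Undirected links between compute nodes (cn-*) and the border gateway (gw).
TOPOLOGY = {
    "cn-1": {"cn-2", "cn-3"},
    "cn-2": {"cn-1", "cn-4"},
    "cn-3": {"cn-1", "cn-4"},
    "cn-4": {"cn-2", "cn-3", "gw"},
    "gw": {"cn-4"},
}

FLOW = ("10.0.0.5", "10.0.1.9", 40001, 443, 6)   # five-tuple of the flow being traced
OTHER = ("10.0.0.7", "10.0.2.2", 51000, 22, 6)   # an unrelated flow seen by one agent

# (node, five_tuple, time_seen, match_rate, verdict), as each agent would report it;
# reports arrive out of order and one is duplicated, as they would from a real fleet.
REPORTS = [
    ("cn-2", FLOW, 100.4, 0.94, "pass"),
    ("cn-3", OTHER, 100.2, 1.00, "pass"),
    ("cn-1", FLOW, 100.0, 1.00, "pass"),
    ("gw", FLOW, 101.9, 0.50, "alert"),
    ("cn-4", FLOW, 101.1, 0.62, "alert"),
    ("cn-4", FLOW, 101.1, 0.62, "alert"),
]


def reconstruct_path(reports, flow, topology):
    """Order this flow's reports by time and walk them over the topology.
    Returns (hops, gaps): hops is the node sequence with time, match rate and
    verdict; gaps lists consecutive hops that are not neighbours, i.e. a node
    that reported nothing or a report that cannot be trusted."""
    hops, gaps = [], []
    for node, _, t, rate, verdict in sorted((r for r in reports if r[1] == flow), key=lambda r: r[2]):
        if hops and hops[-1][0] == node:          # duplicate report of the same hop
            continue
        if hops and node not in topology[hops[-1][0]]:
            gaps.append((hops[-1][0], node))
        hops.append((node, t, rate, verdict))
    return hops, gaps


def first_alert(hops):
    """First node whose agent could no longer verify the watermark: where to look first."""
    return next((node for node, _, _, verdict in hops if verdict == "alert"), None)


if __name__ == "__main__":
    hops, gaps = reconstruct_path(REPORTS, FLOW, TOPOLOGY)
    for node, t, rate, verdict in hops:
        print(f"{t:7.1f}  {node:5}  match={rate:.2f}  {verdict}")
    print("gaps:", gaps, " first alert at:", first_alert(hops))
```

The match rate falling along the path (1.00, 0.94, 0.62, 0.50) is the pattern the tracing server looks for: the watermark survives the first hops and is damaged at the hop where the flow was re-timed, so `first_alert` points at the node to inspect, and a non-empty `gaps` list means a hop is missing from the evidence rather than proof that the path was short.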
The watermark tracing server is built on the control node of the cloud platform; its cache space maintenance module serves as the alert storage space and stores the mapping between flows and watermarks; a timer is started, and the information reported by the watermark agent nodes is monitored and checked. A watermark agent node is established on each compute node and on the border gateway; its cache space maintenance module serves as the data cache queue and the storage space for watermark information; a sliding time window is set through the time window maintenance module, and all modules enter the monitoring stage after initialization. Establishing a cloud platform service cluster based on the cloud platform
The data flow acquisition module extracts the interval centroid (ICC) and inter-packet delay (IPD) features from the statistics of the intercepted flow in the send queue, at the same time extracts the flow's five-tuple basic information (source IP address, destination IP address, source port number, destination port number and protocol number), and reports the feature information and basic information to the data cache queue.
The watermark generation module generates the watermark code, i.e. the watermark information, from the flow's basic information with time, security level and category added as flow identity information, under the shared secret key, and reports the watermark information to the watermark information storage space.
The watermark embedding module orthogonalizes the interval centroid and inter-packet delay carriers of the flow.
Reading the interval centroid feature of the flow, the watermark embedding module uses the interval centroid-based embedding algorithm to randomly select the interval centroid carriers to be embedded, groups them, and embeds the watermark information. If the flow's interval centroid carrier cannot hold the complete watermark, the embedding module sends an error and the flow size to the watermark generation module, which regenerates the watermark according to the flow size and returns it to the embedding module. If interval centroid carriers remain after the complete watermark has been embedded, the embedding module embeds the watermark information cyclically.
Reading the inter-packet delay feature of the flow, the watermark embedding module uses the inter-packet delay-based embedding algorithm to randomly select the inter-packet delay carriers to be embedded, applies quantization index modulation to them, and embeds the watermark information. If the flow's inter-packet delay carrier cannot hold the complete watermark, the embedding module sends an error and the flow size to the watermark generation module, which regenerates the watermark according to the flow size and returns it to the embedding module. If inter-packet delay carriers remain after the complete watermark has been embedded, the embedding module embeds the watermark information cyclically.
When embedding is finished, the watermark embedding module adds the flow to the send queue and reports the flow's basic information, the corresponding watermark information and the send time to the watermark tracking module.
The above is the working process of the watermark embedding end; the following is the working process of the watermark receiving end. When the watermark agent node receives a network data flow, the data flow acquisition module captures the time interval gravity center and inter-packet delay characteristic information from the statistical data of the sending queue, and at the same time extracts the five-tuple basic information of the data flow, namely the source IP address, destination IP address, source port number, destination port number and protocol number.
The watermark detection module requests the original watermark information embedded in the data stream from the watermark tracking module according to the extracted basic information, and at the same time extracts the watermark information using the watermark detection algorithms based on the time interval gravity center and on the inter-packet delay. The extracted watermark information is then compared with the obtained original watermark information: if the accuracy of the extracted watermark information is lower than the set threshold, the data stream is discarded and early warning information is reported to the watermark tracking module; if the accuracy is higher than the set threshold, the data stream is authenticated. If the authentication judges 'yes', i.e. the network data flow is allowed to flow into/out of the end node, the data flow continues to be forwarded; if the authentication judges 'no', i.e. the network data stream is not allowed to flow into/out of the end node, the data stream is blocked and early warning information is reported to the watermark tracking module.
The watermark tracking module reconstructs the forwarding paths of suspicious data streams according to the reported early warning information together with the basic information and watermark information of the data streams, and presents the reconstructed paths visually to the network administrator.
The watermark agent node regards data packets sharing the same five-tuple of source IP address, destination IP address, source port number, destination port number and protocol number as one flow, and counts the data packet characteristics of a flow over a continuous time interval t. The statistical data of each data stream is stored in a data buffer queue ordered by increasing local time, and a time window of width t is maintained that slides over the buffer queue. The time window slides in the direction of increasing time; data on the buffer queue that has slid out of the time window is deleted and its queue space is released.
The watermark agent node captures the data stream and embeds watermark information according to the following process:
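An added example, not the patent's own code, of the five-tuple flow grouping and the sliding time window of width t described above. The FlowTable class, the packet records and the one-second window width are constructed for illustration; each flow keeps only the packets that still lie inside the window, and the statistics are computed over that window.

```python
from collections import deque
from typing import Deque, Dict, NamedTuple, Tuple

# Added example (not the patent's code): packets are grouped into flows by
# five-tuple, each flow has a buffer queue ordered by local time, and a
# window of width `window` seconds slides over the queue. Packets that
# slide out of the window are dropped and their queue space released.

FiveTuple = Tuple[str, str, int, int, int]  # src IP, dst IP, sport, dport, proto


class Packet(NamedTuple):
    ts: float      # local capture time, seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: int     # 6 = TCP, 17 = UDP
    length: int    # bytes on the wire


def five_tuple(p: Packet) -> FiveTuple:
    return (p.src, p.dst, p.sport, p.dport, p.proto)


class FlowTable:
    """Per-flow buffer queues trimmed by a sliding window of width `window`."""

    def __init__(self, window: float) -> None:
        self.window = window
        self.queues: Dict[FiveTuple, Deque[Packet]] = {}

    def add(self, p: Packet) -> None:
        q = self.queues.setdefault(five_tuple(p), deque())
        if q and p.ts < q[-1].ts:
            raise ValueError("packets must arrive in increasing local time")
        q.append(p)
        self._slide(q, p.ts)

    def slide_all(self, now: float) -> None:
        """Advance the window to `now` on every flow (time passing, no packet)."""
        for q in self.queues.values():
            self._slide(q, now)

    def _slide(self, q: Deque[Packet], now: float) -> None:
        # The right edge of the window is `now`; everything older than
        # now - window has slid out and is removed from the queue.
        while q and q[0].ts < now - self.window:
            q.popleft()

    def stats(self, key: FiveTuple) -> dict:
        """Packet count, byte count and mean inter-packet delay inside the window."""
        q = self.queues.get(key, deque())
        ts = [p.ts for p in q]
        ipds = [b - a for a, b in zip(ts, ts[1:])]
        return {
            "packets": len(q),
            "bytes": sum(p.length for p in q),
            "mean_ipd": sum(ipds) / len(ipds) if ipds else 0.0,
        }


# Constructed capture: two interleaved flows, timestamps in seconds.
SAMPLE = [
    Packet(0.00, "10.0.0.5", "10.0.0.9", 40000, 443, 6, 120),
    Packet(0.05, "10.0.0.7", "10.0.0.9", 5000, 53, 17, 80),
    Packet(0.20, "10.0.0.5", "10.0.0.9", 40000, 443, 6, 1400),
    Packet(0.40, "10.0.0.5", "10.0.0.9", 40000, 443, 6, 1400),
    Packet(0.55, "10.0.0.7", "10.0.0.9", 5000, 53, 17, 80),
    Packet(1.30, "10.0.0.5", "10.0.0.9", 40000, 443, 6, 200),
]
TCP_FLOW: FiveTuple = ("10.0.0.5", "10.0.0.9", 40000, 443, 6)
UDP_FLOW: FiveTuple = ("10.0.0.7", "10.0.0.9", 5000, 53, 17)


def run(window: float = 1.0) -> Dict[str, Dict[str, dict]]:
    """Feed the sample, report per-flow stats, then slide all windows to the last timestamp."""
    table = FlowTable(window)
    for p in SAMPLE:
        table.add(p)
    before = {"tcp": table.stats(TCP_FLOW), "udp": table.stats(UDP_FLOW)}
    table.slide_all(SAMPLE[-1].ts)
    after = {"tcp": table.stats(TCP_FLOW), "udp": table.stats(UDP_FLOW)}
    return {"before_slide": before, "after_slide": after}


if __name__ == "__main__":
    for phase, flows in run().items():
        print(phase, flows)
```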
a) Initialization: when the stream data acquisition module is invoked, the open call invokes the tun_chr_open() function, which completes a series of initialization steps, including the initialization function that sets up the network card driver part, initialization of the network buffer list, and initialization of the wait queue.
b) Receiving a data packet: upon receiving stream data, the tun_chr_write function is called; it receives the data from user space using tun_get_user and stores it in an SKB. Then the key function netif_rx(skb) is called to hand the SKB to the TCP/IP protocol stack for processing, which completes data reception by the network card. The ndo_open (tun_net_open) function notifies the upper layer to start receiving packets by calling netif_start_queue(dev); the ndo_stop (tun_net_close) function notifies the upper layer to stop receiving packets by calling netif_stop_queue(dev).
c) Modulating the packet transmission time: the watermark embedding module determines the delay time of the data packet to be modulated based on the watermark embedding and extraction algorithm for the inter-packet delay and the watermark embedding and extraction algorithm for the time interval gravity center. After the delay time is obtained, the data packet is processed by calling the skb_queue_tail function, which pushes it into the receive queue tun->socket.sk->sk_receive_queue; the function ndo_change_time (tun_net_change_time) implements the delayed packet transmission.
d) Sending a data packet: the driver first registers the hard_start_xmit send function and calls it after receiving the send-packet command. The hard_start_xmit function calls the tun_net_xmit function, which adds the SKB to the SKB linked list and wakes up the blocked character-device read process. Then the character driver of the network card calls the tun_chr_read() function to read the SKB linked list and sends each SKB read to user space, finally completing data packet forwarding.
Fig. 1 shows an application example of the present invention. A cloud platform based on OpenStack establishes a cloud platform service cluster and an internal data cluster; a watermark proxy node is established at each computing node and at the border gateway, and a watermark tracking server is established at the control node. The two clusters are connected by a router and are connected to the public management and service platform through a gateway. Secure data transmission is realized by embedding and extracting watermark information, providing a security service for remote clients.
Watermark information embedding and detection based on the time interval gravity center and on the inter-packet delay can also be realized independently, without the orthogonalization processing. Such a watermark embedding and detection method based on the time interval gravity center and the inter-packet delay is also disclosed herein, as in the flow charts shown in Fig. 4A, 4B and Fig. 5A, 5B; the process is basically the same as above except that the orthogonalization processing is omitted.
The watermark embedding and detection algorithm based on the time interval centroid and the watermark embedding and detection algorithm based on the inter-packet delay are described in detail below with reference to the drawings.
Fig. 4A and 4B are flowcharts of the watermark embedding and detection method based on the time interval gravity center. By definition, a given data flow $F_N$ can be seen as a collection of n ordered data packets with duration $t_n$. Let each time interval be $T_n$; then there are
Figure BDA0001360666530000081
time intervals, where no operation is performed on the last time interval. It requires that the embedding party and the detecting party share the information shown in Table 1.
Table 1. Shared parameters of the watermark embedding and detection algorithm based on the time interval gravity center
Figure BDA0001360666530000091
1. Watermark embedding algorithm based on the time interval gravity center:
Input: the data stream to be watermarked and the watermark information;
Output: the data stream with the embedded watermark, and the correspondence between the watermark and the data stream:
(1) initialize the sampling period $T = \{t_1, t_2, \ldots, t_m\}$, the sampling frequency F and the window $Win = \{win_1, win_2, \ldots, win_n\}$;
(2) extract the basic information and the time interval gravity center characteristic information of the data stream;
(3) obtain the time interval center of gravity using formula (1);
Figure BDA0001360666530000092
(4) obtain the basis gravity center attribute value $C_{NI}'$ on $[0, q \cdot S]$ by formula (2), and use $C_{NI}'$ to randomly select the time interval gravity centers to be embedded, so as to randomize the carrier selection and eliminate the inter-stream dependency of embedding the same information;
$C_{NI}' = (q \cdot S \cdot C_{NI} / T_n) \bmod (q \cdot S), \quad (q > 1)$ (2)
where q → 2.5 is the quantization multiplier; by the limit theorem, as q → ∞, $q \cdot C_{NI}$ is uniformly distributed on $[0, \infty]$. Then a large prime number S is selected, and $C_{NI}$ from formula (1), after applying the quantization multiplier, is mapped to $C_{NI}'$.
(5) using the random number corresponding to $C_{NI}'$
Figure BDA00013606665300000912
from the interval
Figure BDA0001360666530000093
randomly select $n_r$ time intervals
Figure BDA0001360666530000094
the first 2k ($2k < n_r$) of these intervals are used as the positions for embedding the watermark and are divided into k groups in sequence;
(6) the two time interval centroids within a group are modulated separately. Let the ICC of the two intervals in a group be $C_{F2}$ and $C_{F3}$; then
Figure BDA0001360666530000095
where
Figure BDA0001360666530000096
Figure BDA0001360666530000097
where
Figure BDA0001360666530000098
Let $Y_F = C_{F2} - C_{F3}$; the embedding and detection of the watermark are realized by changing $Y_F$.
If "+1" is embedded, $C_{F2}$ is increased and $C_{F3}$ is decreased by increasing the delay of each packet. Each packet of $C_{F2}$ and $C_{F3}$, namely
Figure BDA0001360666530000099
and
Figure BDA00013606665300000910
respectively, is adjusted as follows:
Figure BDA00013606665300000911
From this it can be calculated that
Figure BDA0001360666530000101
Figure BDA0001360666530000102
and then
Figure BDA0001360666530000103
Figure BDA0001360666530000104
If "0" is embedded, part of the data packets in $C_{F2}$ are transferred to $C_{F3}$, so as to decrease $C_{F2}$ and increase $C_{F3}$. The data packets in $C_{F2}$ are transformed as follows: the data packets on $[0, T-a]$ are not transformed; the data packets on $[T-a, T]$ are transformed as follows:
Figure BDA0001360666530000105
The data packets in $C_{F3}$ are transformed as follows: the data packets on $[0, a]$ are transformed as follows:
Figure BDA0001360666530000106
and the data packets on $[a, T]$ are not changed. From this it can be calculated that
Figure BDA0001360666530000107
Figure BDA0001360666530000108
and then
Figure BDA0001360666530000109
Figure BDA00013606665300001010
2. Watermark detection algorithm based on the time interval barycenter:
Input: the watermarked data stream and the obtained original watermark information;
Output: the extracted watermark information and early warning information:
(1) initialize the sampling period $T = \{t_1, t_2, \ldots, t_m\}$, the sampling frequency F and the window $Win = \{win_1, win_2, \ldots, win_n\}$;
(2) extract the basic information and the time interval gravity center characteristic information of the data stream;
(3) obtain the time interval center of gravity using formula (1);
(4) the watermark information is detected by formula (5); since the probabilities of embedding "0" and "1" in the watermark information based on the time interval gravity center are equal, the judgment threshold $V_{th}$ can be obtained from formulas (3) and (4):
Figure BDA00013606665300001011
(5) if the accuracy of the extracted watermark information is lower than the set threshold, discard the data stream and report early warning information; otherwise go to step (6);
(6) if the authentication judges 'yes', the network data stream is allowed to flow into/out of the end node and continues to be forwarded; if the authentication judges 'no', the network data stream is not allowed to flow into/out of the end node, the data stream is blocked and early warning information is reported.
Fig. 5A and 5B are flowcharts of the watermark embedding and detection method based on the inter-packet delay. It requires that the embedding party and the detecting party share the information shown in Table 2.
Table 2. Shared parameters of the watermark embedding and detection based on the inter-packet delay
Figure BDA0001360666530000111
3. Watermark embedding algorithm based on the inter-packet delay:
Input: the data stream to be watermarked and the watermark information;
Output: the data stream with the embedded watermark, and the correspondence between the watermark and the data stream:
(1) initialize the sampling period $T = \{t_1, t_2, \ldots, t_m\}$, the sampling frequency F and the window $Win = \{win_1, win_2, \ldots, win_n\}$;
(2) extract the basic information and the inter-packet delay characteristic information of the data stream;
(3) obtain the average inter-packet delay characteristic value using formula (6);
Figure BDA0001360666530000112
(4) using the quantization multiplier, map $IPD_{avg}$ to $IPD_{avg}'$ by formula (7), to eliminate the inter-stream dependency of embedding the same information;
$IPD_{avg}' = (q \cdot S \cdot IPD_{avg} / T_n) \bmod (q \cdot S), \quad (q > 1)$ (7)
(5) calculate the inter-packet delays within each $T_i$ respectively, $IPD_{ij} = t_{i(j+1)} - t_{ij}$, $i \in [0, k-1]$, $j = 1, 2, \ldots, (r-2)$; the last inter-packet delay is not processed. Since the IPD is theoretically a continuous value, it is quantized first. Using the standard uniform quantization function round(x), which quantizes x to its nearest integer, and setting the quantization step size to $2q_s > 0$, the quantization function is as follows:
$f_q(ipd, q_s) = \mathrm{round}(ipd / q_s)$ (8)
As can be seen from formula (8), for
Figure BDA0001360666530000113
$f_q(i \times q_s, q_s) = f_q(i \times q_s + y, q_s)$. Assuming that the watermark information bits are drawn from {0, 1}, and that an inter-packet delay can only be increased and never decreased, the embedding function uses $(ipd + q_s/2)$ in place of ipd so that the value after the $f_E$ function is at least ipd. After embedding the watermark information, the inter-packet delay of each time interval ($IPD_F$) is obtained; by adjusting $q_s$ the added delay is kept small enough that a normal user attributes it to network jitter, which ensures the concealment of the watermark information. The embedding function is as follows:
$f_E(ipd, q_s, w) = [f_q(ipd + q_s/2, q_s) + \Delta] \times q_s$ (9)
where $\Delta = (2 + w - f_q(ipd + q_s/2, q_s) \bmod 2) \bmod 2$.
4. Watermark detection algorithm based on the time interval barycenter:
Input: the watermarked data stream and the obtained original watermark information;
Output: the extracted watermark information and early warning information:
(1) initialize the sampling period $T = \{t_1, t_2, \ldots, t_m\}$, the sampling frequency F and the window $Win = \{win_1, win_2, \ldots, win_n\}$;
(2) extract the basic information and the time interval gravity center characteristic information of the data stream;
(3) obtain the time interval center of gravity using formula (1);
(4) detect the watermark information using formula (10); the detection function $f_D$ is as follows:
$y_i = f_D(ipd_F, q_s) = f_q(ipd_F, q_s) \bmod 2$ (10)
(5) if the accuracy of the extracted watermark information is lower than the set threshold, discard the data stream and report early warning information; otherwise go to step (6);
(6) if the authentication judges 'yes', the network data stream is allowed to flow into/out of the end node and continues to be forwarded; if the authentication judges 'no', the network data stream is not allowed to flow into/out of the end node, the data stream is blocked and early warning information is reported.
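As an added example (not code from the patent), the inter-packet delay embedding of formulas (8) and (9) and the detection of formula (10), run over a constructed sequence of packet send times; the function names f_q, f_e, f_d, the timestamps, the 8-bit watermark and the 20 ms step are my own choices. It also checks the two properties the text relies on: a marked packet is never sent earlier than it originally was, and jitter smaller than $q_s/2$ does not flip a recovered bit.

```python
import random
from typing import List, Sequence

# Added example (not the patent's own code): the inter-packet-delay
# watermark of formulas (8), (9) and (10). qs is the quantization step,
# w a watermark bit; packet timestamps below are constructed sample values.


def f_q(ipd: float, qs: float) -> int:
    """Formula (8): index of the multiple of qs nearest to ipd."""
    return round(ipd / qs)


def f_e(ipd: float, qs: float, w: int) -> float:
    """Formula (9): QIM embedding of bit w into one inter-packet delay.

    The quantizer is applied to ipd + qs/2 so the result is never below
    ipd (a packet can only be delayed, never sent early); Delta then
    bumps the index by one when its parity does not already equal w.
    """
    idx = f_q(ipd + qs / 2, qs)
    delta = (2 + w - idx % 2) % 2
    return (idx + delta) * qs


def f_d(ipd_f: float, qs: float) -> int:
    """Formula (10): the embedded bit is the parity of the quantized index."""
    return f_q(ipd_f, qs) % 2


def embed(timestamps: Sequence[float], bits: Sequence[int], qs: float) -> List[float]:
    """Rewrite send times so that the first len(bits) IPDs carry the bits.

    Each marked IPD is f_e of the ORIGINAL IPD and the delay accumulates,
    so every marked send time is >= the original one. Packets after the
    marked region keep their original spacing, shifted by the accumulated
    delay; the last IPD is left untouched as the text prescribes.
    """
    if len(bits) > len(timestamps) - 2:
        raise ValueError("not enough inter-packet delays to carry the watermark")
    out = [timestamps[0]]
    for j, w in enumerate(bits):
        ipd = timestamps[j + 1] - timestamps[j]
        out.append(out[-1] + f_e(ipd, qs, w))
    shift = out[-1] - timestamps[len(bits)]
    out.extend(t + shift for t in timestamps[len(bits) + 1:])
    return out


def detect(timestamps: Sequence[float], n_bits: int, qs: float) -> List[int]:
    """Apply f_D to the first n_bits inter-packet delays of a received stream."""
    return [f_d(timestamps[j + 1] - timestamps[j], qs) for j in range(n_bits)]


def accuracy(extracted: Sequence[int], original: Sequence[int]) -> float:
    """Fraction of bits recovered correctly; the detector compares this to its threshold."""
    hits = sum(a == b for a, b in zip(extracted, original))
    return hits / len(original)


def add_jitter(timestamps: Sequence[float], max_abs: float, seed: int) -> List[float]:
    """Perturb every IPD by uniform noise in [-max_abs, max_abs] (constructed jitter)."""
    rng = random.Random(seed)
    out = [timestamps[0]]
    for j in range(1, len(timestamps)):
        ipd = timestamps[j] - timestamps[j - 1]
        out.append(out[-1] + ipd + rng.uniform(-max_abs, max_abs))
    return out


# Constructed sample: 10 send times (seconds) of one flow, IPDs of 6-32 ms.
SAMPLE_TS = [0.000, 0.013, 0.031, 0.039, 0.071, 0.090, 0.096, 0.120, 0.142, 0.170]
SAMPLE_BITS = [1, 0, 1, 1, 0, 0, 1, 0]
QS = 0.020  # 20 ms quantization step


def demo() -> dict:
    marked = embed(SAMPLE_TS, SAMPLE_BITS, QS)
    clean = detect(marked, len(SAMPLE_BITS), QS)
    # Jitter bounded by qs/4 never moves an IPD across a rounding boundary.
    noisy = detect(add_jitter(marked, QS / 4, seed=7), len(SAMPLE_BITS), QS)
    return {
        "marked": marked,
        "clean_bits": clean,
        "noisy_bits": noisy,
        "accuracy": accuracy(noisy, SAMPLE_BITS),
        "max_added_delay": max(m - t for m, t in zip(marked, SAMPLE_TS)),
        "never_early": all(m >= t for m, t in zip(marked, SAMPLE_TS)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```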
It should be noted that the watermark embedding algorithm and the detection algorithm described in the above embodiments are only preferred algorithms, and are not limited, and all the algorithms capable of embedding watermark information into a time interval gravity center carrier and an inter-packet delay carrier fall within the coverage range of the watermark embedding algorithm based on time interval gravity center and inter-packet delay described in the claims, and all the algorithms capable of extracting watermark information based on the time interval gravity center feature and the inter-packet delay feature fall within the coverage range of the watermark detection algorithm based on time interval gravity center and inter-packet delay described in the claims.

Claims (8)

1. A network watermarking method based on a biorthogonal carrier comprises the following steps:
capturing network data flow, and extracting basic information and characteristic information from the network data flow, wherein the basic information is the quintuple flow information of <source IP address, destination IP address, source port number, destination port number, protocol number>, and the characteristic information comprises the time interval gravity center characteristic and the inter-packet delay characteristic;
generating watermark information according to the basic information;
respectively taking the time interval gravity center feature and the inter-packet time delay feature as a time interval gravity center carrier and an inter-packet time delay carrier, and performing orthogonalization processing on the two carriers;
embedding the watermark information into the time interval gravity center carrier and the inter-packet delay carrier by using a watermark embedding algorithm based on time interval gravity center and inter-packet delay, and sending a data packet to finish network watermark marking;
the watermark embedding algorithm based on the time interval gravity center comprises the following steps:
extracting basic information and time interval gravity center characteristic information of the data stream to obtain a time interval gravity center;
obtaining a basic gravity center attribute value according to the time interval gravity center, and randomly selecting the time interval gravity center to be embedded by using the basic gravity center attribute value;
randomly selecting a plurality of time intervals by using the random numbers corresponding to the basis gravity center attribute values, and taking the first several of them as the positions for embedding the watermark;
sequentially grouping time intervals as watermark embedding positions, wherein each group comprises two time intervals, and modulating the gravity centers of the two time intervals in each group respectively;
the watermark embedding algorithm based on the inter-packet delay comprises the following steps:
extracting basic information and inter-packet delay characteristic information of a data stream to obtain an average inter-packet delay characteristic value;
mapping the average inter-packet delay characteristic value;
and calculating and quantizing the inter-packet delay, and modulating the inter-packet delay according to the quantization step length.
2. The method according to claim 1, wherein when generating watermark information according to the basic information, time, security level, and category are further added as stream identity information, and watermark encoding is generated by sharing an encryption key.
3. The method of claim 1, wherein the orthogonalizing process modulates the interval centroid vector and then modulates the inter-packet delay vector; when embedding watermark information, firstly embedding watermark information into the time interval gravity center carrier, and then embedding watermark information into the inter-packet time delay carrier.
4. The method according to claim 1, wherein the time interval gravity center carriers are randomly selected by using a time interval gravity center based watermark embedding algorithm, and the watermark information is embedded after the time interval gravity center carriers are grouped; and randomly selecting the inter-packet delay carrier by using a watermark embedding algorithm based on inter-packet delay, and embedding the watermark information after carrying out quantization index modulation on the inter-packet delay carrier.
5. The method according to claim 1, wherein if the time interval gravity carrier or the inter-packet delay carrier cannot embed complete watermark information, the watermark information is regenerated according to the acquired data stream size; and if the residual carriers to be embedded are left after the complete watermark information is embedded, circularly embedding watermark information into the carriers to be embedded.
6. A network watermark detection method, the network watermark being marked by the method of claim 1, the steps of the detection method comprising:
acquiring a data stream containing watermark information, and extracting basic information and characteristic information from the data stream, wherein the characteristic information comprises a time interval gravity center characteristic and/or an inter-packet time delay characteristic;
extracting watermark information based on the time interval gravity center characteristic and/or the inter-packet time delay characteristic by using a watermark detection algorithm based on the time interval gravity center and/or the inter-packet time delay;
requesting and acquiring original watermark information according to the basic information;
comparing the watermark information with the original watermark information, authenticating the data stream with the accuracy rate higher than a set threshold value, and allowing the authenticated data stream to pass through a network node; and discarding the data streams with the accuracy rate lower than the set threshold and failed in authentication, and reporting the early warning information.
7. A network watermark tracing method, the network watermark being marked by the method of claim 1, the tracing method comprising the steps of:
collecting early warning information, and tracing the transmission path of the suspicious data stream according to the basic information and the early warning information;
and extracting the transmission path of the suspicious data stream, and reconstructing and displaying the forwarding path of the suspicious data stream according to the time sequence.
8. A network watermarking system based on a biorthogonal carrier is based on the method of claim 1, and the system comprises a watermark tracking server and a plurality of watermark agent nodes, wherein the watermark tracking server is established on a cloud platform control node, and the watermark agent nodes are established on each computing node and a boundary gateway of a cloud platform;
the watermark agent node comprises:
the data flow acquisition module is used for capturing network data flow, collecting basic information of the data flow, time interval gravity center characteristics and inter-packet time delay characteristic information, and generating statistical data of the data flow characteristics;
a watermark generating module, which is used for generating watermark information according to the basic information of the data stream;
a watermark embedding module, which is used for modulating the data stream and embedding watermark information into the carrier;
a watermark detection module, which is used for demodulating the data stream containing the watermark information and identifying the extracted watermark information;
the cache space maintenance module is used for storing data stream and watermark information in a data cache queue mode;
a time window maintenance module, configured to implement a time window mechanism, specifically: maintaining a time window with a certain width time interval, wherein the time window slides on the buffer queue in the time sequence increasing direction, the data sliding out of the time window on the buffer queue is deleted, and the queue space is released;
the watermark tracing server includes:
a buffer space maintenance module for storing reported early warning information, data stream and watermark mapping relation information;
the security policy module is used for generating an access control policy based on the watermark information;
and the watermark tracking module is used for extracting the transmission path of the suspicious data stream according to the basic information and the early warning information on the basis of the network topology, and reconstructing and displaying the forwarding path of the suspicious data stream according to the time sequence.
CN201710616391.3A 2017-07-26 2017-07-26 Network watermarking method and system based on biorthogonal carrier Expired - Fee Related CN109309644B (en)


Publications (2)

Publication Number Publication Date
CN109309644A CN109309644A (en) 2019-02-05
CN109309644B true CN109309644B (en) 2020-11-20



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20201120

Termination date: 20210726
