CN109547443A - A Detection Method of Network Storage Type Covert Channel - Google Patents

Publication number: CN109547443A
Authority: CN (China)
Legal status: Granted; Expired - Fee Related
Application number: CN201811430859.0A
Other languages: Chinese (zh)
Other versions: CN109547443B (en)
Inventors: 杨婉霞, 冯全, 王咏梅, 杨梅, 李红岭, 刘燕, 杨森
Current Assignee: Gansu Agricultural University
Original Assignee: Gansu Agricultural University
Application filed by Gansu Agricultural University
Priority to CN201811430859.0A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/60 Network streaming of media packets
    • H04L65/65 Network streaming protocols, e.g. real-time transport protocol [RTP] or real-time control protocol [RTCP]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Abstract

The invention belongs to the field of information security technology and specifically relates to a method for detecting network storage covert channels. The method comprises establishing a polynomial fitting model of RTP timestamp differences; selecting and extracting the clustering feature from the model results; and using a clustering algorithm to determine whether steganography is present. It detects network storage covert channels simply, quickly and accurately.

Description

A detection method for network storage covert channels
Technical field
The invention belongs to the field of information security technology and specifically relates to a method for detecting network storage covert channels.
Background
The rapid development and wide adoption of Internet technology urgently require secure information transmission as a safeguard, which poses a greater challenge to traditional transmission-security schemes based on cryptography. The main reason is that cryptography scrambles the information to be transmitted in order to keep it secret, yet the scrambled appearance of encrypted data is exactly what exposes the existence of confidential information, and this arouses the monitor's enthusiasm and desire to break it. Once the ciphertext is decrypted, no security remains. Second, in principle the security of cryptography rests on mathematical transformations and on specific mathematical problems being hard to solve; with the arrival of the quantum computing era, the speed of exhaustive prime factorisation increases by N orders of magnitude, so an RSA key can be cracked within a limited time. Protecting private information therefore means not only protecting the transmitted content but, even more, concealing its existence. Network covert channels arose in this context. A network covert channel uses openly transmitted communication data as a carrier to build a hidden communication channel, so that an illegitimate information flow (usually secret information) escapes detection by the regular security control mechanisms and is passed safely to the other party; this in turn drives the rapid development and application of information security technology.
In building a covert channel, the carrier is the foundation and information steganography is the means; only a good carrier combined with a suitable steganographic algorithm makes the channel well hidden. The choice of carrier is therefore critical. Because a large amount of streaming media data in the network must be transmitted in real time and the RTP/RTCP protocols provide the key services for this, they have become one of the main targets and carriers for building network covert channels. In particular, each RTP data packet consists of two parts, the protocol header and the payload, so a network covert channel can be built using either the redundant fields of the network protocol or the payload as the carrier. Because a network covert channel embeds secret information in the redundant fields of a network protocol, it is difficult for security and detection devices in the network to identify and is therefore highly concealed. Even if the covert channel is discovered, the special mechanisms used by its builder keep the transmitted secret information from being cracked. Furthermore, research has found that even if each data packet carries only 1 bit of data, a network covert channel can illegally steal 26 GB of information from a large website in one year, so its practical value is high. As one of the main streaming media transmission protocols, RTP/RTCP is thus widely used for building network covert channels. How to use the redundancy of the RTP/RTCP protocols for information hiding, and how to detect it, is the development trend and the focus of research.
Summary of the invention
In view of the above problems and the shortcomings of the prior art, the present invention provides a method for detecting network storage covert channels, comprising the following steps:
1. Establish the polynomial fitting model of RTP timestamp differences: define the sequence number of a channel packet as the x-axis data point and the difference of the packet timestamps as the y-axis data. Suppose the timestamp difference sequence of a window of w+1 packets in the communication is (d_1, d_2, ..., d_w) (w ≥ 1); the set of points to be fitted is then P = {(i, d_i) | i = 1, 2, ..., w; w ≥ 1}, where P is the set of packet sequence numbers and the time difference sequence of the packets sent. Polynomial fitting then gives the polynomial model of the RTP timestamp differences between channels;
2. Select and extract the clustering feature from the model results obtained in step 1: using the formula, calculate the absolute-value area between the fitted curves of the two channels, normal c(x) and steganographic h(x), and use it as the clustering object;
3. Use a clustering algorithm to determine whether steganography is present:
a. Calculate the area difference {S_d} of the fitted curves of the timestamp difference sequences of window length w, separately between normal channels and between a normal channel and a steganographic channel;
b. Choose initial values from the clustering object {S_d} repeatedly and take the most suitable k centre points as the initial values {C_1, C_2, ..., C_k};
c. Using the formula, calculate the distance R(i, k) between each remaining data point and the initial centre points, and assign each data point to the cluster represented by its nearest centre point;
d. Using the formula, calculate the centre point of each cluster, where N_k is the number of data points in cluster C_k and S_di denotes all the data points in cluster C_k;
e. Repeat steps c and d until the sum-of-squared-errors criterion function converges, that is, until the cluster centre values no longer change, giving the cluster centre μ_k of each cluster of the data source and the distance R_k from each data source to each cluster centre;
f. Using the formula, calculate the mean of the distances R_k from each data source to each cluster centre μ_k, where i = 1, 2, ..., n and N_k is the number of centre points of cluster μ_k;
g. Compare the M of the data point under test with the M of the normal data points: if it has not changed, the channel is a normal channel; if it has changed, it is a covert channel.
Further, the polynomial fitting method in step 1 is the least squares method: let the measured timestamp difference sequence be {d_k} (k = 1, 2, 3, ..., w), where w is the number of data points in the window, with a polynomial function denoting the fitting function, then: where j = 0, 1, 3, ..., k, is the estimated value of d_k, the square of the distance between an observed point and its estimated point is , and the parameter values are obtained by making the weighted sum of squares of the residuals (or deviations) E_k between the fitted model and the actual observations at each point reach its minimum, i.e. the value of reaches its minimum.
Further, the degree of the polynomial fit in step 1 is 3 to 7, preferably 5.
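The three steps above can be sketched end to end as follows. This is an added example, not code from the patent: the function names, the 160-tick nominal increment, the quantile start for k-means, the margin `tol`, the integral used for the curve area (the patent's own formula is not legible on this page) and all sample windows are assumptions or constructed data. As a simplification, only normal windows are clustered and a window under test is compared against them.

```python
"""Added example: RTP timestamp-difference screening on constructed data.
Pipeline from the page: polynomial fit -> curve area S_d -> k-means -> mean distance M."""
import random

def polyfit(ds, degree=5):
    """Least-squares fit to the points (i, d_i); x is rescaled to [-1, 1]."""
    w, n = len(ds), degree + 1
    xs = [2 * i / (w - 1) - 1 for i in range(w)]
    # Normal equations A * coef = b for the monomial basis 1, x, ..., x^degree.
    A = [[sum(x ** (r + c) for x in xs) for c in range(n)] for r in range(n)]
    b = [sum(d * x ** r for x, d in zip(xs, ds)) for r in range(n)]
    for col in range(n):  # Gaussian elimination with partial pivoting
        piv = max(range(col, n), key=lambda r: abs(A[r][col]))
        A[col], A[piv], b[col], b[piv] = A[piv], A[col], b[piv], b[col]
        for r in range(col + 1, n):
            f = A[r][col] / A[col][col]
            b[r] -= f * b[col]
            A[r] = [a - f * p for a, p in zip(A[r], A[col])]
    coef = [0.0] * n
    for r in reversed(range(n)):  # back substitution
        tail = sum(A[r][c] * coef[c] for c in range(r + 1, n))
        coef[r] = (b[r] - tail) / A[r][r]
    return coef

def poly(coef, x):
    return sum(a * x ** k for k, a in enumerate(coef))

def curve_area(c, h, steps=400):
    """S_d: trapezoidal integral of |c(x) - h(x)| over the window.
    Assumed form: the page's area formula is missing from the text."""
    g = [abs(poly(c, -1 + 2 * s / steps) - poly(h, -1 + 2 * s / steps)) for s in range(steps + 1)]
    return (2 / steps) * (sum(g) - (g[0] + g[-1]) / 2)

def kmeans_1d(values, k=2, max_iter=100):
    """Steps b-e on scalar S_d values; quantile start instead of repeated random starts."""
    s = sorted(values)
    centres = [s[(2 * j + 1) * len(s) // (2 * k)] for j in range(k)]
    for _ in range(max_iter):
        clusters = [[] for _ in range(k)]
        for v in values:
            clusters[min(range(k), key=lambda j: abs(v - centres[j]))].append(v)
        new = [sum(c) / len(c) if c else centres[j] for j, c in enumerate(clusters)]
        if new == centres:  # centres stopped moving: converged
            break
        centres = new
    return centres

def mean_dist(s, centres):
    """M: mean distance from one S_d value to every cluster centre (step f)."""
    return sum(abs(s - mu) for mu in centres) / len(centres)

def build_model(normal_windows, k=2):
    """Reference fit c(x), centres of the normal S_d values, largest normal M."""
    ref = polyfit(normal_windows[0])
    s_d = [curve_area(ref, polyfit(w)) for w in normal_windows[1:]]
    centres = kmeans_1d(s_d, k)
    return ref, centres, max(mean_dist(s, centres) for s in s_d)

def is_covert(window, model, tol=1.5):
    """Step g: flag a window whose M leaves the range seen for normal traffic.
    tol is an assumed margin; the page only says that M changes."""
    ref, centres, m_normal = model
    m = mean_dist(curve_area(ref, polyfit(window)), centres)
    return m > tol * m_normal

def sample_window(rng, spread, w=50, step=160):
    """Constructed window: nominal increment plus integer jitter of +/- spread ticks."""
    return [step + round((2 * rng.random() - 1) * spread) for _ in range(w)]

RNG = random.Random(7)
NORMAL = [sample_window(RNG, 1) for _ in range(21)]  # constructed normal traffic
MODEL = build_model(NORMAL)

if __name__ == "__main__":
    for label, spread in (("normal", 1), ("perturbed", 24)):
        win = sample_window(RNG, spread)
        print(label, "flagged" if is_covert(win, MODEL) else "not flagged")
```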
The beneficial effects of the invention are:
1. Detection of network storage covert channels is simple, fast and accurate;
Brief description of the drawings
Fig. 1: fitted curves of the RTP timestamp difference sequences of a normal channel and a steganographic channel;
Fig. 2: variation of the mean distance from each point to each cluster centre for window w = 50;
Fig. 3: variation of the mean distance from each point to each cluster centre for window w = 100;
Fig. 4: comparison of the initial clustering result and the second clustering result.
Detailed description
The technical solutions in the embodiments of the invention are described clearly and completely below. The described embodiments are obviously only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the invention.
Embodiment 1: a detection method for network storage covert channels
1. Establish the polynomial fitting model of RTP timestamp differences: define the sequence number of a channel packet as the x-axis data point and the difference of the packet timestamps as the y-axis data. Suppose the timestamp difference sequence of a window of w+1 packets in the communication is (d_1, d_2, ..., d_w) (w ≥ 1); the set of points to be fitted is then P = {(i, d_i) | i = 1, 2, ..., w; w ≥ 1}, where P is the set of packet sequence numbers and the time difference sequence of the packets sent. Polynomial fitting then gives the polynomial model of the RTP timestamp differences between channels. The polynomial fitting method is the least squares method: let the measured timestamp difference sequence be {d_k} (k = 1, 2, 3, ..., w), where w is the number of data points in the window, with a polynomial function denoting the fitting function, then: where j = 0, 1, 3, ..., k, is the estimated value of d_k, the square of the distance between an observed point and its estimated point is , and the weighted sum of squares of the residuals (or deviations) E_k between the fitted model and the actual observations at each point is made to reach its minimum, i.e. the value of reaches its minimum. The degree of the fit is 5, and the fitting result is shown in Fig. 1;
2. Select and extract the clustering feature from the model results obtained in step 1: using the formula, calculate the absolute-value area between the fitted curves of the two channels, normal c(x) and steganographic h(x), and use it as the clustering object. As Fig. 3 shows, after the first clustering the mean distance from the normal-channel data points to each cluster centre is constant, whereas the value for the steganographic channel keeps changing;
3. Use a clustering algorithm to determine whether steganography is present:
a. Calculate the area difference {S_d} of the fitted curves of the timestamp difference sequences of window length w, separately between normal channels and between a normal channel and a steganographic channel;
b. Choose initial values from the clustering object {S_d} repeatedly and take the most suitable k centre points as the initial values {C_1, C_2, ..., C_k};
c. Using the formula, calculate the distance R(i, k) between each remaining data point and the initial centre points, and assign each data point to the cluster represented by its nearest centre point;
d. Using the formula, calculate the centre point of each cluster, where N_k is the number of data points in cluster C_k and S_di denotes all the data points in cluster C_k;
e. Repeat steps c and d until the sum-of-squared-errors criterion function converges, that is, until the cluster centre values no longer change, giving the cluster centre μ_k of each cluster of the data source and the distance R_k from each data source to each cluster centre;
f. Using the formula, calculate the mean of the distances R_k from each data source to each cluster centre μ_k, where i = 1, 2, ..., n and N_k is the number of centre points of cluster μ_k. As Fig. 4 shows, this gives a more accurate clustering result than the first clustering;
g. Compare the M of the data point under test with the M of the normal data points: if it has not changed, the channel is a normal channel; if it has changed, it is a covert channel.

Claims (3)

1. A method for detecting a network storage covert channel, characterised in that the method comprises the following steps:
① Establish the polynomial fitting model of RTP timestamp differences: define the sequence number of a channel packet as the x-axis data point and the difference of the packet timestamps as the y-axis data; suppose the timestamp difference sequence of a window of w+1 packets in the communication is (d_1, d_2, ..., d_w) (w ≥ 1), which gives the set of points to be fitted P = {(i, d_i) | i = 1, 2, ..., w; w ≥ 1}, where P is the set of packet sequence numbers and the time difference sequence of the packets sent; polynomial fitting then gives the polynomial model of the RTP timestamp differences between channels;
② Select and extract the clustering feature from the model results obtained in step ①: using the formula, calculate the absolute-value area between the fitted curves of the two channels, normal c(x) and steganographic h(x), and use it as the clustering object;
③ Use a clustering algorithm to determine whether steganography is present:
a. Calculate the area difference {S_d} of the fitted curves of the timestamp difference sequences of window length w, separately between normal channels and between a normal channel and a steganographic channel;
b. Choose initial values from the clustering object {S_d} repeatedly and take the most suitable k centre points as the initial values {C_1, C_2, ..., C_k};
c. Using the formula, calculate the distance R(i, k) between each remaining data point and the initial centre points, and assign each data point to the cluster represented by its nearest centre point;
d. Using the formula, calculate the centre point of each cluster, where N_k is the number of data points in cluster C_k and S_di denotes all the data points in cluster C_k;
e. Repeat steps c and d until the sum-of-squared-errors criterion function converges, that is, until the cluster centre values no longer change, giving the cluster centre μ_k of each cluster of the data source and the distance R_k from each data source to each cluster centre;
f. Using the formula, calculate the mean of the distances R_k from each data source to each cluster centre μ_k, where i = 1, 2, ..., n and N_k is the number of centre points of cluster μ_k;
g. Compare the M of the data point under test with the M of the normal data points: if it has not changed, the channel is a normal channel; if it has changed, it is a covert channel.
2. The method for detecting a network storage covert channel according to claim 1, characterised in that the polynomial fitting method in step ① is the least squares method: let the measured timestamp difference sequence be {d_k} (k = 1, 2, 3, ..., w), where w is the number of data points in the window, with a polynomial function denoting the fitting function, then: where j = 0, 1, 3, ..., k, is the estimated value of d_k, the square of the distance between an observed point and its estimated point is , and the parameter values are obtained by making the weighted sum of squares of the residuals (or deviations) E_k between the fitted model and the actual observations at each point reach its minimum, i.e. the value of reaches its minimum.
3. The method for detecting a network storage covert channel according to claim 1, characterised in that the degree of the polynomial fit in step ① is 3 to 7, preferably 5.
Priority Applications (1)

Application number: CN201811430859.0A
Priority date: 2018-11-28
Filing date: 2018-11-28
Title: A Detection Method of Network Storage Type Covert Channel
Status: Expired - Fee Related, CN109547443B (en)

Publications (2)

CN109547443A (en), published 2019-03-29
CN109547443B (en), published 2023-04-25

Family ID: 65850637
Country: CN (1)
Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20230425