CN109547443A - A kind of detection method of the hidden channel of network storage type - Google Patents

A kind of detection method of the hidden channel of network storage type Download PDF

Info

Publication number
CN109547443A
CN109547443A CN201811430859.0A CN201811430859A CN109547443A CN 109547443 A CN109547443 A CN 109547443A CN 201811430859 A CN201811430859 A CN 201811430859A CN 109547443 A CN109547443 A CN 109547443A
Authority
CN
China
Prior art keywords
point
channel
cluster
value
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811430859.0A
Other languages
Chinese (zh)
Other versions
CN109547443B (en
Inventor
杨婉霞
冯全
王咏梅
杨梅
李红岭
刘燕
杨森
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Gansu Agricultural University
Original Assignee
Gansu Agricultural University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Gansu Agricultural University filed Critical Gansu Agricultural University
Priority to CN201811430859.0A priority Critical patent/CN109547443B/en
Publication of CN109547443A publication Critical patent/CN109547443A/en
Application granted granted Critical
Publication of CN109547443B publication Critical patent/CN109547443B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/60Network streaming of media packets
    • H04L65/65Network streaming protocols, e.g. real-time transport protocol [RTP] or real-time control protocol [RTCP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/70Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to field of information security technology, and in particular to a kind of detection method of the hidden channel of network storage type.This method includes establishing RTP Differential time stamp fitting of a polynomial model;The cluster feature of resulting model result is selected and extracted;, can be simple using clustering algorithm to determine whether there are steganography, detection that is quick and being accurately realized the hidden channel of network storage type.

Description

A kind of detection method of the hidden channel of network storage type
Technical field
The invention belongs to field of information security technology, and in particular to a kind of detection method of the hidden channel of network storage type.
Background technique
The rapid development of Internet technology and the safe transmission of widely available urgently information are as ensureing, this is also to traditional Information transmission security scheme based on cryptographic technique proposes bigger challenge.Main cause be cryptographic technique be will be to be passed Defeated information scramble is to achieve the purpose that secrecy, however, the messy code feature exactly shown after information encryption makes confidential information Existence be exposed, this just excite supervisor decode information enthusiasm and desire.The ciphertext of encryption is once decrypted, just No safety can be sayed.Secondly, the safety of cryptographic technique is built upon mathematic(al) manipulation and mathematics particular problem is difficult by principle analysis On the basis of solving, with the arrival in quantum computer epoch, least good exhaustive computations prime factor speed is enhanced N number of The order of magnitude can crack RSA key within the limited time.As it can be seen that the protection for private information, is paying attention to protection transmission While the information content, it more should be noted and its existence covered up.In this scenario, the hidden channel application of network and give birth to.Network is hidden Channel is to make illegal information flow (usually using disclosed communication data as one hidden communication channel of vector construction Secret information) escape regular security control mechanism detection, the other side of communication is safely passed to, to push information security The fast development and application of technology.
In the building of hidden channel, carrier is basis, and information steganography is means, good carrier and suitable steganographic algorithm Combining could make the building of hidden channel more hidden.As it can be seen that the selection of carrier is very crucial.Due to there is a large amount of stream in network Media data needs real-time Transmission, and RTP/RTCP agreement provides critical services thus, becomes as the master of the hidden channel build of network Want one of object and carrier.Especially each RTP data grouping is by protocol headers (head) and valid data (payload) two Part forms.Therefore, the hidden channel of network can be constructed using the redundant field of network protocol or valid data as load.Due to network Hidden channel is that secret information is embedded in the redundant field of network protocol, is difficult safety equipment and detection device in network Identification, therefore there is very strong concealment.Even if private communication channel is found, the special mechanism that building person uses makes the hidden of transmission Secret information is unlikely to be cracked.Even if secondly, the study found that data packet carries 1bit data, then in 1 year, one Network private communication channel can illegally steal the information of 26GB from a large-scale website, and practical value is high.As it can be seen that as main One of streaming media transmission protocol, RTP/RTCP is widely used in the building of the hidden channel of network.How research utilizes RTP/ The redundancy of rtcp protocol carries out Information hiding and detection, is development trend and research emphasis place.
Summary of the invention
Regarding to the issue above and the deficiencies in the prior art, the present invention provides a kind of detection sides of hidden channel of network storage type Method, method includes the following steps:
1. establishing RTP Differential time stamp fitting of a polynomial model: defining the data point of the serial number X-axis of Channel message, y-axis Data be message time stamp difference value, it is assumed that the timestamp difference sequence of w+1 message window in communication process is calculated as (d1, d2 ..., dW) (w >=1), it can thus be concluded that set P={ i, di to match point;) | i=1,2 ..., w;W >=1 }, P is report The set for the time difference sequence that literary serial number and message are sent, recycles fitting of a polynomial to obtain interchannel RTP timestamp difference Multinomial model;
2. to step 1. obtained in the cluster feature of model result selected and extracted: using formulaCalculate the absolute value area of normal c (x) He two channel matched curve of steganography h (x), and with This is as clustering object;
3. using clustering algorithm to determine whether there are steganography:
A, it calculates separately between normal channel and w length of window timestamp difference sequence between normal channel and stego-channel Matched curve area discrepancy degree { Sd};
B, from clustering object { SdIn repeatedly choose initial value, find most suitable k central point as initial value { C1, C2,…Ck};
C, formula is pressedCalculate remaining each data point With initial center point distance R (i, k), the nearest data point of distance center point is referred in cluster representated by the central point;
D, formula is usedCalculate the central point of each cluster, wherein NkIndicate cluster CkMiddle data point Number;SdiIndicate cluster CkIn all data point;
E, step c is repeated, until error sum of squares criterion function starts convergence, i.e. the value of cluster centre no longer becomes d Change, obtains the cluster centre point μ of each cluster of data sourcekWith the distance R of each data source to each cluster centrek
F, according to formulaEach data source is calculated to each cluster centre μkDistance RkMean value, In, i=1,2 ..., n, NkIndicate cluster μkThe number of central point;
G, the M for the data point that will be compared and the M of normal data points are compared, if do not changed, for normal channel, such as It changes, is then convert channel.
Further, the step 1. in polynomial fitting method be least square method, that is, the timestamp for setting actual measurement is poor Fraction sequence data are { dk(k=1,2,3 ..., w), w is window data points, with a polynomial functionIndicate fitting Function, then:Wherein j=0,1,3 ..., k,It is dkEstimated value, Observation point square is at a distance from estimation pointMake model of fit and actual observed value each point residual error (or from Difference) EkWeighted sum of squares reach minimum, i.e.,Value reach minimum, to seek Parameter value therein.
Further, the step 1. in fitting of a polynomial number be 3-7 times, preferably 5 times.
The beneficial effects of the present invention are:
1. simple, detection that is quick and being accurately realized the hidden channel of network storage type;
Detailed description of the invention
Fig. 1 normal channel and the difference sequence matched curve of stego-channel RTP timestamp;
Mean variation of each point that Fig. 2 window w is 50 to each cluster centre distance;
Mean variation of each point that Fig. 3 window w is 100 to each cluster centre distance;
Fig. 4 initial clustering and the comparison of secondary cluster result.
Specific embodiment
The technical scheme in the embodiments of the invention will be clearly and completely described below, it is clear that described implementation Example is only a part of the invention, rather than the whole invented.Based on the embodiments of the present invention, ordinary skill people Member's every other embodiment obtained without making creative work, shall fall within the protection scope of the present invention.
A kind of detection method of the hidden channel of network storage type of embodiment 1
1. establishing RTP Differential time stamp fitting of a polynomial model: defining the data point of the serial number X-axis of Channel message, y-axis Data be message time stamp difference value, it is assumed that the timestamp difference sequence of w+1 message window in communication process is calculated as (d1, d2 ..., dW) (w >=1), it can thus be concluded that set P={ i, di to match point;) | i=1,2 ..., w;W >=1 }, P is report The set for the time difference sequence that literary serial number and message are sent, recycles fitting of a polynomial to obtain interchannel RTP timestamp difference Multinomial model, polynomial fitting method is least square method, that is, sets the timestamp difference number sequence column data of actual measurement as { dk} (k=1,2,3 ..., w), w is window data points, with a polynomial functionIndicate fitting function, then:Wherein j=0,1,3 ..., k,It is dkEstimated value, observation point with The distance of estimation point square isMake model of fit and actual observed value in residual error (or deviation) E of each pointkPlus Power quadratic sum reaches minimum, i.e.,Value reach minimum, fitting number is 5 times, is intended It is as shown in Figure 1 to close result;
2. to step 1. obtained in the cluster feature of model result selected and extracted: using formulaCalculate the absolute value area of normal c (x) He two channel matched curve of steganography h (x), and with This is as clustering object, such as Fig. 3, and the average value of normal channel data point to each cluster centre distance is constant after cluster for the first time, and What the value of stego-channel always changed;
3. using clustering algorithm to determine whether there are steganography:
A, it calculates separately between normal channel and w length of window timestamp difference sequence between normal channel and stego-channel Matched curve area discrepancy degree { Sd};
B, from clustering object { SdIn repeatedly choose initial value, find most suitable k central point as initial value { C1, C2,…Ck};
C, formula is pressedCalculate remaining each data point With initial center point distance R (i, k), the nearest data point of distance center point is referred in cluster representated by the central point;
D, formula is usedCalculate the central point of each cluster, wherein NkIndicate cluster CkMiddle data point Number;SdiIndicate cluster CkIn all data point;
E, step c is repeated, until error sum of squares criterion function starts convergence, i.e. the value of cluster centre no longer becomes d Change, obtains the cluster centre point μ of each cluster of data sourcekWith the distance R of each data source to each cluster centrek
F, according to formulaEach data source is calculated to each cluster centre μkDistance RkMean value, In, i=1,2 ..., n, NkIndicate cluster μkThe number of central point, such as Fig. 4 have obtained clustering more accurate cluster result than for the first time;
G, the M for the data point that will be compared and the M of normal data points are compared, if do not changed, for normal channel, such as It changes, is then convert channel.

Claims (3)

1. a kind of detection method of the hidden channel of network storage type, which is characterized in that method includes the following steps:
1. establishing RTP Differential time stamp fitting of a polynomial model: defining the data point of the serial number X-axis of Channel message, the number of y-axis According to the difference value stabbed for message time, it is assumed that the timestamp difference sequence of w+1 message window in communication process be calculated as (d1, D2 ..., dW) (w >=1), it can thus be concluded that set P={ i, di to match point;) | i=1,2 ..., w;W >=1 }, P is message sequence Number and message send time difference sequence set, recycle fitting of a polynomial obtain the more of interchannel RTP timestamp difference Item formula model;
2. to step 1. obtained in the cluster feature of model result selected and extracted: using formulaCalculate the absolute value area of normal c (x) He two channel matched curve of steganography h (x), and with This is as clustering object;
3. using clustering algorithm to determine whether there are steganography:
A, it calculates separately between normal channel and w length of window timestamp difference sequence is fitted between normal channel and stego-channel Area under the curve diversity factor { Sd};
B, from clustering object { SdIn repeatedly choose initial value, find most suitable k central point as initial value { C1,C2,…Ck};
C, formula is pressedCalculate remaining each data point and initial The nearest data point of distance center point is referred in cluster representated by the central point by the distance R (i, k) of central point;
D, formula is usedCalculate the central point of each cluster, wherein NkIndicate cluster CkThe number of middle data point; SdiIndicate cluster CkIn all data point;
E, step c is repeated, until error sum of squares criterion function starts convergence, i.e. the value of cluster centre no longer changes d, obtains To the cluster centre point μ of each cluster of data sourcekWith the distance R of each data source to each cluster centrek
F, according to formulaEach data source is calculated to each cluster centre μkDistance RkMean value, wherein i =1,2 ..., n, NkIndicate cluster μkThe number of central point;
G, the M for the data point that will be compared and the M of normal data points are compared, if do not changed, for normal channel, if any change Change, is then convert channel.
2. a kind of detection method of the hidden channel of network storage type as described in claim 1, which is characterized in that the step 1. in Polynomial fitting method be least square method, that is, set the timestamp difference number sequence column data of actual measurement as { dk(k=1,2, 3 ..., w), w are window data points, with a polynomial functionIndicate fitting function, then:Wherein j=0,1,3 ..., k,It is dkEstimated value, observation point with The distance of estimation point square isMake model of fit and actual observed value in residual error (or deviation) E of each pointkPlus Power quadratic sum reaches minimum, i.e.,Value reach minimum, to seek parameter therein Value.
3. a kind of detection method of the hidden channel of network storage type as described in claim 1, which is characterized in that the step 1. in Fitting of a polynomial number be 3-7 times, preferably 5 times.
CN201811430859.0A 2018-11-28 2018-11-28 Network storage type hidden channel detection method Active CN109547443B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811430859.0A CN109547443B (en) 2018-11-28 2018-11-28 Network storage type hidden channel detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811430859.0A CN109547443B (en) 2018-11-28 2018-11-28 Network storage type hidden channel detection method

Publications (2)

Publication Number Publication Date
CN109547443A true CN109547443A (en) 2019-03-29
CN109547443B CN109547443B (en) 2023-04-25

Family

ID=65850637

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811430859.0A Active CN109547443B (en) 2018-11-28 2018-11-28 Network storage type hidden channel detection method

Country Status (1)

Country Link
CN (1) CN109547443B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110324210A (en) * 2019-08-06 2019-10-11 杭州安恒信息技术股份有限公司 The detection method and device of private communication channel communication are carried out based on ICMP agreement
CN110392050A (en) * 2019-07-18 2019-10-29 北京理工大学 A kind of construction method of the Use of Covert Storage Channels based on timestamp
CN110912921A (en) * 2019-11-29 2020-03-24 广东工业大学 Safety data verification system and method for industrial control system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20090129009A (en) * 2008-06-12 2009-12-16 주식회사 케이티 Method for detecting hidden station problem, to apply and cancel adapatable rts/cts exchage method
US7920705B1 (en) * 2006-07-26 2011-04-05 Rockwell Collins, Inc. System and method for convert channel detection
CN102594619A (en) * 2012-02-15 2012-07-18 南京理工大学常熟研究院有限公司 Network covert channel detecting method
CN104753617A (en) * 2015-03-17 2015-07-01 中国科学技术大学苏州研究院 Detection method of time-sequence type covert channel based on neural network
CN105847250A (en) * 2016-03-22 2016-08-10 甘肃农业大学 VoIP stream media multi-dimensional information steganography real time detection method
WO2017185433A1 (en) * 2016-04-25 2017-11-02 深圳大学 Steganalysis method based on hamming distance distribution

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7920705B1 (en) * 2006-07-26 2011-04-05 Rockwell Collins, Inc. System and method for convert channel detection
KR20090129009A (en) * 2008-06-12 2009-12-16 주식회사 케이티 Method for detecting hidden station problem, to apply and cancel adapatable rts/cts exchage method
CN102594619A (en) * 2012-02-15 2012-07-18 南京理工大学常熟研究院有限公司 Network covert channel detecting method
CN104753617A (en) * 2015-03-17 2015-07-01 中国科学技术大学苏州研究院 Detection method of time-sequence type covert channel based on neural network
CN105847250A (en) * 2016-03-22 2016-08-10 甘肃农业大学 VoIP stream media multi-dimensional information steganography real time detection method
WO2017185433A1 (en) * 2016-04-25 2017-11-02 深圳大学 Steganalysis method based on hamming distance distribution

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
周雪;: "基于VoIP的隐蔽通信系统的研究与设计" *
杨婉霞,等: "网络存储隐蔽信道检测的改进与优化仿真" *
杨永周;: "隐蔽通信及安全检测防护技术探究" *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110392050A (en) * 2019-07-18 2019-10-29 北京理工大学 A kind of construction method of the Use of Covert Storage Channels based on timestamp
CN110392050B (en) * 2019-07-18 2020-11-27 北京理工大学 Method for constructing hidden storage channel based on timestamp
CN110324210A (en) * 2019-08-06 2019-10-11 杭州安恒信息技术股份有限公司 The detection method and device of private communication channel communication are carried out based on ICMP agreement
CN110912921A (en) * 2019-11-29 2020-03-24 广东工业大学 Safety data verification system and method for industrial control system
CN110912921B (en) * 2019-11-29 2022-02-15 广东工业大学 Safety data verification system and method for industrial control system

Also Published As

Publication number Publication date
CN109547443B (en) 2023-04-25

Similar Documents

Publication Publication Date Title
CN103581173B (en) Safe data transmission method, system and device based on industrial Ethernet
KR101351012B1 (en) Method and apparatus for authentication user in multiparty quantum communications
CN109547443A (en) A kind of detection method of the hidden channel of network storage type
CN107438230B (en) Safe wireless ranging
CN103581175B (en) A kind of safe data aggregation method
CN101005361B (en) Server and software protection method and system
CN108092771A (en) A kind of anti-tamper controlled quantum safety direct communication method and system
WO2014029169A1 (en) Communication method utilizing fingerprint information for authentication
CN100421372C (en) Method of safety transmitting key
JP2016131335A (en) Information processing method, information processing program and information processing device
CN113079008B (en) Data communication method, device and system
CN108599934A (en) It is a kind of to test safe and secret Enhancement Method for quantum key distribution
Beigi et al. Quantum achievability proof via collision relative entropy
CN105162797A (en) Bidirectional authentication method based on video surveillance system
CN101202631A (en) System and method for identification authentication based on cipher key and timestamp
CN104767624A (en) Remote protocol authentication method based on biological features
CN106612265A (en) Instant messaging method and server
Kang et al. Controlled mutual quantum entity authentication using entanglement swapping
CN109617686A (en) A kind of improved Key Exchange Protocol algorithm based on lattice
CN111416712B (en) Quantum secret communication identity authentication system and method based on multiple mobile devices
CN101741544A (en) Time-lag chaos iteration-based digital signature method and device
CN109922022A (en) Internet of Things communication means, platform, terminal and system
CN105978684B (en) Safe communication system and method based on open Limited Feedback and dynamic matrix coding
Ullah et al. An efficient lightweight image encryption scheme using multichaos
CN1305250C (en) Safe quantum communication method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant