CN109547443B - Network storage type hidden channel detection method - Google Patents


Publication number
CN109547443B
Authority
CN
China
Prior art keywords
data
cluster
point
fitting
center
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811430859.0A
Other languages
Chinese (zh)
Other versions
CN109547443A (en)
Inventor
杨婉霞
冯全
王咏梅
杨梅
李红岭
刘燕
杨森
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Gansu Agricultural University
Original Assignee
Gansu Agricultural University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Gansu Agricultural University
Priority to CN201811430859.0A
Publication of CN109547443A
Application granted
Publication of CN109547443B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/60 Network streaming of media packets
    • H04L65/65 Network streaming protocols, e.g. real-time transport protocol [RTP] or real-time control protocol [RTCP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the technical field of information security, and particularly relates to a detection method for a network storage type hidden channel. The method establishes a polynomial fitting model of RTP differential timestamps, selects and extracts clustering features from the model results, and uses a clustering algorithm to judge whether steganography exists, so that network storage type hidden channels can be detected simply, rapidly and accurately.

Description

Network storage type hidden channel detection method
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a detection method of a network storage type hidden channel.
Background
With the rapid development and wide adoption of Internet technology, secure transmission of information has become urgent, which poses greater challenges to traditional transmission security schemes based on cryptography. The main reason is that cryptography keeps information confidential by scrambling it, yet it is precisely the scrambled appearance of encrypted information that exposes the existence of confidential information and arouses a monitor's enthusiasm and desire to crack it. Once the ciphertext is decrypted, no security remains. Secondly, in principle the security of cryptography rests on mathematical transformations and on specific mathematical problems being hard to solve; with the advent of the quantum computer era, the speed of exhaustive prime factorization, the least favored approach, improves by N orders of magnitude, and an RSA key can be cracked in a limited time. Protecting private information therefore requires disguising the existence of the transmitted information as well as protecting its content. Network hidden channels arose in this setting. A network hidden channel (covert channel) is a hidden communication channel constructed with public communication data as the carrier, so that an illegal information flow (usually secret information) can evade the detection of conventional security control mechanisms and be transmitted safely to the communication counterpart, thereby promoting the rapid development and application of information security technology.
In constructing a hidden channel, the carrier is the foundation and steganography is the means; combining a good carrier with a suitable steganographic algorithm makes the channel harder to discover, so the choice of carrier is critical. Because a large amount of streaming media data must be transmitted over the network in real time, and the RTP/RTCP protocols provide important services for this purpose, they have become one of the main targets and carriers for constructing network hidden channels. Each RTP data packet consists of two parts, a protocol header and a payload, so a network hidden channel can be constructed in either the redundant fields of the network protocol or its valid data (the payload). Because a network hidden channel embeds the hidden information in redundant fields of the network protocol, security and detection devices in the network have difficulty identifying it, so it is highly covert. Even if the hidden channel is found, special mechanisms adopted by its constructor can prevent the transmitted hidden information from being cracked. Moreover, research has found that even if each data packet carries only 1 bit of data, a network hidden channel can illegally steal 26 GB of information from a large website within one year, so its practical value is extremely high. As one of the main streaming media transmission protocols, RTP/RTCP is therefore widely used for constructing network hidden channels, and research on how to use the redundancy of the RTP/RTCP protocols for information hiding and its detection is a development trend and a research focus.
Disclosure of Invention
In order to solve the above problems and the shortcomings of the prior art, the present invention provides a method for detecting a network storage type hidden channel, which includes the following steps:
(1) establishing an RTP differential timestamp polynomial fitting model: the sequence numbers of the channel's messages are taken as the data points on the x-axis and the differences between message timestamps as the data on the y-axis; assuming that the timestamp difference sequence of a window of w+1 messages in a communication process is $(d_1, d_2, \ldots, d_w)$ ($w \ge 1$), the set of points to be fitted is $P = \{(i, d_i) \mid i = 1, 2, \ldots, w;\ w \ge 1\}$, where P is the set of message sequence numbers paired with the time differences between sent messages; polynomial fitting is then used to obtain a polynomial model of the RTP timestamp differences between channels;
(2) selecting and extracting the clustering features of the model results obtained in the step (1): using the formula
Figure BDA0001882675430000021
calculating the absolute-value area of the two fitting curves, the normal channel c(x) and the hidden channel h(x), and taking this area as the clustering object;
(3) using a clustering algorithm to determine whether steganography exists:
a. calculating the area difference $\{S_d\}$ between the fitting curves of the timestamp difference sequences of window length w for the normal and hidden channels;
b. selecting initial values from the clustering objects $\{S_d\}$ multiple times and taking the most suitable k center points as the initial values $\{C_1, C_2, \ldots, C_k\}$;
c. according to the formula
Figure BDA0001882675430000022
calculating the distance R(i, k) between each data point and the initial center points, and assigning each data point to the cluster represented by the center point closest to it;
d. by the formula
Figure BDA0001882675430000023
calculating the center point of each cluster, where $N_k$ represents the number of data points in cluster $C_k$ and $S_{di}$ represents the data contained in cluster $C_k$;
e. repeating steps c and d until the sum-of-squared-errors criterion function converges, i.e. the values of the cluster centers no longer change, to obtain the cluster center point $\mu_k$ of each cluster of the data source and the distance $R_k$ from each data source to each cluster center;
f. according to the formula
Figure BDA0001882675430000024
calculating the distance $R_k$ from each data source to each cluster center $\mu_k$, where $i = 1, 2, \ldots, N_k$, with $N_k$ representing the number of center points of cluster $\mu_k$;
g. comparing the M of the data points under test with the M of the normal data points: if it is unchanged, the channel is a normal channel, and if it has changed, the channel is a hidden channel.
Further, the polynomial fitting method in step (1) is the least squares method: the measured timestamp difference sequence data is set as $\{d_k\}$ ($k = 1, 2, 3, \ldots, w$), where w is the number of data points in the window, using a polynomial function
Figure BDA0001882675430000025
to represent the fitting function, then:
Figure BDA0001882675430000026
where j = 0, 1, 3, …;
Figure BDA0001882675430000027
is, for $d_k$, the square of the distance between the observation point and the estimated point;
Figure BDA0001882675430000028
the weighted sum of squares of the residuals (or deviations) $E_k$ between the fitting model and the actual observed values at each point is minimized, i.e. the value of
Figure BDA0001882675430000031
is minimized, to find the parameter values therein.
Further, the degree of polynomial fitting in the step (1) is 3 to 7, preferably 5.
The invention has the beneficial effects that:
(1) the detection of the network storage type hidden channel is simply, quickly and accurately realized;
Drawings
FIG. 1 shows the fitted RTP timestamp difference sequences of a normal channel and a hidden channel;
FIG. 2 shows the change in the average distance from each point to each cluster center for window w = 50;
FIG. 3 shows the change in the average distance from each point to each cluster center for window w = 100;
FIG. 4 compares the primary clustering results with the secondary clustering results.
Detailed Description of Embodiments
The technical solutions of the embodiments of the present invention will be clearly and completely described below, and it is apparent that the described embodiments are only a part of the present invention, not the whole invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Embodiment 1: A method for detecting a network storage type hidden channel
(1) Establishing an RTP differential timestamp polynomial fitting model: the sequence numbers of the channel's messages are taken as the data points on the x-axis and the differences between message timestamps as the data on the y-axis; assuming that the timestamp difference sequence of a window of w+1 messages in a communication process is $(d_1, d_2, \ldots, d_w)$ ($w \ge 1$), the set of points to be fitted is $P = \{(i, d_i) \mid i = 1, 2, \ldots, w;\ w \ge 1\}$, where P is the set of message sequence numbers paired with the time differences between sent messages; polynomial fitting is then used to obtain a polynomial model of the RTP timestamp differences between channels, wherein the polynomial fitting method is the least squares method: the measured timestamp difference sequence data is set as $\{d_k\}$ ($k = 1, 2, 3, \ldots, w$), where w is the number of data points in the window, using a polynomial function
Figure BDA0001882675430000032
to represent the fitting function, then:
Figure BDA0001882675430000033
where j = 0, 1, 3, …;
Figure BDA0001882675430000034
is, for $d_k$, the square of the distance between the observation point and the estimated point;
Figure BDA0001882675430000035
the weighted sum of squares of the residuals (or deviations) $E_k$ between the fitting model and the actual observed values at each point is minimized, i.e.
Figure BDA0001882675430000036
The degree of the fitting polynomial is 5, and the fitting result is shown in FIG. 1;
(2) selecting and extracting the clustering features of the model results obtained in the step (1): using the formula
Figure BDA0001882675430000037
calculating the absolute-value area of the two fitting curves, the normal channel c(x) and the hidden channel h(x), and taking this area as the clustering object; as shown in FIG. 3, after the primary clustering the average distance from the data points of the normal channel to each cluster center is unchanged, while that of the hidden channel keeps changing;
(3) using a clustering algorithm to determine whether steganography exists:
a. calculating the area difference $\{S_d\}$ between the fitting curves of the timestamp difference sequences of window length w for the normal and hidden channels;
b. selecting initial values from the clustering objects $\{S_d\}$ multiple times and taking the most suitable k center points as the initial values $\{C_1, C_2, \ldots, C_k\}$;
c. according to the formula
Figure BDA0001882675430000041
calculating the distance R(i, k) between each data point and the initial center points, and assigning each data point to the cluster represented by the center point closest to it;
d. by the formula
Figure BDA0001882675430000042
calculating the center point of each cluster, where $N_k$ represents the number of data points in cluster $C_k$ and $S_{di}$ represents the data contained in cluster $C_k$;
e. repeating steps c and d until the sum-of-squared-errors criterion function converges, i.e. the values of the cluster centers no longer change, to obtain the cluster center point $\mu_k$ of each cluster of the data source and the distance $R_k$ from each data source to each cluster center;
f. according to the formula
Figure BDA0001882675430000043
calculating the distance $R_k$ from each data source to each cluster center $\mu_k$, where $i = 1, 2, \ldots, N_k$, with $N_k$ representing the number of center points of cluster $\mu_k$; as shown in FIG. 4, this gives a more accurate clustering result than the primary clustering;
g. comparing the M of the data points under test with the M of the normal data points: if it is unchanged, the channel is a normal channel, and if it has changed, the channel is a hidden channel.
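Steps (1) to (3) of the embodiment, sketched end to end as an added Python example (not code from the patent). The patent's formulas survive on this page only as image placeholders, so the area feature (integral of |c(x) - h(x)| over the window, with x normalized to [-1, 1]), the one-dimensional distance, the statistic M, the threshold `tol`, the deterministic center initialization and the constructed sample streams are all assumptions.

```python
import random

def diffs(ts):
    """d_1..d_w from w+1 packets; RTP timestamps are 32-bit and wrap."""
    return [(b - a) & 0xFFFFFFFF for a, b in zip(ts, ts[1:])]

def polyfit(d, degree=5):
    """Least-squares polynomial through (i, d_i); x rescaled to [-1, 1] for conditioning."""
    w, n = len(d), degree + 1
    xs = [2.0 * i / (w - 1) - 1.0 for i in range(w)]
    A = [[sum(x ** (j + k) for x in xs) for k in range(n)] for j in range(n)]
    b = [sum(y * x ** j for x, y in zip(xs, d)) for j in range(n)]
    for c in range(n):  # Gaussian elimination with partial pivoting
        p = max(range(c, n), key=lambda r: abs(A[r][c]))
        A[c], A[p], b[c], b[p] = A[p], A[c], b[p], b[c]
        for r in range(c + 1, n):
            f = A[r][c] / A[c][c]
            A[r] = [u - f * v for u, v in zip(A[r], A[c])]
            b[r] -= f * b[c]
    a = [0.0] * n
    for r in reversed(range(n)):  # back substitution
        a[r] = (b[r] - sum(A[r][k] * a[k] for k in range(r + 1, n))) / A[r][r]
    return a

def area_between(c, h, steps=200):
    """ASSUMED feature S_d: integral of |c(x) - h(x)| over the window (trapezoid rule)."""
    ev = lambda a, x: sum(co * x ** j for j, co in enumerate(a))
    g = [abs(ev(c, x) - ev(h, x)) for x in (2.0 * t / steps - 1.0 for t in range(steps + 1))]
    return sum(g[i] + g[i + 1] for i in range(steps)) / steps

def kmeans_1d(vals, k=2, iters=100):
    """Steps b-e: assign each S_d to its nearest center, recompute centers until stable."""
    lo, hi = min(vals), max(vals)
    centers = [lo + (hi - lo) * (j + 0.5) / k for j in range(k)]  # ASSUMED simple init
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for v in vals:
            groups[min(range(k), key=lambda j: abs(v - centers[j]))].append(v)
        new = [sum(g) / len(g) if g else centers[j] for j, g in enumerate(groups)]
        if new == centers:
            break
        centers = new
    return centers

def mean_distance(vals, centers):
    """ASSUMED statistic M: mean distance from every data point to every cluster center."""
    return sum(abs(v - c) for v in vals for c in centers) / (len(vals) * len(centers))

def features(ref_ts, ts, w=50, degree=5):
    """{S_d}: one area per window between the reference fit c(x) and the observed fit h(x)."""
    rd, d = diffs(ref_ts), diffs(ts)
    return [area_between(polyfit(rd[i:i + w], degree), polyfit(d[i:i + w], degree))
            for i in range(0, min(len(rd), len(d)) - w + 1, w)]

def detect(ref_ts, normal_ts, test_ts, w=50, k=2, tol=2.0):
    """Step g: flag the stream if its M moves more than tol (ASSUMED threshold) from the normal M."""
    base = features(ref_ts, normal_ts, w)
    centers = kmeans_1d(base, k)
    m_normal = mean_distance(base, centers)
    m_test = mean_distance(features(ref_ts, test_ts, w), centers)
    return abs(m_test - m_normal) > tol

def make_stream(rng, n, perturbed=False):
    """Constructed sample data: 160-tick packets with rare +/-1 jitter; the perturbed
    variant adds 0 or 8 ticks per packet to stand in for a stream carrying hidden bits."""
    ts, t = [], rng.getrandbits(32)
    for _ in range(n + 1):
        ts.append(t)
        step = 160 + rng.choice((-1, 0, 0, 0, 0, 0, 0, 0, 0, 1))
        t = (t + step + (8 * rng.getrandbits(1) if perturbed else 0)) & 0xFFFFFFFF
    return ts

def demo(seed=2018):
    rng = random.Random(seed)
    ref, normal, clean = (make_stream(rng, 400) for _ in range(3))
    return detect(ref, normal, clean), detect(ref, normal, make_stream(rng, 400, perturbed=True))

if __name__ == "__main__":
    print(demo())  # (flag for the clean stream, flag for the perturbed stream)
```

In practice `tol` has to be calibrated on known-normal traffic of the same codec and packetization interval, since the normal spread of the area feature depends on both.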

Claims (3)

1. The method for detecting the network storage type hidden channel is characterized by comprising the following steps:
(1) establishing an RTP differential timestamp polynomial fitting model: the sequence numbers of the channel's messages are taken as the data points on the x-axis and the differences between message timestamps as the data on the y-axis; assuming that the timestamp difference sequence of a window of w+1 messages in a communication process is $(d_1, d_2, \ldots, d_w)$ ($w \ge 1$), the set of points to be fitted is $P = \{(i, d_i) \mid i = 1, 2, \ldots, w;\ w \ge 1\}$, where P is the set of message sequence numbers paired with the time differences between sent messages; polynomial fitting is then used to obtain a polynomial model of the RTP timestamp differences between channels;
(2) selecting and extracting the clustering features of the model results obtained in the step (1): using the formula
Figure FDA0004133650950000011
calculating the absolute-value area of the two fitting curves, the normal channel c(x) and the hidden channel h(x), and taking this area as the clustering object;
(3) using a clustering algorithm to determine whether steganography exists:
a. calculating the area difference $\{S_d\}$ between the fitting curves of the timestamp difference sequences of window length w for the normal and hidden channels;
b. selecting initial values from the clustering objects $\{S_d\}$ multiple times and taking the most suitable k center points as the initial values $\{C_1, C_2, \ldots, C_k\}$;
c. according to the formula
Figure FDA0004133650950000012
calculating the distance R(i, k) between each data point and the initial center points, and assigning each data point to the cluster represented by the center point closest to it;
d. by the formula
Figure FDA0004133650950000013
calculating the center point of each cluster, where $N_k$ represents the number of data points in cluster $C_k$ and $S_{di}$ represents the data contained in cluster $C_k$;
e. repeating steps c and d until the sum-of-squared-errors criterion function converges, i.e. the values of the cluster centers no longer change, to obtain the cluster center point $\mu_k$ of each cluster of the data source and the distance $R_k$ from each data source to each cluster center;
f. according to the formula
Figure FDA0004133650950000014
calculating the distance $R_k$ from each data source to each cluster center $\mu_k$, where $i = 1, 2, \ldots, N_k$, with $N_k$ representing the number of center points of cluster $\mu_k$;
g. comparing the M of the data points under test with the M of the normal data points: if it is unchanged, the channel is a normal channel, and if it has changed, the channel is a hidden channel.
2. The method of claim 1, wherein the polynomial fitting method in step (1) is the least squares method: the measured timestamp difference sequence data is set as $\{d_k\}$ ($k = 1, 2, 3, \ldots, w$), where w is the number of data points in the window, using a polynomial function
Figure FDA0004133650950000015
to represent the fitting function, then:
Figure FDA0004133650950000021
where j = 0, 1, 3, …;
Figure FDA0004133650950000022
is, for $d_k$, the square of the distance between the observation point and the estimated point;
Figure FDA0004133650950000023
the weighted sum of squares of the residuals $E_k$ between the fitting model and the actual observed values at each point is minimized, i.e. the value of
Figure FDA0004133650950000024
is minimized, to find the parameter values therein.
3. The method of claim 1, wherein the degree of fitting of the polynomial in the step (1) is 3-7, preferably 5.
CN201811430859.0A 2018-11-28 2018-11-28 Network storage type hidden channel detection method Active CN109547443B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811430859.0A CN109547443B (en) 2018-11-28 2018-11-28 Network storage type hidden channel detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811430859.0A CN109547443B (en) 2018-11-28 2018-11-28 Network storage type hidden channel detection method

Publications (2)

Publication Number Publication Date
CN109547443A CN109547443A (en) 2019-03-29
CN109547443B true CN109547443B (en) 2023-04-25

Family

ID=65850637

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811430859.0A Active CN109547443B (en) 2018-11-28 2018-11-28 Network storage type hidden channel detection method

Country Status (1)

Country Link
CN (1) CN109547443B (en)

Also Published As

Publication number Publication date
CN109547443A (en) 2019-03-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant