CN109547443B - Network storage type hidden channel detection method - Google Patents
- Publication number: CN109547443B
- Application number: CN201811430859.0A
- Authority: CN (China)
- Prior art keywords: data, cluster, point, fitting, center
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/60—Network streaming of media packets
- H04L65/65—Network streaming protocols, e.g. real-time transport protocol [RTP] or real-time control protocol [RTCP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/70—Reducing energy consumption in communication networks in wireless communication networks
Abstract
The invention belongs to the technical field of information security, and particularly relates to a detection method for network storage type hidden channels. The method establishes a polynomial fitting model of RTP timestamp differences, selects and extracts clustering features from the model results, and uses a clustering algorithm to judge whether steganography exists, so that network storage type hidden channels can be detected simply, rapidly and accurately.
Description
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a detection method of a network storage type hidden channel.
Background
The rapid development and wide adoption of internet technology make the secure transmission of information an urgent need, which poses a greater challenge to traditional transmission security schemes based on cryptography. First, cryptography keeps information confidential by scrambling it, but it is precisely the scrambled appearance of encrypted information that exposes the existence of confidential content and motivates a monitor to try to crack it. Once the ciphertext is decrypted, no security remains. Second, in principle the security of cryptographic techniques rests on the difficulty of mathematical transformations and of specific mathematical problems; with the advent of the quantum computer era, the speed of exhaustive prime-factor computation, previously the least promising approach, improves by N orders of magnitude, and an RSA key can be cracked in a limited time. Protecting private information therefore requires disguising the existence of the transmitted information as well as protecting its content. Network hidden channels arose in this setting. A network hidden channel is a covert communication channel built on public communication data as the carrier, so that an illegal information flow (usually secret information) evades conventional security control mechanisms and is transmitted safely to the communication counterpart, which has promoted the rapid development and application of information security technology.
In constructing a hidden channel, the carrier is the foundation and steganography is the means; combining a good carrier with a suitable steganographic algorithm makes the channel harder to notice, so the choice of carrier is critical. Because a large amount of streaming media data in the network must be transmitted in real time, the RTP/RTCP protocols provide an important service and have become one of the main targets and carriers for constructing network hidden channels. Each RTP data packet consists of two parts, a protocol header and a payload, so a network hidden channel can be constructed by using the redundant fields or the valid data of the network protocol to carry the hidden information. Because such a channel embeds the hidden information in redundant fields of the network protocol, security and detection devices in the network have difficulty identifying it, which makes it highly covert. Even if the hidden channel is found, special mechanisms adopted by its constructor can prevent the transmitted hidden information from being cracked. In addition, research has found that even if each data packet carries only 1 bit of data, a network hidden channel can illegally steal 26 GB of information from a large website within one year, so its practical value is extremely high. RTP/RTCP, as one of the main streaming media transmission protocols, is thus widely used for constructing network hidden channels, and how to use the redundancy of the RTP/RTCP protocols for information hiding and its detection is a development trend and a focus of research.
Disclosure of Invention
In order to solve the above problems and the shortcomings of the prior art, the present invention provides a method for detecting a network storage type hidden channel, which includes the following steps:
(1) establishing a polynomial fitting model of RTP timestamp differences: the sequence number of each channel message is taken as the x-axis and the difference between message timestamps as the y-axis. Assuming that the timestamp difference sequence of a window of $w+1$ messages in a communication process is $(d_1, d_2, \ldots, d_w)$ ($w \ge 1$), the set of points to be fitted is $P = \{(i, d_i) \mid i = 1, 2, \ldots, w;\ w \ge 1\}$, where $P$ is the set of message sequence numbers paired with the time differences between sent messages. Polynomial fitting is then used to obtain a polynomial model of the RTP timestamp differences between channels;
(2) selecting and extracting the clustering features of the model results obtained in step (1): using the formula, calculate the absolute-value area between the fitted curves of the normal channel $c(x)$ and the hidden channel $h(x)$, and take this area as the clustering object;
(3) using a clustering algorithm to determine whether steganography exists:
a. calculate the area differences $\{S_d\}$ between the fitted curves of the timestamp difference sequences, of window length $w$, of the normal and hidden channels;
b. from the clustering objects $\{S_d\}$, select initial values multiple times and find the most suitable $k$ center points as the initial values $\{C_1, C_2, \ldots, C_k\}$;
c. according to the formula, calculate the distance $R(i, k)$ between each data point and the initial center points, and assign each data point to the cluster represented by its nearest center point;
d. by the formula, calculate the center point of each cluster, where $N_k$ is the number of data points in cluster $C_k$ and $S_{di}$ denotes the data contained in cluster $C_k$;
e. repeat steps c and d until the sum-of-squared-errors criterion function converges, that is, until the values of the cluster centers no longer change, which gives the cluster center point $\mu_k$ of each cluster of the data source and the distance $R_k$ from each data source to each cluster center;
f. according to the formula, calculate the distance $R_k$ from each data source to each cluster center $\mu_k$, where $i = 1, 2, \ldots, N_k$ and $N_k$ is the number of center points of cluster $\mu_k$;
g. compare the M of the data points under test with the M of the normal data points: if it is unchanged, the channel is a normal channel; if it has changed, the channel is a hidden channel.
Further, the polynomial fitting method in step (1) is the least squares method. That is, the measured timestamp difference sequence data is set as $\{d_k\}$ ($k = 1, 2, 3, \ldots, w$), where $w$ is the number of window data points, and a polynomial function is used to represent the fitting function, where $j = 0, 1, 3, \ldots$. From the estimate of $d_k$ and the square of the distance between the observation point and the estimated point, the weighted sum of squares of the residual errors (or deviations) $E_k$ between the fitting model and the actual observed value at each point is minimized, and the parameter values are found from that minimum.
Further, the degree of polynomial fitting in the step (1) is 3 to 7, preferably 5.
The invention has the beneficial effects that:
(1) the detection of the network storage type hidden channel is simply, quickly and accurately realized;
Drawings
FIG. 1 is a graph of the RTP timestamp difference sequence fitting of a normal channel and a hidden channel;
FIG. 2 is a graph of the average change in distance from each point to the center of each cluster for window w = 50;
FIG. 3 is a graph of the average change in distance from each point to the center of each cluster for window w = 100;
FIG. 4 compares the primary clustering results with the secondary clustering results.
Detailed Description of the Embodiments
The technical solutions of the embodiments of the present invention will be clearly and completely described below, and it is apparent that the described embodiments are only a part of the present invention, not the whole invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Embodiment 1: A method for detecting a network storage type hidden channel
(1) Establishing a polynomial fitting model of RTP timestamp differences: the sequence number of each channel message is taken as the x-axis and the difference between message timestamps as the y-axis. Assuming that the timestamp difference sequence of a window of $w+1$ messages in a communication process is $(d_1, d_2, \ldots, d_w)$ ($w \ge 1$), the set of points to be fitted is $P = \{(i, d_i) \mid i = 1, 2, \ldots, w;\ w \ge 1\}$, where $P$ is the set of message sequence numbers paired with the time differences between sent messages. Polynomial fitting is then used to obtain a polynomial model of the RTP timestamp differences between channels. The polynomial fitting method is the least squares method: the measured timestamp difference sequence data is set as $\{d_k\}$ ($k = 1, 2, 3, \ldots, w$), where $w$ is the number of window data points, and a polynomial function is used to represent the fitting function, where $j = 0, 1, 3, \ldots$. From the estimate of $d_k$ and the square of the distance between the observation point and the estimated point, the weighted sum of squares of the residual errors (or deviations) $E_k$ between the fitting model and the actual observed value at each point is minimized. The fitting degree is 5, and the fitting result is shown in FIG. 1;
(2) selecting and extracting the clustering features of the model results obtained in step (1): using the formula, calculate the absolute-value area between the fitted curves of the normal channel $c(x)$ and the hidden channel $h(x)$, and take this area as the clustering object. As shown in FIG. 3, after primary clustering the average distance from the data points of the normal channel to the centers of all clusters is unchanged, while the value for the hidden channel keeps changing;
(3) using a clustering algorithm to determine whether steganography exists:
a. calculate the area differences $\{S_d\}$ between the fitted curves of the timestamp difference sequences, of window length $w$, of the normal and hidden channels;
b. from the clustering objects $\{S_d\}$, select initial values multiple times and find the most suitable $k$ center points as the initial values $\{C_1, C_2, \ldots, C_k\}$;
c. according to the formula, calculate the distance $R(i, k)$ between each data point and the initial center points, and assign each data point to the cluster represented by its nearest center point;
d. by the formula, calculate the center point of each cluster, where $N_k$ is the number of data points in cluster $C_k$ and $S_{di}$ denotes the data contained in cluster $C_k$;
e. repeat steps c and d until the sum-of-squared-errors criterion function converges, that is, until the values of the cluster centers no longer change, which gives the cluster center point $\mu_k$ of each cluster of the data source and the distance $R_k$ from each data source to each cluster center;
f. according to the formula, calculate the distance $R_k$ from each data source to each cluster center $\mu_k$, where $i = 1, 2, \ldots, N_k$ and $N_k$ is the number of center points of cluster $\mu_k$; as shown in FIG. 4, this gives a clustering result more accurate than that of the primary clustering;
g. compare the M of the data points under test with the M of the normal data points: if it is unchanged, the channel is a normal channel; if it has changed, the channel is a hidden channel.
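Steps (1) to (3) above, as an added Python example that is not code from the patent. Because the patent's formulas are not reproduced on this page, the following are assumptions: the area is integrated over the window rescaled to [-1, 1], M is the mean distance from each window's $S_d$ to every cluster center, k = 2 with evenly spread initial centers, `tol` defines "unchanged", all function names are hypothetical, and the sample streams are constructed.

```python
import random

def polyfit(ys, degree=5):
    """Step (1): least-squares fit; x (packet index) is rescaled to [-1, 1]."""
    n, m = len(ys), degree + 1
    xs = [2.0 * i / (n - 1) - 1.0 for i in range(n)]
    # Augmented normal equations (V^T V | V^T y) for coefficients a_0..a_degree.
    A = [[sum(x ** (r + c) for x in xs) for c in range(m)]
         + [sum(y * x ** r for x, y in zip(xs, ys))] for r in range(m)]
    for col in range(m):  # Gaussian elimination with partial pivoting
        piv = max(range(col, m), key=lambda r: abs(A[r][col]))
        A[col], A[piv] = A[piv], A[col]
        for r in range(col + 1, m):
            f = A[r][col] / A[col][col]
            for c in range(col, m + 1):
                A[r][c] -= f * A[col][c]
    coef = [0.0] * m
    for r in reversed(range(m)):  # back substitution
        tail = sum(A[r][c] * coef[c] for c in range(r + 1, m))
        coef[r] = (A[r][m] - tail) / A[r][r]
    return coef

def area_between(c, h, steps=400):
    """Step (2): trapezoidal estimate of the integral of |c(x) - h(x)| on [-1, 1]."""
    def gap(x):
        return abs(sum((a - b) * x ** j for j, (a, b) in enumerate(zip(c, h))))
    pts = [gap(-1.0 + 2.0 * s / steps) for s in range(steps + 1)]
    return (2.0 / steps) * (sum(pts) - 0.5 * (pts[0] + pts[-1]))

def kmeans_1d(values, k=2, iters=100):
    """Steps b-e: 1-D k-means; evenly spread initial centers (a simplification)."""
    lo, hi = min(values), max(values)
    centers = [lo + (hi - lo) * (j + 0.5) / k for j in range(k)]
    for _ in range(iters):
        clusters = [[] for _ in range(k)]
        for v in values:  # step c: assign to the nearest center
            clusters[min(range(k), key=lambda j: abs(v - centers[j]))].append(v)
        new = [sum(c) / len(c) if c else centers[j] for j, c in enumerate(clusters)]
        if new == centers:  # step e: centers no longer change
            break
        centers = new  # step d: each center becomes its cluster mean
    return centers

def ts_diffs(ts):
    """RTP timestamps are 32-bit counters, so differences are taken mod 2**32."""
    return [(b - a) % 2**32 for a, b in zip(ts, ts[1:])]

def mean_center_distance(ref_ts, test_ts, w=50, degree=5, k=2):
    """Steps a-f: per-window areas S_d, clustering, then mean distance M."""
    ref_d, test_d = ts_diffs(ref_ts), ts_diffs(test_ts)
    s_d = [area_between(polyfit(ref_d[i:i + w], degree),
                        polyfit(test_d[i:i + w], degree))
           for i in range(0, min(len(ref_d), len(test_d)) - w + 1, w)]
    centers = kmeans_1d(s_d, k)
    return sum(abs(s - c) for s in s_d for c in centers) / (len(s_d) * k)

def classify(m_normal, m_test, tol=1e-6):
    """Step g: M unchanged -> normal channel, M changed -> hidden channel."""
    return "hidden" if abs(m_test - m_normal) > tol else "normal"

def constructed_stream(n, start, low_bits=0, seed=1):
    """Constructed sample: 8 kHz audio, 20 ms packets (timestamp step 160);
    low_bits > 0 adds a pseudo-random value below 2**low_bits to each timestamp."""
    rng = random.Random(seed)
    return [(start + 160 * i + rng.randrange(1 << low_bits)) % 2**32
            for i in range(n)]

if __name__ == "__main__":
    ref = constructed_stream(501, 0)                 # known-normal reference
    clean = constructed_stream(501, 2**32 - 5000)    # normal, wraps past 2**32
    altered = constructed_stream(501, 4800, low_bits=4, seed=7)
    m_normal = mean_center_distance(ref, clean)
    m_test = mean_center_distance(ref, altered)
    print(round(m_test, 4), classify(m_normal, m_test))
```

On real traffic the reference M is not exactly zero, so `tol` has to be calibrated on clean captures with the same codec and packetization.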
Claims (3)
1. A method for detecting a network storage type hidden channel, characterized by comprising the following steps:
(1) establishing a polynomial fitting model of RTP timestamp differences: the sequence number of each channel message is taken as the x-axis and the difference between message timestamps as the y-axis. Assuming that the timestamp difference sequence of a window of $w+1$ messages in a communication process is $(d_1, d_2, \ldots, d_w)$ ($w \ge 1$), the set of points to be fitted is $P = \{(i, d_i) \mid i = 1, 2, \ldots, w;\ w \ge 1\}$, where $P$ is the set of message sequence numbers paired with the time differences between sent messages. Polynomial fitting is then used to obtain a polynomial model of the RTP timestamp differences between channels;
(2) selecting and extracting the clustering features of the model results obtained in step (1): using the formula, calculate the absolute-value area between the fitted curves of the normal channel $c(x)$ and the hidden channel $h(x)$, and take this area as the clustering object;
(3) using a clustering algorithm to determine whether steganography exists:
a. calculate the area differences $\{S_d\}$ between the fitted curves of the timestamp difference sequences, of window length $w$, of the normal and hidden channels;
b. from the clustering objects $\{S_d\}$, select initial values multiple times and find the most suitable $k$ center points as the initial values $\{C_1, C_2, \ldots, C_k\}$;
c. according to the formula, calculate the distance $R(i, k)$ between each data point and the initial center points, and assign each data point to the cluster represented by its nearest center point;
d. by the formula, calculate the center point of each cluster, where $N_k$ is the number of data points in cluster $C_k$ and $S_{di}$ denotes the data contained in cluster $C_k$;
e. repeat steps c and d until the sum-of-squared-errors criterion function converges, that is, until the values of the cluster centers no longer change, which gives the cluster center point $\mu_k$ of each cluster of the data source and the distance $R_k$ from each data source to each cluster center;
f. according to the formula, calculate the distance $R_k$ from each data source to each cluster center $\mu_k$, where $i = 1, 2, \ldots, N_k$ and $N_k$ is the number of center points of cluster $\mu_k$;
g. compare the M of the data points under test with the M of the normal data points: if it is unchanged, the channel is a normal channel; if it has changed, the channel is a hidden channel.
2. The method of claim 1, wherein the polynomial fitting method in step (1) is the least squares method, that is, the measured timestamp difference sequence data is set as $\{d_k\}$ ($k = 1, 2, 3, \ldots, w$), where $w$ is the number of window data points, and a polynomial function is used to represent the fitting function, where $j = 0, 1, 3, \ldots$; from the estimate of $d_k$ and the square of the distance between the observation point and the estimated point, the weighted sum of squares of the residual errors $E_k$ between the fitting model and the actual observed value at each point is minimized, and the parameter values are found from that minimum.
3. The method of claim 1, wherein the degree of fitting of the polynomial in the step (1) is 3-7, preferably 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811430859.0A CN109547443B (en) | 2018-11-28 | 2018-11-28 | Network storage type hidden channel detection method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109547443A (en) | 2019-03-29 |
CN109547443B (en) | 2023-04-25 |
Family
ID=65850637
Family Applications (1)
Application Number | Status | Priority Date | Filing Date | Title |
---|---|---|---|---|
CN201811430859.0A, CN109547443B (en) | Active | 2018-11-28 | 2018-11-28 | Network storage type hidden channel detection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109547443B (en) |