CN112235309B - Multi-scale detection system for hidden channel of cloud platform network - Google Patents


Info

Publication number
CN112235309B
CN112235309B
Authority
CN
China
Prior art keywords
detection
network
data
covert channel
channel
Legal status
Active
Application number
CN202011121041.8A
Other languages
Chinese (zh)
Other versions
CN112235309A (en)
Inventor
唐彰国
李焕洲
喻瑾
张健
Current Assignee
Sichuan Normal University
Original Assignee
Sichuan Normal University


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 for detecting or protecting against malicious traffic > H04L63/1408 by monitoring network traffic
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/20 for managing network security; network security policies in general
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The invention discloses a multi-scale detection system for covert channels in a cloud platform network, in the technical field of network security. A data acquisition module and a data preprocessing module run in each cloud server and collect multi-scale network environment parameters there. A covert channel detection engine runs in a covert channel detection and analysis center, constructs a multi-scale detection vector for comprehensive covert channel analysis, and presents the detection status through a visualization module. The method combines the network communication mechanism and the network topology of the cloud platform, collects network environment parameters from the cloud servers, and formulates a cloud platform covert channel detection method on multiple scales, namely the morphological parameters, statistical parameters and traffic models of data packets, data streams and session streams. This improves the detection accuracy for network covert channels and addresses the security risk that network covert channels pose on a cloud platform.

Description

Multi-scale detection system for hidden channel of cloud platform network
Technical Field
The invention relates to the technical field of network security, in particular to a cloud platform network covert channel multi-scale detection system.
Background
Cloud computing networks, as an extension of the traditional Internet, face a network environment that can be compromised from many directions. Data leakage is a major hazard for cloud platforms. A network covert channel is a covert communication technique that uses a legitimate network communication channel as its carrier; it can serve as a C&C channel or as a channel for transmitting confidential data.
Because of the particular network form, topology, communication mechanism and network virtualization technology of cloud computing networks, their network environment and network data flows differ in certain respects from the traditional Internet. At present, covert channel detection on cloud platforms mainly targets virtual machine co-residency attacks that exploit memory sharing; detection of covert channels that use network traffic as their carrier is lacking.
Based on the above, the invention designs a multi-scale detection system for covert channels in a cloud platform network in order to solve the problems mentioned above.
Disclosure of Invention
The invention aims to provide a multi-scale detection system for covert channels in a cloud platform network. It takes the network traffic inside the cloud servers as the main detection object, combines the network communication mechanism and the network topology of the cloud platform, collects network environment parameters from the cloud servers through an acquisition module and a preprocessing module, and formulates a cloud platform covert channel detection method on multiple scales, namely the morphological parameters, statistical parameters and traffic models of data packets, data streams and session streams, so that the detection accuracy for network covert channels is improved and the security risk posed by network covert channels on the cloud platform is addressed.
To achieve this, the invention provides the following technical scheme: a multi-scale detection system for covert channels in a cloud platform network comprises a data acquisition module, a data preprocessing module, a covert channel detection engine and a visualization module. The data acquisition module runs in each cloud server and acquires the network traffic of that cloud server in real time. The data preprocessing module runs in each cloud server, collects the multi-scale network environment parameters (morphological parameters, statistical parameters and traffic model) of that cloud server and transmits them to a covert channel detection and analysis center. The covert channel detection engine runs in the covert channel detection and analysis center, constructs covert channel detection vectors from the morphological parameter, statistical parameter and traffic model scales, comprehensively analyses the network environment of the cloud server and judges whether a covert channel exists. The visualization module runs in the covert channel detection and analysis center and associates time and session information with the detection result to form a detection report.
Preferably, the data preprocessing module preprocesses the acquired network data, identifies its network protocol, obtains data packets, data streams and communication sessions, extracts the key values of the data packets, data streams and communication sessions, uniquely identifies them using the cloud server ID number together with the communication session information (source IP address, destination IP address, port number and communication time), assembles this into detection metadata and sends the detection metadata to the covert channel detection and analysis center.
The covert channel detection engine parses the detection metadata, constructs covert channel detection vectors on the morphological parameter, statistical parameter and traffic model scales according to prior knowledge, performs comprehensive analysis and judges whether a covert channel exists.
The visualization module combines the detection result with the cloud server location information and the communication session information to produce a detection analysis report covering the association between the multi-scale covert channel detections, the detection situation per time period and an analysis of the attack behaviour.
Preferably, the system further comprises a detection method for the cloud platform network covert channel multi-scale detection system, with the following specific steps:
S1: obtain knowledge of the acquisition network environment through the data acquisition module, configure the parameters of the data acquisition module, and have each data acquisition module acquire the network traffic of its cloud server from the network interface;
S2: preprocess the acquired network data with the data preprocessing module running in the cloud server, identify the network protocol of the network data, and obtain data packets, data streams and communication sessions;
S3: the data preprocessing module running in the cloud server extracts the key values of the data packets, data streams and communication sessions, uniquely identifies them using the cloud server ID number and communication session information such as source IP address, destination IP address, port number and communication time, assembles this into detection metadata stored in JSON format, and sends the preprocessed data to the covert channel detection and analysis center;
S4: the covert channel detection engine running in the covert channel detection and analysis center first receives the JSON data, parses the detection metadata, constructs covert channel detection vectors on the scales of data packets, data streams and communication sessions according to prior knowledge, performs comprehensive analysis and judges whether a covert channel exists.
Preferably, in the data acquisition module, the data acquisition method comprises the following steps:
S1.1: obtain detection environment knowledge comprising the cloud server ID number, the cloud server network interface and the cloud server IP address;
S1.2: configure the acquisition parameters, including the network interfaces to capture from and the data cache flags;
S1.3: acquire network data according to the acquisition parameters.
Preferably, in the data preprocessing module, the data preprocessing method comprises the following steps:
S2.1: perform deep analysis of the acquired network data and determine its network protocol from prior knowledge of the protocol, namely the data packet port and the single-packet protocol semantics;
S2.2: obtain data packets and data streams, and reassemble session streams to obtain communication session streams;
S2.3: extract the key values, namely the packet header and payload fields, the traffic distribution of the data streams, the packet count of the session streams and the packet sending frequency, and uniquely tag them with the IP address, port number and communication time (the communication session information) and the cloud server ID number to form the detection metadata;
S2.4: store the detection metadata in JSON format and send it to the covert channel detection and analysis center.
Preferably, in the covert channel detection engine, the network covert channel multi-scale detection method comprises the following steps:
S3.1: check the tag information and judge whether covert channel detection has been carried out; if so, output the identification result, and if not, proceed to the next step;
S3.2: extract the morphological parameters, statistical parameters and traffic models of the data packets, data streams and session streams of the data to be detected;
S3.3: compare against normal network data on the morphological parameter, statistical parameter and traffic model scales to construct a detection vector for network covert channel detection;
S3.4: adjust the weight proportions according to the detection results and perform a multi-scale fusion judgement to obtain the detection result.
Preferably, in the covert channel detection engine, the method for detection on the morphological parameter scale of the network covert channel comprises the following steps:
S3.5: receive the detection metadata and obtain the network data packets;
S3.6: perform pattern matching on the data packets against the signature characteristic values of covert channel tools; if the match succeeds, proceed to S3.8, and if it fails, proceed to S3.7;
S3.7: compare against normal data packets of the protocol and construct a detection vector from the field lengths and protocol key values;
S3.8: comprehensively analyse whether a network covert channel exists.
In the covert channel detection engine, the method for detection on the statistical parameter scale of the network covert channel comprises the following steps:
S3.9: receive the detection metadata and obtain the key values of the session stream;
S3.10: construct a detection vector from multiple dimensions such as the packet sending frequency, the packet sending interval and the number of fixed-content data packets;
S3.11: compare against normal session streams and analyse whether a network covert channel exists.
Preferably, in the covert channel detection engine, the method for detection on the traffic model scale of the network covert channel comprises the following steps:
S3.12: receive the detection metadata and obtain the key values of the data stream;
S3.13: compute the distribution of the data stream traffic, including the average, maximum and minimum flow rates of the inbound and outbound traffic;
S3.14: compare against the distribution of normal data stream traffic, count the number of flow mutations in the detected data stream against a threshold, and comprehensively analyse whether a network covert channel exists.
Preferably, in the covert channel detection engine, the multi-scale fusion judgement method for the network covert channel comprises the following steps:
S3.15: obtain the multi-scale detection results for the network covert channel of a cloud server;
S3.16: according to the results of the morphological parameter scale detection and the statistical parameter scale detection of the network covert channel, adjust the weights of these two detections to obtain the first-stage suspicion degree of the network covert channel;
S3.17: adjust the weights of the first-stage suspicion degree and of the result of the data-stream-based traffic model scale detection to obtain the final suspicion degree of the network covert channel.
Preferably, in the visualization module, the network covert channel detection visualization method comprises the following steps:
S4.1: obtain the multi-scale detection results for the covert channel;
S4.2: according to the detection results, obtain the alarm data packets and the IP addresses, port numbers, packet sending times and session periods of the session streams; calculate the flow rate change, packet count and session stream count of the alarmed data streams; and calculate the number of alarms and their trend for the same cloud server over periods such as one hour and one week;
S4.3: form a detection report from this information and display the degree of harm that the network covert channel poses to the cloud server as low, medium or high risk.
Compared with the prior art, the invention has the following beneficial effects:
(1) A multi-scale acquisition framework for network environment parameters is designed and constructed, reducing the resource occupation of the cloud platform. A novel covert channel detection framework is provided that follows the topological architecture of the cloud platform: network environment knowledge such as the morphological parameters, statistical parameters and traffic models of data packets, data streams and session streams is acquired from each cloud server through the acquisition module and the preprocessing module, and network covert channel detection is performed centrally, which effectively reduces the system overhead on each cloud server and the share of bandwidth that the detection data occupies in the cloud platform network.
(2) A multi-scale detection engine for network covert channels is constructed, improving the detection accuracy for cloud platform network covert channels. Following a multi-scale detection approach, a multi-scale detection vector is constructed from the morphological parameters, statistical parameters and traffic models of data packets, data streams and session streams, which increases both the depth and the breadth of network covert channel detection, improves the detection accuracy for network covert channels, and preserves network security in an everything-on-the-cloud setting.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a multi-scale detection system framework of a hidden channel of a cloud platform network according to an embodiment of the present invention;
FIG. 2 is a flow chart of multi-scale detection of a hidden channel in a cloud platform network according to an embodiment of the present invention;
FIG. 3 is a flow chart of data collection provided by an embodiment of the present invention;
FIG. 4 is a flow chart of multi-scale detection of a network covert channel according to an embodiment of the present invention;
FIG. 5 is a flow chart of the detection of the form parameter scale of the network hidden channel according to the embodiment of the present invention;
FIG. 6 is a flow chart of the statistical parameter scale detection for a network covert channel according to an embodiment of the present invention;
FIG. 7 is a flow chart of the traffic model scale detection for a network covert channel according to an embodiment of the present invention.
In the drawings, the components represented by the respective reference numerals are listed below:
1. a data acquisition module; 2. a data preprocessing module; 3. a covert channel detection engine; 4. a visualization module; 5. a cloud server; 6. and a covert channel detection analysis center.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
Referring to FIG. 1, the invention provides the following technical solution: a multi-scale detection system for covert channels in a cloud platform network comprises a data acquisition module 1, a data preprocessing module 2, a covert channel detection engine 3 and a visualization module 4. The data acquisition module 1 runs in each cloud server 5 and acquires the network traffic of that cloud server 5 in real time. The data preprocessing module 2 runs in each cloud server 5, collects the multi-scale network environment parameters (morphological parameters, statistical parameters and traffic model) of that cloud server 5 and transmits them to the covert channel detection and analysis center 6. The covert channel detection engine 3 runs in the covert channel detection and analysis center 6, constructs covert channel detection vectors from the morphological parameter, statistical parameter and traffic model scales, comprehensively analyses the network environment of the cloud server 5 and judges whether a covert channel exists. The visualization module 4 runs in the covert channel detection and analysis center 6 and associates time and session information with the detection result to form a detection report.
As shown in FIG. 2, the detection process of the invention for a cloud platform network covert channel is as follows:
S1: obtain knowledge of the acquisition network environment, configure the parameters of the acquisition modules, and have each acquisition module acquire the network traffic of its cloud server 5 from the network interface.
S2: the preprocessing module running in the cloud server 5 preprocesses the acquired network data, identifies its network protocol and obtains data packets, data streams and communication sessions.
S3: the preprocessing module running in the cloud server 5 extracts the key values of the data packets, data streams and communication sessions, uniquely identifies them using the ID number of the cloud server 5 and communication session information such as the source IP address, destination IP address, port number and communication time, forms the detection metadata, stores it in JSON format and sends the preprocessed data to the covert channel detection center.
S4: the covert channel detection engine 3 running in the detection center first receives the JSON data, parses the detection metadata, constructs covert channel detection vectors on the scales of data packets, data streams and communication sessions according to prior knowledge, performs comprehensive analysis and judges whether a covert channel exists.
In this method, the network traffic of the cloud platform is acquired in a distributed manner and lightweight detection metadata is collected for unified detection. A multi-scale detection approach is adopted, with multi-scale detection vectors constructed from the morphological parameters, statistical parameters and traffic models of data packets, data streams and session streams, which increases the depth and breadth of network covert channel detection, improves the detection accuracy for network covert channels, and preserves network security in an everything-on-the-cloud setting.
In the data acquisition module 1, as shown in FIG. 3, the data acquisition process comprises the following steps:
S1.1: obtain detection environment knowledge, including the ID number, network interface and IP address of the cloud server 5.
S1.2: configure the acquisition parameters, including the network interfaces to capture from and the data cache flags.
S1.3: acquire network data according to the acquisition parameters.
In the data preprocessing module 2, the data preprocessing flow comprises the following:
S2.1: perform deep analysis of the acquired network data and determine its network protocol from prior knowledge of network protocols such as data packet ports and single-packet protocol semantics.
S2.2: obtain the data packets and data streams, and reassemble session streams to obtain the communication session streams.
S2.3: extract key values such as the packet header and payload fields, the traffic distribution of the data stream, and the packet count and packet sending frequency of the session stream, and uniquely tag them with communication session information such as IP address, port number and communication time together with the ID number of the cloud server 5 to form the detection metadata.
S2.4: store the detection metadata in JSON format and send it to the covert channel detection and analysis center 6.
In the covert channel detection engine 3, as shown in FIG. 4, the network covert channel multi-scale detection process comprises the following steps:
S3.1: check the tag information and judge whether covert channel detection has been carried out; if so, output the identification result, and if not, proceed to the next step;
S3.2: extract the morphological parameters, statistical parameters and traffic models of the data packets, data streams and session streams of the data to be detected;
S3.3: compare against normal network data on multiple scales such as morphological parameters, statistical parameters and traffic models, construct a detection vector and carry out network covert channel detection.
S3.4: adjust the weight proportions according to the detection results and perform a multi-scale fusion judgement to obtain the detection result.
In the covert channel detection engine 3, as shown in FIG. 5, the detection process on the morphological parameter scale of the network covert channel comprises the following:
S3.5: receive the detection metadata and obtain the network data packets.
S3.6: perform pattern matching on the data packets against the signature characteristic values of covert channel tools; if the match succeeds, proceed to S3.8, and if it fails, proceed to S3.7.
S3.7: compare against normal data packets of the protocol and construct a detection vector from aspects such as field lengths and protocol key values.
S3.8: comprehensively analyse whether a network covert channel exists.
In the covert channel detection engine 3, as shown in FIG. 6, the detection process on the statistical parameter scale of the network covert channel comprises the following:
S3.9: receive the detection metadata and obtain the key values of the session stream.
S3.10: construct a detection vector from multiple dimensions such as the packet sending frequency, the packet sending interval and the number of fixed-content data packets.
S3.11: compare against normal session streams and analyse whether a network covert channel exists.
In the covert channel detection engine 3, as shown in FIG. 7, the detection process on the traffic model scale of the network covert channel comprises the following:
S3.12: receive the detection metadata and obtain the key values of the data stream.
S3.13: compute the distribution of the data stream traffic, including the average, maximum and minimum flow rates of the inbound and outbound traffic.
S3.14: compare against the distribution of normal data stream traffic, count the number of flow mutations in the detected data stream against a threshold, and comprehensively analyse whether a network covert channel exists.
In the covert channel detection engine 3, the multi-scale fusion judgement flow for the network covert channel comprises the following:
S3.15: obtain the multi-scale detection results for the network covert channel of a cloud server 5;
S3.16: according to the results of the morphological parameter scale detection and the statistical parameter scale detection of the network covert channel, adjust the weights of these two detections to obtain the first-stage suspicion degree of the network covert channel;
S3.17: adjust the weights of the first-stage suspicion degree and of the result of the data-stream-based traffic model scale detection to obtain the final suspicion degree of the network covert channel.
In the visualization module 4, the network covert channel detection visualization process comprises the following:
S4.1: obtain the multi-scale detection results for the covert channel.
S4.2: according to the detection results, obtain the alarm data packets and the IP addresses, port numbers, packet sending times and session periods of the session streams; calculate the flow rate change, packet count and session stream count of the alarmed data streams; and calculate the number of alarms and their trend for the same cloud server 5 over periods such as one hour and one week.
S4.3: form a detection report from this information and display the degree of harm that the network covert channel poses to the cloud server 5 as low, medium or high risk.
In the description herein, references to the description of "one embodiment," "an example," "a specific example" or the like are intended to mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The preferred embodiments of the invention disclosed above are intended to be illustrative only. The preferred embodiments are not intended to be exhaustive or to limit the invention to the precise embodiments disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best utilize the invention. The invention is limited only by the claims and their full scope and equivalents.

Claims (6)

1. A cloud platform network covert channel multi-scale detection system, characterized in that it comprises a data acquisition module, a data preprocessing module, a covert channel detection engine and a visualization module, wherein:
the data acquisition module runs in each cloud server and is used to acquire the network traffic of that cloud server in real time;
the data preprocessing module runs in each cloud server and is used to collect the morphological parameters, statistical parameters and network environment parameters of the multi-scale traffic model of the data packets, data streams and session flows in each cloud server, and to transmit them to the covert channel detection and analysis center;
the covert channel detection engine runs in the covert channel detection and analysis center, constructs a covert channel detection vector from the morphological parameters, the statistical parameters and the traffic model at multiple scales, comprehensively analyzes the network environment of the cloud server, and judges whether a covert channel exists;
the visualization module runs in the covert channel detection and analysis center and, according to the detection result, associates time and session information to form a detection report;
in the covert channel detection engine, the network covert channel multi-scale detection method comprises the following steps:
S3.1: checking the marker information and judging whether covert channel detection has been carried out; if it has, outputting the identification result, and if it has not, entering the next step;
S3.2: extracting the morphological parameters, statistical parameters and traffic models of the data packets, data streams and session flows of the data to be detected;
S3.3: comparing against normal network data at the multiple scales of morphological parameters, statistical parameters and traffic model, so as to construct the detection vector used for network covert channel detection;
S3.4: adjusting the weight proportions according to the detection results and performing multi-scale fusion judgment to obtain the detection result;
the method for detecting the network covert channel at the morphological parameter scale comprises the following steps:
S3.5: receiving the detection metadata and acquiring the network data packet;
S3.6: performing pattern matching on the data packet against the signature characteristic values of covert channel tools; if the match succeeds, entering S3.8, and if it fails, entering S3.7;
S3.7: comparing against normal data packets of the protocol and constructing a detection vector from the field lengths and the protocol key values;
S3.8: comprehensively analyzing whether a network covert channel exists;
the method for detecting the network covert channel at the statistical parameter scale comprises the following steps:
S3.9: receiving the detection metadata and acquiring the key values of the session flow;
S3.10: constructing a detection vector from multiple dimensions such as the packet sending frequency, the packet sending interval and the number of fixed-character data packets;
S3.11: comparing against normal session flows and comprehensively analyzing whether a network covert channel exists;
the method for detecting the network covert channel at the traffic model scale comprises the following steps:
S3.12: receiving the detection metadata and acquiring the key values of the data stream;
S3.13: counting the distribution of the data stream traffic, including the average, maximum and minimum flow rates of the input traffic and of the output traffic;
S3.14: comparing against the distribution of normal data stream traffic, counting the number of abrupt flow changes (flow mutations) of the detected data stream and their threshold value, and comprehensively analyzing whether a network covert channel exists;
the multi-scale fusion judgment method for the network covert channel comprises the following steps:
S3.15: acquiring the multi-scale detection results for the network covert channel of the cloud server;
S3.16: according to the results of the morphological parameter scale detection and the statistical parameter scale detection of the network covert channel, adjusting the weights of these two detections to obtain the first-stage suspicious degree of the network covert channel;
S3.17: adjusting the weights of the first-stage suspicious degree of the network covert channel and of the result of the data-stream-based traffic model scale detection to obtain the final suspicious degree of the network covert channel.
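As an added illustration (not code from the patent or its applicants), the Python below models the three detection scales of claim 1 and the two-stage fusion of S3.15 to S3.17 on constructed session metadata. The feature formulas, the thresholds, the weights and the placeholder tool signature are all assumptions, since the claim fixes none of them.

```python
import statistics
from dataclasses import dataclass

TOOL_SIGNATURES = (b"CONSTRUCTED-TOOL-SIG",)  # constructed placeholder, not a real tool's signature
FIXED_CHAR_RATIO_MAX = 0.3                    # tolerated share of identical-content packets per session
RATE_JUMP_SIGMA = 5.0                         # a rate change beyond this many normal std-devs is a "mutation"

@dataclass
class NormalProfile:            # statistics of normal traffic that each scale is compared against (S3.3)
    field_len_mean: float
    field_len_std: float
    interval_mean: float
    interval_std: float
    rate_std: float

@dataclass
class SessionMeta:              # detection metadata for one session flow (constructed layout, see claim 5)
    server_id: str
    payloads: list              # payload bytes of each packet
    field_lengths: list         # length of one protocol field in each packet
    send_times: list            # packet send times in seconds
    in_rates: list              # sampled inbound flow rate (bytes/s)
    out_rates: list             # sampled outbound flow rate (bytes/s)

def morphological_score(meta, prof):
    # S3.6: signature match first; S3.7: otherwise the share of packets whose field length deviates
    # by more than 3 standard deviations from the normal packet of the protocol
    if any(sig in p for p in meta.payloads for sig in TOOL_SIGNATURES):
        return 1.0
    z = [abs(n - prof.field_len_mean) / max(prof.field_len_std, 1e-9) for n in meta.field_lengths]
    return sum(1 for v in z if v > 3) / len(z)

def statistical_score(meta, prof):
    # S3.10: vector of (send-interval deviation, fixed-content packet ratio), each scaled to [0, 1]
    gaps = [b - a for a, b in zip(meta.send_times, meta.send_times[1:])] or [prof.interval_mean]
    interval_z = abs(statistics.mean(gaps) - prof.interval_mean) / max(prof.interval_std, 1e-9)
    fixed_ratio = 1 - len(set(meta.payloads)) / len(meta.payloads)
    vector = (min(1.0, interval_z / 3), min(1.0, fixed_ratio / FIXED_CHAR_RATIO_MAX))
    return max(vector)

def flow_model_score(meta, prof):
    # S3.13/S3.14: count abrupt rate changes ("flow mutations") of input and output traffic
    jumps = sum(1 for rates in (meta.in_rates, meta.out_rates)
                for a, b in zip(rates, rates[1:])
                if abs(b - a) / max(prof.rate_std, 1e-9) > RATE_JUMP_SIGMA)
    return min(1.0, jumps / 3)

def fuse(morph, stat, flow):
    # S3.16: first-stage fusion; the weight shift on a conclusive morphological result is an assumed rule
    # S3.17: the traffic-model result joins in the second stage
    w_morph, w_stat = (0.9, 0.1) if morph >= 1.0 else (0.5, 0.5)
    stage1 = w_morph * morph + w_stat * stat
    return 0.7 * stage1 + 0.3 * flow

def suspicion(meta, prof):      # final suspicious degree in [0, 1] for one session (S3.15 to S3.17)
    return fuse(morphological_score(meta, prof), statistical_score(meta, prof), flow_model_score(meta, prof))
```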
2. The cloud platform network covert channel multi-scale detection system of claim 1, wherein: the data preprocessing module preprocesses the acquired network data, identifies the network protocol of the network data, acquires the data packets, data streams and communication sessions, extracts the key values of the data packets, data streams and communication sessions, uniquely identifies them using the cloud server ID number together with the communication session information (source IP address, destination IP address, port number and communication time) to form the detection metadata, and sends the detection metadata to the covert channel detection and analysis center;
the covert channel detection engine analyzes the detection metadata and, according to prior knowledge, forms covert channel detection vectors at the several scales of morphological parameters, statistical parameters and traffic model, performs comprehensive analysis and judges whether a covert channel exists;
and the visualization module obtains, from the detection result combined with the cloud server position information and the communication session information, a detection analysis report that includes the covert channel multi-scale detection association, the detection situation per time period and the attack behavior analysis.
3. The cloud platform network covert channel multi-scale detection system of claim 1, wherein: the detection method of the cloud platform network covert channel multi-scale detection system comprises the following specific steps:
S1: obtaining the knowledge of the acquired network environment through the data acquisition module, configuring the parameters of the data acquisition module, and having each data acquisition module acquire the network traffic of its cloud server from the network interface;
S2: preprocessing the acquired network data through the data preprocessing module running in the cloud server, identifying the network protocol of the network data, and acquiring the data packets, data streams and communication sessions;
S3: the data preprocessing module running in the cloud server extracts the key values of the data packets, data streams and communication sessions, uniquely identifies them using the cloud server ID number and the communication session information such as source IP address, destination IP address, port number and communication time, forms the detection metadata, stores it in JSON format, and sends the preprocessed data to the covert channel detection and analysis center;
S4: the covert channel detection engine running in the covert channel detection and analysis center first receives the JSON-format data, parses the detection metadata, constructs covert channel detection vectors at the several scales of data packet, data stream and communication session according to prior knowledge, performs comprehensive analysis, and judges whether a covert channel exists.
4. The cloud platform network covert channel multi-scale detection system of claim 1, wherein: in the data acquisition module, the data acquisition method comprises the following steps:
S1.1: acquiring the detection environment knowledge, comprising the cloud server ID number, the cloud server network interface and the cloud server IP address;
S1.2: configuring the acquisition parameters, including the network interfaces to be acquired and the data cache marks;
S1.3: acquiring the network data according to the acquisition parameters.
5. The cloud platform network covert channel multi-scale detection system of claim 1, wherein: in the data preprocessing module, the data preprocessing method comprises the following steps:
S2.1: deeply analyzing the acquired network data and judging its network protocol according to the port of the data packet and the prior knowledge of single-packet protocol semantics;
S2.2: acquiring the data packets and data streams, and performing session flow reassembly to obtain the communication session flows;
S2.3: extracting the key values, namely the data packet header and payload fields, the traffic distribution of the data streams, and the packet count and packet sending frequency of the session flows, and uniquely marking them with the IP address, port number, communication time communication session information and the cloud server ID number to form the detection metadata;
S2.4: storing the detection metadata in JSON format and sending it to the covert channel detection and analysis center.
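An added example, not the applicants' code, of the preprocessing pipeline of claim 5 (S2.1 to S2.4) in Python: port-based protocol identification, bidirectional session reassembly, key-value extraction and the JSON detection metadata record. The port table, the one-second rate bucket and the record layout are assumptions, and the packets it is run on are constructed.

```python
import json
from collections import defaultdict
from dataclasses import dataclass

PORT_PROTOCOLS = {22: "SSH", 53: "DNS", 80: "HTTP", 443: "HTTPS"}   # S2.1 port prior knowledge (assumed table)

@dataclass
class Packet:                 # one captured packet as handed over by the acquisition module (constructed)
    ts: float                 # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    header: bytes
    payload: bytes

def identify_protocol(pkt):
    # S2.1: port-based judgment; single-packet protocol semantics would refine this and are not modelled here
    return PORT_PROTOCOLS.get(pkt.dport) or PORT_PROTOCOLS.get(pkt.sport) or "UNKNOWN"

def session_key(pkt):
    # S2.2: both directions of a conversation belong to one session, so order the endpoints canonically
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)

def rate_profile(pkts, bucket=1.0):
    # S2.3: traffic distribution of a data stream as average / maximum / minimum bytes per second
    if not pkts:
        return {"avg": 0.0, "max": 0.0, "min": 0.0}
    t0, per_bucket = pkts[0].ts, defaultdict(int)
    for p in pkts:
        per_bucket[int((p.ts - t0) // bucket)] += len(p.header) + len(p.payload)
    rates = [per_bucket[i] / bucket for i in range(int((pkts[-1].ts - t0) // bucket) + 1)]
    return {"avg": sum(rates) / len(rates), "max": max(rates), "min": min(rates)}

def build_metadata(server_id, packets):
    # S2.2 to S2.4: reassemble sessions, extract key values, tag each record uniquely, encode as JSON
    sessions = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        sessions[session_key(p)].append(p)
    records = []
    for pkts in sessions.values():
        first, duration = pkts[0], pkts[-1].ts - pkts[0].ts
        records.append({
            "id": f"{server_id}|{first.src}:{first.sport}|{first.dst}:{first.dport}|{first.ts}",
            "server_id": server_id,
            "protocol": identify_protocol(first),
            "packet_count": len(pkts),
            "send_frequency": len(pkts) / duration if duration > 0 else float(len(pkts)),
            "header_lengths": [len(p.header) for p in pkts],
            "payloads": [p.payload.hex() for p in pkts],
            "in_rate": rate_profile([p for p in pkts if p.dst == first.src]),
            "out_rate": rate_profile([p for p in pkts if p.src == first.src]),
        })
    return json.dumps(records)
```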
6. The cloud platform network covert channel multi-scale detection system of claim 1, wherein: in the visualization module, the network covert channel detection visualization method comprises the following steps:
S4.1: acquiring the multi-scale detection results for the covert channel;
S4.2: according to the detection results, acquiring the alarm data packets, IP addresses, port numbers, packet sending times and session periods of the session flows; calculating the flow rate change, the number of data packets and the number of session flows of the alarm data streams; and calculating the number of alarms and their trend for the same cloud server over time periods such as one hour and one week;
S4.3: forming a detection report from this information and displaying the degree of harm suffered by the cloud server from the network covert channel as low, medium or high risk.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011121041.8A CN112235309B (en) 2020-10-19 2020-10-19 Multi-scale detection system for hidden channel of cloud platform network

Publications (2)

Publication Number Publication Date
CN112235309A CN112235309A (en) 2021-01-15
CN112235309B true CN112235309B (en) 2022-05-06

Family

ID=74118629

Country Status (1)

Country Link
CN (1) CN112235309B (en)

Also Published As

Publication number Publication date
CN112235309A (en) 2021-01-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant