CN112615713A - Detection method and device of hidden channel, readable storage medium and electronic equipment - Google Patents

Publication number: CN112615713A
Authority: CN (China)
Legal status: Granted, Active
Application number: CN202011529236.6A
Other languages: Chinese (zh)
Other versions: CN112615713B (en)
Inventor: 申勇
Current Assignee: Neusoft Group Shanghai Co ltd; Neusoft Corp
Original Assignee: Neusoft Group Shanghai Co ltd; Neusoft Corp
Application filed by Neusoft Group Shanghai Co ltd, Neusoft Corp
Priority to CN202011529236.6A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002: Countermeasures against attacks on cryptographic mechanisms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure relates to a method, an apparatus, a readable storage medium and an electronic device for detecting a hidden channel, so as to improve the accuracy of detecting a target channel type of a channel to be detected, the method comprising: acquiring a target network protocol type of a channel to be detected; determining a transmission characteristic set of a channel to be detected according to the type of a target network protocol; and determining the target channel type of the channel to be detected according to the transmission characteristic set and a hidden channel detection model corresponding to the target network protocol type, wherein the target channel type comprises a hidden channel and a non-hidden channel.

Description

Detection method and device of hidden channel, readable storage medium and electronic equipment
Technical Field
The present disclosure relates to the field of network data security technologies, and in particular, to a method and an apparatus for detecting a hidden channel, a readable storage medium, and an electronic device.
Background
Hidden (covert) channels are often found in APT (Advanced Persistent Threat) attacks, where they are a common attack channel, mainly in attack stages such as control command transmission and data theft. A hidden channel is a malicious data transmission channel in an APT attack and is also one of the important means by which the underground cybercrime economy profits from network attacks. A network attacker may use a covert channel to evade detection by security products such as firewalls and IDS (intrusion detection systems), so as to steal data from a target host over the network without being noticed. To network monitoring devices and network administrators, the traffic generated when data is acquired through the covert channel looks like normal traffic, so they cannot judge from that traffic whether the channel is a covert channel. That is, an illegitimate user can carry out network communication using a covert channel.
The existence of covert channels is a significant threat to the network operating system. Therefore, for a network operating system with a high security level, a function of covert channel detection is required, and data transmission actions in network attacks are discovered in time to ensure data security in the network. In the related art, the covert channel cannot be accurately detected, so that the data security in the network cannot be ensured.
Disclosure of Invention
The present disclosure is directed to a method and an apparatus for detecting a hidden channel, a readable storage medium, and an electronic device, to solve the problems in the related art.
In order to achieve the above object, the present disclosure provides a method for detecting a hidden channel, including:
acquiring a target network protocol type of a channel to be detected;
determining a transmission characteristic set of the channel to be detected according to the target network protocol type;
determining a target channel type of the channel to be detected according to the transmission characteristic set and a concealed channel detection model corresponding to the target network protocol type, wherein the target channel type comprises a concealed channel and a non-concealed channel;
the hidden channel detection model corresponding to the target network protocol type is generated in the following generation mode:
performing random feature extraction in each transmission feature sample set of a known channel type of the target network protocol type to obtain at least one type of transmission feature sample subset corresponding to each transmission feature sample set of the known channel type, wherein the transmission feature sample set comprises a plurality of features, and a first preset number of features obtained by extraction each time form one type of transmission feature sample subset;
for each type of transmission feature sample subset of the transmission feature sample sets of known channel type, training a sub-classification module by taking each transmission feature sample subset of that type as an input parameter and the known channel type corresponding to each transmission feature sample subset as an output parameter;
and generating the hidden channel detection model according to the plurality of sub-classification modules obtained by training.
Optionally, the generating manner of the hidden channel detection model further includes:
performing multiple times of random sample data extraction in a sample data set to obtain a plurality of sample data subsets, wherein the sample data set comprises a plurality of sample data of the target network protocol type, each transmission characteristic sample set is sample data, and a second preset number of sample data obtained by extraction each time form one sample data subset;
the performing random feature extraction in each transmission feature sample set of a known channel type of the target network protocol type to obtain at least one type of transmission feature sample subset corresponding to each transmission feature sample set of the known channel type, includes:
for each sample data subset, performing random feature extraction once in each transmission feature sample set of a known channel type included in the sample data subset to obtain a class of transmission feature sample subsets corresponding to each transmission feature sample set of the known channel type in the sample data subset;
the training, for each type of transmission feature sample subset of the transmission feature sample sets of known channel type, of a sub-classification module by taking each transmission feature sample subset of that type as an input parameter and the known channel type corresponding to each transmission feature sample subset as an output parameter, comprises:
for each sample data subset, training a sub-classification module by taking each transmission feature sample subset in the type of transmission feature sample subsets corresponding to each transmission feature sample set of known channel type in the sample data subset as an input parameter, and the specified channel type corresponding to each transmission feature sample subset as an output parameter.
Optionally, the transmission feature sample set is extracted by:
and extracting features from the channel transmission data corresponding to each known channel type of the target network protocol type according to the feature extraction dimension corresponding to the target network protocol type to obtain a transmission feature sample set of the target network protocol type corresponding to the known channel type.
Optionally, the extracting, according to the feature extraction dimension corresponding to the target network protocol type, a feature from the channel transmission data corresponding to each known channel type of the target network protocol type to obtain a transmission feature sample set of the target network protocol type corresponding to the known channel type includes:
combining the extracted features of different dimensions to obtain a transmission feature original sample set of the target network protocol type corresponding to the known channel type;
determining a Gini coefficient for each feature in the transmission feature original sample set;
and according to the sequence of the Gini coefficients from small to large, generating a transmission characteristic sample set by utilizing the first M characteristics, wherein M is an integer which is larger than zero and smaller than the total number of the characteristics in the transmission characteristic original sample set.
Optionally, the extracting, according to the feature extraction dimension corresponding to the target network protocol type, a feature from the channel transmission data corresponding to each known channel type of the target network protocol type to obtain a transmission feature sample set of the target network protocol type corresponding to the known channel type further includes:
determining N-M features as features to be cleaned according to the order of the Gini coefficients from small to large, wherein N is the total number of features in the transmission feature original sample set;
carrying out cluster analysis on the features to be cleaned and the known channel types corresponding to the transmission feature original sample set, and outputting a clustering result;
acquiring a feature to be reserved, which is determined by a user according to the clustering result of the feature to be cleaned;
and generating a transmission feature sample set by using the first M features and the features to be reserved.
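The Gini-based selection described above, as an added example that is not part of the patent text. It assumes the "Gini coefficient" of a feature is the lowest weighted Gini impurity over all threshold splits on that feature (a CART-style score the page does not spell out); the session rows, the function names and the `reserved` parameter (standing in for the features the user keeps after cluster analysis, which is not implemented here) are constructed for illustration.

```python
from collections import Counter

# Constructed sample rows: HTTP session features with known channel types.
SESSIONS = [
    ({"upload_bytes": 48000, "download_bytes": 3000, "payload_ratio": 0.91, "request_packets": 120}, "hidden"),
    ({"upload_bytes": 52000, "download_bytes": 80000, "payload_ratio": 0.88, "request_packets": 95}, "hidden"),
    ({"upload_bytes": 1200, "download_bytes": 5000, "payload_ratio": 0.93, "request_packets": 110}, "hidden"),
    ({"upload_bytes": 61000, "download_bytes": 40000, "payload_ratio": 0.90, "request_packets": 130}, "hidden"),
    ({"upload_bytes": 900, "download_bytes": 4000, "payload_ratio": 0.42, "request_packets": 12}, "non-hidden"),
    ({"upload_bytes": 1500, "download_bytes": 60000, "payload_ratio": 0.55, "request_packets": 100}, "non-hidden"),
    ({"upload_bytes": 700, "download_bytes": 2000, "payload_ratio": 0.37, "request_packets": 9}, "non-hidden"),
    ({"upload_bytes": 2100, "download_bytes": 90000, "payload_ratio": 0.61, "request_packets": 125}, "non-hidden"),
]


def gini_impurity(labels):
    """1 - sum(p_k^2) over the channel types present in `labels`."""
    n = len(labels)
    if n == 0:
        return 0.0
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def best_split_gini(values, labels):
    """Lowest weighted Gini impurity over all threshold splits of one feature (assumed score)."""
    pairs = sorted(zip(values, labels))
    n = len(pairs)
    best = gini_impurity(labels)  # score when no split helps
    for i in range(1, n):
        if pairs[i - 1][0] == pairs[i][0]:
            continue  # no threshold fits between equal values
        left = [lab for _, lab in pairs[:i]]
        right = [lab for _, lab in pairs[i:]]
        weighted = (len(left) * gini_impurity(left) + len(right) * gini_impurity(right)) / n
        best = min(best, weighted)
    return best


def rank_features(samples):
    """Return [(feature, gini)] ordered from small to large Gini value."""
    rows = [feats for feats, _ in samples]
    labels = [label for _, label in samples]
    scores = [(name, best_split_gini([r[name] for r in rows], labels)) for name in rows[0]]
    return sorted(scores, key=lambda item: (item[1], item[0]))


def select_features(samples, m, reserved=()):
    """Keep the first M features; the other N-M are 'to be cleaned' unless reserved."""
    ranked = [name for name, _ in rank_features(samples)]
    if not 0 < m < len(ranked):
        raise ValueError("M must be greater than zero and smaller than N")
    first_m, to_clean = ranked[:m], ranked[m:]
    kept = first_m + [name for name in to_clean if name in reserved]
    return kept, to_clean


if __name__ == "__main__":
    for name, score in rank_features(SESSIONS):
        print(f"{name:16s} {score:.4f}")
    print(select_features(SESSIONS, m=2, reserved={"request_packets"}))
```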
Optionally, the transmission feature set includes multiple types of transmission feature subsets;
the determining the transmission characteristic set of the channel to be detected according to the target network protocol type includes:
for each sub-classification module in the hidden channel detection model corresponding to the target network protocol type, determining the transmission feature subset of the channel to be detected that corresponds to the sub-classification module, according to the features included in the transmission feature sample subsets input when the sub-classification module was trained.
Optionally, the determining the channel type of the channel to be detected according to the transmission feature set and the hidden channel detection model corresponding to the target network protocol type includes:
for each sub-classification module, inputting the transmission characteristic subset of the channel to be detected, which corresponds to the sub-classification module, to the sub-classification module to obtain a classification result output by the sub-classification module;
and determining the channel type of the channel to be detected according to the classification result output by the plurality of sub-classification modules.
Optionally, the determining the target channel type of the channel to be detected according to the classification output by the plurality of sub-classification modules includes:
determining the classification result that occurs most often among the classification results output by the plurality of sub-classification modules as the target channel type of the channel to be detected; or
if, among the classification results output by the plurality of sub-classification modules, the number of classification results indicating that the channel to be detected is a non-hidden channel is greater than or equal to a third preset number, determining that the target channel type of the channel to be detected is the non-hidden channel.
Optionally, the transmission feature set includes features extracted based on a session.
A second aspect of the present disclosure provides a detection apparatus for a hidden channel, including:
the acquisition module is used for acquiring the target network protocol type of the channel to be detected;
the first determining module is used for determining the transmission characteristic set of the channel to be detected according to the target network protocol type;
a second determining module, configured to determine a target channel type of the channel to be detected according to the transmission feature set and a hidden channel detection model corresponding to the target network protocol type, where the target channel type includes a hidden channel and a non-hidden channel;
the hidden channel detection model corresponding to the target network protocol type is generated in the following generation mode:
performing random feature extraction in each transmission feature sample set of a known channel type of the target network protocol type to obtain at least one type of transmission feature sample subset corresponding to each transmission feature sample set of the known channel type, wherein the transmission feature sample set comprises a plurality of features, and a first preset number of features obtained by extraction each time form one type of transmission feature sample subset;
for each type of transmission feature sample subset of the transmission feature sample sets of known channel type, training a sub-classification module by taking each transmission feature sample subset of that type as an input parameter and the known channel type corresponding to each transmission feature sample subset as an output parameter;
and generating the hidden channel detection model according to the plurality of sub-classification modules obtained by training.
A third aspect of the present disclosure provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of any of the methods provided by the first aspect of the present disclosure.
A fourth aspect of the present disclosure provides an electronic device, comprising:
a memory having a computer program stored thereon;
a processor for executing the computer program in the memory to implement the steps of any of the methods provided by the first aspect of the disclosure.
According to the technical scheme, at least one type of transmission characteristic sample subset is obtained through random characteristic extraction, and at least one sub-classification module in the hidden channel detection model is obtained through training of the at least one type of transmission characteristic sample subset, so that the difference of each sub-classification module can be enhanced, the hidden channel detection model can have high overfitting resistance, and the accuracy of the hidden channel detection model is improved. The hidden channel detection model with higher precision is used for detecting the channel to be detected, so that the type of the target channel of the channel to be detected can be accurately detected. In addition, a hidden channel detection model is generated for each network protocol type in advance, and when the channel type of the channel to be detected is detected, the hidden channel detection model corresponding to the target network protocol type of the channel to be detected can be used for detection, so that the detection accuracy of the target channel type of the channel to be detected is further improved, and the data security in the network is further improved.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure without limiting the disclosure. In the drawings:
Fig. 1 is a flow chart illustrating a method of hidden channel detection in accordance with an exemplary embodiment.
Fig. 2 is a block diagram illustrating an apparatus for detecting a covert channel according to an exemplary embodiment.
FIG. 3 is a block diagram illustrating an electronic device in accordance with an example embodiment.
Detailed Description
In current network security products, hidden channel detection is mainly based on rule matching: rule matching is performed on the data packets or sessions transmitted in a channel, and whether the channel is a hidden channel is determined from the matching result. For example, the distribution of data packets or sessions transmitted in a hidden channel obeys a Poisson distribution; if the distribution of the data packets or sessions transmitted in a channel conforms to a Poisson distribution, the channel is determined to be a hidden channel, and otherwise a non-hidden channel. However, rule matching cannot detect a newly appearing hidden channel that does not match the rules. Therefore, in the related art, hidden channels may be missed, that is, they cannot be detected accurately, so that data security in the network cannot be ensured.
In view of this, the present disclosure provides a method and an apparatus for detecting a hidden channel, a readable storage medium, and an electronic device, so as to improve the accuracy of detecting the hidden channel.
The following detailed description of specific embodiments of the present disclosure is provided in connection with the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present disclosure, are given by way of illustration and explanation only, not limitation.
Fig. 1 is a flow chart illustrating a method of hidden channel detection in accordance with an exemplary embodiment. As shown in fig. 1, the method for detecting a hidden channel may include the following steps.
In step 101, a target network protocol type of a channel to be detected is obtained.
In the present disclosure, the device performing the detection method of the hidden channel may be a gateway-type security product, for example, a firewall. Illustratively, the gateway security product analyzes a communication protocol of a channel to be detected to determine a target network protocol type of the channel to be detected. Wherein, the target network protocol type can be one of HTTP protocol, DNS protocol and ICMP protocol. It should be understood that the technology of analyzing the communication protocol of the channel to determine the type of the target network protocol belongs to a more mature technology, and the disclosure does not limit this technology in detail.
In step 102, a transmission characteristic set of the channel to be detected is determined according to the target network protocol type.
In practical application, the feature extraction dimensions corresponding to different network protocol types are different, and therefore, in the present disclosure, after a target network protocol type is determined, a transmission feature set of a channel to be detected needs to be determined according to the target network protocol type, where the transmission feature set is composed of transmission features extracted from channel transmission data of the channel to be detected.
In step 103, a target channel type of the channel to be detected is determined according to the transmission feature set and a hidden channel detection model corresponding to the target network protocol type, where the target channel type includes a hidden channel and a non-hidden channel.
The hidden channel detection model corresponding to the target network protocol type can be generated in the following way:
firstly, random feature extraction is carried out in each transmission feature sample set of a known channel type of a target network protocol type to obtain at least one type of transmission feature sample subset corresponding to each transmission feature sample set of the known channel type, wherein the transmission feature sample set comprises a plurality of features, and a first preset number of features obtained by extraction each time form a type of transmission feature sample subset.
Illustratively, the first preset number is an integer greater than or equal to 2 and less than the total number of features included in the transmission feature sample set. The value range of the first preset number may be [0.6 × total number of features, 0.8 × total number of features]. For example, if each transmission feature sample set includes 20 features, 12 features are randomly extracted from each transmission feature sample set at a time to form one type of transmission feature sample subset. For each transmission feature sample set, the features included in each transmission feature sample subset formed by one random feature extraction are all different from one another, and at least two different transmission feature sample subsets exist.
In a possible manner, any two types of transmission feature sample subsets in the composed transmission feature sample subsets are different, that is, the rules of random feature extraction are different each time. And the number of the formed transmission characteristic sample subsets is the same as the number of the sub-classification modules included in the hidden channel detection model.
Then, for each type of transmission characteristic sample subset of the transmission characteristic sample set with known channel type, each transmission characteristic sample subset in the type of transmission characteristic sample subset is used as an input parameter, a known channel type corresponding to each transmission characteristic sample subset is used as an output parameter, and a sub-classification module is obtained through training.
For example, assume that there are 50 transmission feature sample sets and that the channel type of each is known: the channel type of the (2n+1)-th transmission feature sample set is a hidden channel, and the channel type of the (2n+2)-th transmission feature sample set is a non-hidden channel. Each transmission feature sample set includes a plurality of features. Random extraction is performed three times on each transmission feature sample set, and the first preset number of features extracted each time form one type of transmission feature sample subset, so that each type of transmission feature sample subset includes 50 transmission feature sample subsets. For each transmission feature sample set, the type of subset obtained by the first random extraction is recorded as transmission feature sample subset 1, the type obtained by the second random extraction as transmission feature sample subset 2, and the type obtained by the third random extraction as transmission feature sample subset 3. That is, each of the 50 transmission feature sample sets corresponds to three types of transmission feature sample subsets, with one transmission feature sample subset of each type, so that 50 transmission feature sample subsets 1, 50 transmission feature sample subsets 2 and 50 transmission feature sample subsets 3 are finally obtained, and the channel type of each transmission feature sample subset is also known.
For example, among the 50 transmission feature sample subsets 1, the channel type of the (2n+1)-th is a hidden channel and the channel type of the (2n+2)-th is a non-hidden channel; among the 50 transmission feature sample subsets 2, the channel type of the (2n+1)-th is a hidden channel and the channel type of the (2n+2)-th is a non-hidden channel; and among the 50 transmission feature sample subsets 3, the channel type of the (2n+1)-th is a hidden channel and the channel type of the (2n+2)-th is a non-hidden channel. Here, the value range of n is [0, 24].
Then, each of the 50 transmission feature sample subsets 1 is used as an input parameter, with the known channel type corresponding to that subset as the output parameter, and one sub-classification module is obtained through training; for example, when the (2n+1)-th transmission feature sample subset 1 is the input parameter, the hidden channel is the output parameter. The same is done with the transmission feature sample subsets 2 and 3, so that three sub-classification modules are finally trained.
And finally, generating a hidden channel detection model according to the plurality of sub-classification modules obtained by training.
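The generation procedure above, together with the two voting rules from the disclosure (most frequent result, or a third preset number of non-hidden votes), as an added example that is not part of the patent text. The patent does not name the learner used for a sub-classification module, so a nearest-centroid classifier is assumed here; the training data is constructed (50 samples of 20 features, labelled alternately as in the text), and all function and parameter names are hypothetical.

```python
import random
from collections import Counter

HIDDEN, NON_HIDDEN = "hidden", "non-hidden"


def make_samples(rng, n_samples=50, n_features=20, n_signal=10):
    """Constructed data: sample 2n+1 is a hidden channel, sample 2n+2 is non-hidden."""
    samples = []
    for i in range(n_samples):
        label = HIDDEN if i % 2 == 0 else NON_HIDDEN  # index 0 is the 1st sample
        shift = 4.0 if label == HIDDEN else 0.0
        # Only the first n_signal features differ between the two channel types.
        feats = [rng.gauss(shift if j < n_signal else 0.0, 1.0) for j in range(n_features)]
        samples.append((feats, label))
    return samples


class SubClassifier:
    """One sub-classification module: nearest centroid on a fixed feature subset (assumed learner)."""

    def __init__(self, feature_idx):
        self.feature_idx = tuple(feature_idx)
        self.centroids = {}

    def _project(self, feats):
        # Keep only the features this module was trained on (the "transmission feature subset").
        return [feats[j] for j in self.feature_idx]

    def fit(self, samples):
        rows_by_label = {}
        for feats, label in samples:
            rows_by_label.setdefault(label, []).append(self._project(feats))
        for label, rows in rows_by_label.items():
            self.centroids[label] = [sum(col) / len(rows) for col in zip(*rows)]
        return self

    def predict(self, feats):
        x = self._project(feats)

        def dist(label):
            return sum((a - b) ** 2 for a, b in zip(x, self.centroids[label]))

        return min(self.centroids, key=dist)


def train_model(samples, n_sub=3, first_preset=12, second_preset=None, rng=None):
    """Train n_sub modules, each on its own random draw of first_preset features.

    If second_preset is given, each module also trains on its own random draw of
    second_preset samples (the optional sample-data extraction in the disclosure).
    """
    if rng is None:
        rng = random.Random()
    n_features = len(samples[0][0])
    seen, model = set(), []
    while len(model) < n_sub:
        idx = tuple(sorted(rng.sample(range(n_features), first_preset)))
        if idx in seen:
            continue  # any two feature subsets must differ
        seen.add(idx)
        subset = rng.sample(samples, second_preset) if second_preset else samples
        model.append(SubClassifier(idx).fit(subset))
    return model


def classify(model, feats, third_preset=None):
    """Majority vote, or the threshold rule when third_preset is set."""
    votes = Counter(sub.predict(feats) for sub in model)
    if third_preset is not None:
        # Assumption: a channel that misses the non-hidden threshold is reported as hidden.
        return NON_HIDDEN if votes[NON_HIDDEN] >= third_preset else HIDDEN
    return votes.most_common(1)[0][0]


if __name__ == "__main__":
    rng = random.Random(7)
    data = make_samples(rng)
    model = train_model(data, n_sub=3, first_preset=12, second_preset=40, rng=rng)
    for sub in model:
        print("module features:", sub.feature_idx)
    print(classify(model, [4.0] * 10 + [0.0] * 10), classify(model, [0.0] * 20))
```

Raising `third_preset` makes the ensemble demand more non-hidden votes before clearing a channel, which trades false negatives for false positives.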
It is noted that in the present disclosure, a hidden channel detection model may be generated in advance for each network protocol type. Since the manner of generating the covert channel detection model corresponding to each network protocol type is similar, the present disclosure only shows a specific manner of generating the covert channel detection model corresponding to the target network protocol type. Those skilled in the art can generate the hidden channel detection model corresponding to other network protocol types by referring to the specific way of generating the hidden channel detection model corresponding to the target network protocol type, which is not described in detail in this disclosure.
By adopting the technical scheme, at least one type of transmission characteristic sample subset is obtained through random characteristic extraction, and at least one sub-classification module in the hidden channel detection model is obtained through training of the at least one type of transmission characteristic sample subset, so that the difference of each sub-classification module can be enhanced, the hidden channel detection model can have high overfitting resistance, and the accuracy of the hidden channel detection model is improved. The hidden channel detection model with higher precision is used for detecting the channel to be detected, so that the type of the target channel of the channel to be detected can be accurately detected. In addition, a hidden channel detection model is generated for each network protocol type in advance, and when the channel type of the channel to be detected is detected, the hidden channel detection model corresponding to the target network protocol type of the channel to be detected can be used for detection, so that the detection accuracy of the target channel type of the channel to be detected is further improved, and the data security in the network is further improved.
In order to make those skilled in the art better understand the method for detecting a hidden channel provided by the embodiments of the present disclosure, the method for detecting a hidden channel provided by the embodiments of the present disclosure is described below as a complete embodiment.
The following describes in detail a method of generating a hidden channel detection model.
First, a method of generating a transmission feature sample set will be described.
For example, according to the feature extraction dimension corresponding to the target network protocol type, the feature may be extracted from the channel transmission data corresponding to each known channel type of the target network protocol type, so as to obtain a transmission feature sample set of the target network protocol type corresponding to the known channel type.
As described above, the feature extraction dimensions for different network protocol types are different. For example, the feature extraction dimension corresponding to the HTTP network protocol type may include the number of upload bytes, the number of download bytes, the payload ratio, the number of request traffic packets, the number of response traffic packets, and the like. During data transmission, a data packet (hereinafter referred to as a traffic packet) includes not only the data actually to be transmitted, but also communication protocol content, such as the header information of the communication protocol. The payload ratio refers to the ratio of the size of the data actually to be transmitted included in one traffic packet to the size of the traffic packet. For another example, the feature extraction dimension corresponding to the DNS network protocol type may include the request packet payload ratio, the response packet payload ratio, the domain name length, the number of subdomains, and the like. For another example, the feature extraction dimension corresponding to the ICMP network protocol type may include the number of traffic packets, the size of the traffic packets, and whether the payloads are the same. Here, the payload refers to the data actually to be transmitted included in the traffic packet.
After determining the feature extraction dimension corresponding to the target network protocol type, acquiring channel transmission data corresponding to each known channel type of the target network protocol type, and extracting features from the channel transmission data. It should be noted that a session includes a plurality of traffic packets, and therefore, in order to enrich the extracted features to better characterize the data transmitted in the channel, in the present disclosure, the features may be extracted based on the session to form a transmission feature sample set.
To extract features based on sessions, each session needs to be identified first. The session identification modes corresponding to different network protocol types are also different. For example, in a channel of the HTTP protocol, an HTTP session can be determined by the TCP three-way handshake, four-way connection teardown and RESET mechanisms. In a channel of the DNS protocol, a session is composed of a DNS request packet and a DNS response packet, and thus a DNS session can be determined by the DNS request packet and the DNS response packet. In a channel of the ICMP protocol, an ICMP session can be determined by checking data. It should be noted that the present disclosure does not specifically limit the way in which a session is identified.
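Session-based extraction of the DNS features named above (request and response packet load/payload ratio, domain name length, number of subdomains), as an added example that is not part of the patent text. It assumes a session is a request and a response with the same DNS transaction ID, that the packet size is the DNS message plus 28 bytes of IPv4 and UDP headers, and that the last two labels are the registered domain; the messages are constructed sample input and all names are hypothetical.

```python
import struct

IP_UDP_OVERHEAD = 20 + 8  # assumption: IPv4 header without options plus UDP header


def build_dns(txid, qname, response=False, answer_rdata=b""):
    """Build a constructed DNS message with one TXT question (sample input only)."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    question += b"\x00" + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN
    answer = b""
    if response:
        txt = bytes([len(answer_rdata)]) + answer_rdata
        # Name pointer to offset 12, TYPE=TXT, CLASS=IN, TTL=60, RDLENGTH, RDATA.
        answer = struct.pack("!HHHIH", 0xC00C, 16, 1, 60, len(txt)) + txt
    return header + question + answer


def parse_dns(msg):
    """Parse the header and first question name of a DNS message."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0 or pos + 1 + length > len(msg):
            raise ValueError("malformed label in question")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": ".".join(labels), "size": len(msg)}


def dns_session_features(packets):
    """Pair each request with its response by transaction ID and extract features per session."""
    pending, sessions = {}, []
    for raw in packets:
        msg = parse_dns(raw)
        if not msg["is_response"]:
            pending[msg["txid"]] = msg
        elif msg["txid"] in pending:  # responses without a request form no session
            req = pending.pop(msg["txid"])
            labels = req["qname"].split(".")
            sessions.append({
                "qname": req["qname"],
                "request_payload_ratio": req["size"] / (req["size"] + IP_UDP_OVERHEAD),
                "response_payload_ratio": msg["size"] / (msg["size"] + IP_UDP_OVERHEAD),
                "domain_name_length": len(req["qname"]),
                # Assumption: the registered domain is the last two labels.
                "subdomain_count": max(len(labels) - 2, 0),
            })
    return sessions


# Constructed capture: an ordinary lookup, a long encoded-looking name, one stray response.
LONG_NAME = "q1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6.s2.tunnel.example.net"
SAMPLE_PACKETS = [
    build_dns(0x1001, "www.example.com"),
    build_dns(0x1001, "www.example.com", response=True, answer_rdata=b"ok"),
    build_dns(0x1002, LONG_NAME),
    build_dns(0x1002, LONG_NAME, response=True, answer_rdata=b"x" * 200),
    build_dns(0x2222, "www.example.com", response=True),
]

if __name__ == "__main__":
    for session in dns_session_features(SAMPLE_PACKETS):
        print(session)
```

A production extractor would key sessions on the address and port tuple as well as the transaction ID, and use the Public Suffix List to find the registered domain.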
For each network protocol type, a tunnel for that network protocol type may be pre-constructed, for example, an HTTP tunnel is constructed to acquire covert channel transmission data (hereinafter abbreviated as HTTP tunnel data) from the HTTP tunnel, the HTTP tunneling data may include one or more HTTP sessions and extract features from the HTTP tunneling data according to a feature extraction dimension corresponding to the HTTP network protocol type, taking the corresponding channel type of the constructed HTTP network protocol type as a transmission characteristic sample set of the hidden channel, and acquiring legitimate channel transmission data (hereinafter referred to as HTTP channel data) from a legitimate channel of the HTTP network protocol type, the HTTP channel data may include one or more HTTP sessions and extract features from the HTTP channel data according to feature extraction dimensions corresponding to HTTP network protocol types, and constructing a transmission characteristic sample set taking the corresponding channel type of the HTTP network protocol type as a non-hidden channel. Similarly, a DNS tunnel may also be constructed, and a transmission characteristic sample set in which the channel type corresponding to the DNS network protocol type is a hidden channel, and a transmission characteristic sample set in which the channel type corresponding to the DNS network protocol type is a non-hidden channel, and so on may be constructed.
In one embodiment, a set of transmission feature samples may be generated directly from the extracted features, the set of transmission feature samples including only the extracted features.
In another embodiment, in order to enrich the feature dimensions included in the transmission feature sample set, the extracted features of different dimensions may be combined to obtain a transmission feature sample set with richer dimensions. For example, taking the HTTP network protocol type as an example, the number of request traffic packets and the number of response traffic packets may be extracted, and then the two dimensional features may be combined, for example, a ratio of the number of request traffic packets to the total number of traffic packets is obtained according to the number of request traffic packets and the number of response traffic packets, and the like.
In a further embodiment, the features may also be cleaned, considering that features in some dimensions have no significant classification effect, i.e. they are not significant for detecting the channel type. For example, the extracted features of different dimensions may be combined to obtain a transmission feature original sample set with richer dimensions, a Gini coefficient of each feature in the transmission feature original sample set is determined, and the transmission feature sample set is generated by using the first M features in ascending order of Gini coefficient, where M is an integer greater than zero and smaller than the total number of features in the transmission feature original sample set.
In the present disclosure, the uncertainty of each feature is characterized by its Gini coefficient: the smaller the Gini coefficient, the lower the classification uncertainty based on the feature, i.e., the more obvious the classification effect based on the feature. Therefore, in one possible approach, after the Gini coefficient of each feature is determined, the first M features in ascending order of Gini coefficient are used to generate a transmission feature sample set, that is, the generated transmission feature sample set only includes the first M features with an obvious classification effect.
In another possible mode, after the Gini coefficient of each feature is determined, the last N-M features in ascending order of Gini coefficient are determined to be the features to be cleaned, where N is the total number of features in the transmission feature original sample set. Cluster analysis is performed on the features to be cleaned and the known channel types corresponding to the transmission feature original sample set, and a clustering result is output. The features to be reserved, which are determined by a user according to the clustering result of the features to be cleaned, are then obtained, and the transmission feature sample set is generated by using the first M features and the features to be reserved.
In this manner, N-M may be an integer equal to 5% of N or 10% of N. In addition, in this embodiment, a multi-dimensional clustering method from the related art is first used to cluster all the features to be cleaned to obtain a feature clustering result, and the known channel types corresponding to the transmission feature original sample set are then displayed in the feature clustering result to obtain the final clustering result. The channel type of each feature to be cleaned can be displayed in the clustering result, so that a user can, according to the channel types displayed in the clustering result, determine the features that form obvious clusters as features to be reserved, and send the features to be reserved to the device executing the hidden channel detection method. The device can then determine the features to be reserved from the features to be cleaned, and generate a transmission feature sample set from the first M features and the features to be reserved.
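The feature cleaning described above, as an added Python sketch that is not code from the patent. It assumes the Gini coefficient of a feature is the weighted Gini impurity of its best single-threshold split (the patent does not state the calculation), uses constructed DNS session features, and returns the first M features together with the N-M features to be cleaned; the clustering review by the user is not modelled.

```python
# Constructed DNS session features (not real traffic). Columns:
# domain_name_length, subdomain_count, request_load_ratio, response_load_ratio, label
# label 1 = hidden channel, 0 = non-hidden channel.
FEATURE_NAMES = ("domain_name_length", "subdomain_count",
                 "request_load_ratio", "response_load_ratio")
_ROWS = [
    (58, 5, 0.71, 0.40, 1), (61, 6, 0.68, 0.52, 1),
    (47, 2, 0.44, 0.35, 1), (52, 2, 0.66, 0.61, 1),
    (14, 1, 0.42, 0.45, 0), (22, 2, 0.39, 0.38, 0),
    (18, 1, 0.47, 0.58, 0), (31, 2, 0.45, 0.50, 0),
]
SAMPLES = [dict(zip(FEATURE_NAMES, r[:4])) for r in _ROWS]
LABELS = [r[4] for r in _ROWS]


def gini_impurity(labels):
    """Gini impurity of a list of binary labels (0.0 means a pure group)."""
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    return 1.0 - p * p - (1.0 - p) ** 2


def best_split_gini(values, labels):
    """Lowest weighted Gini impurity over all single-threshold splits of one feature.

    Assumption of this example: this value stands in for the feature's
    "Gini coefficient"; smaller means the feature separates the classes better.
    """
    pairs = sorted(zip(values, labels))
    n = len(pairs)
    best = gini_impurity(labels)  # impurity when no split helps
    for i in range(1, n):
        if pairs[i - 1][0] == pairs[i][0]:
            continue  # a threshold cannot fall between equal values
        left = [lab for _, lab in pairs[:i]]
        right = [lab for _, lab in pairs[i:]]
        weighted = (len(left) * gini_impurity(left)
                    + len(right) * gini_impurity(right)) / n
        best = min(best, weighted)
    return best


def select_features(samples, labels, m):
    """Return (first M features, N-M features to be cleaned, score per feature)."""
    names = list(samples[0])
    if not 0 < m < len(names):
        raise ValueError("M must be greater than zero and smaller than N")
    scores = {name: best_split_gini([s[name] for s in samples], labels)
              for name in names}
    ranked = sorted(names, key=lambda name: (scores[name], name))
    return ranked[:m], ranked[m:], scores


if __name__ == "__main__":
    kept, to_clean, scores = select_features(SAMPLES, LABELS, 2)
    for name in kept + to_clean:
        print(f"{name:22s} {scores[name]:.4f}")
    print("kept:", kept)
    print("to be cleaned (candidates for user review):", to_clean)
```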
At this point, each set of transmission characteristic samples of known channel types of the target network protocol type may be determined in any of the manners described above.
After the transmission feature sample sets are obtained, random feature extraction may be performed on the transmission feature sample sets in the manner described above to obtain at least one type of transmission feature sample subset corresponding to each transmission feature sample set, and the sub-classification module is trained by using the at least one type of transmission feature sample subset.
In one embodiment, to further enhance the diversity of the trained sub-classification modules, the set of transmission feature samples may also be randomly sampled. For example, each determined transmission characteristic sample set may be used as one sample data, and a sample data set may be constructed based on a plurality of sample data, that is, the sample data set includes a plurality of transmission characteristic sample sets.
Firstly, performing multiple times of random sample data extraction in a sample data set to obtain a plurality of sample data subsets, wherein a second preset number of sample data obtained by extraction at each time form one sample data subset.
The second preset number may be an integer of 0.8 × total number of sample data. For the sample data subset formed by each random sample data extraction, the sample data included in the sample data subset is different, and the two sample data subsets formed by any two random sample data extractions are different, that is, the rules of each random sample data extraction are different. And the number of the sample data subsets is the same as the number of the sub-classification modules included in the hidden channel detection model. Thus, the plurality of sample data subsets obtained by random extraction are different and have differences.
Then, for each sample data subset, random feature extraction is performed once in each transmission feature sample set of a known channel type included in the sample data subset, so as to obtain a class of transmission feature sample subsets corresponding to each transmission feature sample set of a known channel type in the sample data subset.
Then, for each sample data subset, each transmission characteristic sample subset in a class of transmission characteristic sample subsets corresponding to each transmission characteristic sample set of known channel types included in the sample data subset is used as an input parameter, a specified channel type corresponding to each transmission characteristic sample subset is used as an output parameter, and a sub-classification module is obtained through training.
For example, assuming that the number of transmission characteristic sample sets is 50, i.e., the number of sample data is 50, 40 sample data are extracted as one sample data subset at a time. Assuming that the number of the sub-classification modules is 3, the number of times of random sample data extraction is 3, and three sample data subsets can be obtained and respectively marked as sample data subset 1, sample data subset 2, and sample data subset 3, where each sample data subset includes 40 sample data, that is, each sample data subset includes 40 transmission feature sample sets. Then, each of the 40 transmission characteristic sample sets included in sample data subset 1 is subjected to one random feature extraction to obtain 40 transmission characteristic sample subsets 1. Similarly, each of the 40 transmission characteristic sample sets included in sample data subset 2 is subjected to one random feature extraction to obtain 40 transmission characteristic sample subsets 2, and each of the 40 transmission characteristic sample sets included in sample data subset 3 is subjected to one random feature extraction to obtain 40 transmission characteristic sample subsets 3. In this embodiment, the rules for random feature extraction adopted in different sample data subsets are different.
For example, the rule of random feature extraction used in the sample data subset 1, the rule of random feature extraction used in the sample data subset 2, and the rule of random feature extraction used in the sample data subset 3 are different from each other, so as to ensure that the transmission feature sample subset 1 corresponding to the sample data subset 1 is different from the transmission feature sample subset 2 corresponding to the sample data subset 2, and the transmission feature sample subset 3 corresponding to the sample data subset 3, and that the transmission feature sample subset 2 corresponding to the sample data subset 2 is different from the transmission feature sample subset 3 corresponding to the sample data subset 3.
And then, training the sub-classification module 1 by using the 40 transmission characteristic sample subsets 1 corresponding to the sample data subset 1. Similarly, the sub-classification module 2 is trained by using the 40 transmission characteristic sample subsets 2 corresponding to the sample data subset 2, and the sub-classification module 3 is trained by using the 40 transmission characteristic sample subsets 3 corresponding to the sample data subset 3. In the training process, each transmission characteristic sample subset in each type of transmission characteristic sample subset is used as an input parameter, and a known channel type corresponding to the transmission characteristic sample subset is used as an output parameter for training.
It should be noted that, it is also possible to perform three times of random feature extraction on each transmission feature sample set to obtain three types of transmission feature sample subsets, and then perform three times of extraction on the sample data to obtain three sample data subsets, so that each sample data subset corresponds to three types of transmission feature sample subsets. When the sub-classification module is trained, aiming at each sample data subset, a class of transmission characteristic sample subset in the sample data subset and a known channel type corresponding to each transmission characteristic sample subset in the class of transmission characteristic sample subset are utilized to train one sub-classification module. Wherein, different sub-classification modules adopt different sample data subsets and different classes of transmission characteristic sample subsets for training.
In the present disclosure, the algorithm of the sub-classification module may be determined according to the total number of features included in the transmission feature sample set. Illustratively, if the total number of features is large (e.g., greater than or equal to a first threshold), then the support vector machine algorithm may be selected as the algorithm of the sub-classification module. If the total number of features is small (e.g., less than a first threshold), then the decision tree algorithm may be selected as the algorithm for the sub-classification module. The present disclosure does not specifically limit this.
After different sub-classification modules are obtained through training, the plurality of sub-classification modules are utilized to generate a hidden channel detection model.
By adopting the scheme, the features included in the transmission feature sample set are randomly extracted to obtain at least one type of transmission feature sample subset, the sample data included in the sample data set is randomly extracted to obtain a plurality of sample data subsets, and different sub-classification modules are trained by using different sample data subsets and different types of transmission feature sample subsets, so that the difference of different sub-classification modules is further enhanced, and the accuracy of the covert channel detection model is further improved.
It is worth noting that after the covert channel detection model is generated, it can also be integrated into a security product. Because the machine learning training language is incompatible with the firewall back-end language, the hidden channel detection model obtained by machine learning training needs to be read into memory as a data structure. Taking the decision tree as an example, in memory the levels of the decision tree can be evaluated with goto-style code, and the detection result is returned when a leaf node is reached, thereby solidifying the decision tree model.
When the channel type of the channel to be detected is detected by using the hidden channel detection model generated in the above manner, the transmission feature set of the channel to be detected also comprises multiple types of transmission feature subsets. For example, if the hidden channel detection model includes three sub-classification modules, the transmission feature set includes three types of transmission feature subsets.
The specific implementation of step 102 in fig. 1 for determining the transmission feature set of the channel to be detected according to the target network protocol type includes:
and aiming at each sub-classification module in the hidden channel detection model corresponding to the target network protocol type, determining a transmission characteristic subset corresponding to the sub-classification module of the channel to be detected according to the characteristics included in the transmission characteristic sample subset input when the sub-classification module is trained.
Illustratively, the hidden channel detection model includes three sub-classification modules, which are denoted as sub-classification module 1, sub-classification module 2, and sub-classification module 3, respectively. Respectively determining the characteristics of a transmission characteristic sample subset 1 used in training the sub-classification module 1, the characteristics of a transmission characteristic sample subset 2 used in training the sub-classification module 2 and the characteristics of a transmission characteristic sample subset 3 used in training the sub-classification module 3, then extracting a class of transmission characteristic subset from the session transmitted by the channel to be detected according to the characteristics of the transmission characteristic sample subset 1, extracting another class of transmission characteristic subset from the session transmitted by the channel to be detected according to the characteristics of the transmission characteristic sample subset 2 and extracting another class of transmission characteristic subset from the session transmitted by the channel to be detected according to the characteristics of the transmission characteristic sample subset 3.
For example, the transmission characteristic sample subset 1 includes characteristics of an upload byte number and a download byte number, the transmission characteristic sample subset 2 includes characteristics of a download byte number and a load proportion, the transmission characteristic sample subset 3 includes an upload byte number and a load proportion, then the upload byte number characteristic, the download byte number characteristic and the load proportion of transmission data are extracted from a session transmitted by a channel to be detected, then the transmission characteristic subset 1 corresponding to the sub-classification module 1 of the channel to be detected is generated according to the upload byte number characteristic and the download byte number characteristic, the transmission characteristic subset 2 corresponding to the sub-classification module 2 of the channel to be detected is generated according to the download byte number and the load proportion, and the transmission characteristic subset 3 corresponding to the sub-classification module 3 of the channel to be detected is generated according to the upload byte number and the load proportion.
Accordingly, the specific implementation manner of determining the channel type of the channel to be detected according to the transmission feature set and the hidden channel detection model corresponding to the target network protocol type in step 103 in fig. 1 may be:
firstly, aiming at each sub-classification module, inputting a transmission characteristic subset of a channel to be detected and corresponding to the sub-classification module into the sub-classification module so as to obtain a classification result output by the sub-classification module.
Illustratively, the transmission feature subset 1 is input into the sub-classification module 1 to obtain a classification result, the transmission feature subset 2 is input into the sub-classification module 2 to obtain a classification result, and the transmission feature subset 3 is input into the sub-classification module 3 to obtain a classification result.
And then, determining the channel type of the channel to be detected according to the classification result output by the plurality of sub-classification modules.
In one possible mode, the classification result with the largest occurrence number in the classification results output by the plurality of sub-classification modules is determined as the target channel type of the channel to be detected. For example, the number of the sub-classification modules is 20, and the 20 sub-classification modules output 20 classification results. And if 15 classification results in the 20 classification results represent that the channel to be detected is a hidden channel, determining that the target channel type of the channel to be detected is the hidden channel.
In another possible approach, considering that network security detection has strict requirements regarding false alarms for hidden channels, the mechanism for handling false alarms needs to be strengthened. For example, in the classification results output by the plurality of sub-classification modules, if the number of classification results representing that the channel to be detected is the non-hidden channel is greater than or equal to a third preset number, it is determined that the target channel type of the channel to be detected is the non-hidden channel.
For example, it may be preset that if more than 15% of the classification results output by the sub-classification modules indicate that the channel to be detected is a non-hidden channel, the target channel type of the channel to be detected is determined to be a non-hidden channel. That is, with a third preset number of 15% × 20 = 3, if the number of classification results characterizing the channel to be detected as the non-hidden channel is greater than or equal to 3 among the 20 classification results, it is determined that the target channel type of the channel to be detected is the non-hidden channel. Therefore, the false detection risk of the hidden channel can be effectively reduced.
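The training scheme (one random sample data subset and one random feature subset per sub-classification module) and the two decision rules above, as an added Python example that is not code from the patent. The sessions are constructed, each sub-classification module is simplified to a one-level decision tree, and all function names are illustrative assumptions.

```python
import math
import random
from itertools import combinations

HIDDEN, NON_HIDDEN = 1, 0
FEATURES = ("upload_bytes", "download_bytes", "load_ratio")

# Constructed per-session HTTP features (not real traffic): upload, download, load ratio, label.
_RAW = [
    (48200, 900, 0.91, HIDDEN), (51900, 1200, 0.62, HIDDEN), (39500, 700, 0.88, HIDDEN),
    (60300, 1500, 0.70, HIDDEN), (44100, 1100, 0.93, HIDDEN),
    (620, 15400, 0.64, NON_HIDDEN), (840, 8200, 0.90, NON_HIDDEN),
    (1300, 23100, 0.71, NON_HIDDEN), (450, 12600, 0.86, NON_HIDDEN),
    (980, 9700, 0.60, NON_HIDDEN),
]
SESSIONS = [dict(zip(FEATURES, r[:3])) for r in _RAW]
LABELS = [r[3] for r in _RAW]


def train_stump(rows, labels, feats):
    """One-level decision tree: the (feature, threshold, side) with best training accuracy."""
    best_acc, best = -1.0, None
    for f in feats:
        vals = sorted({r[f] for r in rows})
        for lo, hi in zip(vals, vals[1:]):
            thr = (lo + hi) / 2
            for hidden_above in (True, False):
                hits = sum(((r[f] > thr) == hidden_above) == bool(y)
                           for r, y in zip(rows, labels))
                if hits / len(rows) > best_acc:
                    best_acc = hits / len(rows)
                    best = {"feature": f, "threshold": thr, "hidden_above": hidden_above}
    if best is None:
        raise ValueError("no usable split: every feature is constant in this subset")
    return best


def train_model(sessions, labels, n_modules, n_features, seed=0, sample_frac=0.8):
    """Train one module per (sample data subset, feature subset); both are drawn
    at random and no two modules share the same subset of either kind."""
    rng = random.Random(seed)
    feature_sets = list(combinations(tuple(sessions[0]), n_features))
    k = round(sample_frac * len(sessions))  # the "second preset number"
    if n_modules > len(feature_sets) or n_modules > math.comb(len(sessions), k):
        raise ValueError("not enough distinct subsets for that many modules")
    seen, model = set(), []
    for feats in rng.sample(feature_sets, n_modules):
        ids = tuple(sorted(rng.sample(range(len(sessions)), k)))
        while ids in seen:  # any two sample data subsets must differ
            ids = tuple(sorted(rng.sample(range(len(sessions)), k)))
        seen.add(ids)
        rows = [{f: sessions[i][f] for f in feats} for i in ids]
        stump = train_stump(rows, [labels[i] for i in ids], feats)
        model.append({"features": feats, "sample_ids": ids, "stump": stump})
    return model


def classify(model, session):
    """Build each module's transmission feature subset from the session and collect its vote."""
    votes = []
    for module in model:
        subset = {f: session[f] for f in module["features"]}
        s = module["stump"]
        votes.append(int((subset[s["feature"]] > s["threshold"]) == s["hidden_above"]))
    return votes


def majority_vote(votes):
    """Most frequent result wins; a tie falls to non-hidden (assumption of this example)."""
    return HIDDEN if votes.count(HIDDEN) > votes.count(NON_HIDDEN) else NON_HIDDEN


def veto_vote(votes, third_preset_number):
    """Non-hidden as soon as enough modules say so; otherwise hidden."""
    return NON_HIDDEN if votes.count(NON_HIDDEN) >= third_preset_number else HIDDEN


if __name__ == "__main__":
    model = train_model(SESSIONS, LABELS, n_modules=3, n_features=2, seed=7)
    for m in model:
        print(m["features"], m["sample_ids"], m["stump"])
    probe = {"upload_bytes": 50000, "download_bytes": 1000, "load_ratio": 0.90}
    print("votes for a tunnel-like session:", classify(model, probe))
    twenty = [HIDDEN] * 15 + [NON_HIDDEN] * 5  # the 20-module case from the text
    print("majority:", majority_vote(twenty), "veto (>= 3):", veto_vote(twenty, 3))
```

With 15 of 20 modules voting hidden, the majority rule reports a hidden channel while the stricter rule (third preset number 3) reports a non-hidden channel, which is the false-alarm trade-off the second approach makes.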
Based on the same inventive concept, the disclosure also provides a detection device of the covert channel. Fig. 2 is a block diagram illustrating an apparatus for detecting a covert channel according to an exemplary embodiment. As shown in fig. 2, the apparatus 200 for detecting a hidden channel may include:
an obtaining module 201, configured to obtain a target network protocol type of a channel to be detected;
a first determining module 202, configured to determine a transmission feature set of the channel to be detected according to the target network protocol type;
a second determining module 203, configured to determine a target channel type of the channel to be detected according to the transmission feature set and a hidden channel detection model corresponding to the target network protocol type, where the target channel type includes a hidden channel and a non-hidden channel;
the hidden channel detection model corresponding to the target network protocol type is generated in the following generation mode:
performing random feature extraction in each transmission feature sample set of a known channel type of the target network protocol type to obtain at least one type of transmission feature sample subset corresponding to each transmission feature sample set of the known channel type, wherein the transmission feature sample set comprises a plurality of features, and a first preset number of features obtained by extraction each time form one type of transmission feature sample subset;
aiming at each type of transmission characteristic sample subset of the transmission characteristic sample set with the known channel type, taking each transmission characteristic sample subset in the type of transmission characteristic sample subset as an input parameter, taking a known channel type corresponding to each transmission characteristic sample subset as an output parameter, and training to obtain a sub-classification module;
and generating the hidden channel detection model according to the plurality of sub-classification modules obtained by training.
Optionally, the generating manner of the hidden channel detection model further includes:
performing multiple times of random sample data extraction in a sample data set to obtain a plurality of sample data subsets, wherein the sample data set comprises a plurality of sample data of the target network protocol type, each transmission characteristic sample set is sample data, and a second preset number of sample data obtained by extraction each time form one sample data subset;
the performing random feature extraction in each transmission feature sample set of a known channel type of the target network protocol type to obtain at least one type of transmission feature sample subset corresponding to each transmission feature sample set of the known channel type, includes:
for each sample data subset, performing random feature extraction once in each transmission feature sample set of a known channel type included in the sample data subset to obtain a class of transmission feature sample subsets corresponding to each transmission feature sample set of the known channel type in the sample data subset;
for each type of transmission characteristic sample subset of the transmission characteristic sample set of the known channel type, training to obtain a sub-classification module by using each transmission characteristic sample subset in the type of transmission characteristic sample subset as an input parameter and using a known channel type corresponding to each transmission characteristic sample subset as an output parameter, the method comprising:
and aiming at each sample data subset, training to obtain a sub-classification module by taking each transmission characteristic sample subset in a class of transmission characteristic sample subsets corresponding to the transmission characteristic sample set of the known channel type in the sample data subset as an input parameter and taking the appointed channel type corresponding to each transmission characteristic sample subset as an output parameter.
Optionally, the transmission feature sample set is extracted by:
and extracting features from the channel transmission data corresponding to each known channel type of the target network protocol type according to the feature extraction dimension corresponding to the target network protocol type to obtain a transmission feature sample set of the target network protocol type corresponding to the known channel type.
Optionally, the extracting, according to the feature extraction dimension corresponding to the target network protocol type, a feature from the channel transmission data corresponding to each known channel type of the target network protocol type to obtain a transmission feature sample set of the target network protocol type corresponding to the known channel type includes:
combining the extracted features of different dimensions to obtain a transmission feature original sample set of the target network protocol type corresponding to the known channel type;
determining a Gini coefficient for each feature in the original sample set of transmission features;
and according to the sequence of the Gini coefficients from small to large, generating a transmission characteristic sample set by utilizing the first M characteristics, wherein M is an integer which is larger than zero and smaller than the total number of the characteristics in the transmission characteristic original sample set.
Optionally, the extracting, according to the feature extraction dimension corresponding to the target network protocol type, a feature from the channel transmission data corresponding to each known channel type of the target network protocol type to obtain a transmission feature sample set of the target network protocol type corresponding to the known channel type further includes:
determining N-M characteristics as characteristics to be cleaned according to the sequence of the Gini coefficients from small to large, wherein N is the total number of the characteristics in the original transmission characteristic sample set;
carrying out cluster analysis on the known channel types corresponding to the original sample set of the characteristics to be cleaned and the transmission characteristics, and outputting a cluster result;
acquiring a feature to be reserved, which is determined by a user according to the clustering result of the feature to be cleaned;
and generating a transmission feature sample set by using the first M features and the features to be reserved.
Optionally, the transmission feature set includes multiple types of transmission feature subsets; the first determining module 202 includes:
the input sub-module is used for inputting the transmission characteristic subset of the channel to be detected, which corresponds to the sub-classification module, to the sub-classification module aiming at each sub-classification module so as to obtain the classification result output by the sub-classification module;
and the determining submodule is used for determining the channel type of the channel to be detected according to the classification result output by the plurality of sub-classification modules.
Optionally, the determining sub-module is configured to:
determining the classification result with the largest occurrence frequency in the classification results output by the plurality of sub-classification modules as the target channel type of the channel to be detected; or
And if the number of the classification results representing that the channel to be detected is a non-hidden channel is greater than or equal to a third preset number in the classification results output by the plurality of sub-classification modules, determining that the target channel type of the channel to be detected is the non-hidden channel.
Optionally, the transmission feature set includes features extracted based on a session.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
FIG. 3 is a block diagram illustrating an electronic device in accordance with an example embodiment. As shown in fig. 3, the electronic device 300 may include: a processor 301 and a memory 302. The electronic device 300 may also include one or more of a multimedia component 303, an input/output (I/O) interface 304, and a communication component 305.
The processor 301 is configured to control the overall operation of the electronic device 300, so as to complete all or part of the steps in the above-mentioned method for detecting a hidden channel. The memory 302 is used to store various types of data to support operation at the electronic device 300, such as instructions for any application or method operating on the electronic device 300 and application-related data, such as contact data, transmitted and received messages, pictures, audio, video, and the like. The Memory 302 may be implemented by any type of volatile or non-volatile Memory device or combination thereof, such as Static Random Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic Memory, flash Memory, magnetic disk or optical disk. The multimedia components 303 may include a screen and an audio component. Wherein the screen may be, for example, a touch screen and the audio component is used for outputting and/or inputting audio signals. For example, the audio component may include a microphone for receiving external audio signals. The received audio signal may further be stored in the memory 302 or transmitted through the communication component 305. The audio assembly also includes at least one speaker for outputting audio signals. The I/O interface 304 provides an interface between the processor 301 and other interface modules, such as a keyboard, mouse, buttons, etc. These buttons may be virtual buttons or physical buttons. The communication component 305 is used for wired or wireless communication between the electronic device 300 and other devices. Wireless Communication, such as Wi-Fi, bluetooth, Near Field Communication (NFC), 2G, 3G, 4G, NB-IOT, eMTC, or other 5G, etc., or a combination of one or more of them, which is not limited herein. 
The corresponding communication component 305 may therefore include: Wi-Fi module, Bluetooth module, NFC module, etc.
In an exemplary embodiment, the electronic Device 300 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic components for performing the above-mentioned hidden channel detection method.
In another exemplary embodiment, a computer readable storage medium comprising program instructions which, when executed by a processor, implement the steps of the covert channel detection method described above is also provided. For example, the computer readable storage medium may be the memory 302 described above comprising program instructions executable by the processor 301 of the electronic device 300 to perform the hidden channel detection method described above.
The preferred embodiments of the present disclosure are described in detail with reference to the accompanying drawings, however, the present disclosure is not limited to the specific details of the above embodiments, and various simple modifications may be made to the technical solution of the present disclosure within the technical idea of the present disclosure, and these simple modifications all belong to the protection scope of the present disclosure.
It should be noted that the various features described in the above embodiments may be combined in any suitable manner without departing from the scope of the invention. In order to avoid unnecessary repetition, various possible combinations will not be separately described in this disclosure.
In addition, the various embodiments of the present disclosure may be combined in any manner, and such combinations should likewise be regarded as disclosed herein, as long as they do not depart from the spirit of the present disclosure.

Claims (10)

1. A method for detecting a hidden channel, comprising:
acquiring a target network protocol type of a channel to be detected;
determining a transmission characteristic set of the channel to be detected according to the target network protocol type;
determining a target channel type of the channel to be detected according to the transmission characteristic set and a concealed channel detection model corresponding to the target network protocol type, wherein the target channel type comprises a concealed channel and a non-concealed channel;
the hidden channel detection model corresponding to the target network protocol type is generated in the following generation mode:
performing random feature extraction in each transmission feature sample set of a known channel type of the target network protocol type to obtain at least one type of transmission feature sample subset corresponding to each transmission feature sample set of the known channel type, wherein the transmission feature sample set comprises a plurality of features, and a first preset number of features obtained by extraction each time form one type of transmission feature sample subset;
for each type of transmission characteristic sample subset of the transmission characteristic sample set with the known channel type, taking each transmission characteristic sample subset in the type of transmission characteristic sample subset as an input parameter, taking a known channel type corresponding to each transmission characteristic sample subset as an output parameter, and training to obtain a sub-classification module;
and generating the hidden channel detection model according to the plurality of sub-classification modules obtained by training.
2. The detection method of claim 1, wherein the hidden channel detection model is generated in a manner further comprising:
performing multiple times of random sample data extraction in a sample data set to obtain a plurality of sample data subsets, wherein the sample data set comprises a plurality of sample data of the target network protocol type, each transmission characteristic sample set is sample data, and a second preset number of sample data obtained by extraction each time form one sample data subset;
the performing random feature extraction in each transmission feature sample set of a known channel type of the target network protocol type to obtain at least one type of transmission feature sample subset corresponding to each transmission feature sample set of the known channel type, includes:
for each sample data subset, performing random feature extraction once in each transmission feature sample set of a known channel type included in the sample data subset to obtain a class of transmission feature sample subsets corresponding to each transmission feature sample set of the known channel type in the sample data subset;
for each type of transmission characteristic sample subset of the transmission characteristic sample set of the known channel type, training to obtain a sub-classification module by using each transmission characteristic sample subset in the type of transmission characteristic sample subset as an input parameter and using a known channel type corresponding to each transmission characteristic sample subset as an output parameter, the method comprising:
and for each sample data subset, training to obtain a sub-classification module by taking each transmission characteristic sample subset in a class of transmission characteristic sample subsets corresponding to the transmission characteristic sample set of the known channel type in the sample data subset as an input parameter and taking the appointed channel type corresponding to each transmission characteristic sample subset as an output parameter.
3. The detection method according to claim 1 or 2, wherein the transmission feature sample set is extracted by:
and extracting features from the channel transmission data corresponding to each known channel type of the target network protocol type according to the feature extraction dimension corresponding to the target network protocol type to obtain a transmission feature sample set of the target network protocol type corresponding to the known channel type.
4. The method according to claim 3, wherein the extracting features from the channel transmission data corresponding to each of the known channel types of the target network protocol type according to the feature extraction dimension corresponding to the target network protocol type to obtain the transmission feature sample set of the target network protocol type corresponding to the known channel type includes:
combining the extracted features of different dimensions to obtain a transmission feature original sample set of the target network protocol type corresponding to the known channel type;
determining a Gini coefficient for each feature in the original sample set of transmission features;
and according to the sequence of the Gini coefficients from small to large, generating a transmission characteristic sample set by utilizing the first M characteristics, wherein M is an integer which is larger than zero and smaller than the total number of the characteristics in the transmission characteristic original sample set.
5. The method according to claim 4, wherein the extracting features from the channel transmission data corresponding to each known channel type of the target network protocol type according to the feature extraction dimension corresponding to the target network protocol type to obtain a transmission feature sample set of the target network protocol type corresponding to the known channel type further comprises:
determining N-M characteristics as characteristics to be cleaned according to the sequence of the Gini coefficients from small to large, wherein N is the total number of the characteristics in the original transmission characteristic sample set;
carrying out cluster analysis on the known channel types corresponding to the original sample set of the characteristics to be cleaned and the transmission characteristics, and outputting a cluster result;
acquiring a feature to be reserved, which is determined by a user according to the clustering result of the feature to be cleaned;
and generating a transmission feature sample set by using the first M features and the features to be reserved.
6. The detection method of claim 1, wherein the transmission feature set comprises a plurality of types of transmission feature subsets;
the determining the transmission characteristic set of the channel to be detected according to the target network protocol type includes:
and for each sub-classification module in the hidden channel detection model corresponding to the target network protocol type, determining a transmission feature subset corresponding to the sub-classification module of the channel to be detected according to the features included in the transmission feature sample subset input during training of the sub-classification module.
7. The detection method according to claim 6, wherein the determining the channel type of the channel to be detected according to the transmission feature set and the hidden channel detection model corresponding to the target network protocol type includes:
for each sub-classification module, inputting the transmission characteristic subset of the channel to be detected, which corresponds to the sub-classification module, to the sub-classification module to obtain a classification result output by the sub-classification module;
and determining the channel type of the channel to be detected according to the classification result output by the plurality of sub-classification modules.
8. An apparatus for detecting a hidden channel, comprising:
the acquisition module is used for acquiring the target network protocol type of the channel to be detected;
the first determining module is used for determining the transmission characteristic set of the channel to be detected according to the target network protocol type;
a second determining module, configured to determine a target channel type of the channel to be detected according to the transmission feature set and a hidden channel detection model corresponding to the target network protocol type, where the target channel type includes a hidden channel and a non-hidden channel;
the hidden channel detection model corresponding to the target network protocol type is generated in the following generation mode:
performing random feature extraction in each transmission feature sample set of a known channel type of the target network protocol type to obtain at least one type of transmission feature sample subset corresponding to each transmission feature sample set of the known channel type, wherein the transmission feature sample set comprises a plurality of features, and a first preset number of features obtained by extraction each time form one type of transmission feature sample subset;
for each type of transmission characteristic sample subset of the transmission characteristic sample set with the known channel type, taking each transmission characteristic sample subset in the type of transmission characteristic sample subset as an input parameter, taking a known channel type corresponding to each transmission characteristic sample subset as an output parameter, and training to obtain a sub-classification module;
and generating the hidden channel detection model according to the plurality of sub-classification modules obtained by training.
9. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
10. An electronic device, comprising:
a memory having a computer program stored thereon;
a processor for executing the computer program in the memory to carry out the steps of the method of any one of claims 1 to 7.
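The model generation and detection steps of claims 1, 2, 6 and 7, as an added Python example that is not code from the patent. The threshold-split sub-classifier, the majority vote, the choice of DNS as the protocol type, the feature names and the sample values are all assumptions constructed for illustration.

```python
import random
from collections import Counter

def gini(labels):
    """Gini impurity of a list of channel-type labels."""
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())

def train_module(rows, labels, feats):
    """One sub-classification module: the best threshold split over `feats` only."""
    best = None
    for f in feats:
        for t in sorted({r[f] for r in rows}):
            left = [y for r, y in zip(rows, labels) if r[f] <= t]
            right = [y for r, y in zip(rows, labels) if r[f] > t]
            if not left or not right:
                continue
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if best is None or score < best["score"]:
                best = {"score": score, "feats": feats, "f": f, "t": t,
                        "le": Counter(left).most_common(1)[0][0],
                        "gt": Counter(right).most_common(1)[0][0]}
    if best is None:  # no usable split in this subset: always answer the majority type
        major = Counter(labels).most_common(1)[0][0]
        best = {"score": gini(labels), "feats": feats, "f": feats[0],
                "t": float("inf"), "le": major, "gt": major}
    return best

def train_model(rows, labels, n_modules, n_feats, n_samples, seed=0):
    """n_feats / n_samples play the role of the first / second preset number."""
    rng = random.Random(seed)
    names = sorted(rows[0])
    modules = []
    for _ in range(n_modules):
        idx = rng.sample(range(len(rows)), n_samples)   # random sample data subset
        feats = rng.sample(names, n_feats)              # random feature subset
        modules.append(train_module([rows[i] for i in idx],
                                    [labels[i] for i in idx], feats))
    return modules

def classify(modules, row):
    """Give each module only the features it was trained on, then majority-vote."""
    votes = Counter()
    for m in modules:
        subset = {f: row[f] for f in m["feats"]}
        votes[m["le"] if subset[m["f"]] <= m["t"] else m["gt"]] += 1
    return votes.most_common(1)[0][0]

# Constructed DNS samples; feature names are hypothetical, is_txt is uninformative.
NAMES = ("qname_len", "label_entropy", "queries_per_min", "is_txt")
NORMAL = [(14, 2.6, 3, 0), (18, 2.9, 5, 1), (22, 3.1, 8, 0), (11, 2.4, 2, 1)]
COVERT = [(58, 4.4, 40, 0), (61, 4.7, 55, 1), (49, 4.2, 31, 0), (63, 4.8, 62, 1)]
ROWS = [dict(zip(NAMES, v)) for v in NORMAL + COVERT]
LABELS = ["normal"] * 4 + ["covert"] * 4
MODELS = {"dns": train_model(ROWS, LABELS, n_modules=7, n_feats=2, n_samples=5)}

def detect(protocol, row):
    """Select the model for the channel's protocol type, then classify."""
    return classify(MODELS[protocol], row)
```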
CN202011529236.6A 2020-12-22 2020-12-22 Method and device for detecting hidden channel, readable storage medium and electronic equipment Active CN112615713B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011529236.6A CN112615713B (en) 2020-12-22 2020-12-22 Method and device for detecting hidden channel, readable storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN112615713A true CN112615713A (en) 2021-04-06
CN112615713B CN112615713B (en) 2024-02-23

Family

ID=75244149

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011529236.6A Active CN112615713B (en) 2020-12-22 2020-12-22 Method and device for detecting hidden channel, readable storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN112615713B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant