CN112615713B - Method and device for detecting hidden channel, readable storage medium and electronic equipment - Google Patents

Publication number
CN112615713B
Authority
CN
China
Prior art keywords
channel
transmission
sample
type
feature
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011529236.6A
Other languages
Chinese (zh)
Other versions
CN112615713A (en
Inventor
申勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Neusoft Group Shanghai Co ltd
Neusoft Corp
Original Assignee
Neusoft Group Shanghai Co ltd
Neusoft Corp
Application filed by Neusoft Group Shanghai Co ltd, Neusoft Corp filed Critical Neusoft Group Shanghai Co ltd
Priority to CN202011529236.6A priority Critical patent/CN112615713B/en
Publication of CN112615713A publication Critical patent/CN112615713A/en
Publication of CN112615713B publication Critical patent/CN112615713B/en

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002: Countermeasures against attacks on cryptographic mechanisms

Abstract

The disclosure relates to a method and a device for detecting a hidden channel, a readable storage medium and an electronic device, so as to improve the detection accuracy of a target channel type of a channel to be detected, wherein the method comprises the following steps: acquiring a target network protocol type of a channel to be detected; determining a transmission characteristic set of a channel to be detected according to the type of the target network protocol; and determining the target channel type of the channel to be detected according to the transmission characteristic set and a hidden channel detection model corresponding to the target network protocol type, wherein the target channel type comprises a hidden channel and a non-hidden channel.

Description

Method and device for detecting hidden channel, readable storage medium and electronic equipment
Technical Field
The disclosure relates to the technical field of network data security, in particular to a method and a device for detecting a hidden channel, a readable storage medium and electronic equipment.
Background
Hidden channels are common in APT (Advanced Persistent Threat) attacks, where they mainly appear in attack stages such as control command transmission and data theft. A hidden channel is a malicious data transmission channel in an APT attack, and it is also one of the important means by which the cybercrime underground profits from network attacks. Network attackers use hidden channels to evade detection by security products such as firewalls and IDS (intrusion detection systems) and to steal data from a target host without being noticed. To network monitoring devices and network administrators, the traffic generated when data is obtained through a hidden channel looks like normal traffic, so they cannot determine from that traffic whether the channel is a hidden channel. That is, an unauthorized user can perform network communication using a hidden channel.
The presence of hidden channels is a significant threat to the network operating system. Therefore, for a network operating system with high security level, the system needs to have a function of detecting a hidden channel, and timely discover data transmission actions in a network attack, so as to ensure data security in the network. In the related art, the hidden channel cannot be accurately detected, so that the data security in the network cannot be ensured.
Disclosure of Invention
The disclosure aims to provide a method and a device for detecting a hidden channel, a readable storage medium and an electronic device, so as to solve the problems in the related art.
In order to achieve the above object, the present disclosure provides a method for detecting a hidden channel, including:
acquiring a target network protocol type of a channel to be detected;
determining a transmission characteristic set of the channel to be detected according to the target network protocol type;
determining a target channel type of the channel to be detected according to the transmission characteristic set and a hidden channel detection model corresponding to the target network protocol type, wherein the target channel type comprises a hidden channel and a non-hidden channel;
the hidden channel detection model corresponding to the target network protocol type is generated by the following generation mode:
Performing random feature extraction in each transmission feature sample set of a known channel type of the target network protocol type to obtain at least one type of transmission feature sample subset corresponding to each transmission feature sample set of the known channel type, wherein the transmission feature sample set comprises a plurality of features, and a first preset number of features obtained by each extraction form one type of transmission feature sample subset;
aiming at each transmission characteristic sample subset of the transmission characteristic sample set with the known channel type, taking each transmission characteristic sample subset in the transmission characteristic sample subset as an input parameter, taking the known channel type corresponding to each transmission characteristic sample subset as an output parameter, and training to obtain a sub-classification module;
and generating the hidden channel detection model according to the multiple sub-classification modules obtained through training.
Optionally, the generating manner of the hidden channel detection model further includes:
carrying out multiple random sample data extraction in a sample data set to obtain multiple sample data subsets, wherein the sample data set comprises multiple sample data of the target network protocol type, each transmission characteristic sample set is one sample data, and a second preset number of sample data obtained by each extraction form one sample data subset;
The random feature extraction is performed in each transmission feature sample set of the known channel type of the target network protocol type, so as to obtain at least one class of transmission feature sample subset corresponding to each transmission feature sample set of the known channel type, including:
for each sub-set of sample data, performing a random feature extraction on each transmission feature sample set of a known channel type included in the sub-set of sample data to obtain a class of transmission feature sample sub-sets corresponding to each transmission feature sample set of the known channel type in the sub-set of sample data;
the training to obtain a sub-classification module includes:
and aiming at each sample data subset, taking each transmission characteristic sample subset in a class of transmission characteristic sample subsets corresponding to each transmission characteristic sample set of known channel types included in the sample data subset as an input parameter, taking the designated channel type corresponding to each transmission characteristic sample subset as an output parameter, and training to obtain a sub-classification module.
Optionally, the transmission characteristic sample set is extracted by the following way:
and extracting features from channel transmission data corresponding to each known channel type of the target network protocol type according to the feature extraction dimension corresponding to the target network protocol type, so as to obtain a transmission feature sample set corresponding to the known channel type of the target network protocol type.
Optionally, the extracting a feature from the channel transmission data corresponding to each known channel type of the target network protocol type according to the feature extracting dimension corresponding to the target network protocol type to obtain a transmission feature sample set corresponding to the known channel type of the target network protocol type, including:
feature combination is carried out on the extracted features with different dimensions, and a transmission feature original sample set of the target network protocol type corresponding to the known channel type is obtained;
determining a Gini coefficient for each feature in the transmission feature original sample set;
and generating a transmission feature sample set by using the first M features in ascending order of Gini coefficient, wherein M is an integer which is larger than zero and smaller than the total number of features in the transmission feature original sample set.
Optionally, the extracting a feature from the channel transmission data corresponding to each known channel type of the target network protocol type according to the feature extracting dimension corresponding to the target network protocol type to obtain a transmission feature sample set corresponding to the known channel type of the target network protocol type, and further includes:
in ascending order of Gini coefficient, determining the remaining N-M features as features to be cleaned, wherein N is the total number of features in the transmission feature original sample set;
performing cluster analysis on the known channel types corresponding to the to-be-cleaned feature and the transmission feature original sample set, and outputting a clustering result;
acquiring to-be-retained characteristics determined by a user aiming at the clustering result of the to-be-cleaned characteristics;
and generating a transmission characteristic sample set by using the first M characteristics and the characteristics to be reserved.
Optionally, the transmission feature set comprises a subset of transmission features of multiple classes;
the determining the transmission characteristic set of the channel to be detected according to the target network protocol type includes:
and aiming at each sub-classification module in the hidden channel detection model corresponding to the target network protocol type, determining the transmission characteristic sub-set corresponding to the sub-classification module of the channel to be detected according to the characteristics included in the transmission characteristic sample sub-set input during training of the sub-classification module.
Optionally, the determining, according to the transmission feature set and the hidden channel detection model corresponding to the target network protocol type, the channel type of the channel to be detected includes:
inputting a transmission characteristic subset corresponding to the sub-classification module of the channel to be detected into the sub-classification module aiming at each sub-classification module so as to obtain a classification result output by the sub-classification module;
and determining the channel type of the channel to be detected according to the classification results output by the sub-classification modules.
Optionally, the determining the target channel type of the channel to be detected according to the classification results output by the multiple sub-classification modules includes:
determining the classification result with the largest number of occurrences among the classification results output by the sub-classification modules as the target channel type of the channel to be detected; or
among the classification results output by the sub-classification modules, if the number of classification results indicating that the channel to be detected is a non-hidden channel is larger than or equal to a third preset number, determining that the target channel type of the channel to be detected is the non-hidden channel.
Optionally, the features included in the transmission feature set are extracted based on a session.
A second aspect of the present disclosure provides a detection apparatus for a hidden channel, including:
the acquisition module is used for acquiring the target network protocol type of the channel to be detected;
the first determining module is used for determining a transmission characteristic set of the channel to be detected according to the target network protocol type;
the second determining module is used for determining a target channel type of the channel to be detected according to the transmission characteristic set and a hidden channel detection model corresponding to the target network protocol type, wherein the target channel type comprises a hidden channel and a non-hidden channel;
the hidden channel detection model corresponding to the target network protocol type is generated by the following generation mode:
performing random feature extraction in each transmission feature sample set of a known channel type of the target network protocol type to obtain at least one type of transmission feature sample subset corresponding to each transmission feature sample set of the known channel type, wherein the transmission feature sample set comprises a plurality of features, and a first preset number of features obtained by each extraction form one type of transmission feature sample subset;
aiming at each transmission characteristic sample subset of the transmission characteristic sample set with the known channel type, taking each transmission characteristic sample subset in the transmission characteristic sample subset as an input parameter, taking the known channel type corresponding to each transmission characteristic sample subset as an output parameter, and training to obtain a sub-classification module;
And generating the hidden channel detection model according to the multiple sub-classification modules obtained through training.
A third aspect of the present disclosure provides a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of any of the methods provided in the first aspect of the present disclosure.
A fourth aspect of the present disclosure provides an electronic device, comprising:
a memory having a computer program stored thereon;
a processor for executing the computer program in the memory to implement the steps of any of the methods provided in the first aspect of the present disclosure.
According to the technical scheme, at least one type of transmission characteristic sample subset is obtained through random characteristic extraction, and at least one sub-classification module in the hidden channel detection model is obtained through training by utilizing the at least one type of transmission characteristic sample subset, so that the difference of each sub-classification module can be enhanced, the hidden channel detection model has higher overfitting resistance, and the accuracy of the hidden channel detection model is improved. The hidden channel detection model with high accuracy is used for detecting the channel to be detected, so that the target channel type of the channel to be detected can be accurately detected. In addition, a hidden channel detection model is generated for each network protocol type in advance, and when the channel type of the channel to be detected is detected, the hidden channel detection model corresponding to the target network protocol type of the channel to be detected can be utilized for detection, so that the detection accuracy of the target channel type of the channel to be detected is further improved, and the data security in the network is further improved.
Additional features and advantages of the present disclosure will be set forth in the detailed description which follows.
Drawings
The accompanying drawings are included to provide a further understanding of the disclosure, and are incorporated in and constitute a part of this specification, illustrate the disclosure and together with the description serve to explain, but do not limit the disclosure. In the drawings:
Fig. 1 is a flow chart illustrating a method of detecting a covert channel according to an exemplary embodiment.
Fig. 2 is a block diagram illustrating a hidden channel detection apparatus according to an exemplary embodiment.
Fig. 3 is a block diagram of an electronic device, according to an example embodiment.
Detailed Description
Current network security products mainly detect hidden channels by rule-based matching: rules are matched against the data packets or sessions transmitted in a channel, and the rule matching result determines whether the channel is a hidden channel. For example, suppose the distribution of data packets or sessions transmitted in a covert channel follows a Poisson distribution; if the distribution of data packets or sessions transmitted in a channel conforms to the Poisson distribution, the channel is determined to be a covert channel, and otherwise it is determined to be a non-covert channel. However, when rule matching is used to detect hidden channels, a new hidden channel that does not match the rules cannot be detected. Therefore, in the related art, hidden channels may be missed, that is, the hidden channel cannot be accurately detected, so that the data security in the network cannot be ensured.
In view of this, the present disclosure provides a method and apparatus for detecting a hidden channel, a readable storage medium, and an electronic device, so as to improve the accuracy of detecting a hidden channel.
Specific embodiments of the present disclosure are described in detail below with reference to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating and illustrating the disclosure, are not intended to limit the disclosure.
Fig. 1 is a flow chart illustrating a method of detecting a covert channel according to an exemplary embodiment. As shown in fig. 1, the method for detecting a hidden channel may include the following steps.
In step 101, a target network protocol type of a channel to be detected is acquired.
In the present disclosure, the device performing the detection method of the hidden channel may be a gateway-type security product, for example, a firewall. Illustratively, the gateway class security product analyzes the communication protocol of the channel to be detected to determine the target network protocol type of the channel to be detected. The target network protocol type may be one of HTTP protocol, DNS protocol, ICMP protocol. It should be appreciated that the techniques for analyzing the communication protocol of the channel to determine the type of the target network protocol are well-established and are not specifically limited by the present disclosure.
In step 102, a set of transmission characteristics of the channel to be detected is determined according to the target network protocol type.
In practical applications, the feature extraction dimensions corresponding to different network protocol types are different, so in the present disclosure, after determining a target network protocol type, a transmission feature set of a channel to be detected needs to be determined according to the target network protocol type, where the transmission feature set is composed of transmission features extracted from channel transmission data of the channel to be detected.
In step 103, the target channel type of the channel to be detected is determined according to the transmission feature set and the hidden channel detection model corresponding to the target network protocol type, wherein the target channel type comprises a hidden channel and a non-hidden channel.
The hidden channel detection model corresponding to the target network protocol type can be generated in the following manner:
firstly, carrying out random feature extraction in each transmission feature sample set of a known channel type of a target network protocol type to obtain at least one type of transmission feature sample subset corresponding to each transmission feature sample set of the known channel type, wherein the transmission feature sample set comprises a plurality of features, and a first preset number of features obtained by each extraction form one type of transmission feature sample subset.
The first preset number is an integer greater than or equal to 2 and less than the total number of features included in the transmission feature sample set. The value range of the first preset number may be [0.6 × total number of features, 0.8 × total number of features]. For example, if each transmission feature sample set includes 20 features, 12 features are randomly extracted from each transmission feature sample set at a time to form a transmission feature sample subset. For each transmission feature sample set, within each transmission feature sample subset formed by one random feature extraction, the features included are all different from one another, and there are at least two different transmission feature sample subsets.
In one possible manner, any two types of transmission feature sample subsets in the composed transmission feature sample subsets are different, that is, the rule of random feature extraction is different each time. And the number of categories of the composed transmission characteristic sample subset is the same as the number of sub-classification modules included in the hidden channel detection model.
Then, for each transmission characteristic sample subset of the transmission characteristic sample set with a known channel type, taking each transmission characteristic sample subset in the transmission characteristic sample subset as an input parameter, taking the known channel type corresponding to each transmission characteristic sample subset as an output parameter, and training to obtain a sub-classification module.
For example, assume there are 50 transmission feature sample sets and the channel type of each is known, e.g., the (2n+1)th transmission feature sample set is a hidden channel and the (2n+2)th transmission feature sample set is a non-hidden channel. Each transmission feature sample set comprises a plurality of features. Each transmission feature sample set is randomly extracted three times, with a first preset number of features extracted each time to form a transmission feature sample subset, so that each class of transmission feature sample subsets comprises 50 transmission feature sample subsets. For example, for each transmission feature sample set, the class of subsets obtained by the first random extraction is denoted transmission feature sample subset 1, the class obtained by the second random extraction is denoted transmission feature sample subset 2, and the class obtained by the third random extraction is denoted transmission feature sample subset 3. That is, each of the 50 transmission feature sample sets corresponds to three classes of transmission feature sample subsets, with one subset in each class, so that 50 transmission feature sample subsets 1, 50 transmission feature sample subsets 2, and 50 transmission feature sample subsets 3 are finally obtained, and the channel type of each transmission feature sample subset is also known.
For example, among the 50 transmission feature sample subsets 1, the channel type of the (2n+1)th transmission feature sample subset 1 is a hidden channel, and the channel type of the (2n+2)th transmission feature sample subset 1 is a non-hidden channel; among the 50 transmission feature sample subsets 2, the channel type of the (2n+1)th transmission feature sample subset 2 is a hidden channel, and the channel type of the (2n+2)th transmission feature sample subset 2 is a non-hidden channel; and among the 50 transmission feature sample subsets 3, the channel type of the (2n+1)th transmission feature sample subset 3 is a hidden channel, and the channel type of the (2n+2)th transmission feature sample subset 3 is a non-hidden channel. Here, the value range of n is [0, 24].
Then, for each transmission feature sample subset 1 among the 50 transmission feature sample subsets 1, training is performed with the transmission feature sample subset 1 as an input parameter and the known channel type corresponding to that subset as an output parameter, to obtain one sub-classification module. For example, when the (2n+1)th transmission feature sample subset 1 is used as an input parameter, the hidden channel is used as the output parameter. The transmission feature sample subsets 2 and 3 are handled in the same way, so three sub-classification modules are finally trained.
And finally, generating a hidden channel detection model according to the multiple sub-classification modules obtained through training.
It should be noted that, in the present disclosure, a hidden channel detection model may be generated in advance for each network protocol type. Since the manner of generating the hidden channel detection model for each network protocol type is similar, this disclosure only shows a specific manner of generating the hidden channel detection model for the target network protocol type. Those skilled in the art may refer to a specific manner of generating the hidden channel detection model corresponding to the target network protocol type to generate the hidden channel detection model corresponding to other network protocol types, which will not be described in detail in this disclosure.
By adopting the technical scheme, at least one type of transmission characteristic sample subset is obtained through random characteristic extraction, and at least one sub-classification module in the hidden channel detection model is obtained through training by utilizing the at least one type of transmission characteristic sample subset, so that the difference of each sub-classification module can be enhanced, the hidden channel detection model has higher overfitting resistance, and the accuracy of the hidden channel detection model is improved. The hidden channel detection model with high accuracy is used for detecting the channel to be detected, so that the target channel type of the channel to be detected can be accurately detected. In addition, a hidden channel detection model is generated for each network protocol type in advance, and when the channel type of the channel to be detected is detected, the hidden channel detection model corresponding to the target network protocol type of the channel to be detected can be utilized for detection, so that the detection accuracy of the target channel type of the channel to be detected is further improved, and the data security in the network is further improved.
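The generation procedure above (random feature extraction, one sub-classification module per class of feature subset, then voting), written out as an added example that is not code from the patent. It also covers the optional random sample-data extraction and both decision rules from the summary. The nearest-centroid learner, the constructed training values, and all names are assumptions, since the page does not name a learner.

```python
import random
from collections import Counter

HIDDEN, NORMAL = "hidden", "non-hidden"
N_FEATURES, N_SIGNAL = 20, 12   # constructed: 12 informative features, 8 noise features


def make_sample_sets(rng, count=50):
    """Constructed training data: 50 feature sample sets of known channel type.
    Sets 1, 3, 5, ... (the 2n+1 sets) are hidden; sets 2, 4, ... are non-hidden."""
    sets = []
    for i in range(count):
        label = HIDDEN if i % 2 == 0 else NORMAL
        lo, hi = (8.0, 12.0) if label == HIDDEN else (0.0, 4.0)
        feats = [rng.uniform(lo, hi) if j < N_SIGNAL else rng.uniform(0.0, 4.0)
                 for j in range(N_FEATURES)]
        sets.append((feats, label))
    return sets


class SubClassifier:
    """One sub-classification module: nearest centroid over one feature subset.
    The learner is an assumption made for this example."""

    def __init__(self, feature_idx):
        self.feature_idx = tuple(feature_idx)
        self.centroids = {}

    def project(self, feats):
        # Keep only the features this module was trained on (step 102 at detection time).
        return [feats[i] for i in self.feature_idx]

    def fit(self, sample_sets):
        rows = {}
        for feats, label in sample_sets:
            rows.setdefault(label, []).append(self.project(feats))
        self.centroids = {lab: [sum(col) / len(r) for col in zip(*r)]
                          for lab, r in rows.items()}
        return self

    def predict(self, feats):
        x = self.project(feats)
        return min(self.centroids,
                   key=lambda lab: sum((a - b) ** 2
                                       for a, b in zip(x, self.centroids[lab])))


def train_model(sample_sets, n_sub=3, first_preset=12, second_preset=40, seed=7):
    """first_preset: features per extraction (0.6 to 0.8 of the total).
    second_preset: sample sets per random sample-data extraction; 40 of 50
    guarantees both channel types appear, because each type has only 25 sets."""
    rng = random.Random(seed)
    seen, model = set(), []
    while len(model) < n_sub:
        idx = tuple(sorted(rng.sample(range(N_FEATURES), first_preset)))
        if idx in seen:            # any two classes of feature subset must differ
            continue
        seen.add(idx)
        data_subset = rng.sample(sample_sets, second_preset)
        model.append(SubClassifier(idx).fit(data_subset))
    return model


def classify(model, feats, third_preset=None):
    """Majority vote by default (use an odd number of modules to avoid ties).
    With third_preset set, the channel is non-hidden only if at least that many
    modules say so; treating every other case as hidden is an assumption here."""
    votes = Counter(sub.predict(feats) for sub in model)
    if third_preset is None:
        return votes.most_common(1)[0][0], votes
    return (NORMAL if votes[NORMAL] >= third_preset else HIDDEN), votes


if __name__ == "__main__":
    model = train_model(make_sample_sets(random.Random(1)))
    probe = [10.0] * N_SIGNAL + [2.0] * (N_FEATURES - N_SIGNAL)   # constructed session
    print([sub.feature_idx for sub in model])
    print(classify(model, probe))
```

Because each module sees a different 12-feature view, a feature that is easy to mimic only influences the modules that happened to draw it.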
In order to enable those skilled in the art to better understand the method for detecting a hidden channel provided by the embodiments of the present disclosure, a complete embodiment of the method for detecting a hidden channel provided by the embodiments of the present disclosure is described below.
The following describes in detail the generation method of the hidden channel detection model.
First, a method for generating a transmission characteristic sample set will be described.
For example, features may be extracted from channel transmission data corresponding to each known channel type of the target network protocol type according to feature extraction dimensions corresponding to the target network protocol type, so as to obtain a transmission feature sample set corresponding to the known channel type of the target network protocol type.
As described above, feature extraction dimensions corresponding to different network protocol types are different. For example, the feature extraction dimensions corresponding to the HTTP network protocol type may include the number of uploaded bytes, the number of downloaded bytes, the load ratio, the number of request traffic packets, the number of response traffic packets, and the like. In the data transmission process, a data packet (hereinafter referred to as a traffic packet) includes, in addition to the data to be actually transmitted, communication protocol contents, for example, header information of the communication protocol. The load ratio refers to the ratio of the size of the data actually to be transmitted in one traffic packet to the size of the whole traffic packet. For another example, the feature extraction dimensions corresponding to the DNS network protocol type may include the request packet load ratio, the response packet load ratio, the domain name length, the number of subdomains, and so on. For another example, the feature extraction dimensions corresponding to the ICMP network protocol type may include the number of traffic packets, the size of the traffic packets, whether the loads are the same, and so on. Here, the load refers to the data to be actually transmitted that is included in the traffic packet.
After determining the feature extraction dimension corresponding to the target network protocol type, obtaining channel transmission data corresponding to each known channel type of the target network protocol type, and extracting features from the channel transmission data. It is worth noting that a session includes multiple traffic packets, so in order to enrich the extracted features to better characterize the data transmitted in the channel, in the present disclosure, a set of transmission feature samples may be composed based on session extracted features.
To extract features based on sessions, each session must first be identified. The session identification modes corresponding to different network protocol types are different. For example, in a channel of the HTTP protocol, one HTTP session may be determined through the three-way handshake, four-way teardown, and RESET mechanisms. In a channel of the DNS protocol, a session is formed by combining a DNS request packet and a DNS response packet, and therefore a DNS session can be determined by the DNS request packet and the DNS response packet. In a channel of the ICMP protocol, one ICMP session may be determined by checking the data. It should be noted that the manner of identifying the session is not specifically limited in this disclosure.
For each network protocol type, a tunnel of that network protocol type may, for example, be constructed in advance. For example, an HTTP tunnel may be constructed to obtain hidden channel transmission data (hereinafter referred to as HTTP tunnel data) from the HTTP tunnel. The HTTP tunnel data may include one or more HTTP sessions, and features may be extracted from the HTTP tunnel data according to the feature extraction dimensions corresponding to the HTTP network protocol type to construct a transmission feature sample set of the HTTP network protocol type whose channel type is a hidden channel. Legal channel transmission data (hereinafter referred to as HTTP channel data) may likewise be obtained from a legal channel of the HTTP network protocol type. The HTTP channel data may include one or more HTTP sessions, and features may be extracted from the HTTP channel data according to the feature extraction dimensions corresponding to the HTTP network protocol type to construct a transmission feature sample set of the HTTP network protocol type whose channel type is a non-hidden channel. Similarly, a DNS tunnel may also be constructed to obtain a transmission feature sample set of the DNS network protocol type whose channel type is a hidden channel and a transmission feature sample set of the DNS network protocol type whose channel type is a non-hidden channel, and so on.
In one embodiment, a set of transmission feature samples may be generated directly from the extracted features, the set of transmission feature samples including only the extracted features.
In another embodiment, to enrich the feature dimensions included in the transmission feature sample set, the extracted features of different dimensions may be combined to obtain a transmission feature sample set with richer dimensions. Taking the HTTP network protocol type as an example, the number of request traffic packets and the number of response traffic packets may be extracted and these two features then combined: for example, the ratio of the number of request traffic packets to the total number of traffic packets may be obtained from the two counts, and so on.
In yet another embodiment, the features may also be cleaned, considering that features of some dimensions have no obvious classification effect, i.e. they contribute little to detecting the channel type. For example, the extracted features of different dimensions can be combined to obtain a transmission feature original sample set with richer dimensions, the Gini coefficient of each feature in the transmission feature original sample set is determined, and the first M features, in ascending order of Gini coefficient, are used to generate the transmission feature sample set, where M is an integer greater than zero and less than the total number of features in the transmission feature original sample set.
In the present disclosure, the uncertainty of each feature is characterized by its Gini coefficient: the smaller the Gini coefficient, the lower the uncertainty of classification based on the feature, i.e. the more pronounced the classification effect of the feature. Thus, in one possible way, after the Gini coefficient of each feature is determined, the first M features in ascending order of Gini coefficient are used to generate the transmission feature sample set, i.e. the generated transmission feature sample set includes only the first M features, whose classification effect is relatively pronounced.
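The Gini-based cleaning step above, as an added example that is not part of the patent text. It assumes a feature's Gini coefficient is the lowest weighted Gini impurity over single-threshold splits of that feature (the disclosure gives no formula); the session values and field names are constructed.

```python
"""Added example: rank session features by Gini coefficient and keep the first M."""

# Constructed per-session features; label 1 = hidden channel, 0 = non-hidden.
SAMPLE_SESSIONS = [
    {"req_pkts": 40, "resp_pkts": 42, "up_bytes": 52000, "down_bytes": 9000, "duration_s": 30},
    {"req_pkts": 55, "resp_pkts": 50, "up_bytes": 61000, "down_bytes": 12000, "duration_s": 12},
    {"req_pkts": 38, "resp_pkts": 45, "up_bytes": 48000, "down_bytes": 30000, "duration_s": 45},
    {"req_pkts": 60, "resp_pkts": 58, "up_bytes": 75000, "down_bytes": 8000, "duration_s": 8},
    {"req_pkts": 6, "resp_pkts": 30, "up_bytes": 900, "down_bytes": 40000, "duration_s": 10},
    {"req_pkts": 4, "resp_pkts": 25, "up_bytes": 700, "down_bytes": 35000, "duration_s": 40},
    {"req_pkts": 8, "resp_pkts": 44, "up_bytes": 1200, "down_bytes": 10000, "duration_s": 28},
    {"req_pkts": 5, "resp_pkts": 48, "up_bytes": 800, "down_bytes": 52000, "duration_s": 14},
]
SAMPLE_LABELS = [1, 1, 1, 1, 0, 0, 0, 0]


def gini_impurity(labels):
    """Gini impurity of a list of 0/1 labels."""
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    return 2.0 * p * (1.0 - p)


def feature_gini(values, labels):
    """Lowest weighted Gini impurity over all single-threshold splits of one feature.

    Assumption of this example: the disclosure does not define the computation.
    """
    pairs = sorted(zip(values, labels))
    n = len(pairs)
    best = gini_impurity(labels)  # baseline: no split at all
    for i in range(1, n):
        if pairs[i - 1][0] == pairs[i][0]:
            continue  # no threshold fits between two equal values
        left = [lab for _, lab in pairs[:i]]
        right = [lab for _, lab in pairs[i:]]
        weighted = (len(left) * gini_impurity(left)
                    + len(right) * gini_impurity(right)) / n
        best = min(best, weighted)
    return best


def combine_features(session):
    """Feature combination from the text: request packets / total packets."""
    total = session["req_pkts"] + session["resp_pkts"]
    combined = dict(session)
    combined["req_ratio"] = session["req_pkts"] / total if total else 0.0
    return combined


def select_features(sessions, labels, m):
    """Return (kept, to_clean): the first M features in ascending Gini order,
    and the remaining N-M features that the text calls 'features to be cleaned'."""
    rows = [combine_features(s) for s in sessions]
    names = sorted(rows[0])
    if not 0 < m < len(names):
        raise ValueError("M must be greater than zero and less than N")
    scored = sorted((feature_gini([r[n] for r in rows], labels), n) for n in names)
    ranked = [name for _, name in scored]
    return ranked[:m], ranked[m:]


if __name__ == "__main__":
    kept, to_clean = select_features(SAMPLE_SESSIONS, SAMPLE_LABELS, 4)
    print("kept:", kept)
    print("to clean:", to_clean)
```
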
In another possible way, after the Gini coefficient of each feature is determined, the remaining N-M features in ascending order of Gini coefficient are determined as features to be cleaned, where N is the total number of features in the transmission feature original sample set. Cluster analysis is performed on the features to be cleaned and the known channel types corresponding to the transmission feature original sample set, and a clustering result is output. The features to be retained, as determined by a user from the clustering result of the features to be cleaned, are then acquired, and the transmission feature sample set is generated from the first M features and the features to be retained.
In this embodiment, N-M may be the integer value of 5% of N or of 10% of N. First, a multidimensional clustering method from the related art is used to cluster all features to be cleaned and obtain a feature clustering result; the known channel types corresponding to the transmission feature original sample set are then displayed in the feature clustering result to obtain the final clustering result. Because the channel type of each feature to be cleaned can be displayed in the clustering result, the user can, based on the displayed channel types, determine the features that form an obvious cluster as features to be retained and send them to the device executing the hidden channel detection method. The device can then determine the features to be retained from among the features to be cleaned and generate the transmission feature sample set from the first M features and the features to be retained.
Thus, each set of transmission characteristic samples of the known channel type of the target network protocol type can be determined according to any of the above modes.
After the transmission feature sample sets are obtained, random feature extraction can be performed on them in the manner described above to obtain at least one class of transmission feature sample subsets corresponding to each transmission feature sample set, and the sub-classification modules are trained with the at least one class of transmission feature sample subsets.
In one embodiment, to further enhance the variability of each sub-classification module trained, the set of transmission feature samples may also be randomly sampled. For example, each of the above-determined transmission characteristic sample sets may be regarded as one sample data, and the sample data set may be constituted based on a plurality of sample data, i.e., a plurality of transmission characteristic sample sets are included in the sample data set.
First, random sample data extraction is performed multiple times on the sample data set to obtain multiple sample data subsets, where the second preset number of sample data obtained by each extraction forms one sample data subset.
The second preset number may be the integer value of 0.8 times the total number of sample data. The sample data subsets formed by different extractions contain different sample data, and the subsets formed by any two extractions differ, that is, the rule of each random sample data extraction is different. The number of sample data subsets is the same as the number of sub-classification modules included in the hidden channel detection model. Thus, the multiple sample data subsets obtained by random extraction all differ from one another.
Then, for each sub-set of sample data, a random feature extraction is performed on each set of transmission feature samples of known channel types included in the sub-set of sample data to obtain a class of sub-sets of transmission feature samples corresponding to each set of transmission feature samples of known channel types in the sub-set of sample data.
Then, for each sample data subset, each transmission feature sample subset in the class of transmission feature sample subsets corresponding to the transmission feature sample sets of known channel types included in that sample data subset is taken as an input parameter, the designated channel type corresponding to each transmission feature sample subset is taken as an output parameter, and a sub-classification module is obtained by training.
For example, assume that the number of transmission feature sample sets is 50, i.e. the number of sample data is 50, and that 40 sample data are extracted each time as one sample data subset. Assuming the number of sub-classification modules is 3, random sample data extraction is performed 3 times, yielding three sample data subsets, denoted sample data subset 1, sample data subset 2 and sample data subset 3. Each sample data subset includes 40 sample data, i.e. 40 transmission feature sample sets. Random feature extraction is then performed once on each of the 40 transmission feature sample sets in sample data subset 1 to obtain 40 transmission feature sample subsets 1. Similarly, random feature extraction is performed once on each of the 40 transmission feature sample sets in sample data subset 2 to obtain 40 transmission feature sample subsets 2, and once on each of the 40 transmission feature sample sets in sample data subset 3 to obtain 40 transmission feature sample subsets 3. In this embodiment, the rules of random feature extraction used in different sample data subsets are different. That is, the rules used in sample data subset 1, sample data subset 2 and sample data subset 3 all differ, which ensures that transmission feature sample subset 1 corresponding to sample data subset 1, transmission feature sample subset 2 corresponding to sample data subset 2 and transmission feature sample subset 3 corresponding to sample data subset 3 all differ from one another.
Sub-classification module 1 is then trained with the 40 transmission feature sample subsets 1 corresponding to sample data subset 1. Similarly, sub-classification module 2 is trained with the 40 transmission feature sample subsets 2 corresponding to sample data subset 2, and sub-classification module 3 is trained with the 40 transmission feature sample subsets 3 corresponding to sample data subset 3. During training, each transmission feature sample subset in each class of transmission feature sample subsets is used as an input parameter, and the known channel type corresponding to that transmission feature sample subset is used as an output parameter.
It should be noted that random feature extraction may also be performed three times on each transmission feature sample set to obtain three transmission feature sample subsets, after which sample data is extracted three times to obtain three sample data subsets, so that each sample data subset corresponds to three transmission feature sample subsets. When a sub-classification module is trained, for each sample data subset, the module is trained with one transmission feature sample subset in that sample data subset and the known channel type corresponding to each transmission feature sample subset. Different sub-classification modules are trained with different sample data subsets and different transmission feature sample subsets.
In the present disclosure, the algorithm of the sub-classification module may be determined from the total number of features included in the transmission feature sample set. For example, if the total number of features is large (e.g., greater than or equal to a first threshold), a support vector machine algorithm may be selected as the algorithm of the sub-classification module. If the total number of features is small (e.g., less than a first threshold), a decision tree algorithm may be selected as the algorithm for the sub-classification module. The present disclosure is not particularly limited thereto.
After training to obtain different sub-classification modules, the plurality of sub-classification modules are utilized to generate a hidden channel detection model.
With this scheme, the features included in the transmission feature sample sets are randomly extracted to obtain at least one class of transmission feature sample subsets, the sample data included in the sample data set are randomly extracted to obtain multiple sample data subsets, and different sub-classification modules are trained with different sample data subsets and different classes of transmission feature sample subsets. This further increases the difference between the sub-classification modules and thereby further improves the accuracy of the hidden channel detection model.
It is worth noting that, after the hidden channel detection model is generated, it may also be integrated into a security product. Because the language used for machine learning training is incompatible with the firewall back-end language, the hidden channel detection model obtained by machine learning training needs to be read into memory as a data structure. Taking a decision tree as an example, in memory each level of the decision tree can be evaluated with goto-style code, and when a leaf node is reached the detection result is returned, thereby solidifying the decision tree model.
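One way to hold a trained decision tree as an in-memory table and walk it until a leaf returns the result, as an added example rather than the patent's implementation. The row layout, feature names and thresholds are constructed, the loop stands in for the goto-style code, and the validation step is an addition so that a malformed table cannot index out of range or loop forever.

```python
"""Added example: a decision tree held as a flat node table and walked in a loop."""

LEAF = -1  # marker stored in the feature slot of a leaf row

# Constructed model. Row layout (an assumption of this example):
#   internal node: (feature_index, threshold, next_if_le, next_if_gt)
#   leaf:          (LEAF, label, 0, 0)   label 1 = hidden, 0 = non-hidden
FEATURES = ("up_bytes", "down_bytes", "payload_ratio")
TREE = (
    (0, 20000.0, 1, 2),  # row 0: up_bytes <= 20000 ?
    (LEAF, 0, 0, 0),     # row 1: little upload, non-hidden
    (2, 0.6, 3, 4),      # row 2: payload_ratio <= 0.6 ?
    (LEAF, 0, 0, 0),     # row 3: non-hidden
    (LEAF, 1, 0, 0),     # row 4: hidden
)


def validate(tree, n_features):
    """Reject a table that could index out of range or never reach a leaf."""
    if not tree:
        raise ValueError("empty tree")
    for i, (feat, value, le, gt) in enumerate(tree):
        if feat == LEAF:
            if value not in (0, 1):
                raise ValueError(f"row {i}: leaf label must be 0 or 1")
            continue
        if not 0 <= feat < n_features:
            raise ValueError(f"row {i}: feature index {feat} out of range")
        for child in (le, gt):
            # Children must sit later in the table, which rules out cycles
            # and bounds the walk by the number of rows.
            if not i < child < len(tree):
                raise ValueError(f"row {i}: child {child} is not a later row")


def classify(tree, vector):
    """Walk from row 0 to a leaf and return its label."""
    node = 0
    while True:
        feat, value, le, gt = tree[node]
        if feat == LEAF:
            return value
        node = le if vector[feat] <= value else gt


if __name__ == "__main__":
    validate(TREE, len(FEATURES))
    print(classify(TREE, (52000, 9000, 0.8)))  # constructed session vector
```
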
When the channel type of the channel to be detected is detected by using the hidden channel detection model generated based on the generation mode, the transmission characteristic set of the channel to be detected also comprises a plurality of transmission characteristic subsets. For example, the hidden channel detection model includes three sub-classification modules, and the transmission feature set includes three types of transmission feature subsets.
Step 102 in Fig. 1, determining a transmission feature set of the channel to be detected according to the target network protocol type, may be implemented as follows:
For each sub-classification module in the hidden channel detection model corresponding to the target network protocol type, the transmission feature subset of the channel to be detected that corresponds to the sub-classification module is determined according to the features included in the transmission feature sample subset input when the sub-classification module was trained.
Illustratively, the hidden channel detection model includes three sub-classification modules, denoted sub-classification module 1, sub-classification module 2 and sub-classification module 3. The features included in transmission feature sample subset 1 used to train sub-classification module 1, in transmission feature sample subset 2 used to train sub-classification module 2, and in transmission feature sample subset 3 used to train sub-classification module 3 are determined respectively. One class of transmission feature subset is then extracted from the session transmitted over the channel to be detected according to the features included in transmission feature sample subset 1, another class according to the features included in transmission feature sample subset 2, and a further class according to the features included in transmission feature sample subset 3.
For example, transmission feature sample subset 1 includes the upload byte count and download byte count features, transmission feature sample subset 2 includes the download byte count and payload ratio features, and transmission feature sample subset 3 includes the upload byte count and payload ratio features. The upload byte count, download byte count and payload ratio of the transmitted data are extracted from the session of the channel to be detected. Transmission feature subset 1 of the channel to be detected, corresponding to sub-classification module 1, is then generated from the upload byte count and download byte count; transmission feature subset 2, corresponding to sub-classification module 2, is generated from the download byte count and payload ratio; and transmission feature subset 3, corresponding to sub-classification module 3, is generated from the upload byte count and payload ratio.
Accordingly, step 103 in Fig. 1, determining the channel type of the channel to be detected according to the transmission feature set and the hidden channel detection model corresponding to the target network protocol type, may be implemented as follows:
First, for each sub-classification module, the transmission feature subset of the channel to be detected that corresponds to the sub-classification module is input into the sub-classification module to obtain the classification result output by the sub-classification module.
Illustratively, the transmission feature subset 1 is input into the sub-classification module 1 to obtain a classification result, the transmission feature subset 2 is input into the sub-classification module 2 to obtain a classification result, and the transmission feature subset 3 is input into the sub-classification module 3 to obtain a classification result.
Then, the channel type of the channel to be detected is determined according to the classification results output by the sub-classification modules.
In one possible manner, the classification result with the largest occurrence number among the classification results output by the plurality of sub-classification modules is determined as the target channel type of the channel to be detected. For example, the number of sub-classification modules is 20, and the 20 sub-classification modules output 20 classification results. If 15 classification results in the 20 classification results indicate that the channel to be detected is a hidden channel, determining that the target channel type of the channel to be detected is a hidden channel.
In another possible manner, considering that network security detection places strict requirements on false alarms for hidden channels, the mechanism for handling false alarms needs to be strengthened. For example, among the classification results output by the multiple sub-classification modules, if the number of classification results indicating that the channel to be detected is a non-hidden channel is greater than or equal to a third preset number, the target channel type of the channel to be detected is determined to be a non-hidden channel.
For example, it may be preset that the target channel type of the channel to be detected is determined to be a non-hidden channel if 15% or more of the classification results output by the sub-classification modules indicate that the channel to be detected is a non-hidden channel. That is, the third preset number is 15% × 20 = 3, and if, among the 20 classification results, the number of classification results indicating that the channel to be detected is a non-hidden channel is greater than or equal to 3, the target channel type of the channel to be detected is determined to be a non-hidden channel. The risk of falsely detecting a hidden channel can thus be effectively reduced.
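The training and voting procedure described above, carried end to end as an added example that is not the patent's code. A nearest-centroid classifier stands in for the SVM or decision tree sub-classification modules, the session values and feature names are constructed, and treating every case below the third preset number as hidden is an assumption of the example.

```python
"""Added example: random sample/feature subsets, per-module features, two voting rules."""
import itertools
import random

FEATURES = ("up_bytes", "down_bytes", "payload_ratio")


def _s(up, down, ratio, label):
    return ({"up_bytes": up, "down_bytes": down, "payload_ratio": ratio}, label)


# Constructed sample data set: each entry is one transmission feature sample set
# with its known channel type (1 = hidden, 0 = non-hidden).
SAMPLES = [
    _s(52000, 9000, 0.85, 1), _s(61000, 12000, 0.90, 1), _s(48000, 7000, 0.80, 1),
    _s(75000, 8000, 0.95, 1), _s(58000, 5000, 0.88, 1),
    _s(900, 40000, 0.30, 0), _s(700, 35000, 0.25, 0), _s(1200, 30000, 0.40, 0),
    _s(800, 52000, 0.20, 0), _s(1500, 45000, 0.35, 0),
]


class CentroidModule:
    """Stand-in sub-classification module: nearest class centroid on scaled features."""

    def __init__(self, features, samples):
        self.features = tuple(features)  # the feature subset this module was trained on
        cols = {f: [x[f] for x, _ in samples] for f in self.features}
        self.scale = {f: (max(v) - min(v)) or 1.0 for f, v in cols.items()}
        self.centroid = {}
        for label in (0, 1):
            rows = [x for x, y in samples if y == label]
            if not rows:
                raise ValueError("sample data subset lacks one channel type")
            self.centroid[label] = {f: sum(r[f] for r in rows) / len(rows)
                                    for f in self.features}

    def extract(self, session):
        """Detection time: keep only the features used when this module was trained."""
        return {f: session[f] for f in self.features}

    def predict(self, session):
        x = self.extract(session)

        def dist(label):
            return sum(((x[f] - self.centroid[label][f]) / self.scale[f]) ** 2
                       for f in self.features)

        return 1 if dist(1) < dist(0) else 0


def train_model(samples, n_modules, n_features, sample_fraction=0.8, seed=0):
    """One module per (random sample data subset, feature subset) pair."""
    rng = random.Random(seed)
    combos = list(itertools.combinations(FEATURES, n_features))
    rng.shuffle(combos)                        # a different extraction rule per module
    k = int(sample_fraction * len(samples))    # second preset number
    return [CentroidModule(combos[i % len(combos)], rng.sample(samples, k))
            for i in range(n_modules)]


def majority_vote(votes):
    """First rule: the most frequent classification result (ties go to non-hidden)."""
    return 1 if sum(votes) * 2 > len(votes) else 0


def guarded_vote(votes, third_preset):
    """Second rule: non-hidden as soon as enough modules say non-hidden."""
    return 0 if votes.count(0) >= third_preset else 1


def detect(modules, session, third_preset=None):
    votes = [m.predict(session) for m in modules]
    if third_preset is None:
        return majority_vote(votes)
    return guarded_vote(votes, third_preset)


if __name__ == "__main__":
    model = train_model(SAMPLES, n_modules=3, n_features=2, seed=7)
    probe = {"up_bytes": 60000, "down_bytes": 8000, "payload_ratio": 0.9}
    print([m.features for m in model], detect(model, probe))
```

With the 20-module figures from the text, 17 hidden votes and 3 non-hidden votes give a hidden verdict under the majority rule and a non-hidden verdict under the guarded rule with a third preset number of 3.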
Based on the same inventive concept, the disclosure also provides a detection device for a hidden channel. Fig. 2 is a block diagram illustrating a hidden channel detection apparatus according to an exemplary embodiment. As shown in fig. 2, the detection apparatus 200 for a hidden channel may include:
an obtaining module 201, configured to obtain a target network protocol type of a channel to be detected;
a first determining module 202, configured to determine a transmission feature set of the channel to be detected according to the target network protocol type;
a second determining module 203, configured to determine, according to the transmission feature set and a hidden channel detection model corresponding to the target network protocol type, a target channel type of the channel to be detected, where the target channel type includes a hidden channel and a non-hidden channel;
The hidden channel detection model corresponding to the target network protocol type is generated by the following generation mode:
performing random feature extraction in each transmission feature sample set of a known channel type of the target network protocol type to obtain at least one type of transmission feature sample subset corresponding to each transmission feature sample set of the known channel type, wherein the transmission feature sample set comprises a plurality of features, and a first preset number of features obtained by each extraction form one type of transmission feature sample subset;
for each class of transmission feature sample subsets of the transmission feature sample sets with known channel types, taking each transmission feature sample subset in that class as an input parameter and the known channel type corresponding to each transmission feature sample subset as an output parameter, and training to obtain a sub-classification module;
and generating the hidden channel detection model according to the multiple sub-classification modules obtained through training.
Optionally, the generating manner of the hidden channel detection model further includes:
carrying out multiple random sample data extraction in a sample data set to obtain multiple sample data subsets, wherein the sample data set comprises multiple sample data of the target network protocol type, each transmission characteristic sample set is one sample data, and a second preset number of sample data obtained by each extraction form one sample data subset;
The random feature extraction is performed in each transmission feature sample set of the known channel type of the target network protocol type, so as to obtain at least one class of transmission feature sample subset corresponding to each transmission feature sample set of the known channel type, including:
for each sub-set of sample data, performing a random feature extraction on each transmission feature sample set of a known channel type included in the sub-set of sample data to obtain a class of transmission feature sample sub-sets corresponding to each transmission feature sample set of the known channel type in the sub-set of sample data;
the training to obtain a sub-classification module includes:
and for each sample data subset, taking each transmission feature sample subset in the class of transmission feature sample subsets corresponding to the transmission feature sample sets of known channel types included in the sample data subset as an input parameter, taking the designated channel type corresponding to each transmission feature sample subset as an output parameter, and training to obtain a sub-classification module.
Optionally, the transmission characteristic sample set is extracted by the following way:
and extracting features from channel transmission data corresponding to each known channel type of the target network protocol type according to the feature extraction dimension corresponding to the target network protocol type, so as to obtain a transmission feature sample set corresponding to the known channel type of the target network protocol type.
Optionally, the extracting a feature from the channel transmission data corresponding to each known channel type of the target network protocol type according to the feature extracting dimension corresponding to the target network protocol type to obtain a transmission feature sample set corresponding to the known channel type of the target network protocol type, including:
feature combination is carried out on the extracted features with different dimensions, and a transmission feature original sample set of the target network protocol type corresponding to the known channel type is obtained;
determining a Gini coefficient for each feature in the transmission feature original sample set;
and generating a transmission feature sample set by using the first M features in ascending order of Gini coefficient, wherein M is an integer greater than zero and less than the total number of features in the transmission feature original sample set.
Optionally, the extracting a feature from the channel transmission data corresponding to each known channel type of the target network protocol type according to the feature extracting dimension corresponding to the target network protocol type to obtain a transmission feature sample set corresponding to the known channel type of the target network protocol type, and further includes:
determining, in ascending order of Gini coefficient, the remaining N-M features as features to be cleaned, wherein N is the total number of features in the transmission feature original sample set;
performing cluster analysis on the features to be cleaned and the known channel types corresponding to the transmission feature original sample set, and outputting a clustering result;
acquiring to-be-retained characteristics determined by a user aiming at the clustering result of the to-be-cleaned characteristics;
and generating a transmission characteristic sample set by using the first M characteristics and the characteristics to be reserved.
Optionally, the transmission feature set comprises a subset of transmission features of multiple classes; the first determining module 202 includes:
an input sub-module, configured to input, for each sub-classification module, a subset of transmission features of the channel to be detected, where the subset corresponds to the sub-classification module, so as to obtain a classification result output by the sub-classification module;
and a determining sub-module, configured to determine the channel type of the channel to be detected according to the classification results output by the sub-classification modules.
Optionally, the determining submodule is configured to:
determining the classification result with the largest number of occurrences among the classification results output by the sub-classification modules as the target channel type of the channel to be detected; or
among the classification results output by the sub-classification modules, if the number of classification results indicating that the channel to be detected is a non-hidden channel is greater than or equal to a third preset number, determining that the target channel type of the channel to be detected is a non-hidden channel.
Optionally, the features included in the transmission feature set are extracted based on a session.
The specific manner in which the modules of the apparatus in the above embodiments perform their operations has been described in detail in connection with the method embodiments and will not be repeated here.
Fig. 3 is a block diagram of an electronic device, according to an example embodiment. As shown in fig. 3, the electronic device 300 may include: a processor 301, a memory 302. The electronic device 300 may also include one or more of a multimedia component 303, an input/output (I/O) interface 304, and a communication component 305.
The processor 301 is configured to control the overall operation of the electronic device 300 to perform all or part of the steps in the above-mentioned hidden channel detection method. The memory 302 is used to store various types of data to support operation of the electronic device 300, which may include, for example, instructions for any application or method operating on the electronic device 300, as well as application-related data such as contact data, transceived messages, pictures, audio, video, and the like. The memory 302 may be implemented by any type of volatile or non-volatile memory device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk, or optical disk. The multimedia component 303 may include a screen and an audio component. The screen may be, for example, a touch screen, and the audio component is used for outputting and/or inputting audio signals. For example, the audio component may include a microphone for receiving external audio signals. The received audio signals may be further stored in the memory 302 or transmitted through the communication component 305. The audio component further comprises at least one speaker for outputting audio signals. The I/O interface 304 provides an interface between the processor 301 and other interface modules, which may be a keyboard, a mouse, buttons, etc. These buttons may be virtual buttons or physical buttons. The communication component 305 is used for wired or wireless communication between the electronic device 300 and other devices.
The wireless communication may be, for example, Wi-Fi, Bluetooth, near field communication (NFC), 2G, 3G, 4G, NB-IoT, eMTC, or others such as 5G, or a combination of one or more of them, and is not limited herein. Accordingly, the communication component 305 may comprise a Wi-Fi module, a Bluetooth module, an NFC module, etc.
In an exemplary embodiment, the electronic device 300 may be implemented by one or more application specific integrated circuits (Application Specific Integrated Circuit, abbreviated as ASIC), digital signal processor (Digital Signal Processor, abbreviated as DSP), digital signal processing device (Digital Signal Processing Device, abbreviated as DSPD), programmable logic device (Programmable Logic Device, abbreviated as PLD), field programmable gate array (Field Programmable Gate Array, abbreviated as FPGA), controller, microcontroller, microprocessor, or other electronic component for performing the above-described hidden channel detection method.
In another exemplary embodiment, a computer readable storage medium is also provided, comprising program instructions which, when executed by a processor, implement the steps of the above-described hidden channel detection method. For example, the computer readable storage medium may be the memory 302 including program instructions described above, which are executable by the processor 301 of the electronic device 300 to perform the method of detecting a covert channel described above.
The preferred embodiments of the present disclosure have been described in detail above with reference to the accompanying drawings, but the present disclosure is not limited to the specific details of the above embodiments, and various simple modifications may be made to the technical solutions of the present disclosure within the scope of the technical concept of the present disclosure, and all the simple modifications belong to the protection scope of the present disclosure.
In addition, the specific features described in the above embodiments may be combined in any suitable manner without contradiction. The various possible combinations are not described further in this disclosure in order to avoid unnecessary repetition.
Moreover, the various embodiments of the present disclosure may be combined in any manner, and such combinations should likewise be regarded as content disclosed herein as long as they do not depart from the spirit of the present disclosure.

Claims (12)

1. A method for detecting a covert channel, comprising:
acquiring a target network protocol type of a channel to be detected;
determining a transmission characteristic set of the channel to be detected according to the target network protocol type;
determining a target channel type of the channel to be detected according to the transmission characteristic set and a hidden channel detection model corresponding to the target network protocol type, wherein the target channel type comprises a hidden channel and a non-hidden channel;
the hidden channel detection model corresponding to the target network protocol type is generated by the following generation mode:
performing random feature extraction in each transmission feature sample set of a known channel type of the target network protocol type to obtain at least one type of transmission feature sample subset corresponding to each transmission feature sample set of the known channel type, wherein the transmission feature sample set comprises a plurality of features, and a first preset number of features obtained by the same extraction in each transmission feature sample set form one type of transmission feature sample subset;
for each class of transmission feature sample subsets of the transmission feature sample sets of known channel type, taking each transmission feature sample subset in that class as an input parameter, taking the known channel type corresponding to each transmission feature sample subset as an output parameter, and training to obtain a sub-classification module;
and generating the hidden channel detection model according to the multiple sub-classification modules obtained through training.
2. The detection method according to claim 1, wherein the generation mode of the hidden channel detection model further includes:
carrying out multiple random sample data extraction in a sample data set to obtain multiple sample data subsets, wherein the sample data set comprises multiple sample data of the target network protocol type, each transmission characteristic sample set is one sample data, and a second preset number of sample data obtained by each extraction form one sample data subset;
the random feature extraction is performed in each transmission feature sample set of the known channel type of the target network protocol type, so as to obtain at least one class of transmission feature sample subset corresponding to each transmission feature sample set of the known channel type, including:
for each sample data subset, performing one random feature extraction on each transmission feature sample set of a known channel type included in the sample data subset, to obtain one class of transmission feature sample subsets corresponding to the transmission feature sample sets of known channel type in the sample data subset;
the training to obtain a sub-classification module includes:
and, for each sample data subset, taking each transmission feature sample subset in the class of transmission feature sample subsets corresponding to the transmission feature sample sets of known channel types included in the sample data subset as an input parameter, taking the designated channel type corresponding to each transmission feature sample subset as an output parameter, and training to obtain a sub-classification module.
3. The detection method according to claim 1 or 2, wherein the set of transmission characteristic samples is extracted by:
extracting features from channel transmission data corresponding to each known channel type of the target network protocol type according to the feature extraction dimension corresponding to the target network protocol type, so as to obtain a transmission feature sample set corresponding to the known channel type of the target network protocol type.
4. The method according to claim 3, wherein the extracting the feature from the channel transmission data corresponding to each of the known channel types of the target network protocol type according to the feature extraction dimension corresponding to the target network protocol type to obtain the transmission feature sample set corresponding to the known channel type of the target network protocol type includes:
feature combination is carried out on the extracted features with different dimensions, and a transmission feature original sample set of the target network protocol type corresponding to the known channel type is obtained;
determining a Gini coefficient for each feature in the transmission feature original sample set;
and generating a transmission feature sample set from the first M features in ascending order of Gini coefficient, wherein M is an integer greater than zero and less than the total number of features in the transmission feature original sample set.
5. The method according to claim 4, wherein the extracting of features from channel transmission data corresponding to each of the known channel types of the target network protocol type according to the feature extraction dimension corresponding to the target network protocol type, to obtain a transmission feature sample set corresponding to the known channel type of the target network protocol type, further comprises:
determining, according to the ascending order of Gini coefficient, N-M features as features to be cleaned, wherein N is the total number of features in the transmission feature original sample set;
performing cluster analysis on the known channel types corresponding to the features to be cleaned and the transmission feature original sample set, and outputting a clustering result;
acquiring features to be retained that are determined by a user for the clustering result of the features to be cleaned;
and generating the transmission feature sample set from the first M features and the features to be retained.
6. The detection method according to claim 1, wherein the set of transmission features comprises a subset of transmission features of multiple classes;
the determining the transmission characteristic set of the channel to be detected according to the target network protocol type includes:
for each sub-classification module in the hidden channel detection model corresponding to the target network protocol type, determining the transmission feature subset of the channel to be detected that corresponds to the sub-classification module, according to the features included in the transmission feature sample subset input when the sub-classification module was trained.
7. The method according to claim 6, wherein the determining the channel type of the channel to be detected according to the hidden channel detection model corresponding to the transmission feature set and the target network protocol type includes:
for each sub-classification module, inputting the transmission feature subset of the channel to be detected that corresponds to the sub-classification module into the sub-classification module, so as to obtain a classification result output by the sub-classification module;
and determining the channel type of the channel to be detected according to the classification results output by the sub-classification modules.
8. The method according to claim 7, wherein determining the target channel type of the channel to be detected according to the classifications output by the plurality of sub-classification modules comprises:
determining the classification result that occurs most often among the classification results output by the sub-classification modules as the target channel type of the channel to be detected; or
if, among the classification results output by the sub-classification modules, the number of classification results indicating that the channel to be detected is the non-hidden channel is greater than or equal to a third preset number, determining that the target channel type of the channel to be detected is the non-hidden channel.
9. The method of claim 1, wherein the set of transmission features includes features that are extracted based on a session.
10. A hidden channel detection apparatus, comprising:
the acquisition module is used for acquiring the target network protocol type of the channel to be detected;
the first determining module is used for determining a transmission characteristic set of the channel to be detected according to the target network protocol type;
the second determining module is used for determining a target channel type of the channel to be detected according to the transmission characteristic set and a hidden channel detection model corresponding to the target network protocol type, wherein the target channel type comprises a hidden channel and a non-hidden channel;
the hidden channel detection model corresponding to the target network protocol type is generated by the following generation mode:
performing random feature extraction in each transmission feature sample set of a known channel type of the target network protocol type to obtain at least one type of transmission feature sample subset corresponding to each transmission feature sample set of the known channel type, wherein the transmission feature sample set comprises a plurality of features, and a first preset number of features obtained by the same extraction in each transmission feature sample set form one type of transmission feature sample subset;
for each class of transmission feature sample subsets of the transmission feature sample sets of known channel type, taking each transmission feature sample subset in that class as an input parameter, taking the known channel type corresponding to each transmission feature sample subset as an output parameter, and training to obtain a sub-classification module;
and generating the hidden channel detection model according to the multiple sub-classification modules obtained through training.
11. A computer readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the steps of the method according to any one of claims 1-9.
12. An electronic device, comprising:
a memory having a computer program stored thereon;
a processor for executing the computer program in the memory to carry out the steps of the method of any one of claims 1-9.
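The generation mode of claims 1 and 2 and the per-module feature routing and voting of claims 6 to 8, as an added Python example (not code from the patent). Assumptions: the feature names and sample values are constructed, each sub-classification module is a one-split decision stump scored by Gini impurity, sample subsets are drawn without replacement, and the threshold rule returns "hidden" when too few modules report non-hidden.

```python
import random
from collections import Counter

HIDDEN, NORMAL = "hidden", "non-hidden"

def gini(labels):
    """Gini impurity of a label list (0.0 = pure)."""
    return 1.0 - sum((c / len(labels)) ** 2 for c in Counter(labels).values())

def top(labels):
    return Counter(labels).most_common(1)[0][0]

def train_stump(rows, labels, feats):
    """One sub-classification module: best single-threshold split on its own features."""
    best = (2.0, None, None, None, top(labels))  # fallback: constant majority label
    for f in feats:
        for t in sorted({r[f] for r in rows}):
            left = [y for r, y in zip(rows, labels) if r[f] <= t]
            right = [y for r, y in zip(rows, labels) if r[f] > t]
            if right:
                score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
                if score < best[0]:
                    best = (score, f, t, top(left), top(right))
    return {"feats": feats, "split": best[1:]}

def train_model(samples, labels, n_modules, n_feats, n_samples, seed=0):
    rng, names, model = random.Random(seed), sorted(samples[0]), []
    for _ in range(n_modules):
        idx = rng.sample(range(len(samples)), n_samples)  # sample data subset (claim 2)
        feats = rng.sample(names, n_feats)  # same features taken from every sample (claim 1)
        rows = [{f: samples[i][f] for f in feats} for i in idx]
        model.append(train_stump(rows, [labels[i] for i in idx], feats))
    return model

def module_results(model, features):
    """Feed each module only the features it was trained on (claims 6 and 7)."""
    out = []
    for m in model:
        sub = {k: features[k] for k in m["feats"]}
        f, t, low, high = m["split"]
        out.append(high if f is None or sub[f] > t else low)
    return out

def decide(results, min_normal=None):
    """Claim 8: most frequent result, or non-hidden only with >= min_normal such results."""
    if min_normal is None:
        return top(results)
    return NORMAL if results.count(NORMAL) >= min_normal else HIDDEN

# Constructed per-session samples; feature names are hypothetical, not the patent's.
KEYS = ("qname_len", "entropy", "queries_per_min", "txt_ratio")
RAW = [(18, 2.1, 4, 0.00), (22, 2.4, 6, 0.01), (15, 1.9, 3, 0.00), (25, 2.6, 8, 0.02),
       (61, 3.9, 40, 0.60), (74, 4.2, 55, 0.80), (58, 3.8, 35, 0.50), (80, 4.4, 70, 0.90)]
SAMPLES = [dict(zip(KEYS, r)) for r in RAW]
LABELS = [NORMAL] * 4 + [HIDDEN] * 4
MODEL = train_model(SAMPLES, LABELS, n_modules=5, n_feats=2, n_samples=6)
```

With `min_normal` set, a single dissenting module is enough to flag the channel, which trades more false positives for fewer missed covert channels than the majority rule.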
CN202011529236.6A 2020-12-22 2020-12-22 Method and device for detecting hidden channel, readable storage medium and electronic equipment Active CN112615713B (en)

Publications (2)

Publication Number Publication Date
CN112615713A 2021-04-06
CN112615713B 2024-02-23

Family

ID=75244149

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant