CN113938315A - Hidden channel detection method, device, equipment and storage medium - Google Patents

Info

Publication number: CN113938315A
Authority: CN (China)
Prior art keywords: flow, ssl, hidden channel, channel detection, preset threshold
Legal status: Granted
Application number: CN202111413625.7A
Other languages: Chinese (zh)
Other versions: CN113938315B (en)
Inventor: 邵瑞
Current Assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original Assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Priority to CN202111413625.7A
Publication of CN113938315A
Application granted
Publication of CN113938315B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/044 Recurrent networks, e.g. Hopfield networks
    • G06N3/08 Learning methods

Abstract

The disclosed embodiments relate to a covert channel detection method, apparatus, device and storage medium. The method comprises: acquiring the traffic exchanged between a client and a server in the handshake phase; performing feature extraction on that traffic to obtain features related to a Secure Sockets Layer (SSL) covert channel; encoding the extracted features to obtain the corresponding feature vectors; and inputting the feature vectors into a preset covert channel detection model, which performs SSL covert channel detection. Because the preset model judges whether an SSL covert channel exists in the traffic from the SSL covert channel related features of the handshake-phase traffic, the embodiments meet the current requirement for an SSL covert channel detection method and can effectively improve detection accuracy.

Description

Hidden channel detection method, device, equipment and storage medium
Technical Field
The embodiments of the present disclosure relate to the technical field of computer network security, and in particular to a method, apparatus, device and storage medium for detecting a covert channel.
Background
A network covert channel can easily bypass firewall and intrusion detection system (IDS) checks to attack a network. The Secure Sockets Layer (SSL) protocol is a protocol for secure transmission that applies encryption to protect the confidentiality of communication contents; ordinary firewalls and Network Address Translation (NAT) devices essentially cannot intercept SSL traffic, and the HTTPS service built on SSL is extremely popular, so a new type of covert channel that uses SSL as its bearer protocol has appeared.
In the related art, detection methods for SSL covert channels are usually only used to detect whether an encrypted Trojan is present in the covert channel, and they do so according to the behavioural characteristics of known Trojan operation; they cannot detect whether the SSL covert channel itself exists, so the prior art cannot meet the current requirement for SSL covert channel detection. A method for detecting SSL covert channels is therefore needed to overcome the shortcomings of existing covert channel detection methods.
Disclosure of Invention
To solve, or at least partially solve, the technical problem above, embodiments of the present disclosure provide a covert channel detection method, apparatus, device and storage medium.
A first aspect of the embodiments provides a method for detecting a covert channel, the method comprising:
acquiring the traffic exchanged between a client and a server in the handshake phase; performing feature extraction on that traffic to obtain features related to a Secure Sockets Layer (SSL) covert channel; encoding the extracted features to obtain the corresponding feature vectors; and inputting the feature vectors into a preset covert channel detection model, which performs SSL covert channel detection.
A second aspect of the embodiments provides a covert channel detection apparatus, comprising:
an acquisition module for acquiring the traffic of the client and the server in the handshake phase;
an extraction module for performing feature extraction on the traffic to obtain features related to an SSL covert channel;
an encoding module for encoding the features to obtain the corresponding feature vectors;
and a detection module for inputting the feature vectors into a preset covert channel detection model and performing SSL covert channel detection with that model.
A third aspect of the embodiments provides a computing device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, may implement the method of the first aspect.
A fourth aspect of the embodiments provides a computer-readable storage medium storing a computer program which, when executed by a processor, may implement the method of the first aspect.
Compared with the prior art, the technical solution provided by the embodiments of the present disclosure has the following advantages:
according to the embodiments, the traffic of the client and the server in the handshake phase is acquired; feature extraction is performed on it to obtain SSL covert channel related features; the extracted features are encoded into the corresponding feature vectors; and the feature vectors are input into a preset covert channel detection model, which performs SSL covert channel detection. Because the preset model judges whether an SSL covert channel exists in the traffic from the SSL covert channel related features of the handshake-phase traffic, the current requirement for an SSL covert channel detection method is met and the detection accuracy can be effectively improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and, together with the description, serve to explain its principles.
To illustrate the embodiments of the present disclosure or the prior art more clearly, the drawings used in their description are briefly introduced below; those skilled in the art can obviously obtain other drawings from them without inventive effort.
Fig. 1 is a flowchart of a training method for a covert channel detection model according to an embodiment of the present disclosure;
Fig. 2 is a flowchart of a covert channel detection method provided by an embodiment of the disclosure;
Fig. 3 is a schematic structural diagram of a covert channel detection apparatus according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, aspects of the disclosure are further described below. The embodiments, and the features of the embodiments, may be combined with each other where they do not conflict.
In the following description numerous specific details are set forth to provide a thorough understanding of the present disclosure; the disclosure may however be practised in ways other than those described here, and the embodiments disclosed in the specification are only some, not all, of its embodiments.
Fig. 1 is a flowchart of a training method for a covert channel detection model according to an embodiment of the present disclosure. The method may be executed by a computing device, which may be understood as any device with computing and processing capability. As shown in Fig. 1, the training method of the covert channel detection model provided in this embodiment comprises the following steps:
Step 101: select positive samples and negative samples from network traffic to form a data set for model training.
The traffic referred to in the embodiments of the present disclosure may be understood as the amount of data transmitted.
In the embodiments, a positive sample may be understood as normal traffic that does not contain an SSL covert channel, and a negative sample as abnormal traffic that does contain an SSL covert channel; together the positive and negative samples form the data set for model training. The Secure Sockets Layer (SSL) is a security protocol that provides confidentiality and data integrity for network communication and thereby secures data transmitted over the internet; by applying data encryption it ensures that data is not intercepted or eavesdropped upon in transit. A covert channel is a communication channel that allows a process to transfer information in a manner that violates the security policy of the system; in short, it is a channel that is not by nature intended to carry information.
Step 102: acquire from the data set the traffic of the client and the server in the handshake phase, and perform feature extraction on that traffic to obtain features related to a Secure Sockets Layer (SSL) covert channel.
SSL communication can be divided into a handshake phase and a data transmission phase. The handshake phase is the process in which the client and the server establish communication security parameters and confirm each other's identities; during it the client and the server have not yet established a complete data connection or produced actual data communication. The handshake phase is therefore easier to hide information in than the data transmission phase, and most SSL covert channels are established during the handshake.
In the embodiments, performing feature extraction on the handshake-phase traffic to obtain the SSL covert channel related features comprises steps S11 and S12:
S11: extract from the traffic the random number in the Client Hello message, the server name indication (SNI) field, the amount of certificate information, the timing characteristics of the data interaction, and the background traffic.
S12: from each of these, determine respectively the character repetition rate or entropy value of the random number, the proportion of traffic in which the SNI field is empty, the proportion of certificate information in the traffic, the timing characteristic value of the data interaction, and the proportion of background traffic in the traffic.
The Client Hello message is the message the client sends to the server; after receiving it, the server returns a Server Hello message. This exchange is how the client and the server negotiate security parameters in the handshake phase. An SSL covert channel often chooses to forge the Client Hello message, and the information it carries is often hidden in the 28-byte random number of that message. The random number is used to generate the symmetric key for the session, and modifying the random number field does not affect the Client Hello message, so the field is likely to be used to construct a covert channel. The character repetition rate or entropy of the random number in the Client Hello message can be used to evaluate its complexity: the higher the complexity of the random number, the larger its character repetition rate or entropy, and the higher the probability that the traffic contains an SSL covert channel. Thus the character repetition rate or entropy value of the random number in the Client Hello message can be selected as an SSL covert channel related feature.
The server name indication (SNI) field carries the domain name of the server accessed by the client and is used to locate and identify a host during data transmission. A normal message carries the SNI field, whereas in a covert channel the SNI field is usually empty; the larger the proportion of traffic in which the SNI field is empty, the higher the probability that the traffic contains an SSL covert channel. Thus the proportion of traffic in which the SNI field is empty can be selected as an SSL covert channel related feature.
The certificate can be understood as a message by which the server and the client authenticate encrypted information; it includes the certificate's public key, validity period, standard deviation and other information. A legitimate certificate carries a complete amount of information, whereas the certificate of a covert channel is likely to be forged and to contain many empty fields, that is, a small amount of certificate information. The smaller the amount of certificate information in the traffic, the greater the probability that the traffic contains an SSL covert channel. Thus the amount of certificate information can be selected as an SSL covert channel related feature.
The timing characteristics of the data interaction are characteristics of the data exchanged within a certain period, including the numbers of uplink and downlink bytes, the numbers of uplink and downlink packets, the time to complete a data interaction and the average packet length. The time to complete a data interaction is the time from sending a packet to receiving the corresponding reply, and the average packet length is the average size of the packets of differing sizes within the period. Normal traffic has a complete interaction process: a packet that is sent receives a corresponding reply; for example, the client sends a packet to the server and the server, after receiving and processing it, returns a packet carrying the reply. The content carried by a covert channel often has no data: the client sends packets to the server through the covert channel and the server does not necessarily reply. Compared with normal traffic, an SSL covert channel therefore has strong timing characteristics: its numbers of uplink and downlink bytes and packets are small, its data interaction time is short and its average packet length is small. A timing characteristic value can be used to evaluate these characteristics comprehensively, and the smaller that value, the greater the probability that the traffic contains an SSL covert channel. Thus the timing characteristic value of the data interaction can be selected as an SSL covert channel related feature.
Background traffic is traffic carried by a communication protocol other than the normal one, for example traffic carried by the Domain Name System (DNS) protocol alongside the HTTPS traffic. In normal traffic the background traffic stays within a normal range, whereas a covert channel often performs normal access behaviour with the same or different clients as a form of traffic confusion, mixing traffic of various communication protocols, so the background traffic of a covert channel is usually larger than that of normal traffic. The amount of background traffic can be evaluated by its proportion of the traffic, and the larger that proportion, the greater the probability that the traffic contains an SSL covert channel. Thus the proportion of background traffic in the traffic can be selected as an SSL covert channel related feature.
Traffic samples obtained from the network are often complex and contain a large amount of interfering data, such as redundant packets, packets with zero payload, unidirectional data streams and heartbeat packets, which affect the accuracy of model training. To reduce this interference and improve the quality of the data set, in some embodiments at least one of the following is removed from the traffic before the handshake-phase features are extracted: redundant packets, packets with zero payload, unidirectional data streams and heartbeat packets. A redundant packet is a superfluous repeated packet; a packet with zero payload has a legal message structure but carries effective data of zero length; a unidirectional data stream transmits data in a single direction only, whereas establishing a covert channel usually requires bidirectional interaction; a heartbeat packet is a self-defined command word by which the client and the server regularly inform each other of their state, sent at a fixed interval like a heartbeat, hence its name.
Step 103: encode the features to obtain the corresponding feature vectors.
In the embodiments, once the SSL covert channel related features have been extracted they are encoded; an existing encoding model can be used to convert the feature information into a vector representation, giving the feature vector corresponding to the features.
Step 104: input the feature vectors into a recurrent neural network for model training to obtain the covert channel detection model.
A recurrent neural network (RNN) takes sequence data as input, recurses along the direction in which the sequence evolves, and connects all of its nodes (recurrent units) in a chain. Covert channel detection must take the time ordering of the data into account; as a bidirectional deep network the RNN can detect a time series effectively in real time and handles the sequence problem well, and deep learning can be understood as the process of adjusting the weights of the connections between neurons.
In the embodiments a long short-term memory (LSTM) network can be selected for model training. The LSTM is a time-recurrent neural network designed specifically to solve the long-term dependency problem of a general RNN. Its gating mechanism establishes long-range temporal dependencies: each neuron processes the current node to form its own state variable and selectively retains the useful part of the information processed at the previous node, so that through iteration the last neuron at the end of the sequence contains the information of the whole sequence and the dependencies between adjacent neurons, yielding a better global optimum. The sample data in the data set are trained by the LSTM neural network layer to finally form a model that can be used to detect the covert channel.
Specifically, each feature vector of the positive and negative samples in the data set is input into the LSTM for model training so that the model learns a weight value for each feature; the magnitude of a feature's weight value reflects how confidently that feature indicates traffic containing an SSL covert channel. A corresponding preset threshold is set for the weight value of each feature: the weight value corresponding to the character repetition rate or entropy of the random number in the Client Hello message is set as a first preset threshold, that of the proportion of empty SNI fields as a second preset threshold, that of the proportion of certificate information in the traffic as a third preset threshold, that of the timing characteristic value of the data interaction as a fourth preset threshold, and that of the proportion of background traffic in the traffic as a fifth preset threshold. Through multiple rounds of iterative training on the positive and negative samples, the preset threshold of each feature is corrected to obtain its optimal value, and the model learns the following conditions for comprehensively judging, from the preset thresholds, that an SSL covert channel exists in the traffic:
the character repetition rate or entropy value of the random number in the Client Hello message is larger than the first preset threshold; the proportion of empty SNI fields is larger than the second preset threshold; the proportion of certificate information in the traffic is smaller than the third preset threshold; the timing characteristic value of the data interaction is smaller than the fourth preset threshold; and the proportion of background traffic in the traffic is larger than the fifth preset threshold.
The first to fifth preset thresholds referred to in the embodiments are merely the distinct preset thresholds corresponding to the respective SSL covert channel related features and carry no other meaning.
When the feature vector input to the model satisfies all of these conditions at once, the model outputs the result that the traffic contains an SSL covert channel; when the input feature vector cannot satisfy all of the conditions at once, the model outputs the result that the traffic does not contain an SSL covert channel.
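As an added example that is not code from the patent or its assignee, the following Python implements the Client Hello side of steps S11 and S12 together with the five-condition rule of step 104: it parses constructed ClientHello records, takes the 28-byte random number and the SNI, computes the random number's entropy and character repetition rate and the share of empty SNI fields across a flow, and applies the conjunction of thresholds. The threshold values, the record builder, and the certificate, timing and background-traffic inputs are assumptions made here; the patent learns the thresholds during training and states no values.

```python
import math
import struct
from collections import Counter

# Placeholder thresholds: the patent learns them during LSTM training and gives no values.
PLACEHOLDER_THRESHOLDS = {"random_entropy": 4.5, "sni_empty_ratio": 0.5,   # 1st, 2nd
                          "cert_info_ratio": 0.2, "timing_value": 0.3,     # 3rd, 4th
                          "background_ratio": 0.4}                         # 5th

def build_client_hello(random32, sni):
    """Constructed minimal TLS 1.2 ClientHello record (test input, not captured traffic).
    sni=None omits the server_name extension; sni="" sends an empty host name."""
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        name_list = b"\x00" + struct.pack("!H", len(host)) + host   # one host_name entry
        ext_data = struct.pack("!H", len(name_list)) + name_list
        exts = struct.pack("!HH", 0, len(ext_data)) + ext_data      # extension type 0 = SNI
    body = (b"\x03\x03" + random32 + b"\x00"                        # version, random, no session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"                     # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return (random28, sni) for a ClientHello record, else None (also for truncated input).
    random28 drops the 4-byte timestamp; the patent names the 28 remaining bytes as the hiding place."""
    try:
        if record[0] != 0x16:                                       # not a handshake record
            return None
        handshake = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if handshake[0] != 0x01:
            return None
        body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
        pos = 2                                                     # skip client_version
        random32, pos = body[pos:pos + 32], pos + 32
        if len(random32) != 32:
            return None
        pos += 1 + body[pos]                                        # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]        # cipher suites
        pos += 1 + body[pos]                                        # compression methods
        sni = ""
        if pos + 2 <= len(body):                                    # extensions block is optional
            end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                edata, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
                if etype == 0 and len(edata) >= 5:                  # list len(2) type(1) name len(2) name
                    name_len = struct.unpack("!H", edata[3:5])[0]
                    sni = edata[5:5 + name_len].decode("ascii", "replace")
        return random32[4:], sni
    except (IndexError, struct.error):
        return None

def shannon_entropy(data):
    """Byte entropy in bits: 0 for a constant string, log2(len) when every byte differs."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def repetition_rate(data):
    """Share of bytes that repeat an earlier value: 1 - distinct / total."""
    return 1 - len(set(data)) / len(data)

def handshake_features(records):
    """Per-flow features from the Client Hello side (step S12): mean entropy and repetition
    rate of the random number, and the share of empty SNI fields. None if nothing parses."""
    parsed = [p for p in map(parse_client_hello, records) if p is not None]
    if not parsed:
        return None
    n = len(parsed)
    return {"random_entropy": sum(shannon_entropy(r) for r, _ in parsed) / n,
            "random_repetition": sum(repetition_rate(r) for r, _ in parsed) / n,
            "sni_empty_ratio": sum(1 for _, s in parsed if not s) / n}

def contains_ssl_covert_channel(features, thresholds=PLACEHOLDER_THRESHOLDS):
    """The patent's rule: all five conditions, each in the direction the text states, must hold.
    The certificate, timing and background-traffic values are supplied by the caller."""
    t = thresholds
    return (features["random_entropy"] > t["random_entropy"]
            and features["sni_empty_ratio"] > t["sni_empty_ratio"]
            and features["cert_info_ratio"] < t["cert_info_ratio"]
            and features["timing_value"] < t["timing_value"]
            and features["background_ratio"] > t["background_ratio"])

if __name__ == "__main__":
    stamp = b"\x00\x00\x00\x00"                                     # constructed gmt_unix_time
    flows = {"no-sni flow": [build_client_hello(stamp + bytes(range(28)), None)] * 3,
             "sni flow": [build_client_hello(stamp + bytes(range(28)), "example.com")]}
    for name, records in flows.items():
        f = handshake_features(records)
        f.update(cert_info_ratio=0.05, timing_value=0.1, background_ratio=0.6)   # constructed
        print(name, f, "covert" if contains_ssl_covert_channel(f) else "benign")
```

The certificate, timing and background-traffic features are taken as already computed numbers because they come from other parts of the flow than the Client Hello; only the direction of each comparison is fixed by the patent text.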
Compared with the prior art, the technical solution provided by the embodiments of the present disclosure has the following advantages:
according to the embodiments, positive and negative samples are selected from network traffic to form a data set for model training; features are extracted from the handshake-phase traffic of the client and the server in the data set to obtain SSL covert channel related features; the features are encoded into the corresponding feature vectors; and the feature vectors are input into a recurrent neural network for model training to obtain the covert channel detection model. Training the covert channel detection model on SSL covert channel related features yields a model that can be applied to SSL covert channel detection, meets the current requirement for an SSL covert channel detection method, and can effectively improve detection accuracy.
Fig. 2 is a flow chart of a method of covert channel detection provided by an embodiment of the disclosure, which may be performed by a computing device. The computing device may be understood as any device having computing functionality and processing capabilities. As shown in fig. 2, the hidden channel detection method provided in this embodiment includes the following steps:
step 201, obtaining the flow of the client and the server in the handshake phase.
The traffic referred to in the embodiments of the present disclosure may be understood as the amount of data transmitted.
The handshake phase of the embodiments of the present disclosure may be understood as a process of establishing communication security parameters between the client and the server, which are used to confirm identities of the client and the server, and the client and the server do not establish a complete data connection and generate an actual data communication behavior in the handshake process.
Step 202, feature extraction processing is performed on the flow to obtain features related to a secure socket protocol (SSL) covert channel.
The feature extraction process in the embodiment of the disclosure is the same as the steps S11-S12 in step 102 of fig. 1, and is not described here again.
The traffic acquired from the network is often complex, and contains a large amount of interference data such as redundant data packets, data packets with zero payload, unidirectional data streams, heartbeat packets, and the like, which affect the accuracy of the detection result of the hidden channel, and in order to reduce the interference of the data on the detection result and improve the accuracy of the detection result, in some embodiments of the present disclosure, at least one of the following data may be removed from the traffic before performing feature extraction processing on the traffic to obtain features related to the secure socket protocol SSL hidden channel: redundant data packets, data packets with zero payload, unidirectional data streams, and heartbeat packets filter data, and the meaning of related data culling is already described in step 102 of fig. 1 and will not be described herein again.
And 203, coding the features to obtain feature vectors corresponding to the features.
In the embodiment of the disclosure, after the extraction of the features related to the SSL hidden channel is completed, the features are encoded, and an existing encoding model can be used to encode the features, so as to convert the feature information into a vector for representation, thereby obtaining a feature vector corresponding to the features.
And step 204, inputting the feature vector into a preset hidden channel detection model, and performing SSL hidden channel detection based on the hidden channel detection model.
In the embodiment of the present disclosure, the preset hidden channel detection model is the hidden channel detection model obtained by training in fig. 1, the feature vector is input into the hidden channel detection model, SSL hidden channel detection is performed based on the hidden channel detection model, and when the conditions are satisfied at the same time: the character repetition rate or entropy value of the random number in the client greeting message is larger than a first preset threshold value; the occupation ratio of the server name indication field SNI being empty is larger than a second preset threshold; the proportion of the certificate information amount in the flow is smaller than a third preset threshold value; the time sequence characteristic value of data interaction is smaller than a fourth preset threshold value; when the proportion of the background flow in the flow is larger than a fifth preset threshold value, the hidden channel detection model outputs a result that the flow contains an SSL hidden channel; when the input feature vectors cannot simultaneously meet the conditions, the model outputs the result that the traffic does not contain the SSL hidden channel.
Compared with the prior art, the technical solution provided by the embodiment of the disclosure has the following advantages:
According to the embodiment of the disclosure, the traffic exchanged between the client and the server during the handshake phase is obtained; feature extraction is performed on the traffic to obtain features related to a Secure Sockets Layer (SSL) covert channel; the extracted features are encoded to obtain the corresponding feature vectors; and the feature vectors are input into a preset covert channel detection model, which performs SSL covert channel detection. Because the preset model decides whether an SSL covert channel exists from the covert-channel-related features of the handshake-phase traffic, the embodiment meets the current need for an SSL covert channel detection method and can effectively improve detection precision.
Fig. 3 is a schematic structural diagram of a covert channel detection apparatus provided in an embodiment of the present disclosure; the apparatus may be understood as the above-mentioned computing device or as a subset of the functional modules of that computing device. As shown in fig. 3, the covert channel detection apparatus 300 includes:
an obtaining module 310, configured to obtain the traffic of the client and the server in the handshake phase;
an extraction module 320, configured to perform feature extraction processing on the traffic to obtain features related to a Secure Sockets Layer (SSL) covert channel;
an encoding module 330, configured to encode the features to obtain the feature vectors corresponding to the features;
and a detection module 340, configured to input the feature vector into a preset covert channel detection model and perform SSL covert channel detection based on that model.
Optionally, the covert channel detection apparatus 300 further includes:
a removing module, configured to remove at least one of the following from the traffic: redundant data packets, data packets with zero payload, unidirectional data streams, heartbeat packets.
Optionally, the extraction module 320 includes:
a first extraction submodule, configured to extract the random number, the server name indication (SNI) field, the certificate information quantity, the timing characteristics of the data interaction and the background traffic from the traffic;
and a first determining submodule, configured to determine, respectively, the character repetition rate or entropy value of the random number in the client hello message, the proportion of empty SNI fields, the proportion of the certificate information quantity in the traffic, the timing characteristic value of the data interaction and the proportion of background traffic in the traffic, based on the random number in the client hello message, the SNI field, the certificate information quantity, the timing characteristics of the data interaction and the background traffic.
Optionally, the detection module 340 includes:
a second determining submodule, configured to determine, according to the covert channel detection model, that an SSL covert channel exists in the traffic when all of the following conditions are met:
the character repetition rate or entropy value of the random number in the client hello message is larger than a first preset threshold;
the proportion of empty server name indication (SNI) fields is larger than a second preset threshold;
the proportion of the certificate information quantity in the traffic is smaller than a third preset threshold;
the timing characteristic value of the data interaction is smaller than a fourth preset threshold;
and the proportion of background traffic in the traffic is larger than a fifth preset threshold.
The covert channel detection apparatus provided in this embodiment can execute the method of any embodiment of fig. 2; its manner of execution and beneficial effects are similar and are not described again here.
The embodiment of the present disclosure further provides a computing device comprising a processor and a memory, where the memory stores a computer program which, when executed by the processor, implements the method of any embodiment of fig. 2; its manner of execution and beneficial effects are similar and are not described again here.
The embodiment of the present disclosure further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method of any embodiment of fig. 2; its manner of execution and beneficial effects are similar and are not described again here.
The computer-readable storage medium described above may take any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer programs described above may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java or C++ as well as conventional procedural programming languages such as the "C" programming language or similar languages, to perform the operations of embodiments of the present disclosure. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
It is noted that, in this document, relational terms such as "first" and "second" may be used solely to distinguish one entity or action from another without necessarily requiring or implying any actual such relationship or order between them. Likewise, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to it. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for covert channel detection, the method comprising:
acquiring the traffic of a client and a server in a handshake phase;
performing feature extraction processing on the traffic to obtain features related to a Secure Sockets Layer (SSL) covert channel;
encoding the features to obtain feature vectors corresponding to the features;
and inputting the feature vector into a preset covert channel detection model, and performing SSL covert channel detection based on the covert channel detection model.
2. The method of claim 1, wherein before performing the feature extraction processing on the traffic to obtain features related to a Secure Sockets Layer (SSL) covert channel, the method further comprises:
removing at least one of the following data from the traffic: redundant data packets, data packets with zero payload, unidirectional data streams, heartbeat packets.
3. The method according to claim 1 or 2, wherein performing feature extraction processing on the traffic to obtain features related to a Secure Sockets Layer (SSL) covert channel comprises:
extracting a random number, a server name indication (SNI) field, a certificate information quantity, timing characteristics of the data interaction and background traffic from the traffic;
and respectively determining, based on the random number in the client hello message, the SNI field, the certificate information quantity, the timing characteristics of the data interaction and the background traffic, the character repetition rate or entropy value of the random number in the client hello message, the proportion of empty SNI fields, the proportion of the certificate information quantity in the traffic, the timing characteristic value of the data interaction and the proportion of background traffic in the traffic.
4. The method of claim 3, wherein the covert channel detection model determines that an SSL covert channel is present in the traffic when:
the character repetition rate or entropy value of the random number in the client hello message is larger than a first preset threshold;
the proportion of empty server name indication (SNI) fields is larger than a second preset threshold;
the proportion of the certificate information quantity in the traffic is smaller than a third preset threshold;
the timing characteristic value of the data interaction is smaller than a fourth preset threshold;
and the proportion of background traffic in the traffic is larger than a fifth preset threshold.
5. A covert channel detection apparatus, the apparatus comprising:
an acquisition module, configured to acquire the traffic of a client and a server in a handshake phase;
an extraction module, configured to perform feature extraction processing on the traffic to obtain features related to a Secure Sockets Layer (SSL) covert channel;
an encoding module, configured to encode the features to obtain feature vectors corresponding to the features;
and a detection module, configured to input the feature vector into a preset covert channel detection model and perform SSL covert channel detection based on the covert channel detection model.
6. The apparatus of claim 5, further comprising:
a removing module, configured to remove at least one of the following data from the traffic: redundant data packets, data packets with zero payload, unidirectional data streams, heartbeat packets.
7. The apparatus of claim 5 or 6, wherein the extraction module comprises:
a first extraction submodule, configured to extract the random number, the server name indication (SNI) field, the certificate information quantity, the timing characteristics of the data interaction and the background traffic from the traffic;
and a first determining submodule, configured to determine, respectively, the character repetition rate or entropy value of the random number in the client hello message, the proportion of empty SNI fields, the proportion of the certificate information quantity in the traffic, the timing characteristic value of the data interaction and the proportion of background traffic in the traffic, based on the random number in the client hello message, the SNI field, the certificate information quantity, the timing characteristics of the data interaction and the background traffic.
8. The apparatus of claim 7, wherein the detection module comprises:
a second determining submodule, configured to determine, by means of the covert channel detection model, that an SSL covert channel exists in the traffic when all of the following conditions are met:
the character repetition rate or entropy value of the random number in the client hello message is larger than a first preset threshold;
the proportion of empty server name indication (SNI) fields is larger than a second preset threshold;
the proportion of the certificate information quantity in the traffic is smaller than a third preset threshold;
the timing characteristic value of the data interaction is smaller than a fourth preset threshold;
and the proportion of background traffic in the traffic is larger than a fifth preset threshold.
9. A computing device, comprising:
a memory and a processor, wherein the memory has stored therein a computer program which, when executed by the processor, implements the covert channel detection method of any of claims 1-4.
10. A computer-readable storage medium, characterized in that the storage medium has stored thereon a computer program which, when executed by a processor, carries out the covert channel detection method of any one of claims 1-4.
CN202111413625.7A 2021-11-25 2021-11-25 Hidden channel detection method, device, equipment and storage medium Active CN113938315B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111413625.7A CN113938315B (en) 2021-11-25 2021-11-25 Hidden channel detection method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111413625.7A CN113938315B (en) 2021-11-25 2021-11-25 Hidden channel detection method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113938315A true CN113938315A (en) 2022-01-14
CN113938315B CN113938315B (en) 2024-06-14

Family

ID=79288181

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111413625.7A Active CN113938315B (en) 2021-11-25 2021-11-25 Hidden channel detection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113938315B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115296897A (en) * 2022-08-03 2022-11-04 Information Science Academy of China Electronics Technology Group Corporation Covert communication method, device, storage medium and electronic equipment

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109286609A (en) * 2018-08-22 2019-01-29 Ping An Technology (Shenzhen) Co., Ltd. Information collecting method, device, computer equipment and storage medium
US20200076851A1 (en) * 2018-08-29 2020-03-05 Cisco Technology, Inc. Enforcing network endpoint policies in a cloud-based environment using a covert namespace
CN112217763A (en) * 2019-07-10 2021-01-12 Sichuan University Hidden TLS communication flow detection method based on machine learning
CN112769811A (en) * 2020-12-30 2021-05-07 Beijing Topsec Network Security Technology Co., Ltd. Method and device for updating hidden channel detection model

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
杨皓云; 王俊峰; 刘嘉勇; 唐彰国: "Research and implementation of covert channels in the SSL protocol", Computer Engineering and Applications, vol. 56, no. 20, pages 67-72 *

Also Published As

Publication number Publication date
CN113938315B (en) 2024-06-14

Similar Documents

Publication Publication Date Title
CN111277570A (en) Data security monitoring method and device, electronic equipment and readable medium
CN111488577B (en) Model building method and risk assessment method and device based on artificial intelligence
CN101547207A (en) Protocol identification control method and equipment based on application behavior mode
CN112235264A (en) Network traffic identification method and device based on deep migration learning
CN110855632B (en) Message detection method, device, network equipment and computer readable storage medium
CN111478920A (en) Method, device and equipment for detecting communication of hidden channel
CN110611640A (en) DNS protocol hidden channel detection method based on random forest
CN111835763B (en) DNS tunnel traffic detection method and device and electronic equipment
CN108809890A (en) Leak detection method, test server and client
CN109525577B (en) Malicious software detection method based on HTTP behavior diagram
CN110022308A (en) A kind of internet of things equipment recognition methods and system
CN103780501A (en) Peer-to-peer network traffic identification method of inseparable-wavelet support vector machine
CN113938315B (en) Hidden channel detection method, device, equipment and storage medium
CN113965393B (en) Botnet detection method based on complex network and graph neural network
CN113037748A (en) C and C channel hybrid detection method and system
CN112565229A (en) Hidden channel detection method and device
CN117240560A (en) GAN-based high-simulation honeypot implementation method and system
CN111447169B (en) Method and system for identifying malicious webpage in real time on gateway
CN112688897A (en) Traffic identification method and device, storage medium and electronic equipment
CN111291078A (en) Domain name matching detection method and device
CN107948022A (en) A kind of recognition methods of peer-to-peer network flow and identification device
CN114338126A (en) Network application identification method and device
CN112615713A (en) Detection method and device of hidden channel, readable storage medium and electronic equipment
Tu et al. DNS tunnelling detection by fusing encoding feature and behavioral feature
CN114499923B (en) ICMP simulation message generation method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant