CN113938315B - Hidden channel detection method, device, equipment and storage medium - Google Patents

Info

Publication number: CN113938315B (granted publication of application CN202111413625.7A; earlier publication CN113938315A)
Authority: CN (China)
Prior art keywords: flow, hidden channel, ssl, channel detection, hidden
Legal status: Active (Google's assumption, not a legal conclusion)
Original language: Chinese (zh)
Inventor: 邵瑞
Assignees (original and current): Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/044 Recurrent networks, e.g. Hopfield networks
    • G06N3/08 Learning methods


Abstract

Embodiments of the disclosure relate to a hidden channel detection method, a hidden channel detection apparatus, hidden channel detection equipment and a storage medium. Traffic exchanged between a client and a server during the handshake stage is acquired; feature extraction is performed on that traffic to obtain features related to Secure Sockets Layer (SSL) hidden channels; the extracted features are encoded into corresponding feature vectors; and the feature vectors are input into a preset hidden channel detection model, which performs SSL hidden channel detection. Because the preset model judges whether an SSL hidden channel exists in the traffic from handshake-stage features specifically related to such channels, the method meets the current requirement for SSL hidden channel detection and can effectively improve detection accuracy.

Description

Hidden channel detection method, device, equipment and storage medium
Technical Field
The embodiment of the disclosure relates to the technical field of computer network security, in particular to a hidden channel detection method, a hidden channel detection device, hidden channel detection equipment and a storage medium.
Background
A network hidden channel can easily bypass firewalls and intrusion detection systems (IDS) to attack a network. The Secure Sockets Layer (SSL) protocol is a secure transport protocol that applies encryption to protect the confidentiality of communication content; ordinary firewalls and Network Address Translation (NAT) devices do not intercept it, and the SSL-based Hypertext Transfer Protocol Secure (HTTPS) is in very wide use, so a new kind of hidden channel that uses SSL as its bearer protocol has emerged.
Detection methods for SSL hidden channels in the related art generally only check whether an encrypted Trojan is present, working from the behavioural characteristics of known Trojans, and cannot determine whether an SSL hidden channel itself exists; that is, the prior art cannot meet the current detection requirement for SSL hidden channels. A method for detecting SSL hidden channels is therefore needed to make up for this shortcoming of existing hidden channel detection methods.
Disclosure of Invention
In order to solve the above technical problems or at least partially solve the above technical problems, embodiments of the present disclosure provide a hidden channel detection method, apparatus, device, and storage medium.
A first aspect of an embodiment of the present disclosure provides a hidden channel detection method, including:
acquiring the traffic of a client and a server in the handshake stage; performing feature extraction on the traffic to obtain features related to Secure Sockets Layer (SSL) hidden channels; encoding the extracted features to obtain corresponding feature vectors; and inputting the feature vectors into a preset hidden channel detection model and performing SSL hidden channel detection based on that model.
A second aspect of an embodiment of the present disclosure provides a hidden channel detection apparatus, the apparatus comprising:
an acquisition module for acquiring the traffic of the client and the server in the handshake stage;
an extraction module for performing feature extraction on the traffic to obtain features related to the SSL hidden channel;
an encoding module for encoding the features to obtain corresponding feature vectors;
and a detection module for inputting the feature vectors into a preset hidden channel detection model and performing SSL hidden channel detection based on that model.
A third aspect of embodiments of the present disclosure provides a computing device comprising a memory and a processor, wherein the memory stores a computer program which, when executed by the processor, performs the method of the first aspect described above.
A fourth aspect of the disclosed embodiments provides a computer readable storage medium having stored therein a computer program which, when executed by a processor, can implement the method of the first aspect described above.
Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has the following advantages:
According to the embodiments of the disclosure, traffic exchanged between a client and a server during the handshake stage is acquired; feature extraction is performed on that traffic to obtain features related to Secure Sockets Layer (SSL) hidden channels; the extracted features are encoded into corresponding feature vectors; and the feature vectors are input into a preset hidden channel detection model, which performs SSL hidden channel detection. Because the preset model judges whether an SSL hidden channel exists in the traffic from handshake-stage features specifically related to such channels, the method meets the current requirement for SSL hidden channel detection and can effectively improve detection accuracy.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments of the present disclosure or the solutions in the prior art, the drawings that are required for the description of the embodiments or the prior art will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a flowchart of a training method of a hidden channel detection model provided in an embodiment of the present disclosure;
fig. 2 is a flowchart of a hidden channel detection method provided in an embodiment of the present disclosure;
Fig. 3 is a schematic structural diagram of a hidden channel detection device according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, a further description of aspects of the present disclosure will be provided below. It should be noted that, without conflict, the embodiments of the present disclosure and features in the embodiments may be combined with each other.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced otherwise than as described herein; it will be apparent that the embodiments in the specification are only some, but not all, embodiments of the disclosure.
Fig. 1 is a flowchart of a training method for a hidden channel detection model provided by an embodiment of the present disclosure. The method may be performed by a computing device, meaning any device with computing and processing capability. As shown in Fig. 1, the training method of the hidden channel detection model provided in this embodiment includes the following steps:
Step 101: select positive samples and negative samples from network traffic to form a data set for model training.
The traffic referred to in the embodiments of the present disclosure may be understood as the data transmitted between the client and the server.
Positive samples in the embodiments of the present disclosure may be understood as normal traffic that contains no SSL hidden channel, and negative samples as abnormal traffic that does contain an SSL hidden channel; together the positive and negative samples form the data set for model training. Note that SSL is a security protocol that provides confidentiality and data integrity for network communication so as to secure data transmitted over the internet; it uses encryption so that data cannot be intercepted and read in transit. A hidden channel (a covert channel) is a communication channel that allows a process to transmit information in a way that violates the system's security policy; in short, it is a channel that was never intended to carry that information at all.
Step 102: acquire the traffic of the client and the server in the handshake stage from the data set, and perform feature extraction on the handshake-stage traffic to obtain features related to the SSL hidden channel.
SSL communication can be divided into a handshake phase and a data transmission phase. The handshake phase is the process in which the client and server negotiate the security parameters of the connection and confirm each other's identities; during it the two sides have not yet established the full data connection and no actual application data is exchanged. Compared with the data transmission phase it is therefore easier to conceal information in the handshake, and most SSL hidden channels are established there. For that reason the embodiments of the present disclosure extract features from the client/server traffic of the handshake phase and use the resulting SSL hidden channel-related features as the features for model training.
In the embodiments of the present disclosure, performing feature extraction on the handshake-phase traffic to obtain features related to the SSL hidden channel includes steps S11 and S12:
S11: extract from the traffic the random number in the Client Hello message, the Server Name Indication (SNI) field, the amount of certificate information, the timing characteristics of the data interaction, and the background flows.
S12: from the random number in the Client Hello message, the SNI field, the amount of certificate information, the timing characteristics of the data interaction and the background flows, determine respectively the character repetition rate or entropy of the random number, the proportion of messages whose SNI field is empty, the proportion of certificate information in the traffic, the timing characteristic value of the data interaction, and the proportion of background flow in the traffic.
The Client Hello message is sent by the client to the server, which replies with a Server Hello message once it has received it; this exchange is how the client and server negotiate security parameters in the handshake phase. An SSL hidden channel often chooses to forge the Client Hello message, and the information it carries is frequently hidden in the random number of the Client Hello (in SSL/TLS up to version 1.2 the 32-byte Random field consists of a 4-byte timestamp followed by 28 random bytes). The random number is an input to the derivation of the symmetric session key, but modifying the field does not affect the validity of the Client Hello itself, so the random field is a natural place to construct a hidden channel. The character repetition rate or the entropy of the random number can be used to assess its complexity: a properly generated random value has high entropy and a low repetition rate, whereas a field that has been overwritten with encoded command or data bytes departs from that distribution. Note that the two measures move in opposite directions (higher entropy means a lower repetition rate), so the direction of the comparison in the detection rule must match whichever measure is chosen; and a payload that is itself encrypted before being placed in the field is statistically indistinguishable from a genuine random value, so this feature catches encoded rather than encrypted payloads. The character repetition rate or entropy of the random number in the Client Hello message is therefore selected as an SSL hidden channel-related feature.
The Server Name Indication (SNI) field carries the domain name of the server the client wants to reach and is used to locate and identify the target host during data transmission. A normal message carries an SNI; in a hidden channel the SNI field is usually empty. The proportion of Client Hello messages in the traffic whose SNI field is empty is therefore a signal: the larger that proportion, the greater the probability that the traffic contains an SSL hidden channel. (Legitimate clients that connect by IP address or use older libraries also omit SNI, which is why this is used as one feature among several rather than on its own.) The proportion of empty SNI fields is thus selected as an SSL hidden channel-related feature.
The certificate can be understood as the message by which the server and client authenticate the encrypted exchange; it carries the certificate's public key, validity period and other fields. A legitimate certificate is complete, whereas the certificate used by a hidden channel is likely to be forged and to contain many empty fields, i.e. it carries less information. The smaller the proportion of certificate information in the traffic, the greater the probability that the traffic contains an SSL hidden channel, so the amount of certificate information is selected as an SSL hidden channel-related feature. (In TLS 1.3 the Certificate message is sent encrypted, so this feature can only be observed on TLS 1.2 and earlier handshakes, or at a point where the traffic has been decrypted.)
The timing characteristics of the data interaction are characteristics of the exchange over a given period, including the numbers of uplink and downlink bytes, the numbers of uplink and downlink packets, the time taken to complete an interaction (from sending a packet to receiving the corresponding reply) and the average packet length (the mean size over packets of differing sizes in the period). Normal traffic has a complete interaction: a packet is sent and the corresponding reply comes back, e.g. the client sends a packet to the server, the server receives and processes it and returns a packet carrying the response. A hidden channel, whose content is generally not real application data, does not necessarily receive a reply when the client sends through it. Compared with normal traffic an SSL hidden channel therefore shows strong timing characteristics: fewer uplink and downlink bytes, fewer uplink and downlink packets, a shorter interaction completion time and a smaller average packet length. These can be combined into a single timing characteristic value, and the smaller that value, the greater the probability that the traffic contains an SSL hidden channel. The timing characteristic value of the data interaction is therefore selected as an SSL hidden channel-related feature.
Background flow can be understood as traffic carried by protocols other than the one used for the normal communication, for example Domain Name System (DNS) traffic alongside HTTPS. In normal traffic the background flow stays within a normal range, whereas a hidden channel often mixes traffic from several different protocols, using the same or different clients to perform normal access as cover (traffic confusion), so the background flow around a hidden channel is usually larger than that around normal traffic. The proportion of background flow in the traffic measures this: the larger the proportion, the greater the probability that the traffic contains an SSL hidden channel. The proportion of background flow in the traffic is therefore selected as an SSL hidden channel-related feature.
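The first two features above (complexity of the Client Hello random and the share of empty SNI fields), worked through as an added example that is not the patent's own code: it parses a TLS ClientHello record, pulls out the Random field and the SNI, and computes Shannon entropy, character repetition rate and the empty-SNI ratio. The record builder, the fixed "normal" random value and the ASCII command string are constructed sample data, not captured traffic; the whole 32-byte Random field is measured rather than only the trailing 28 bytes.

```python
"""Added example: ClientHello random-complexity and empty-SNI features."""
import math
import os
import struct
from collections import Counter
from typing import Dict, List, Optional


def build_client_hello(random32: bytes, sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (fixture for this example)."""
    assert len(random32) == 32
    exts = b""
    if sni is not None:
        host = sni.encode()
        name = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        body = struct.pack("!H", len(name)) + name
        exts = struct.pack("!HH", 0x0000, len(body)) + body    # extension 0 = server_name
    hello = (b"\x03\x03" + random32
             + b"\x00"                        # empty session_id
             + b"\x00\x02\xc0\x2f"            # one cipher suite
             + b"\x01\x00"                    # null compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(rec: bytes) -> Dict[str, object]:
    """Return {'random': 32 bytes, 'sni': str or None}; raise ValueError if malformed."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello record")
    end = 9 + int.from_bytes(rec[6:9], "big")
    if end > len(rec):
        raise ValueError("truncated handshake")
    p = 9 + 2                                 # skip client_version
    rnd = rec[p:p + 32]; p += 32
    p += 1 + rec[p]                           # session_id
    p += 2 + struct.unpack("!H", rec[p:p + 2])[0]   # cipher_suites
    p += 1 + rec[p]                           # compression_methods
    sni = None
    if p + 2 <= end:                          # extensions block is optional
        ext_end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]; p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", rec[p:p + 4]); p += 4
            if etype == 0x0000 and elen >= 5:   # list_len(2) name_type(1) name_len(2) name
                nlen = struct.unpack("!H", rec[p + 3:p + 5])[0]
                sni = rec[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    return {"random": rnd, "sni": sni}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the observed byte distribution (at most log2(len) for a short field)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def repetition_rate(data: bytes) -> float:
    """Share of bytes that repeat an already-seen value: 1 - distinct/len."""
    return 1.0 - len(set(data)) / len(data)


def handshake_features(records: List[bytes]) -> Dict[str, object]:
    """Per-ClientHello random complexity plus the empty-SNI ratio over the set."""
    hellos = [parse_client_hello(r) for r in records]
    return {
        "random_entropy": [shannon_entropy(h["random"]) for h in hellos],
        "random_repetition": [repetition_rate(h["random"]) for h in hellos],
        "sni_empty_ratio": sum(h["sni"] is None for h in hellos) / len(hellos),
    }


# Constructed samples: a random value with 32 distinct bytes, and a 32-byte ASCII
# command padded with NULs standing in for an encoded covert payload.
NORMAL_RANDOM = bytes.fromhex(
    "a35f12c89e0744b16d2af08319d67ce53b9058c20e71af26d94c85fb3762e81d")
COVERT_RANDOM = b"cmd=whoami;id;cat /etc/passwd\x00\x00\x00"
SAMPLE_RECORDS = [
    build_client_hello(NORMAL_RANDOM, "example.com"),
    build_client_hello(os.urandom(32), "mail.example.net"),
    build_client_hello(COVERT_RANDOM, None),
]

if __name__ == "__main__":
    for name, val in handshake_features(SAMPLE_RECORDS).items():
        print(name, val)
```

On the constructed samples the 32-distinct-byte random scores entropy 5.0 and repetition 0.0, while the ASCII command scores roughly 3.97 bits and a repetition rate of 15/32; an encrypted payload would score like the genuine random, which is the limitation noted above.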
Traffic samples collected from a network tend to be noisy, containing large amounts of redundant data, invalid data and other interference such as duplicate packets, packets with zero payload, unidirectional flows and heartbeat packets, all of which reduce the accuracy of model training. To reduce their interference and improve the quality of the data set, in some embodiments of the present disclosure at least one of the following is removed from the traffic before the handshake-phase features of the client and server are extracted to obtain the SSL hidden channel-related features: duplicate packets, packets with zero payload, unidirectional flows and heartbeat packets. A duplicate packet is a repeated copy of a packet already seen; a zero-payload packet has a valid message structure but the length of application data it actually carries is zero; a unidirectional flow carries data in one direction only, whereas establishing a hidden channel normally requires bidirectional interaction; a heartbeat packet is a custom command word that client and server send to each other at fixed intervals to report their own status, named for its resemblance to a heartbeat.
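The pre-filtering step just described, as an added example that is not the patent's own code: it runs over a constructed packet list and drops heartbeats, duplicate copies, zero-payload packets and flows that are left one-directional. Packets are reduced to timestamp, endpoints and payload; treating a short identical payload sent at near-constant intervals as a heartbeat, and identical endpoints plus payload as a duplicate, are this example's own interpretation of the text.

```python
"""Added example: pre-filtering of captured traffic before feature extraction."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str       # "ip:port"
    dst: str
    payload: bytes


FlowKey = Tuple[str, ...]
PacketKey = Tuple[str, str, bytes]


def flow_key(p: Packet) -> FlowKey:
    """Direction-agnostic identifier so both halves of a conversation map together."""
    return tuple(sorted((p.src, p.dst)))


def heartbeat_keys(packets: List[Packet], max_len: int = 8,
                   min_repeats: int = 3, jitter: float = 0.1) -> Set[PacketKey]:
    """(src, dst, payload) triples that look like keepalives: short, identical, sent at
    least min_repeats times with inter-arrival gaps within jitter of their mean."""
    times: Dict[PacketKey, List[float]] = defaultdict(list)
    for p in packets:
        if 0 < len(p.payload) <= max_len:
            times[(p.src, p.dst, p.payload)].append(p.ts)
    found: Set[PacketKey] = set()
    for key, ts in times.items():
        if len(ts) < min_repeats:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= jitter * mean:
            found.add(key)
    return found


def clean_traffic(packets: List[Packet]) -> Dict[FlowKey, List[Packet]]:
    """Drop heartbeats, duplicate copies and zero-payload packets, then drop any flow
    that is left with traffic in one direction only."""
    beats = heartbeat_keys(packets)
    seen: Set[PacketKey] = set()
    flows: Dict[FlowKey, List[Packet]] = defaultdict(list)
    for p in sorted(packets, key=lambda q: q.ts):
        key = (p.src, p.dst, p.payload)
        if key in beats or key in seen or not p.payload:
            continue                      # heartbeat / repeated copy / bare ACK
        seen.add(key)
        flows[flow_key(p)].append(p)
    return {k: v for k, v in flows.items()
            if len({p.src for p in v}) > 1}   # keep only bidirectional flows


# Constructed capture: one handshake with noise mixed in, plus a one-way flow that
# never gets an answer. Record contents are abridged placeholders.
C, S = "10.0.0.5:51234", "203.0.113.10:443"
SAMPLE_PACKETS = [
    Packet(0.00, C, S, b"\x16\x03\x01\x00\x05hello"),   # ClientHello
    Packet(0.04, S, C, b"\x16\x03\x03\x00\x05shllo"),   # ServerHello
    Packet(0.05, C, S, b""),                            # bare ACK, zero payload
    Packet(0.30, C, S, b"\x16\x03\x01\x00\x05hello"),   # repeated copy of the ClientHello
    Packet(10.0, C, S, b"HB"), Packet(40.0, C, S, b"HB"), Packet(70.0, C, S, b"HB"),
    Packet(1.00, "10.0.0.7:40000", "198.51.100.3:443", b"\x16\x03\x01\x00\x02hi"),
    Packet(1.50, "10.0.0.7:40000", "198.51.100.3:443", b"\x16\x03\x01\x00\x02yo"),
]

if __name__ == "__main__":
    for k, pkts in clean_traffic(SAMPLE_PACKETS).items():
        print(k, [(p.ts, p.src) for p in pkts])
```

The order matters: heartbeats are identified on the raw list (the detection needs the repeats), and only then are repeated copies collapsed, otherwise the de-duplication would hide the periodic pattern.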
Step 103: encode the features to obtain feature vectors corresponding to the features.
In the embodiments of the disclosure, once the features related to the SSL hidden channel have been extracted they are encoded, for example with an existing encoding model, converting the feature information into a vector representation to obtain the feature vector corresponding to each feature.
Step 104: input the feature vectors into a recurrent neural network for model training to obtain the hidden channel detection model.
The recurrent neural network (RNN) referred to in the embodiments of the present disclosure is a class of neural network that takes sequence data as input and recurses along the direction in which the sequence evolves, with all nodes (recurrent units) connected in a chain. Detecting a hidden channel in practice must take the temporal order of the data into account; an RNN, which can also be built as a bidirectional deep network, processes such sequences and so fits the problem well. The deep learning process can be understood as adjusting the weights on the connections between neurons.
In the embodiments of the disclosure a Long Short-Term Memory network (LSTM) can be chosen for model training. LSTM is a recurrent network designed specifically to address the long-term dependency problem of ordinary RNNs: its gating mechanism lets it establish long-range dependencies along the sequence. Each unit processes the current element into its own state while selectively retaining the useful part of the previous unit's state, so that after iterating to the end of the sequence the final unit's state reflects dependencies across the whole sequence, giving a better global optimum. Training the sample data in the data set through the LSTM layers finally yields a model that can be used to detect the hidden channel.
Specifically, the feature vectors of the positive and negative samples in the data set are fed into the LSTM for training, so that the model learns a weight value for each feature; the magnitude of a feature's weight reflects how much confidence that feature gives in judging that the traffic contains an SSL hidden channel. A preset threshold is set for each feature: a first preset threshold for the character repetition rate or entropy of the random number in the Client Hello message, a second for the proportion of empty SNI fields, a third for the proportion of certificate information in the traffic, a fourth for the timing characteristic value of the data interaction, and a fifth for the proportion of background flow in the traffic. These preset thresholds are corrected through repeated training iterations over the positive and negative samples until an optimal value is obtained for each, and the model then judges that traffic contains an SSL hidden channel when all of the following conditions hold together:
the character repetition rate or entropy of the random number in the Client Hello message is greater than the first preset threshold; the proportion of empty SNI fields is greater than the second preset threshold; the proportion of certificate information in the traffic is smaller than the third preset threshold; the timing characteristic value of the data interaction is smaller than the fourth preset threshold; and the proportion of background flow in the traffic is greater than the fifth preset threshold.
The terms "first preset threshold" to "fifth preset threshold" in the embodiments of the present disclosure merely distinguish the preset thresholds corresponding to the different SSL hidden channel-related features and carry no other meaning.
When the input feature vector satisfies all of these conditions at once, the model outputs that the traffic contains an SSL hidden channel; when it cannot satisfy them all at once, the model outputs that the traffic does not contain an SSL hidden channel. Because the rule is a conjunction, a channel that keeps even one of the five features in its normal range (for example one that sets a plausible SNI) is reported as normal; that is the price of the low false-positive rate a conjunction gives.
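The five-condition rule above, as an added example that is not the patent's own code. Per-feature thresholds are chosen from labelled samples by a single-split search, which stands in for the LSTM training the text describes and is not that model; the feature values are constructed, and the random-number feature is taken as the character repetition rate (so the "greater than" direction of the rule applies), not the entropy.

```python
"""Added example: threshold fitting and the conjunctive detection rule."""
from typing import Dict, List, Tuple

# (feature, comparison that indicates a hidden channel), in the order of the five
# preset thresholds in the text.
RULE: List[Tuple[str, str]] = [
    ("random_repetition", ">"),   # first preset threshold
    ("sni_empty_ratio",   ">"),   # second
    ("cert_info_ratio",   "<"),   # third
    ("timing_value",      "<"),   # fourth
    ("background_ratio",  ">"),   # fifth
]
FEATURES = [name for name, _ in RULE]


def encode(sample: Dict[str, float]) -> List[float]:
    """Feature vector in the fixed RULE order (the encoding step of the text)."""
    return [float(sample[name]) for name in FEATURES]


def _hits(value: float, op: str, threshold: float) -> bool:
    return value > threshold if op == ">" else value < threshold


def fit_thresholds(vectors: List[List[float]], labels: List[int]) -> List[float]:
    """For each feature, pick the midpoint between neighbouring sorted values that best
    separates hidden-channel samples (label 1) from normal ones (label 0)."""
    thresholds = []
    for i, (_, op) in enumerate(RULE):
        col = sorted(set(v[i] for v in vectors))
        candidates = [(a + b) / 2 for a, b in zip(col, col[1:])] or col
        best_t, best_acc = candidates[0], -1.0
        for t in candidates:
            acc = sum(_hits(v[i], op, t) == bool(y)
                      for v, y in zip(vectors, labels)) / len(labels)
            if acc > best_acc:
                best_t, best_acc = t, acc
        thresholds.append(best_t)
    return thresholds


def unmet_conditions(vector: List[float], thresholds: List[float]) -> List[str]:
    """Conditions that fail; an empty list means 'traffic contains an SSL hidden channel'."""
    return [name for (name, op), v, t in zip(RULE, vector, thresholds)
            if not _hits(v, op, t)]


def detect(vector: List[float], thresholds: List[float]) -> bool:
    """The conjunctive rule: all five conditions must hold at once."""
    return not unmet_conditions(vector, thresholds)


# Constructed training set: four normal (0) and four hidden-channel (1) flows,
# columns in RULE order.
TRAIN_VECTORS = [
    [0.05, 0.00, 0.30, 0.80, 0.10],
    [0.08, 0.05, 0.35, 0.75, 0.12],
    [0.03, 0.02, 0.28, 0.90, 0.08],
    [0.06, 0.10, 0.32, 0.70, 0.15],
    [0.40, 0.80, 0.10, 0.20, 0.45],
    [0.35, 0.90, 0.08, 0.25, 0.50],
    [0.50, 0.70, 0.12, 0.15, 0.40],
    [0.45, 0.95, 0.05, 0.30, 0.55],
]
TRAIN_LABELS = [0, 0, 0, 0, 1, 1, 1, 1]
THRESHOLDS = fit_thresholds(TRAIN_VECTORS, TRAIN_LABELS)

if __name__ == "__main__":
    print(dict(zip(FEATURES, THRESHOLDS)))
    new = encode({"random_repetition": 0.38, "sni_empty_ratio": 0.85,
                  "cert_info_ratio": 0.09, "timing_value": 0.22,
                  "background_ratio": 0.48})
    print(detect(new, THRESHOLDS), unmet_conditions(new, THRESHOLDS))
```

Reporting the failing conditions rather than a bare boolean is what makes the conjunction's blind spot visible in operation: a flow that matches on four of five features and only misses because the client set an SNI shows up as "unmet: sni_empty_ratio", which an analyst can triage, instead of silently passing as normal.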
Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has the following advantages:
In the embodiments of the disclosure, positive and negative samples are selected from network traffic to form a data set for model training; features are extracted from the handshake-stage traffic of the client and server in the data set to obtain features related to the SSL hidden channel; the features are encoded to obtain corresponding feature vectors; and the feature vectors are input into a recurrent neural network for model training to obtain the hidden channel detection model. Because the hidden channel detection model is trained on features specifically related to SSL hidden channels, it can be applied to SSL hidden channel detection, meets the current requirement for SSL hidden channel detection methods, and can effectively improve detection accuracy.
Fig. 2 is a flow chart of a hidden channel detection method provided by an embodiment of the present disclosure, which may be performed by a computing device. The computing device may be understood as any device having computing functionality and processing capabilities. As shown in fig. 2, the hidden channel detection method provided in this embodiment includes the following steps:
step 201, obtain the traffic of the client and the server in the handshake stage.
The traffic referred to in the embodiments of the present disclosure may be understood as the data transmitted between the client and the server.
The handshake phase of the embodiments of the present disclosure may be understood as a process of establishing communication security parameters between a client and a server to confirm identities of each other, where the client and the server do not establish a complete data connection and generate actual data communication actions during handshake.
Step 202: perform feature extraction on the traffic to obtain features related to the SSL hidden channel.
The feature extraction process in the embodiment of the present disclosure is the same as steps S11 to S12 in step 102 in fig. 1, and will not be described here again.
Traffic acquired from a network tends to be noisy and contains large amounts of redundant data, invalid data and other interference such as duplicate packets, packets with zero payload, unidirectional flows and heartbeat packets, which reduce the accuracy of the hidden channel detection result. To reduce their interference and improve the accuracy of the result, in some embodiments of the present disclosure at least one of the following is removed from the traffic before feature extraction is performed to obtain the SSL hidden channel-related features: duplicate packets, packets with zero payload, unidirectional flows and heartbeat packets. The meaning of each kind of removed data is as described under step 102 in Fig. 1 and is not repeated here.
Step 203: encode the features to obtain feature vectors corresponding to the features.
In the embodiments of the disclosure, once the features related to the SSL hidden channel have been extracted they are encoded, for example with an existing encoding model, converting the feature information into a vector representation to obtain the feature vector corresponding to each feature.
Step 204: input the feature vectors into a preset hidden channel detection model and perform SSL hidden channel detection based on that model.
The preset hidden channel detection model in the embodiments of the present disclosure is the model obtained by the training of Fig. 1. The feature vector is input into it and SSL hidden channel detection is performed on that basis: when the following conditions are all satisfied at once (the character repetition rate or entropy of the random number in the Client Hello message is greater than the first preset threshold; the proportion of empty SNI fields is greater than the second preset threshold; the proportion of certificate information in the traffic is smaller than the third preset threshold; the timing characteristic value of the data interaction is smaller than the fourth preset threshold; and the proportion of background flow in the traffic is greater than the fifth preset threshold), the hidden channel detection model outputs that the traffic contains an SSL hidden channel; when the input feature vector cannot satisfy them all at once, the model outputs that the traffic does not contain an SSL hidden channel.
Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has the following advantages:
According to the embodiment of the disclosure, the traffic of the client and the server in the handshake stage is obtained; feature extraction processing is performed on the traffic to obtain features related to the secure socket protocol (SSL) hidden channel; the extracted features are encoded to obtain feature vectors corresponding to the features; and the feature vector is input into a preset hidden channel detection model, which performs SSL hidden channel detection. In this way, the preset hidden channel detection model judges whether an SSL hidden channel exists in the traffic according to the hidden-channel-related characteristics of the traffic in the handshake stage, which meets the current requirement on SSL hidden channel detection methods and can effectively improve the detection precision.
Fig. 3 is a schematic structural diagram of a hidden channel detection apparatus according to an embodiment of the present disclosure, where the apparatus may be understood as the above-mentioned computing device or a part of functional modules in the above-mentioned computing device. As shown in fig. 3, the hidden channel detection apparatus 300 includes:
an obtaining module 310, configured to obtain traffic of the client and the server in a handshake stage;
the extracting module 320 is configured to perform feature extraction processing on the traffic to obtain features related to the SSL hidden channel;
The encoding module 330 is configured to encode the feature to obtain a feature vector corresponding to the feature;
The detection module 340 is configured to input the feature vector into a preset hidden channel detection model, and perform SSL hidden channel detection based on the hidden channel detection model.
Optionally, the hidden channel detection apparatus 300 further includes:
The rejecting module is used for rejecting at least one of the following data from the traffic: redundant data packet, data packet with zero effective load, unidirectional data flow, and heartbeat packet.
Optionally, the extracting module 320 includes:
the first extraction submodule is used for extracting, from the traffic, the random number in the client hello message, the server name indication field SNI, the certificate information amount, the time sequence characteristics of the data interaction and the background flows;
the first determining submodule is used for determining the character repetition rate or entropy value of the random number in the client hello message, the proportion of empty server name indication fields SNI, the proportion of the certificate information in the traffic, the time sequence characteristic value of the data interaction and the proportion of the background flows in the traffic, based respectively on the random number in the client hello message, the server name indication field SNI, the certificate information amount, the time sequence characteristics of the data interaction and the background flows.
Optionally, the detecting module 340 includes:
a second determining submodule, configured to determine that an SSL hidden channel exists in the traffic when the following conditions are satisfied:
the character repetition rate or entropy value of the random number in the client hello message is larger than a first preset threshold value;
the proportion of empty server name indication fields SNI is larger than a second preset threshold value;
the proportion of the certificate information amount in the traffic is smaller than a third preset threshold value;
the time sequence characteristic value of the data interaction is smaller than a fourth preset threshold value;
the proportion of the background flows in the traffic is larger than a fifth preset threshold value.
The implementation manner and the beneficial effects of the hidden channel detection device provided in this embodiment are similar to those of the method in any embodiment in fig. 2, and are not repeated here.
The embodiment of the present disclosure further provides a computing device, where the computing device includes a processor and a memory, where the memory stores a computer program, and when the computer program is executed by the processor, the method of any one of the embodiments of fig. 2 may be implemented, and the implementation manner and the beneficial effect are similar, and are not repeated herein.
The embodiments of the present disclosure provide a computer readable storage medium, where a computer program is stored, where when the computer program is executed by a processor, the method of any of the embodiments of fig. 2 may be implemented, and the implementation manner and the beneficial effects are similar, and are not repeated herein.
The computer readable storage media described above can employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may include, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer programs described above may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server.
It should be noted that in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing is merely a specific embodiment of the disclosure to enable one skilled in the art to understand or practice the disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown and described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (6)

1. A hidden channel detection method, the method comprising:
acquiring the flow of a client and a server in a handshake stage;
performing feature extraction processing on the flow to obtain features related to SSL hidden channels;
Performing coding processing on the features to obtain feature vectors corresponding to the features;
Inputting the feature vector into a preset hidden channel detection model, and carrying out SSL hidden channel detection based on the hidden channel detection model;
the feature extraction processing on the traffic to obtain the features related to the secure socket protocol SSL hidden channel comprises the following steps:
extracting, from the traffic, the random number in the client hello message, a server name indication field SNI, a certificate information amount, time sequence characteristics of data interaction and background flows;
determining the character repetition rate or entropy value of the random number in the client hello message, the proportion of empty server name indication fields SNI, the proportion of the certificate information in the traffic, the time sequence characteristic value of the data interaction and the proportion of the background flows in the traffic, based respectively on the random number in the client hello message, the server name indication field SNI, the certificate information amount, the time sequence characteristics of the data interaction and the background flows;
the hidden channel detection model determines that an SSL hidden channel is present in the traffic when the following conditions are satisfied:
the character repetition rate or entropy value of the random number in the client hello message is larger than a first preset threshold value;
the proportion of empty server name indication fields SNI is larger than a second preset threshold value;
the proportion of the certificate information amount in the traffic is smaller than a third preset threshold value;
the time sequence characteristic value of the data interaction is smaller than a fourth preset threshold value;
the proportion of the background flows in the traffic is larger than a fifth preset threshold value.
2. The method of claim 1, wherein before performing the feature extraction process on the traffic to obtain the feature related to the secure socket protocol SSL hidden channel, the method further comprises:
And rejecting at least one of the following data from the flow: redundant data packet, data packet with zero effective load, unidirectional data flow, and heartbeat packet.
3. A hidden channel detection apparatus, the apparatus comprising:
The acquisition module is used for acquiring the flow of the client and the server in the handshake stage;
The extraction module is used for carrying out feature extraction processing on the flow to obtain features related to the SSL hidden channel of the secure socket protocol;
the coding module is used for coding the features to obtain feature vectors corresponding to the features;
The detection module is used for inputting the characteristic vector into a preset hidden channel detection model and carrying out SSL hidden channel detection based on the hidden channel detection model;
the extraction module comprises:
a first extraction submodule, used for extracting, from the traffic, the random number in the client hello message, a server name indication field SNI, a certificate information amount, time sequence characteristics of data interaction and background flows;
a first determining submodule, used for determining the character repetition rate or entropy value of the random number in the client hello message, the proportion of empty server name indication fields SNI, the proportion of the certificate information in the traffic, the time sequence characteristic value of the data interaction and the proportion of the background flows in the traffic, based respectively on the random number in the client hello message, the server name indication field SNI, the certificate information amount, the time sequence characteristics of the data interaction and the background flows;
the detection module comprises:
a second determining submodule, configured to determine that an SSL hidden channel exists in the traffic when the hidden channel detection model finds the following conditions satisfied:
the character repetition rate or entropy value of the random number in the client hello message is larger than a first preset threshold value;
the proportion of empty server name indication fields SNI is larger than a second preset threshold value;
the proportion of the certificate information amount in the traffic is smaller than a third preset threshold value;
the time sequence characteristic value of the data interaction is smaller than a fourth preset threshold value;
the proportion of the background flows in the traffic is larger than a fifth preset threshold value.
4. A device according to claim 3, characterized in that the device further comprises:
a rejection module, configured to reject at least one of the following data from the traffic: redundant data packet, data packet with zero effective load, unidirectional data flow, and heartbeat packet.
5. A computing device, comprising:
a memory and a processor, wherein the memory has stored therein a computer program which, when executed by the processor, implements the hidden channel detection method of any of claims 1-2.
6. A computer readable storage medium, characterized in that the storage medium has stored therein a computer program which, when executed by a processor, implements the hidden channel detection method according to any of claims 1-2.
CN202111413625.7A 2021-11-25 2021-11-25 Hidden channel detection method, device, equipment and storage medium Active CN113938315B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111413625.7A CN113938315B (en) 2021-11-25 2021-11-25 Hidden channel detection method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113938315A CN113938315A (en) 2022-01-14
CN113938315B true CN113938315B (en) 2024-06-14

Family

ID=79288181

Country Status (1)

Country Link
CN (1) CN113938315B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115296897A (en) * 2022-08-03 2022-11-04 中国电子科技集团公司信息科学研究院 Covert communication method, device, storage medium and electronic equipment

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112217763A (en) * 2019-07-10 2021-01-12 四川大学 Hidden TLS communication flow detection method based on machine learning

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109286609A (en) * 2018-08-22 2019-01-29 平安科技(深圳)有限公司 Information collecting method, device, computer equipment and storage medium
US10742686B2 (en) * 2018-08-29 2020-08-11 Cisco Technology, Inc. Enforcing network endpoint policies in a cloud-based environment using a covert namespace
CN112769811A (en) * 2020-12-30 2021-05-07 北京天融信网络安全技术有限公司 Method and device for updating hidden channel detection model

Also Published As

Publication number Publication date
CN113938315A (en) 2022-01-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant