
Computer Engineering ›› 2020, Vol. 46 ›› Issue (2): 154-158,169. doi: 10.19678/j.issn.1000-3428.0053783

• Cyberspace Security •

HTTP Parameter Sorting Covert Channel Detection Method Based on Markov Model

SHEN Guoliang¹, ZHAI Jiangtao¹, DAI Yuewei²

  1. School of Electronics and Information, Jiangsu University of Science and Technology, Zhenjiang, Jiangsu 212003, China;
  2. School of Computer and Software, Nanjing University of Information Science and Technology, Nanjing 210000, China
  • Received: 2019-01-22 Revised: 2019-03-21 Published: 2019-04-22
  • About the authors: SHEN Guoliang (born 1994), male, master's student, main research interests: multimedia and information security; ZHAI Jiangtao (corresponding author), associate professor; DAI Yuewei, professor and doctoral supervisor.
  • Funding:
    National Natural Science Foundation of China (61702235, 61472188, 61602247, U1636117); Natural Science Foundation of Jiangsu Province (BK20150472, BK20160840).

Abstract: A network covert channel is a communication channel that carries secret messages between hosts on a network by using reserved, optional or undefined fields in network protocols. HTTP, as one of the most commonly used protocols on the World Wide Web, is a good carrier for network covert channels. To detect HTTP-based covert channels effectively, this paper proposes a covert channel detection method based on a Markov model. Taking Host, Connection, Accept and User-Agent as keywords, the method builds a Markov model of the data packets and calculates its state transition probability matrix. The relative entropy between the probability matrix of the packets under test and that of normal packets is used to determine whether covert channel communication is present. Experimental results show that when the abnormal data in the covert channel exceeds 70%, the detection rate of this method can reach more than 97%.

Key words: HTTP protocol, covert channel detection, Markov model, relative entropy, detection rate
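The detection idea in the abstract, sketched as an added example (not the authors' code): each request contributes the order of its four keyword headers, a transition matrix is estimated per traffic window, and the window is flagged when its relative entropy against a baseline matrix exceeds a threshold. The first-order chain over within-request header order, the Laplace smoothing, the direction of the divergence, the `THRESHOLD` value and all sample requests are assumptions constructed for this illustration.

```python
import itertools
import math
from collections import Counter

KEYS = ("host", "connection", "accept", "user-agent")  # keywords named in the abstract
NORMAL_ORDER = ("host", "connection", "user-agent", "accept")  # constructed baseline order
THRESHOLD = 1.0  # bits; constructed for this sample data, not a value from the paper

def key_order(raw_request):
    """Order in which the four keyword headers appear in one raw HTTP request."""
    order = []
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if not line:                            # blank line ends the header block
            break
        name = line.split(":", 1)[0].strip().lower()
        if name in KEYS and name not in order:
            order.append(name)
    return order

def transition_matrix(requests, alpha=1.0):
    """Markov transition probabilities between consecutive keywords (Laplace-smoothed)."""
    counts = Counter()
    for req in requests:
        order = key_order(req)
        counts.update(zip(order, order[1:]))
    matrix = {}
    for a in KEYS:
        total = sum(counts[(a, b)] for b in KEYS) + alpha * len(KEYS)
        matrix[a] = {b: (counts[(a, b)] + alpha) / total for b in KEYS}
    return matrix

def relative_entropy(p, q):
    """Sum over rows of D(p_row || q_row), in bits."""
    return sum(p[a][b] * math.log2(p[a][b] / q[a][b]) for a in KEYS for b in KEYS)

def make_request(order):
    """Build a constructed sample request with the keyword headers in the given order."""
    lines = {"host": "Host: example.test", "connection": "Connection: keep-alive",
             "accept": "Accept: */*", "user-agent": "User-Agent: demo/1.0"}
    return "GET / HTTP/1.1\r\n" + "\r\n".join(lines[k] for k in order) + "\r\n\r\n"

def make_window(size, covert_fraction):
    """Constructed traffic window: a share of requests carry permuted header order."""
    odd = [p for p in itertools.permutations(KEYS) if p != NORMAL_ORDER]
    n_covert = round(size * covert_fraction)
    orders = [odd[i % len(odd)] for i in range(n_covert)] + [NORMAL_ORDER] * (size - n_covert)
    return [make_request(o) for o in orders]

BASELINE = transition_matrix(make_window(200, 0.0))

def is_covert(window):
    """Flag a window whose transition matrix diverges from the baseline."""
    return relative_entropy(transition_matrix(window), BASELINE) > THRESHOLD
```

In practice the baseline matrix and the threshold would be fitted on captured traffic from the clients being monitored, since legitimate header order differs between browsers and libraries.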
