84 results about "Covert channel" patented technology

The application provides a network attack identification method and device as well as a computer readable storage medium. The method may include the following steps: acquiring a preset type of attribute information in a target data stream; inputting the acquired attribute information into a preconfigured machine learning model for calculation, wherein the machine learning model is obtained by training sample data through a supervised learning algorithm; and identifying whether the target data stream belongs to network attacks according to a calculation result. According to the technical scheme provided by the application, the data stream that belongs to the network attacks can be effectively identified; and meanwhile, the network attacks can be identified without extracting attack features, and messages that are transmitted through covert channels, encrypted channels and other modes and belong to the network attacks can be identified.

Disclosed are communication apparatus, a SATA communication device, a system, an enhanced port multiplier and a method for, among other things, establishing a covert communication channel in a protocol-compliant link. In one embodiment, a communication apparatus includes a link interface and a supplemental message interface. The link interface is configured to communicatively couple the communication apparatus to the link for accessing a data stream passing through the link in accordance with a standardized protocol. The supplemental message interface is configured to exchange a supplemental message within the data stream to establish a covert communication channel in the link. The supplemental message supplements the standardized protocol without violating the protocol.

A one-way data communication link implementation method and system are presented. It is used to insure no covert channels exist between a transmitter system and receiver system. Covert channels can be used to pass information, for unauthorized purposes. Thus covert channels must be eliminated, if an information system or network is to be considered secure. The one-way link is an essential security tool for constructing secure information systems and networks. An example use of a one-way link is given for a system which acts as a communications front-end (CFE) module to a system it is protecting. The one-way link is use to transfer data in only a single direction from a protected system to the CFE-Module.

The invention provides a self-adaption covert communication method based on satellite channel coding, and directing at different channel encoding algorithms of block codes, RS codes, convolutional codes, serial concatenated code and the like, provides a capacity self-adaption method for secrete information embedding; further provides a channel encoding information embedding and extracting algorithm based on m sequences. By the utilization of the self-adaption covert communication method, the capacity of covert channels can be determined in a self-adaption mode according to different used channel encoding algorithms and different used communication environments; normal use of carriers containing secretes is not influenced, and main steganalysis attacks such as chi-square analysis attacks and RS analysis attacks can be resisted; under the condition that the satellite channel bit error rate is 10-3-10-5, quasi error-free transmission of secrete information can be realized.

The Time to Live (TTL) field in an IP header is used as a covert channel in a communication system. More particularly the TTL field can be used to selectively mark packets with unique identifiers as they pass through an upstream station on their way to a downstream station. In this way the source of a traffic flow at least within a particular domain can be absolutely identified. This method of performing a traceback operation doesn't utilize additional resources as it relies on functionality which already exists in the system.

The invention discloses a secret information coding and sending method based on TCP effective loads and a corresponding secret information receiving and decoding method. On a sender, an encoder encodes secret information according to a coding schedule consulted in advance; then, the secret information is sent to a receiver. On the receiver, after the receiver monitors and captures a data packet of a fixed port, a decoder carries out TCP effective load extraction on the data packet monitored and captured at the fixed port, and the secret information is obtained through decoding according to the coding schedule. The methods are designed based on a TCP, and the quality and safety of covert channel communication are guaranteed through the reliability of the TCP. High practicality is achieved, the methods can be applied to the actual communication process well, the proportion of coding to non-coding of effective length can be adjusted in a balanced mode, and the controllability of the detection resisting performance of a covert channel is achieved.

The invention relates to the field of machine learning algorithms and covert channel detection, and aims to provide an ICMP covert channel detection method based on a random forest machine learning algorithm. According to the technology, firstly, data packets of inter-network communication are captured, basic information (a source IP address, a destination IP address and the like) related to the data packets in the data packets is extracted, the information is classified, an ICMP message flow is formed according to the information, and characteristics are extracted from the corresponding ICMPmessage flow by utilizing a specific rule of the method; the method comprises the following steps: obtaining the characteristics of the ICMP message communication data flow between a source IP addressand a destination IP address, training the characteristics by using a random forest-based machine learning method, and finally obtaining a classifier for detecting an ICMP covert channel. When the method is used for ICMP covert channel detection, the calculation cost and the time cost are low, the generated ICMP flow features are strong in pertinence and high in reliability, and the ICMP covert channel can be effectively detected.

The embodiment of the application provides a detection method and detection equipment of a hidden channel. The detection method comprises the following steps: grouping HTTP (Hyper Text Transport Protocol) request flow according to source IP (Internet Protocol) addresses and target IP addresses of messages in the HTTP request flow to obtain at least one group of messages, and executing subsequent steps for a first group of messages: generating a record table corresponding to the first group of messages according to timestamps and HTTP head tags carried by the messages; performing statistics to obtain a feature value of the first group of messages according to the record table corresponding to the first group of messages; and if the feature value of the first group of messages does not belongs to a normal threshold range of the feature value, determining that a Cookie hidden channel exists in the first group of messages, wherein the normal threshold range of the feature value is trained by HTTP request flow in a history time interval. In the embodiment of the application, whether the hidden channel exists in the HTTP request flow within predetermined time or not is judged through normal ranges of feature values of normal messages, so that the detection effectiveness of the HTTP hidden channel is improved.

The invention discloses a virtual machine simultaneous-locating detection method based on a hidden channel under a cloud environment. The method includes the steps that (1) a plurality of virtual machine embodiments of the same type are deployed on a cloud platform; (2) the real hidden channel, based on the cloud platform, of virtual machine monitor share resources is selected; (3) two virtual machine embodiments are selected from the virtual machine embodiments and recorded as the virtual machine embodiment A and the virtual machine embodiment B respectively; (4) the virtual machine embodiment A and the virtual machine embodiment B serve as a sender and a receiver of the hidden channel respectively, the hidden channel is used for communication, if the communication succeeds, the virtual machine embodiment A and the virtual machine embodiment B are simultaneously located on a physical machine, and if not, the virtual machine embodiment A and the virtual machine embodiment B are not simultaneously located on the physical machine. By means of the virtual machine simultaneous-locating detection method based on the hidden channel under the cloud environment, efficiency and reliability of the simultaneous-locating detection are improved, excessive dependence on the network is avoided through the hidden channel, and the problem of simultaneous-locating detection is solved on the premise that the performance is not lowered.

The invention discloses a high-security combined covert channel synchronization method. The secrete data transmission accuracy of dual combined covert channel communication parties can be ensured. In a combined covert channel communication process, the dual communication parties modulate synchronization information into a channel under the condition of no changes in normal communication Internet protocol identification (IPID) bit rules. When transmitting secrete information, a transmitting end modulates the synchronization information into an ID bit difference value of an adjacent IP data packet according to a preset modulation method. After receiving a data packet from the transmitting end, a receiving end first extracts values of adjacent IPID bits, then calculates a difference value of the values of the adjacent IPID bits, and solves the secrete information according to a corresponding combined covert channel synchronization mode. According to the synchronization method, own redundancy characteristic of a protocol is fully utilized, and the secrete data transmission and receiving accuracy of a combined covert channel is ensured under the condition of no additionally introduced channels.

The invention discloses a time type network covert channel construction method based on discrete wavelet transform, and belongs to the technical field of network information security. According to the time type network covert channel construction method disclosed by the invention, a secret message is embedded in a wavelet domain coefficient of a normal IPD sequence, and the embedding position and intensity are controlled to reduce the time domain changes to the original carrier and the properties of the original carrier as much as possible; and the generated covert communication data streams have normal rules and features and better anti-detection property. Meanwhile, the secret message bits are embedded in a part of approximation coefficients of wavelet decomposition by adopting the odd-even quantification method, and the network noise interference can be resisted to a certain extent without importing additional synchronization cost, and the robustness is relatively good.

A method and apparatus is disclosed for performing information flow enforcement for assembly code. In one embodiment, the method comprises receiving assembly code having timing annotations with type information that enforce information flow with respect to one or more of timing-related covert and concurrent channels when statically checked as to whether the code is in violation of a security policy and performing verification with respect to information flow for the assembly code based on a security policy.

The invention discloses a DNS protocol covert channel detection method based on a random forest. According to the method, a random forest algorithm in machine learning is used to learn features; according to the method, malicious traffic of a DNS hidden channel can be quickly identified, the DNS hidden channel can be effectively detected, DNS requests and response traffic are analyzed by analyzingthe DNS traffic, feature extraction is performed on common fields for transmitting hidden information, and statistics of normal threshold ranges is performed on features; and then learning normal andabnormal DNS traffic characteristics by using a random forest model, establishing a model, and identifying whether the traffic is abnormal traffic, thereby realizing detection of a hidden channel.

The invention discloses a method and a client for realizing covert communication, and a server. The method comprises steps that agreement of design rules of an NTP protocol packet with the server is carried out; the uplink transmission data is added to an NTP request message according to the design rules of the NTP protocol packet, the NTP request message is sent to the server, so the server is enabled to analyze the NTP request message according to the design rules of the NTP protocol packet to acquire the uplink transmission data. The method is advantaged in that strong penetrating power, good crypticity and high availability are realized, communication crypticity and security are improved, and preventive bases for malicious utilization of a covert channel are provided.

A communication system comprises a covert channel detector. The covert channel detector can be used in a multi-level security system (MLS) or multiple single levels of security (MSLS). The covert channel detector detects covert channels in a cryptographic system. The cryptographic system can be used in a military radio system.

The invention relates to a video information hiding method and device based on inter-block decoupling. The method includes the following steps: (1) inputting a carrier video to be embedded and obtaining the channel parameters thereof, wherein the channel parameters include whether each block is a non-reference block, the values of non-zero DCT coefficients in each non-reference block and the embedding cost of each non-reference block; (2) carrying out steganographic coding by taking the non-zero DCT coefficients in all the non-reference blocks as the carrier of a covert channel; and (3) compressing the carrier video to be embedded, and using the lowest bit to replace and modify the non-zero DCT coefficients in all the non-reference blocks according to the channel parameters acquired in step (1) and the coding result obtained in step (2) in the process of compression to obtain a steganographic video file. The generation of the cost drift phenomenon is avoided by using the technology ofdecoupling between carrier blocks. The method and the device are especially suitable for a covert communication scenario requiring low real-time performance and high security performance.

The invention discloses a method for building a covert channel with network flow watermarking of a forward error correction code and an interleaved code, and relates to a covert channel for information secure transmission in the field of communication. The method comprises the following steps: firstly, encoding original secret information to be transmitted by an error correction code encoder, andprocessing an obtained codeword signal according to a network flow watermarking method; in a decoding stage, making a secret information receiver acquire a watermark signal from target network stream,and transmit the watermark signal to an interleaved code decoder for processing to obtain a de-transposed watermark signal; if the watermark signal is subjected to PN code spread spectrum processing,processing the watermark signal with a PN decoder; and finally, transmitting the de-transposed watermark signal or the PN decoded watermark signal to an error correction code decoder for processing to recover the original secret information. Through adoption of the method for building the covert channel with network flow watermarking of the forward error correction code and the interleaved code,the automatic error correction capability specific to the secret information is realized, and the reliability of information transmission is enhanced.

The present invention relates to a video steganography method based on motion vector local optimality preservation. Criteria for motion vector local optimality and a search algorithm for optimal candidate motion vectors are established. On this basis, by constructing a reasonable motion vector disturbance cost calculation model and selecting the most efficient steganographic codes, covert channels are established to complete steganographic insertion of secret information, and an extraction process of the secrete information is thus completed. Syndrome trellis code (STC) steganographic codes are preferably adopted. The method provided by the present invention is a motion vector field video steganography method which is based on motion vector local optimality preservation, has a high insertion efficiency and can effectively resist conventional steganalysis attacks, and is especially applicable to covert communication situations with high safety requirements.