
Research And Implementation On The System Of Storage Network Covert Channels Detection

Posted on: 2017-02-19
Degree: Master
Type: Thesis
Country: China
Candidate: C C Guo
GTID: 2308330485988211
Subject: Computer system architecture
Abstract/Summary:
With the development of Internet technology, network security is becoming an increasingly prominent problem. Among the many security problems, the covert channel, a new technique for leaking information, has drawn attention from more and more researchers. However, some currently deployed security protection systems and devices cannot efficiently protect the network from covert channel threats, so research on how to detect covert channels efficiently has good practical value. Because they are simple and easy to implement, storage covert channels are widely used by many intruders. Hence, we choose the detection of storage network covert channels as our research direction.

First, we conduct a comprehensive study of covert channels from many aspects, including the model and construction methods, among others, and summarize the detection methods. After comparing the advantages and disadvantages of all the methods, we introduce some efficient and simple methods into the detection system we implement. According to the principle of the covert channel, we divide covert channels into two types: fixed mode-based covert channels and non-fixed mode-based covert channels, and we design a separate module to detect each type. For the first type, we implement a mode-based covert channel detection method that extracts a specific feature. For the second type, we mainly study the timestamp-based covert channel and the ISN covert channel based on the TCP protocol. To detect the timestamp-based covert channel, whose timestamp values are irregular, we extract features from the timestamps using the phase space reconstruction technique, and then introduce a chaos theory-based covert channel detection method. To deal with the ISN covert channel, we analyze the sequence numbers of TCP packets and find a serial correlation between the TCP packets and the packet states. Based on this correlation, we construct a Markov model of the TCP protocol to detect whether an ISN covert channel exists.

Based on the detection algorithms described above, we implement a prototype and evaluate it from two aspects: true positive rate and false negative rate. For the fixed mode-based covert channel, our algorithm achieves perfect performance, with a true positive rate of 100%. For the timestamp-based covert channel and the ISN covert channel, we also achieve a true positive rate beyond 90%. Furthermore, the false negative rate remains at a very low level. The evaluation results demonstrate that our proposed detection algorithm is highly efficient and has a high degree of practical value.
Keywords/Search Tags: network covert channel, pattern feature, chaos theory, TCP Markov model