Funding: the National Natural Science Foundation of China (No. 60773049); the Natural Science Foundation of Jiangsu Province (No. BK2007086); the Fundamental Research Project of the Natural Science in Colleges of Jiangsu Province (No. 07KJB520016); the Person with Ability Project of Jiangsu University (No. 07JDG053), China
Abstract: A new concept, the security level difference of a covert channel, is presented; it denotes the security level span from the sender to the receiver of the covert channel. Based on this, integrated criteria for covert channel auditing are given. Whereas TCSEC (Trusted Computer System Evaluation Criteria) and CC (Common Criteria for Information Technology Security Evaluation) use only bandwidth to evaluate the threat of a covert channel, our new criteria integrate the security level difference, the bandwidth-sensitive parameter, bandwidth, duration and instantaneous time of covert channels, so as to give a comprehensive evaluation of the threat of covert channels in a multilevel security system.
Funding: National Key Research and Development Project (2016QY04W0901 and 2016QY04W0903).
Abstract: A covert channel is an information channel used by a computer process to exfiltrate data by bypassing security policies. The DNS protocol is one of the important ways to implement a covert channel, and DNS covert channels are easily used by attackers for malicious purposes. Therefore, an effective detection approach for DNS covert channels is significant for computer system and network security. Aiming at the difficulty of DNS covert channel identification, we propose a DNS covert channel detection method based on a stacking model. The stacking model is evaluated on a campus network, and the experimental results show that detection based on the stacking model can detect DNS covert channels effectively. Besides, it can identify unknown covert channel traffic. The area under the curve (AUC) of the proposed method reaches 0.9901, which outperforms existing detection methods.
Funding: Supported by the National High Technology Research and Development Program of China (863 Program) (2009AA012200); Henan Province Science and Technology Funding Projects (SP09JH11158)
Abstract: Aiming at the problem that virtual machine information cannot be extracted completely, we extend the typical virtual machine information extraction model and propose a perception mechanism for virtualization systems based on a storage covert channel, in order to overcome the effect of the semantic gap. Taking advantage of the undetectability of the covert channel, a secure channel is established between the vip and the virtual machine monitor to pass data directly. The vip machine can pass the control information of a malicious process to the virtual machine monitor by using the VMCALL instruction and shared memory. By parsing critical information in the process control structure, the virtual machine monitor can terminate the malicious processes. The test results show that the proposed mechanism can clear user-level malicious programs in the virtual machine effectively and covertly. Meanwhile, its performance overhead is about the same as that of other mainstream monitoring modes.
Funding: Supported by the National Natural Science Foundation of China (90104005, 66973034)
Abstract: Based on an analysis of the working mechanism of covert channels in the Internet Control Message Protocol (ICMP) under Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6), ICMP covert channel algorithms for IPv4 and IPv6 are presented, which enable automatic channeling between IPv4/v6 nodes with non-IPv4-compatible addresses, and key transmission is achieved by using this channel in an embedded Internet terminal. The result shows that, if the covert channel algorithm we implemented is configured correctly, the messages of this covert channel might pass through the gateway and enter the local area network.
Funding: Supported by the National Natural Science Foundation of China under Grant Nos. 61170272, 61272514, 61003287, and 61070163; the Asia Foresight Program under National Natural Science Foundation of China under Grant No. 61161140320; the Specialized Research Fund for the Doctoral Program of Higher Education under Grant No. 20100005120002; the Fok Ying Tong Education Foundation under Grant No. 131067; the Shandong Provincial Natural Science Foundation, China under Grant No. ZR2011FM023; the Shandong Province Outstanding Research Award Fund for Young Scientists of China under Grant No. BS2011DX034; the Fundamental Research Funds for the Central Universities under Grant No. BUPT2012RC0221
Abstract: By analyzing the basic properties of the unitary transformations used in a quantum secure direct communication (QSDC) protocol, we show the main reason why a covert channel can be established within any QSDC channel that employs unitary transformations to encode information. On the basis of the fact that the unitary transformations used in a QSDC protocol are secret and independent, a novel quantum covert channel protocol is proposed to transfer secret messages with unconditional security. The performance of the proposed protocol, including its imperceptibility, capacity and security, is analyzed in detail.
Funding: This work is sponsored by the National Natural Science Foundation of China Grant No. 61100008; Natural Science Foundation of Heilongjiang Province of China under Grant No. LC2016024; Natural Science Foundation of the Jiangsu Higher Education Institutions Grant No. 17KJB520044; Six Talent Peaks Project in Jiangsu Province No. XYDXX-108.
Abstract: The packet-ordering covert channel is a hot research topic. Encryption technology alone is not enough to protect the security of both sides of a communication: a covert channel needs to hide the fact that data is being transmitted as well as protect the content of the communication. Traditional methods usually use proxy technology, such as Tor anonymous routing, to hide the identity of the communicator. However, because establishing proxy communication consumes traffic, the communication capacity is reduced, and in recent years Tor has often had vulnerabilities that led to the leakage of secret information. In this paper, the packet-ordering covert channel model is applied to a distributed system, and a distributed covert channel of packet ordering enhancement model based on data compression (DCCPOEDC) is proposed. Data compression algorithms are used to reduce the amount of data and the transmission time. The distributed system and the data compression algorithms weaken the statistical probability of the hidden information being detected; furthermore, they enhance the unknowability of the data and weaken the time-distribution characteristics of the data packets. This paper selects a compression algorithm suitable for DCCPOEDC and analyzes DCCPOEDC in terms of anonymity, transmission efficiency, and transmission performance. The analysis results show that DCCPOEDC optimizes the packet-ordering covert channel, saving transmission time and improving concealment compared with the original covert channel.
Funding: This work was supported partly by the National Natural Science Foundation of China under Grant No. 61971200; partly by Zhejiang Lab under Grants No. 2021LE0AB01 and No. 2021PC0AC01; partly by the Major Scientific Research Project of Zhejiang Lab under Grant No. 2021LE0AC01; partly by the Key Technologies R&D Program of Jiangsu (Prospective and Key Technologies for Industry) under Grant No. BE2021003; partly by the National Key Research and Development Program of China under Grant No. 2019QY0705; and by the Guangdong Provincial Key Laboratory of Short-Range Wireless Detection and Communication under Grants No. 2014B030301010 and No. 2017B030314003.
Abstract: When an inaudible sound covert channel (ISCC) attack is launched inside a computer system, sensitive data are converted to inaudible sound waves and then transmitted. The receiver at the other end picks up the sound signal, from which the original sensitive data can be recovered. As a forceful countermeasure against the ISCC attack, strong noise can be used to jam the channel and literally shut down any possible sound data transmission. In this paper, an enhanced ISCC is proposed whose transmission frequency can be changed dynamically. Essentially, if the transmitter detects that the covert channel is being jammed, the transmitter and receiver both switch to another available frequency and re-establish their communication, following the proposed communication protocol. Experimental results show that the proposed enhanced ISCC can remain connected even in the presence of a strong jamming noise source. Correspondingly, a detection method based on frequency scanning is proposed to help combat such an anti-jamming sound channel. With the proposed countermeasure, the bit error rate (BER) of data communication over the enhanced ISCC soars to more than 48%, essentially shutting down the data transmission and thus neutralizing the security threat.
Abstract: This paper proposes the concept of transaction-type covert storage channels, which are caused by database storage resources. It also proposes that the mode of auditing those channels be based on transactions. Next, the paper analyzes and resolves the two problems arising from auditing the use of transaction-type covert storage channels in database systems: namely, the relationship between channel variables, which are altered (or viewed) by the transaction and satisfy integrity constraints in the DBMS, and database states; and the circumvention of covert storage channel auditing in the DBMS.
Funding: This study is financed by the European Union-NextGenerationEU, through the National Recovery and Resilience Plan of the Republic of Bulgaria, Project No. BG-RRP-2.013-0001.
Abstract: Covert timing channels (CTC) exploit network resources to establish hidden communication pathways, posing significant risks to data security and policy compliance. Therefore, detecting such hidden and dangerous threats remains one of the security challenges. This paper proposes LinguTimeX, a new framework that combines natural language processing with artificial intelligence, along with explainable Artificial Intelligence (AI), not only to detect CTC but also to provide insights into the decision process. LinguTimeX performs multidimensional feature extraction by fusing linguistic attributes with temporal network patterns to identify covert channels precisely. LinguTimeX demonstrates strong effectiveness in detecting CTC across multiple languages, namely English, Arabic, and Chinese. Specifically, the LSTM and RNN models achieved F1 scores of 90% on the English dataset, 89% on the Arabic dataset, and 88% on the Chinese dataset, showcasing their superior performance and ability to generalize across multiple languages. This highlights their robustness in detecting CTCs within security systems, regardless of the language or cultural context of the data. In contrast, the DeepForest model produced F1-scores ranging from 86% to 87% across the same datasets, further confirming its effectiveness in CTC detection. Although other algorithms also showed reasonable accuracy, the LSTM and RNN models consistently outperformed them in multilingual settings, suggesting that deep learning models might be better suited for this particular problem.
Abstract: Despite extensive research, timing channels (TCs) are still known as a principal category of threats that aim to leak and transmit information by perturbing the timing or ordering of events. Existing TC detection approaches use either signature-based approaches to detect known TCs or anomaly-based approaches that model the legitimate network traffic in order to detect unknown TCs. Unfortunately, in a software-defined networking (SDN) environment, most existing TC detection approaches would fail due to factors such as volatile network traffic, imprecise timekeeping mechanisms, and dynamic network topology. Furthermore, stealthy TCs can be designed to mimic the legitimate traffic pattern and thus evade anomaly-based TC detection. In this paper, we overcome the above challenges by presenting a novel framework that harnesses the advantages of elastic resources in the cloud. In particular, our framework dynamically configures SDN to enable/disable differential analysis against outbound network flows of different virtual machines (VMs). Our framework is tightly coupled with a new metric that first decomposes the timing data of network flows into a number of using the discrete wavelet-based multi-resolution transform (DWMT). It then applies the Kullback-Leibler divergence (KLD) to measure the variance among flow pairs. The appealing feature of our approach is that, compared with existing anomaly detection approaches, it can detect most existing and some new stealthy TCs without legitimate traffic for modeling, even in the presence of noise and imprecise timekeeping mechanisms in an SDN virtual environment. We implement our framework as a prototype system, OBSERVER, which can be dynamically deployed in an SDN environment. Empirical evaluation shows that our approach can efficiently detect TCs with a higher detection rate, lower latency, and negligible performance overhead compared to existing approaches.
Abstract: Existing research on storage-type network covert channels mainly hides information in different fields of different protocols. Among the many protocols, TCP and UDP have been studied extensively, whereas OSPF, although widely used, has received little domestic research attention. By analyzing the Hello packets of the OSPF protocol, the fields that can be used to construct a network covert channel are identified. From all candidate fields, the Authentication, Router Dead Interval and Neighbor fields are selected to construct three covert channels, using a random-value pattern, a value-modulation model and a sequence pattern respectively; micro-protocol techniques are used to optimize the channels, and the three covert channels are combined into a single covert channel model with a higher transmission rate. Verification shows that the model has a certain degree of feasibility and covertness, and can provide theoretical and technical support for storage-type network covert channel construction techniques.
Abstract: Domain name system (DNS) covert channels are a network attack technique that uses the DNS protocol to exfiltrate data; they are favoured by many advanced persistent threat (APT) groups and pose a serious threat to cyberspace security. To address the strong feature dependence and high false-positive rate of traditional machine learning methods, a DNS covert channel detection algorithm that fuses multi-channel convolution with an attention network is proposed. Based on the bidirectional flow of DNS requests and responses, the algorithm first combines residual structures with parallel convolution, using convolution kernels of different sizes to extract and fuse multi-scale feature information and thereby capture features at different receptive fields; it then introduces a channel attention mechanism to strengthen the extraction of key information from the convolutional channels and enrich the expressive power of the network model; finally, a softmax function is used to detect DNS covert channels. Experimental results show that the proposed model detects DNS covert channels effectively, with average accuracy, precision and recall of 96.42%, 97.82% and 96.16% respectively, outperforming traditional methods.