Abstract
An attacker can hide arbitrary generated information in the ICMP payload and pass it out of the network, forming an ICMP payload covert channel. Based on an analysis of the entropy standard deviation and the entropy distribution characteristics of ICMP data flows, a sample-set reduction strategy based on information entropy is proposed. To improve the learning ability and generalization ability of the standard support vector machine (SVM), several selection rules are established and an effective mixed kernel function is constructed. Finally, a mixed SVM combined with information entropy is used to detect ICMP covert channels, achieving fast classification and a high detection rate. Experimental results show that detecting ICMP covert channels with a mixed SVM combined with information entropy is effective and feasible.
Attackers can hide arbitrary generated information in the payload of ICMP packets to construct a covert channel. Analysis of the entropy distribution characteristics of ICMP data flows found that 95% of ICMP packets did not contain a covert channel; therefore, an entropy-based method is proposed to prune the large training set. The learning ability and generalization ability of an SVM do not work well when it is used to detect ICMP covert channels with a single kernel function, so several rules for selecting a kernel are given, and based on these rules a mixture of kernels is constructed. Finally, using information entropy together with a mixture-kernel SVM to detect ICMP covert channels performed well in both speed and detection rate. Preliminary experimental results show that the method is efficient and feasible.
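The entropy-based sample-set reduction described in the abstract, as an added Python illustration that is not the paper's own code: it extracts the payload of ICMP echo packets, computes byte-level Shannon entropy, and keeps every sample whose entropy lies outside the dense band around the mean while thinning the band itself. The band width k, the thinning rate keep_every, and the constructed ping-style payloads are my assumptions, not values taken from the paper.

```python
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def icmp_payload(packet: bytes) -> bytes:
    """Return the bytes after the 8-byte ICMP header (type, code, checksum, id, seq)."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    return packet[8:]


def build_echo(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed ICMP echo request; checksum is left zero (not needed for the feature)."""
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload


def prune_by_entropy(samples, k: float = 1.0, keep_every: int = 5):
    """samples: list of (packet_bytes, label). Returns (packet, label, entropy) tuples.
    Samples whose payload entropy deviates from the mean by more than k standard
    deviations are always kept; the dense band near the mean (the bulk of ordinary
    traffic) is thinned to every keep_every-th sample. k and keep_every are assumed."""
    ents = [shannon_entropy(icmp_payload(p)) for p, _ in samples]
    mean = sum(ents) / len(ents)
    std = math.sqrt(sum((e - mean) ** 2 for e in ents) / len(ents))
    kept, band_idx = [], 0
    for (pkt, label), e in zip(samples, ents):
        if abs(e - mean) > k * std:
            kept.append((pkt, label, e))  # outlier entropy: keep unconditionally
        else:
            if band_idx % keep_every == 0:
                kept.append((pkt, label, e))  # thinned sample from the dense band
            band_idx += 1
    return kept


def constructed_samples():
    """Constructed training set: 16 Windows-style ping payloads (label 0) and 4
    payloads of 32 distinct bytes standing in for covert-channel data (label 1)."""
    normal = build_echo(b"abcdefghijklmnopqrstuvwabcdefghi")
    covert = build_echo(bytes(range(32)))
    return [(normal, 0)] * 16 + [(covert, 1)] * 4
```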
Source
《计算机应用研究》
CSCD
PKU Core Journal (北大核心)
2010, No. 11, pp. 4312-4315 (4 pages)
Application Research of Computers
Funding
Anhui Science and Technology University Research Fund project (ZRC2008176)
Anhui Science and Technology University teaching research project (X200829)
Keywords
Internet Control Message Protocol (ICMP)
covert channel
support vector machine
information entropy