基于灰度图像转化的时间型隐蔽信道检测方法

Covert timing channel detection method based on grayscale image transformation

时间型网络隐蔽信道是一种隐蔽性极高的信息泄露方式.其作为APT攻击的主要通信手段,对网络安全产生了极大威胁.目前针对隐蔽信道的检测方法通用性不足、误检率高,且人工提取流量特征耗时耗力.本文提出了一种基于灰度图像转化的检测方法.该方法将报文到达时间间隔归一化,转换成像素值,再将其转为灰度图像,由此把一维序列分类问题转成二维图像分类问题.本文使用卷积神经网络自动获取图像特征,并利用卷积块注意力模块,从空间与通道两个维度进行特征自适应优化.本文用合法流量和隐蔽信道流量组成的数据集训练网络,所得到的二分类模型用于判别被检测流量是否为时间型隐蔽信道流量.最后将提出的方法与现有的4种检测方法做对比.实验结果表明,本文方法具有更高的精确率和召回率,所得模型的通用性更好且误检率更低.

Network covert timing channel is a highly concealed method of information leakage.As the main communication method of APT attack,it poses a great threat to network security.The current detection methods for covert channel are insufficient generality,have high false detection rate,and manual extraction of features is time-consuming.This paper proposes a detection method based on grayscale image transformation.This method normalizes the inter-arrival time sequence of packets,and converts them into pixel values,and then converts into a grayscale image,thereby transforming a problem of one-dimensional sequence classification into a problem of two-dimensional image classification.The authors use the Convolutional Neural Networks to automatically acquire image features,and use the Convolutional Block Attention Module to optimize the feature adaptively from two dimensions of space and channel.The authors train the network with the data set composed of legitimate traffic and covert channel traffic,and the obtained binary classifier can be used to judge whether the detected traffic is covert timing channel traffic.Finally,the proposed approach is compared with the four existing detection methods.The experimental results show that the proposed method has higher precision and recall rate,and the proposed model has better generality and lower false detection rate.