English Abstract

With the growing use of Internet technology, hackers can take advantage of security holes in systems and protocols to develop complex and varied intrusion techniques, such as denial of service (DoS), virus, and Trojan horse attacks. Covert channels have always played a role in bridging these intrusion techniques, especially in Trojan horses. Because all packets produced by covert channels conform to standard protocol specifications, these legal but furtive packets are hard for firewalls and intrusion detection systems to detect. The proposed scheme uses a two-step clustering method, consisting of Ward's clustering and k-means clustering, to handle normal and abnormal packets, using the DARPA dataset and four kinds of covert channel software tools. The experimental results can serve as a practical reference for preventing covert channel attacks.