抗隐蔽通道的网络隔离通信方案

doi:10.11959/j.issn.1000-436x.2014.11.011

Abstract

Abstract:

With the rapid development of network technologies，real-time information exchanging between heterogeneous networks becomes more frequently.To effectively guarantee the secure and real-time information exchanging crossing different networks，a network isolation communication scheme (NICS) is proposed to resist against covert channel.A newly theoretical model of NICS is designed and proved based on the information theory，and followed with a specific solution.Security analysis indicates that the NICS is able to effectively solve problems of the potential packet lengths’ covert channel (PLCC) and the status covert channel (SCC) in most of the existing work; and，given similar amount of information for exchanging，the NICS can achieve equivalent security degree with the physical isolation in terms of resisting against the covert channel.

Key words: network isolation, covert channel, length of the data packet, status information

Feng-hua LI,Miao-miao TAN,Kai FAN,Kui GENG,Fu ZHAO. Network isolation communication scheme to resist against covert channel[J]. Journal on Communications, 2014, 35(11): 96-106.

Figures/Tables 6

函数名	描述
verifyp	若收到依据源网络遵循的通讯协议的数据，则校验通过返回True，否则返回False verifyp(data，protocol:INSULATE) ?
	Result=(data∈DATA)∧(isvalid(protocol)) ?
	将进入隔离控制装置的的数据拆分为固定长度是L_s的作业分组，返回拆分后的作业分组个数N
split	split(data，L_data，L_s:INSULATE)?
	result=L_data/L_s?
fill	若数据分组长度小于固定长度，则填充，填充后固定长度返回True，否则返回False fill(r_n，L_s:INSULATE) ?
	result=(length(r₁)=length(r_n)) ?
	为第i个数据分组构造分组头，若分组头属于HEADER则返回True，否则返回False creath(packetID，length(r_i)，state，sockID:INSULATE) ?
	r_i∈PACKETR
	list1=＜packetID＞
creath	list2=＜length(r_i)＞
	list3=state
	list4=sockID
	header_i= list1^list2^list3^list4
	result=(header_i∈HEADER) ?
	为第i个数据分组添加已构造好的分组头，并返回总长度N
	addh(r_i，header_i:INSULATE) ?
addh	r_i∈PACKETRlist1=header_i
	list2=r_i
	result= list1^list2?
verifyw	对收到的作业分组r进行校验，通过返回True，否则返回False verifyw(r:INSULATE) ?
	result(r∈PACKETW∧isright(CRC(r))) ?
correctw	对收到的作业分组r进行纠错，得出正确数据返回True，否则返回False correctw (r:INSULATE) ?
	result(r∈PACKETW∧isright(ECC(r))) ?
sort	将收到的所有作业分组按照分组头中的作业分组序号进行排序，排序完成返回True，否则返回false sort(r₁，r₂，…，r_n:INSULATE) ?
	result=(issorted(r₁，r₂，…，r_n)) ?
	将作业分组中的分组头控制信息及尾部的校验码、纠错码等信息去掉，取出其中的有效数据载荷部分，返回有效数据长度N
delhdr	delete(r:INSULATE) ?
	result=(length_valid(r)) ?
defill	若数据分组有效载荷长度小于固定长度，则去掉填充，去填充后长度为有效数据载荷部分长度则返回True，否则返回False defill(r_n，llength_valid(r_n) :INSULATE) ?
	result=(length_valid(r_n)=length_off(r_n)) ?
	将已经去掉分组头及尾部的已排好序的有效数据载荷部分组合，返回组合后的总数据长度N
	combine(r₁，r₂，…，r_n:INSULATE) ?
	list1=r₁
combine	list2=r₂…
	listn=r_n
	data= list1^list2^…^listn
	result=#data?

References 25

[1]	LIU J Y ， FANG Y J ， ZHANG D H . PROFIBUS-DP and HART protocol conversion and the gateway development[A]. Proceeding of 2nd IEEE Conference on Industrial Electronics and Applications(ICIEA)[C]. Harbin，China. 2007， 15--20.
[2]	DONG G S ， LIU ZH J ， ZHAO D . A security domain isolation and data exchange system based on VMM[A]. Proceeding of 3rd International Conference on Signal Processing and Communication Systems (ICSPCS)[C].. Omaha，NE，USA 2009. 1-5.
[3]	DU J ， LIU P P . Design and implementation of efficient one-way isolation system based on PF_RING[A]. Proceeding of 2012 Fourth International Conference on Multimedia Information Networking and Security(MINES)[C]. Nanjing，China， 2012. 105-108.
[4]	LAMPSON B W . A note on the confinement problem[J]. Communications of the ACM. 1973，16(10): 613-615.
[5]	National Computer Security Center，DoD，Trusted Computer System Evaluation Criteria[R]. National Computer Security Center，Washington，DC，USA， 1985.
[6]	ZHAI G S ， ZHANG Y F ， LIU C Y ，et al. Automatic identification of covert channels inside linux kernel based on source codes[A]. Proceedings of the 2nd International Conference on Interaction Sciences:Information Technology，Culture and Human (ICIS’09)[C]. Seoul，Korea， 2009. 440-445.
[7]	MOSKOWITZ S I ， NEWMAN R E ， CREPEAU P D ，et al. Covert channels and anonym zing networks[A]. Proceedings of the 2003 ACM Workshop on Privacy in the Electronic Society[C]. New York，NY，USA， 2013. 79-88.
[8]	WANG Y ， FERRAIUOLO A ， SUH G E . Timing channel protection for a shared memory controller[A]. Proceeding of 2014 IEEE 20th International Symposium on High Performance Computer Architecture (HPCA)[C]. Orlando，FL，USA， 2014. 225-236.
[9]	JI L P ， JIANG W H ， DAI B Y . A novel covert channel based on length of messages[A]. Proceedings of International Symposium on Information Engineering and Electronic Commerce (IEEC '09)[C]. Ternopil，Ukraine， 2009. 551-554.
[10]	LI S ， EPHREMIDES A . A covert channel in mac protocols based on splitting algorithms[A]. Proceeding of Wireless Communications and Networking Conference[C]. New Orleans，LA，USA， 2005. 1168-1173.
[11]	QU H P ， SU P R ， FENG D G . A typical noisy covert channel in the IP protocol[A]. Proceeding of 38th Annual 2004 International Carnahan Conference on Security Technology[C]. Albuquerque，NM，USA， 2004. 189-192.
[12]	WANG Z H ， LEE R B . Covert and side channels due to processor architecture[A]. Proceedings of 22nd Annual Computer Security Applications Conference (ACSAC ’06)[C]. Miami Beach，FL，USA. 2006. 293-302.
[13]	M.A.PADLIPSKY M A ， SNOW D W ， KARGER P A . Limitations of End-to-End Encryption in Secure Computer Networks[R]. ESDTR-78-158，Mitre Corporation，August 1978.
[14]	GENNUSO K . Disconnect from the Internet -Whale's e-Gap In-Depth.GSEC Practical Assignment Version 1.2f[S]. 2001.
[15]	LINDSKOG S ， GRINNEMO K J ， BRUNSTROM A . Data protection based on physical separation:concepts and application scenarios[A]. Proceedings of the 2005 International Conference on Computational Science and Its Applications(ICCSA'05)[C].Singapore. 2005. 1331-1340.
[16]	WU H Y ， TAN C X ， WANG H H . Building a high-performance communication framework for network isolation system[A]. Proceedings of IEEE International Conference on Networking，Sensing and Control(ICNSC)[C]. Sanya，China， 2008. 1086-1091.
[17]	方勇，刘嘉勇 . 信息系统安全导论[M]. 北京: 电子工业出版社， 2003. FNAG Y ， LIU J Y . Introduction to Information System Security[M]. Beijing: Publishing House of Electronics IndustryPress， 2003.
[18]	YU S S ， PENG Y ， ZHAN Y J ，et al. Session mechanism research based on agent in NetGAP[A]. Proceedings of International Symposium on Intelligent Information Technology Application Workshops(IITAW’08)[C]. Shanghai，China， 2008. 395-398
[19]	章思宇，邹福泰，王鲁华等. 基于 DNS 的隐蔽通道流量检测[J]. 通信学报， 2013，34(5): 143-151. ZHANG S Y ， ZOU F T ， WANG N H ，et al. Detecting DNS-based covert channel on live traffic[J]. Journal on Communications， 2013，34(5): 143-151.
[20]	GIRLING C . Covert channels in LAN's[J]. IEEE Transactions on Software Engineering， 1987，13(2): 292-296.
[21]	钱玉文，李勇，王执铨 . 网络包长度隐蔽信道的建模与仿真[J]. 系统仿真学报， 2010，22(7): 1773-1781. QIAN Y W ， LI Y ， WANG Z Q . Modeling and simulation of covert channel based on network packet length[J]. Journal of System Simulation， 2010，22(7): 1773-1781.
[22]	OMAR S N ， AHMEDY I ， NGADI M A . Indirect DNS covert channel based on name reference for minima length distribution[A]. Proceedings of International Conference on Information Technology and Multimedia (ICIM)[C].Kuala Lumpur，Malaysia. 2011. 1-6.
[23]	SPIVEY J M.The Z Notation:A Reference Manual . International Series in Computer Science[M]. Prentice-Hall，New York，NY，USA. 1992.
[24]	WANG P ， LIU S S ， YAN L X ，et al. Net gap among different security level networks[A]. Proceedings of 2012 Fourth International Conference on Multimedia Information Networking and Security (MINES)[C]. Nanjing，China， 2012. 4-7.
[25]	YU S S ， ZHAN Y J ， CAI Q L ，et al. A Reflective NetGAP logic framework design[A]. Proceeding of Workshop on Power Electronics and Intelligent Transportation System(PEITS '08)[C]. 2008. 565-568.

Metrics

Recommended 0

No Suggested Reading articles found!

隔离机制			相关性能
隔离机制	高安全性	高实时性	数据传输高可靠性	抗PLCC	抗SCC
完全隔离	√	×	×	√	√
硬件卡隔离	×	×	×	√	√
数据转播隔离	×	×	×	×	×
空气开关隔离	×	×	×	√	×
安全通道隔离	√	√	√	×	×
NICS	√	√	√	√	√

Network isolation communication scheme to resist against covert channel

RichHTML

PDF

Knowledge

Cited

Abstract

Cite this article

share this article

Figures/Tables 6

References 25

Related Articles 14

Metrics

Recommended 0

[1]	Weijie MAI, Weili LIU, Jinghui ZHONG. Self-adaptive differential evolution algorithm based on population state information [J]. Journal on Communications, 2023, 44(6): 34-46.
[2]	Leixiao LI, Jinze DU, Hao LIN, Haoyu GAO, Yanyan YANG, Jing GAO. Research progress of blockchain network covert channel [J]. Journal on Communications, 2022, 43(9): 209-223.
[3]	Fenghua LI, Chaoyang LI, Chao GUO, Zifu LI, Liang FANG, Yunchuan GUO. Survey on key technologies of covert channel in ubiquitous network environment [J]. Journal on Communications, 2022, 43(4): 186-201.
[4]	Jiawen DIAO, Binxing FANG, Xiang CUI, Zhongru WANG, Ruiling GAN, Lin FENG, Hai JIANG. Survey of DNS covert channel [J]. Journal on Communications, 2021, 42(5): 164-178.
[5]	Meng ZHANG,Haoliang SUN,Peng YANG. Identification of DNS covert channel based on improved convolutional neural network [J]. Journal on Communications, 2020, 41(1): 169-179.
[6]	Yanfeng LI,Liping DING,Jingzheng WU,Qiang CUI,Xuehua LIU,Bei GUAN. Research on a new network covert channel model in blockchain environment [J]. Journal on Communications, 2019, 40(5): 67-78.
[7]	Weijie LIU,Li’na WANG,Danlei WANG,Zhengguang YIN,Nan FU. Virtual machine co-residency method on cloud computing platform [J]. Journal on Communications, 2018, 39(11): 116-128.
[8]	. Network isolation communication scheme to resist against covert channel [J]. Journal on Communications, 2014, 35(11): 11-97.
[9]	Si-yu ZHANG,Fu-tai1 ZOU,Lu-hua WANG,Ming CHEN. Detecting DNS-based covert channel on live traffic [J]. Journal on Communications, 2013, 34(5): 143-151.
[10]	. Detecting DNS-based covert channel on live traffic [J]. Journal on Communications, 2013, 34(5): 17-151.
[11]	Jing-zheng WU,Li-ping Ding,Yong-ji WANG. Research on key problems of covert channel in cloud computing [J]. Journal on Communications, 2011, 32(9A): 184-203.
[12]	Yun-chuan GUO,Yuan ZHOU,Li DING,Li GUO. Simulation analysis of probabilistic covert channels based on probabilistic interference [J]. Journal on Communications, 2009, 30(2): 60-65.
[13]	Hai-tao ZENG,Yong-ji WANG,Li RUAN,Wei ZU,Jia-yong CAI. Covert channel mitigation method for secure real-time database using capacity metric [J]. Journal on Communications, 2008, 29(8): 47-57.
[14]	Zhi-dan YANG,Ke-sheng LIU,Yu CHEN,Jian-xiong CHEN. Random incremental ISN algorithm of protocol steganography against statistical steganalysis [J]. Journal on Communications, 2008, 29(11A): 34-40.