A Covert Tunnel Based on HTTP Protocol and Its Detection Method

doi:10.3969/j.issn.1006-2475.2019.06.003

Abstract

Abstract: The attack-defense game of covert tunnels has lasted for more than 30 years. The main detection methods of existing covert tunnels include the detection of message data and structure, detection based on flow statistics and detection based on machine learning. With the development of relevant technologies, more and more covert tunnes are constructed through the application layer protocol. Firstly, this paper designs a covert tunnel based on HTTP protocol. The tunnel uses backdoor program to carry out concealed communication, and encrypts the communication data to make it more concealed. The experiment shows that the tunnel can bypass the firewall, 360 guard, and other security equipments. Secondly, this paper analyzes the structure and flow characteristics of this type of tunnel and proposes a detection method to extract high-distinction features for the structural features and statistical features of the message. Finally, machine learning method is selected for detection. Both SVM and decision tree can accurately detect this kind of covert tunnel, and have low false alarm rate and missing alarm rate.

Key words: covert tunnel, webshell, machine learning

CLC Number:

TP391

ZHAO Qi1,2, JIANG Chao-hui1,2, ZHOU Xue-mei1,2, SONG Zi-hua1,2. A Covert Tunnel Based on HTTP Protocol and Its Detection Method[J]. Computer and Modernization, 2019, 0(06): 16-.

References

［1］孙丽雅,刘思琦. 2018年7月计算机病毒疫情分析［J］. 信息网络安全, 2018(9):106.
［2］巫祺炜,施勇,薛质. 基于OpenVPN识别的APT隐蔽隧道检测［J］. 信息安全与通信保密, 2015(12):112-115.
［3］ GITHUB. 给我一句话的时间——那些一句话后［EB/OL］. (2016-05-31)［2019-03-05］. http://xuelinf.github.io/2016/05/31/给我一句话的时间-PHP后门溯源.
［4］王永杰,刘京菊. 基于DNS协议的隐蔽通道原理及性能分析［J］. 计算机工程, 2014,40(7):102-105.
［5］章思宇,邹福泰,王鲁华,等. 基于DNS的隐蔽通道流量检测［J］. 通信学报, 2013(5):143-151.
［6］王传安. 基于信息熵SVM的ICMP隐蔽通道检测研究［D］. 镇江:江苏大学, 2009.
［7］兰景宏,刘胜利,李晔,等. 一种基于多层联合分析的HTTP隧道木马检测方法［J］. 计算机应用研究, 2016(1):240-244.
［8］马文岩. HTTP协议上几种新的应用层隐蔽通道［J］. 计算机光盘软件与应用, 2014,17(15):179-180.
［9］强亮,李斌,胡铭曾. 基于HTTP协议的网络隐蔽通道研究［J］. 计算机工程, 2005(15):224-225.
［10］HUANG L D, LIU J, LONG S Y. Design and implementation of lightweight RMI framework based on http tunnel［C］// Proceedings of 2014 2nd International Conference on Teaching and Computational Science(ICTCS 2014). 2014:4.
［11］赵晓丽.基于语义分析的网页病毒检测研究［D］. 青岛:中国海洋大学, 2010.
［12］谢慧,严承华,陈泽茂,等. 基于HTTP协议的跳频隐蔽通道技术研究［J］. 电子技术应用, 2010(10):102-105.
［13］薛晋康,许士博,吴兴龙. 基于流量分析的网络隐蔽通道检测模型［J］. 计算机工程, 2002(12):46-48.
［14］杨鹏,赵辉,鲍忠贵. 网络时间隐蔽通道的拟合模型特性研究［J］. 计算机科学, 2017,44(1):145-148.
［15］DUSI M, CROTTI M, GRINGOLI F, et al. Tunnel hunter: Detecting application-layer tunnels with statistical fingerprinting［J］. Computer Networks, 2009,53(1):81-97.
［16］罗友强. 基于通信行为分析的DNS隧道木马检测技术研究［D］. 郑州:解放军信息工程大学, 2017.
［17］王宜菲,杨亚磊,饶孟良. 基于C4.5的HTTP隧道检测技术研究［J］. 计算机工程与计, 2012,33(2):493-497.
［18］WANG F, HUANG L, CHEN Z, et al. A novel Web tunnel detection method based on protocol behaviors［C］// International Conference on Security and Privacy in Communication Systems. 2013:234-251.
［19］WRENCH P M, IRWIN B V W. Towards a PHP webshell taxonomy using deobfuscation-assisted similarity analysis［C］// 2015 Information Security for South Africa. 2015:1-8.
［20］NAZARIO J. PhoneyC: A virtual client honeypot［C］// Proceedings of the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET). 2009:6.
［21］杜海章,方勇． PHP webshell实时动态检测［J］. 网络安全技术与应用, 2014,13(12):120-121.
［22］王文清,彭国军,陈震杭,等. 基于组合策略的webshell检测框架［J］. 计算机工程与设计, 2018,39(4):907-911.
［23］徐国天. 基于Referer字段递归分析的网页挂马检验方法研究［J］. 刑事技术, 2016,41(6):431-436.
［24］张慧琳,邹维,韩心慧. 网页木马机理与防御技术［J］. 软件学报, 2013,24(4):843-858.
［25］张玉冲,王松杰,李洋. 基于信息熵的数据流加密判断算法［J］. 计算机与数字工程, 2014,42(4):555-558.
［26］陈利,张利,班晓芳,等. 基于信息熵的加密会话检测方法［J］. 计算机科学, 2015,42(1):142-143.
［27］龚利,史杨. 基于DEDECMS内容管理系统的课程网站系统实现［J］. 电脑知识与技术, 2014(23):5406-5410.
［28］GITHUB.Python-string-similarity［EB/OL］. ［2019-03-05］. https://github.com/luozhouyang/python-string-similarity.

[1]	SUN Xiao-chuan, LU Tian-liang. Application of Data Weighting Optimization Based on Clustering in Crime Prediction [J]. Computer and Modernization, 2019, 0(06): 55-.
[2]	WANG Lei. An Abstract Action Tree Construction Algorithm Based on Demonstration Trajectories [J]. Computer and Modernization, 2016, 0(6): 85-90.