CN113347119B - Method, apparatus, device and storage medium for sending data packets - Google Patents
- Publication number: CN113347119B
- Application number: CN202110483447.9A
- Authority: CN (China)
- Legal status: Active (an assumption made by Google Patents, not a legal conclusion)
Classifications
- H04L49/9057: Arrangements for supporting packet reassembly or resequencing (under H04L49/00 Packet switching elements; H04L49/90 Buffering arrangements)
- H04L69/161: Implementation details of TCP/IP or UDP/IP stack architecture; specification of modified or new header fields (under H04L69/00 Network arrangements, protocols or services independent of the application payload; H04L69/16 Implementation or adaptation of IP, TCP or UDP)
Description
Technical field
The present application relates to the field of communications technology, and in particular to a method, apparatus, device and storage medium for sending data packets.
Background
A covert channel is an abnormal data transmission path between a data sender and a data receiver. Some network attackers can leak private data stored on a data server to the outside world through a covert channel.
Covert channels include covert timing channels and covert storage channels. A covert timing channel transmits data by modulating the timing of system behaviour, so that the data receiver can read the data by observing that behaviour. For example, data can be transmitted by controlling the sending interval between consecutive packets: a short interval between two adjacent packets can represent 0 and a long interval can represent 1, so the data receiver can recover the data transmitted over the covert timing channel from the receiving interval of each packet. A covert storage channel transmits data by writing the data to be transmitted into the header of an otherwise normal packet, for example into certain specific header fields, so that the data receiver can recover the data transmitted over the covert storage channel by reading those specific fields of the packet header.
In related technical approaches, a corresponding detection method is configured on security devices such as firewalls and intrusion prevention systems (IPS) to detect whether a covert channel exists on the current data transmission path; these security devices can generally also perform the functions of switches and routers. The detection method may be configured according to the known modulation methods of covert channels. When the security device receives a packet to be sent, it can parse the packet to obtain its header, inspect specific fields of that header to determine whether a covert storage channel currently exists, and also check the sending interval between adjacent packets to determine whether a covert timing channel exists.
In the course of implementing the present application, the inventors found that the related art has at least the following problem:
In the related art, if it is determined that a covert channel exists between the data sender and the data receiver during data transmission, the transmission is terminated to protect the data. Although this improves the security of data in transit, it disrupts the transmission of legitimate data.
Summary of the invention
To solve the problem of service processing failure in the related art, embodiments of the present invention provide a method, apparatus, device and storage medium for sending data packets. The technical solution is as follows:
In a first aspect, a method for sending data packets is provided. The method includes: obtaining a target packet to be sent; changing specified fields of the header data in the target packet to obtain a target packet with changed header data; and sending the target packet with changed header data based on a preset sending interval.
The solution shown in the embodiments of the present application can be applied during data transmission to prevent data leakage through a covert channel that may exist between the data sender and the data receiver. A data forwarding device may be located between the data sender and the data receiver, and a data transmission link, for example a TCP (Transmission Control Protocol) connection, may be established between them through that device. The solution of the embodiments may be deployed on the data sender or on the data forwarding device; the forwarding device may also be a security device such as a firewall or IPS device. The present invention is described in detail taking deployment on the data forwarding device as an example. After the data forwarding device obtains a target packet transmitted over the data transmission link, it can change the specified fields of the header data in the target packet and then send the packet with changed header data according to the preset sending interval. Actively changing the specified header fields destroys any data carried over a covert storage channel, and sending the packets with changed header data at a preset interval prevents a covert timing channel from transmitting data by controlling the sending interval of packets.
In a possible implementation, changing the specified fields of the header data in the target packet includes: obtaining a target change value, and changing the specified fields of the header data in the target packet based on the target change value.
In this solution, the specified fields of the header data in the target packet can be changed according to the target change value: for example, the value of a specified field can be replaced with the target change value, or the target change value can be added to or subtracted from the value of the field. Different data transmission links may have different target change values. Thus, even if a covert storage channel exists on the data transmission link, changing the specified header fields with the target change value destroys the data carried over the channel, so that the covert storage channel can only deliver invalid data, which improves the security of data transmission.
In a possible implementation, before changing the specified fields of the header data in the target packet, the method further includes: obtaining the data source information included in the header data of the target packet; and determining that the data source information is preset data source information.
The preset data source information can be set by technical staff. It can be the data source information corresponding to a data sending device that stores highly confidential data (such as a data storage server), for example the IP (Internet Protocol) address or MAC (Media Access Control) address of the data storage server.
In this solution, after the target packet is obtained, it can be determined whether the data source information corresponding to the target packet matches the preset data source information. If it does, the target packet can be determined to come from a data sending device that stores highly confidential data. Therefore, before changing the specified fields of the target packet, it can first be determined whether the packet comes from such a device, and the specified fields are changed only if it does. In this way only target packets sent by devices holding highly confidential data are changed, which reduces the number of packets that are changed and the computing resources consumed by changing them.
In a possible implementation, obtaining the target change value includes: obtaining the target TCP connection identifier corresponding to the header data of the target packet, and determining whether the target TCP connection identifier exists in a pre-stored correspondence between TCP connection identifiers and change values; if it exists, determining the target change value corresponding to the target TCP connection identifier based on that correspondence; if it does not exist, generating a random value, taking the random value as the target change value corresponding to the target TCP connection identifier, and adding the target TCP connection identifier and the random value to the correspondence.
Within one TCP connection, the information identifying the data sender and the data receiver does not change, and every TCP packet carries that information, so the sender and receiver information can serve as the identifier of a TCP connection. For example, a hash value can be generated from the sender and receiver information arranged in a preset order, and that hash value used as the TCP connection identifier. In this way a unique TCP connection identifier can be determined for each TCP connection, and the identifier can be determined from every TCP packet sent within the connection.
In this solution, the correspondence between TCP connection identifiers and change values can be preset by technical staff, for example as a correspondence table. After the target packet is obtained, the target TCP connection identifier corresponding to its header data can be obtained and looked up in the correspondence table. If the identifier is found, the target change value corresponding to it can be determined from the table. If it is not found, the currently received target packet was sent over a newly established TCP connection, so a random value can be generated as the corresponding target change value, and the generated random value and the target TCP connection identifier are added to the correspondence. In this way each TCP connection has its own unique change value, and because that value is generated randomly, even if the change policy for the specified header fields is leaked, the change value cannot be determined, so the data receiver cannot restore the packet as it was before the specified fields were changed. This improves the security of data transmission.
In a possible implementation, changing the specified fields of the header data in the target packet based on the target change value includes: adding the target change value to the sequence number (seq) in the TCP header of the target packet; replacing the bits of the window size value in the TCP header other than the highest bit with the target change value; if the kind field in the TCP header is determined to have the value experiment, replacing the value corresponding to experiment with the target change value; and if the length of the MTU (maximum transmission unit) value in the IP header of the target packet is determined to be less than a preset length threshold, replacing the identification value in the IP header with the target change value.
In this solution, adding the target change value to the sequence number seq in the TCP header of the target packet, replacing the bits of the window size value other than the highest bit with the target change value, and, when the kind field in the TCP header has the value experiment, replacing the value corresponding to experiment with the target change value, changes the parts of the TCP header that could carry data. In addition, it is determined whether the length of the MTU value in the IP header of the target packet is less than the preset length threshold; if it is, the identification field of the IP header may carry data, so the value of the identification field is replaced with the target change value. Thus, even if a covert storage channel exists on the data transmission link, changing the header fields that could carry data alters the data carried over the covert storage channel, which improves the security of data transmission.
In a possible implementation, the method further includes: upon receiving the acknowledgement packet sent by the data receiver corresponding to the target packet, subtracting the target change value from the value of the ack field in the TCP header of the acknowledgement packet.
In a TCP connection, seq denotes the offset of the data sent this time, and ack (acknowledgment number) denotes the amount of data already received. seq prevents reordering and duplicate data, and the data sender can send the next data according to the amount already received as indicated by ack. However, because the target change value was added to seq when the target packet was sent, in order to ensure that data continues to be sent normally, the corresponding target change value can be subtracted from the ack value of the acknowledgement packet when that packet is received.
In a possible implementation, changing the specified fields of the header data in the target packet includes: determining whether the reserved flag bits in the TCP header are 0, and if they are not 0, setting the reserved flag bits to 0; and determining whether the urg (urgent) flag in the TCP header is 0, and if it is 0, setting the value of the urgent pointer field in the TCP header to 0.
In this solution, it can be determined whether the reserved flag bits in the TCP header are 0. Since reserved is normally set to 0 in ordinary TCP packet transmission, the reserved bits can be set to 0 whenever they are not 0. It can also be determined whether the urg flag in the TCP header is 0; if it is 0, the urgent pointer field is not currently in use, so its value can be set to 0. This prevents a malicious program from implementing a covert storage channel through the reserved bits.
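The header rewriting of the implementations above (seq shift, window size, IP identification, reverse-direction ack correction, reserved bits and urgent pointer), as an added Python example that is not the patent's code. Assumptions made here: IPv4 without IP options, a SHA-256 over both endpoints in sorted order as the connection identifier so that a packet and its ACK share one id, the "MTU value length" condition read as the IP total length being below an assumed 576-byte threshold, and experimental TCP options passed through untouched.

```python
import hashlib
import secrets
import socket
import struct

IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # IPv4 header without options (20 bytes)
TCP_HDR = struct.Struct("!HHIIBBHHH")    # TCP header without options (20 bytes)
TCP_URG = 0x20                            # URG flag bit in the TCP flags byte


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum; data that already carries a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksums(ip: bytes, tcp: bytes) -> bytes:
    """Recompute the IPv4 header checksum and the TCP checksum after a header rewrite."""
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))  # src, dst, zero, proto, length
    tcp = tcp[:16] + b"\x00\x00" + tcp[18:]
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp)) + tcp[18:]
    ip = ip[:10] + b"\x00\x00" + ip[12:]
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def build_packet(src, sport, dst, dport, seq, ack, flags, window, urg_ptr, ident, payload=b""):
    """Constructed IPv4/TCP packet used as sample input here (not taken from the patent)."""
    saddr, daddr = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, window, 0, urg_ptr) + payload
    ip = IP_HDR.pack(0x45, 0, 20 + len(tcp), ident, 0, 64, 6, 0, saddr, daddr)
    return with_checksums(ip, tcp)


def checksums_ok(pkt: bytes) -> bool:
    """True when both the IPv4 header checksum and the TCP checksum verify."""
    ihl = (pkt[0] & 0x0F) * 4
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(pkt) - ihl)
    return ones_complement_sum(pkt[:ihl]) == 0 and ones_complement_sum(pseudo + pkt[ihl:]) == 0


def tcp_fields(pkt: bytes) -> dict:
    """Parse the fields the normalizer touches, for inspection and tests."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, ack, off_res, flags, window, _, urg = TCP_HDR.unpack_from(pkt, ihl)
    return dict(ident=IP_HDR.unpack_from(pkt)[3], seq=seq, ack=ack, flags=flags,
                reserved=off_res & 0x0F, window=window, urg_ptr=urg)


class HeaderNormalizer:
    """Per-connection header rewriting in the style of the patent (this example's own design)."""

    def __init__(self, length_threshold: int = 576):
        self.length_threshold = length_threshold  # assumed: packets shorter than this get a new IP id
        self.change_values = {}                   # connection id -> random 32-bit change value

    @staticmethod
    def connection_id(saddr: bytes, sport: int, daddr: bytes, dport: int) -> str:
        # Hash both endpoints in a fixed (sorted) order so a packet and its returning ACK,
        # which travel in opposite directions, map to the same connection id.
        ends = sorted([(saddr, sport), (daddr, dport)])
        return hashlib.sha256(b"".join(a + struct.pack("!H", p) for a, p in ends)).hexdigest()

    def change_value(self, cid: str) -> int:
        if cid not in self.change_values:  # first packet of a new connection: draw a random value
            self.change_values[cid] = secrets.randbits(32)
        return self.change_values[cid]

    def normalize(self, pkt: bytes, reverse: bool = False) -> bytes:
        """Rewrite a forward packet (reverse=False) or fix up the returning ACK (reverse=True)."""
        vihl, tos, tlen, ident, frag, ttl, proto, _, saddr, daddr = IP_HDR.unpack_from(pkt)
        ihl = (vihl & 0x0F) * 4
        if proto != 6:
            return pkt  # not TCP: pass through
        sport, dport, seq, ack, off_res, flags, window, _, urg = TCP_HDR.unpack_from(pkt, ihl)
        cv = self.change_value(self.connection_id(saddr, sport, daddr, dport))
        if reverse:
            ack = (ack - cv) & 0xFFFFFFFF  # undo the seq shift so the sender's view stays consistent
        else:
            seq = (seq + cv) & 0xFFFFFFFF  # seq := seq + change value
            window = (window & 0x8000) | (cv & 0x7FFF)  # keep only the highest bit of the window
            if tlen < self.length_threshold:
                ident = cv & 0xFFFF  # IP identification := change value
        off_res &= 0xF0  # reserved bits are always cleared
        if not flags & TCP_URG:
            urg = 0  # urgent pointer is unused without URG, so it cannot carry data
        rest = pkt[ihl + 20:]  # TCP options and payload pass through unchanged
        tcp = TCP_HDR.pack(sport, dport, seq, ack, off_res, flags, window, 0, urg) + rest
        ip = IP_HDR.pack(vihl, tos, tlen, ident, frag, ttl, proto, 0, saddr, daddr) + pkt[20:ihl]
        return with_checksums(ip, tcp)
```

Both checksums are recomputed after every rewrite; a device that changed seq or the IP identification without doing so would have its packets dropped by the receiving stack.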
In a possible implementation, before sending the target packet with changed header data based on the preset sending interval, the method includes: obtaining the target TCP connection identifier corresponding to the header data of the target packet, and determining whether the target TCP connection identifier exists in a correspondence between TCP connection identifiers and sending queues; if it exists, determining from the correspondence the target sending queue corresponding to the target TCP connection identifier; if it does not exist, creating a target sending queue corresponding to the target TCP connection identifier and adding the target TCP connection identifier and the target sending queue to the correspondence; and, after obtaining the target packet with changed header data, adding it to the target sending queue.
In this solution, after the target packet is obtained, the target TCP connection identifier corresponding to its header data can be obtained, and it can be determined whether that identifier exists in the correspondence between TCP connection identifiers and sending queues. That correspondence can be preset by technical staff, for example as a correspondence table. After the target TCP connection identifier is determined, it can be checked whether the table records it; if it does, a target sending queue has already been created for the TCP connection to which the current target packet belongs. If it does not, the current target packet was sent over a newly established TCP connection for which no target sending queue has yet been created, so a new sending queue can be created as the target sending queue for that connection. Then, after the target packet with changed header data is obtained, it can be added directly to the target sending queue, and the sending of the target packet is controlled through that queue.
In a possible implementation, the method further includes: if, after the target packet with changed header data is added to the target sending queue, the number of packets in the target sending queue has not reached a preset count threshold, sending the packets in the target sending queue one by one based on the preset sending interval; and if, after the packet with changed header data is added to the target sending queue, the number of packets in the target sending queue has reached the preset count threshold, sending the packets one by one in the order in which they entered the target sending queue.
In this solution, after the target packet with changed header data is added to the target sending queue, the number of packets currently in the queue can be determined. If that number has not reached the preset count threshold, the packets in the queue can be sent one by one at the preset sending interval. If it has reached the preset count threshold, the packets can be sent out directly in the order in which they entered the queue. The reason is that if the number of packets in the queue has reached the threshold and packets continued to be sent at the preset interval, the packets towards the back of the queue could suffer a long sending delay. Therefore, once the number of packets in the target sending queue reaches the preset count threshold, the packets in the queue can be sent directly, which reduces the sending delay of each packet.
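The queueing rule of the two implementations above, as an added example that is not the patent's code: one paced queue per TCP connection identifier, a fixed release interval, and an immediate FIFO flush once a queue reaches the count threshold. Times are integer milliseconds, and the interval, threshold and arrival trace are this example's own assumptions.

```python
from collections import deque


class PacedSendQueue:
    """One send queue per TCP connection id (this example's design, not the patent's code).

    A connection's packets leave one at a time, no sooner than `interval` ms apart,
    so the spacing the sender chose is replaced by the device's own. Once a queue
    holds `threshold` packets it is flushed in enqueue order so the backlog does not
    keep growing the delay of the packets at the back.
    """

    def __init__(self, interval: int, threshold: int):
        self.interval = interval     # preset sending interval in ms (assumed value in the demo)
        self.threshold = threshold   # preset count threshold (assumed value in the demo)
        self.queues = {}             # connection id -> deque of packets
        self.next_release = {}       # connection id -> earliest time the next packet may leave
        self.log = []                # (send_time, connection id, packet) in the order sent

    def enqueue(self, cid, packet, now: int):
        """Queue a packet for connection `cid` arriving at `now`; returns packets sent right away."""
        q = self.queues.setdefault(cid, deque())   # unknown connection: create its queue
        q.append(packet)
        if len(q) >= self.threshold:
            # Threshold reached: send the whole queue in FIFO order without further pacing.
            sent = [(now, cid, q.popleft()) for _ in range(len(q))]
            self.log.extend(sent)
            self.next_release[cid] = now + self.interval
            return [p for _, _, p in sent]
        return self.tick(now, cid)

    def tick(self, now: int, cid=None):
        """Release at most one packet per connection (or only `cid`) whose interval has elapsed."""
        sent = []
        for c in ([cid] if cid is not None else list(self.queues)):
            q = self.queues[c]
            if q and now >= self.next_release.get(c, 0):
                sent.append((now, c, q.popleft()))
                self.next_release[c] = now + self.interval
        self.log.extend(sent)
        return [p for _, _, p in sent]

    def next_due(self):
        """Earliest pending release time across all non-empty queues, or None."""
        due = [self.next_release[c] for c, q in self.queues.items() if q]
        return min(due) if due else None


def simulate(arrivals, interval: int, threshold: int) -> dict:
    """Run (arrival_ms, connection id, packet) tuples through the queue; returns {packet: send_ms}."""
    pq = PacedSendQueue(interval, threshold)
    for arrive_at, cid, pkt in sorted(arrivals):
        due = pq.next_due()
        while due is not None and due <= arrive_at:  # paced releases falling due before this arrival
            pq.tick(due)
            due = pq.next_due()
        pq.enqueue(cid, pkt, arrive_at)
    due = pq.next_due()
    while due is not None:                            # drain whatever is still queued
        pq.tick(due)
        due = pq.next_due()
    return {pkt: t for t, _, pkt in pq.log}


# Constructed sample (not captured traffic): connection A arrives with a 10 ms and a 490 ms gap,
# the kind of short/long spacing a timing channel uses; connection B bursts five packets in 4 ms.
SAMPLE_ARRIVALS = [
    (0, "A", "a1"), (10, "A", "a2"), (500, "A", "a3"), (510, "A", "a4"),
    (0, "B", "b1"), (1, "B", "b2"), (2, "B", "b3"), (3, "B", "b4"), (4, "B", "b5"),
]
```

With interval 100 ms and threshold 4, connection A's 10 ms gaps are stretched to 100 ms while an idle period at the sender still shows, and connection B's burst trips the threshold flush at 4 ms instead of waiting out four paced intervals.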
In a possible implementation, the method further includes: determining the acquisition order of the target packet within the target TCP connection to which it belongs; if the acquisition order satisfies a preset recording condition, recording the receiving time of the target packet and the header data of the target packet; based on the recorded acquisition times and header data of the packets of the target TCP connection, determining whether a covert channel exists in the target TCP connection; and if it is determined that a covert channel exists in the target TCP connection, sending the recorded acquisition times and header data of the packets of the target TCP connection to an audit terminal.
In this solution, after the target packet is obtained, its acquisition order within the target TCP connection can be determined; the acquisition order can be the position of the target packet among the packets sent over the target TCP connection. It can then be determined whether that acquisition order satisfies the preset recording condition. If it does, the receiving time and header data of the target packet can be recorded, and then, based on the recorded acquisition times and header data of the packets of the target TCP connection, it can be determined whether a covert channel exists in the connection. To reduce the computing resources consumed by determining whether a covert channel exists in the target TCP connection, the acquisition time and header data can be recorded once every preset number of packets; the corresponding preset recording condition is then whether the acquisition order is a multiple of the preset number. If it is determined that a covert channel exists in the target TCP connection, the acquisition times and header data recorded for that connection can be sent to an audit terminal for further review.
在一种可能的实现方式中,基于记录的目标TCP连接对应的各数据包的获取时间以及报头数据,确定目标TCP连接是否存在隐蔽通道,包括:基于记录的目标TCP连接对应的各数据包的获取时间,计算各数据包对应的发送时间间隔的平均差,并确定各数据包中存在可见字符对应的平均次数;基于目标TCP连接对应的平均差以及平均次数,确定目标TCP连接是否满足隐蔽通道检测条件;如果目标TCP连接满足隐蔽通道检测条件,则确定目标TCP连接中存在隐蔽通道。In a possible implementation, based on the recorded acquisition time and header data of each data packet corresponding to the target TCP connection, determining whether there is a covert channel in the target TCP connection includes: Obtain the time, calculate the average difference of the sending time interval corresponding to each data packet, and determine the average number of times corresponding to the visible characters in each data packet; determine whether the target TCP connection meets the covert channel based on the average difference and the average number of times corresponding to the target TCP connection A detection condition; if the target TCP connection satisfies the covert channel detection condition, it is determined that there is a covert channel in the target TCP connection.
本申请实施例所示的方案,可以根据对目标TCP连接对应的各数据包的获取时间,计算各数据包对应的平均发送时间间隔,然后根据平均发送时间间隔确定对应的各数据包对应的发送时间间隔的平均差,再检测各数据包对应报头数据中出现可见字符的平均次数。这样可以分别根据目标TCP连接对应的各数据包发送时间间隔的平均差以及出现可见字符的平均次数,确定目标TCP连接中是否存在隐蔽存储通道和隐蔽时序通道。In the scheme shown in the embodiment of the present application, the average sending time interval corresponding to each data packet can be calculated according to the acquisition time of each data packet corresponding to the target TCP connection, and then the sending time corresponding to each data packet can be determined according to the average sending time interval. The average difference of the time interval, and then detect the average number of visible characters in the corresponding header data of each data packet. In this way, it can be determined whether there is a hidden storage channel and a hidden timing channel in the target TCP connection according to the average difference of the sending time interval of each data packet corresponding to the target TCP connection and the average number of times of visible characters.
在一种可能的实现方式中,基于各数据包对应的平均差以及平均次数,确定目标TCP连接是否满足隐蔽通道检测条件,包括:如果确定目标TCP连接对应的平均差小于等于预设的平均差阈值,则基于平均差对应的第一权重值,以及平均次数对应的第二权重值,对目标TCP连接对应的平均差以及平均次数进行加权求和,得到加权求和后的第一指示值;如果第一指示值大于预设的第一指示值阈值,则确定目标TCP连接满足隐蔽通道检测条件。In a possible implementation, based on the average difference and the average number of times corresponding to each data packet, determining whether the target TCP connection meets the covert channel detection condition includes: if it is determined that the average difference corresponding to the target TCP connection is less than or equal to the preset average difference The threshold value is based on the first weight value corresponding to the average difference and the second weight value corresponding to the average number of times, and the weighted summation of the average difference and the average number of times corresponding to the target TCP connection is carried out to obtain the first indication value after the weighted summation; If the first indication value is greater than the preset first indication value threshold, it is determined that the target TCP connection satisfies the covert channel detection condition.
本申请实施例所示的方案,可以先确定目标TCP连接对应的平均差是否大于预设的平均差阈值,如果确定目标TCP连接对应的平均差小于等于预设的平均差阈值,至少可以说明当前传输数据的网络不存在问题。所以可以分别参考平均差以及平均次数,确定目标TCP连接中是否存在隐蔽通道。可以分别通过预设的第一权重值和第二权重值,对目标TCP连接对应的数据包的发送时间间隔的平均差以及出现可见字符的平均次数进行加权求和,得到第一指示值,该第一指示值可以用于指示目标TCP连接存在隐蔽通道的可能性,如果第一指示值大于预设的第一指示值阈值,则确定目标TCP连接满足隐蔽通道检测条件,即目标TCP连接中可能存在隐蔽通道。In the solution shown in the embodiment of the present application, it can first be determined whether the average difference corresponding to the target TCP connection is greater than the preset average difference threshold, and if it is determined that the average difference corresponding to the target TCP connection is less than or equal to the preset average difference threshold, at least it can explain There is no problem with the network transmitting the data. Therefore, it can be determined whether there is a covert channel in the target TCP connection by referring to the average difference and the average number of times. The average difference of the sending time interval of the data packets corresponding to the target TCP connection and the average number of times of visible characters can be weighted and summed by the preset first weight value and the second weight value respectively to obtain the first indication value. The first indication value may be used to indicate the possibility that there is a covert channel in the target TCP connection. If the first indication value is greater than the preset first indication value threshold, it is determined that the target TCP connection meets the covert channel detection condition, that is, there may be a hidden channel in the target TCP connection. There are covert passages.
在一种可能的实现方式中,基于各数据包对应的平均发送时间间隔以及平均次数,确定目标TCP连接是否满足隐蔽通道检测条件,包括:如果确定目标TCP连接对应的平均差大于平均差阈值,则检测当前的网络状态;如果当前网络状态为非正常网络状态,则将目标TCP连接对应的平均次数与预设的系数值相乘,得到相乘后的第二指示值;如果第二指示值大于预设的第二指示值阈值,则确定目标TCP连接满足隐蔽通道检测条件。In a possible implementation manner, based on the average sending time interval and the average number of times corresponding to each data packet, determining whether the target TCP connection meets the covert channel detection condition includes: if it is determined that the average difference corresponding to the target TCP connection is greater than the average difference threshold, Then detect the current network state; if the current network state is an abnormal network state, the average number of times corresponding to the target TCP connection is multiplied by the preset coefficient value to obtain the multiplied second indication value; if the second indication value If it is greater than the preset second indication value threshold, it is determined that the target TCP connection satisfies the covert channel detection condition.
本申请实施例所示的方案,如果确定目标TCP连接对应的平均差大于预设的时间间隔阈值,当前网络存在问题或者可能存在隐蔽时序通道。所以可以先确定当前的网络状态为是否正常,例如可以确定当前网络对应的丢包率和时延,如果确定当前的网络状态为非正常网络状态,则对隐蔽时序通道进行检测的意义不大。因此可以只对目标TCP连接中是否存在隐蔽存储通道进行检测。可以将目标TCP连接对应的出现可见字符的平均次数与预设的系数值相乘,得到相乘后的第二指示值,如果第二指示值大于预设的第二指示值阈值,则确定目标TCP连接满足隐蔽通道检测条件。In the solution shown in the embodiment of the present application, if it is determined that the average difference corresponding to the target TCP connection is greater than the preset time interval threshold, there is a problem in the current network or there may be a hidden timing channel. Therefore, you can first determine whether the current network status is normal, for example, you can determine the packet loss rate and delay corresponding to the current network. If the current network status is determined to be an abnormal network status, it is of little significance to detect the covert timing channel. Therefore, it is only possible to detect whether there is a covert storage channel in the target TCP connection. The average number of visible characters corresponding to the target TCP connection can be multiplied by a preset coefficient value to obtain a multiplied second indicator value. If the second indicator value is greater than the preset second indicator value threshold, the target is determined The TCP connection meets the covert channel detection conditions.
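The detection procedure of the preceding paragraphs (which the detection module of the second aspect below repeats) as an added worked example; this is editor-supplied code, not code from the patent. The patent names the recording interval, the mean deviation threshold, the two weights, the coefficient and the two indicator thresholds but gives no values, so every constant here is an assumption chosen so that the cases differ; "visible characters" is read as printable ASCII bytes in the recorded header, and the sample headers and receive times are constructed.

```python
"""Covert-channel check over the packets recorded for one TCP connection.

Added example, not code from the patent. All constants below are assumed values;
the TCP headers and receive times are constructed samples.
"""
import struct
from statistics import mean

RECORD_EVERY = 2                 # preset number: record every 2nd packet of a connection
MEAN_DEV_THRESHOLD = 0.020       # seconds; larger jitter means a faulty network or a timing channel
W_MEAN_DEV = 10.0                # first weight value (applied to the mean deviation)
W_VISIBLE = 0.1                  # second weight value (applied to the average visible-character count)
FIRST_INDICATOR_THRESHOLD = 0.8
COEFFICIENT = 0.1                # multiplier used when the network itself is abnormal
SECOND_INDICATOR_THRESHOLD = 0.8


def should_record(order: int, every: int = RECORD_EVERY) -> bool:
    """Preset recording condition: the packet's ordinal position is a multiple of `every`."""
    return order % every == 0


def record_packet(records: list, order: int, recv_time: float, header: bytes) -> None:
    """Keep (receive time, header) only for packets that satisfy the recording condition."""
    if should_record(order):
        records.append((recv_time, header))


def visible_char_count(header: bytes) -> int:
    """Printable ASCII bytes (0x20..0x7E) in a header: a crude sign of text smuggled into fields."""
    return sum(1 for b in header if 0x20 <= b <= 0x7E)


def interval_mean_deviation(times: list[float]) -> float:
    """Mean absolute deviation of the inter-packet intervals from their average interval."""
    if len(times) < 3:
        return 0.0
    intervals = [later - earlier for earlier, later in zip(times, times[1:])]
    avg = mean(intervals)
    return mean(abs(i - avg) for i in intervals)


def score_connection(records: list, network_abnormal: bool) -> tuple[bool, str]:
    """Return (covert channel suspected, which rule decided) for one connection's records."""
    mdev = interval_mean_deviation([t for t, _ in records])
    avg_visible = mean(visible_char_count(h) for _, h in records) if records else 0.0
    if mdev <= MEAN_DEV_THRESHOLD:
        # Healthy network: weighted sum of both features gives the first indicator value.
        first = W_MEAN_DEV * mdev + W_VISIBLE * avg_visible
        return first > FIRST_INDICATOR_THRESHOLD, "first indicator"
    if network_abnormal:
        # Jitter is explained by the network, so only the storage-channel feature is scored.
        second = COEFFICIENT * avg_visible
        return second > SECOND_INDICATOR_THRESHOLD, "second indicator"
    # Large jitter on a healthy network: the patent says a timing channel may exist but gives
    # no decision rule; this example leaves it to manual audit (assumption).
    return False, "undetermined"


def tcp_header(sport: int, dport: int, seq: int, ack: int, window: int, urg: int) -> bytes:
    """Minimal 20-byte TCP header (data offset 5, PSH|ACK, checksum 0) for the constructed samples."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, window, 0, urg)


# Constructed samples. The clean header holds one printable byte (the 0x50 data-offset byte);
# the abused one carries "pass", "wd:1", "AB" and "CD" in seq, ack, window and urgent pointer.
CLEAN = tcp_header(49152, 443, 0x100, 0x200, 0xFFFF, 0)
ABUSED = tcp_header(49152, 443, int.from_bytes(b"pass", "big"),
                    int.from_bytes(b"wd:1", "big"), 0x4142, 0x4344)
STEADY = [0.0, 0.1, 0.2, 0.3, 0.4]       # evenly spaced receive times (seconds)
JITTERY = [0.0, 0.05, 0.2, 0.25, 0.4]    # alternating short/long gaps, mean deviation 0.05 s


def demo() -> dict:
    """Score the four constructed cases."""
    return {
        "clean_steady": score_connection([(t, CLEAN) for t in STEADY], network_abnormal=False),
        "abused_steady": score_connection([(t, ABUSED) for t in STEADY], network_abnormal=False),
        "abused_jitter_bad_net": score_connection([(t, ABUSED) for t in JITTERY], network_abnormal=True),
        "clean_jitter_good_net": score_connection([(t, CLEAN) for t in JITTERY], network_abnormal=False),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

Note that the weighted sum only runs when the interval jitter is small, so the first indicator is dominated by the visible-character count in practice; a practitioner should calibrate the weights and thresholds against clean traffic from the protected servers, since legitimate headers also contain printable bytes by chance.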
In a second aspect, a device for sending data packets is provided, the device including: an acquisition module, configured to acquire a target data packet to be sent; a modification module, configured to modify specified fields of the header data in the target data packet to obtain the target data packet with modified header data; and a sending module, configured to send the target data packet with modified header data based on a preset sending time interval.
In a possible implementation, the modification module is configured to:
acquire a target change value and, based on the target change value, modify the specified fields of the header data in the target data packet.
In a possible implementation, the device further includes a determining module configured to:
acquire the data source information included in the header data of the target data packet; and
determine that the data source information is preset data source information.
In a possible implementation, the modification module is configured to: acquire the target TCP connection identifier corresponding to the header data of the target data packet, and determine whether the target TCP connection identifier exists in a pre-stored correspondence between TCP connection identifiers and change values; if the correspondence contains the target TCP connection identifier, determine the target change value corresponding to the target TCP connection identifier from the correspondence; if it does not, generate a random value, take the random value as the target change value corresponding to the target TCP connection identifier, and add the target TCP connection identifier and the random value to the correspondence.
In a possible implementation, the modification module is configured to: add the target change value to the sequence number (seq) in the TCP header of the target data packet; subtract the target change value from the acknowledgment number (ack) in the TCP header; replace all bits of the window size in the TCP header except the most significant bit with the target change value; if the kind field of a TCP option is determined to be experiment, replace the value of that experimental option with the target change value; and if the length of the MTU value in the IP header of the target data packet is determined to be less than a preset length threshold, replace the identification value in the IP header with the target change value.
In a possible implementation, the modification module is configured to: when a response data packet sent by the data receiving end for the target data packet is received, subtract the target change value from the ack field in the TCP header of the response data packet.
In a possible implementation, the modification module is configured to: determine whether the reserved bits in the TCP header are 0, and if they are not, set the reserved bits to 0; and determine whether the URG flag in the TCP header is 0, and if it is, set the urgent pointer field in the TCP header to 0.
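The field rules of the preceding paragraphs applied to one IPv4/TCP packet, as an added example (editor-supplied, not the patent's code). The packet, the change value and the length threshold are constructed. Two readings are assumptions: the patent's condition on "the length of the MTU value in the IP header" has no matching IPv4 header field, so it is read as the IP total length being below a threshold (an unfragmented packet does not need its identification value); and "kind = experiment" is read as the RFC 6994 experimental option kinds 253 and 254. Applying the same seq/ack rule to both directions of the connection is what makes the reply's ack land back in the sender's number space; checksums are left at 0 and must be recomputed by a real forwarding device.

```python
"""Rewriting the header fields a covert storage channel would use, with a per-connection change value.

Added example, not the patent's own code. The packet, DELTA and the length threshold are
constructed; see the lead-in for the two interpretive assumptions. Checksums are not recomputed.
"""
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x1A2B3C4D                 # assumed per-connection random change value
SHORT_PACKET_THRESHOLD = 576       # assumed preset length threshold (bytes)
EXPERIMENTAL_KINDS = {253, 254}    # RFC 6994 experimental option kinds ("kind = experiment")
URG = 0x20                         # URG flag bit in the TCP flags byte


def _options(buf, start, end):
    """Yield (offset, kind, length) per TCP option; NOP is one byte, EOL ends the list."""
    i = start
    while i < end:
        kind = buf[i]
        if kind == 0:
            return
        if kind == 1:
            yield i, 1, 1
            i += 1
            continue
        length = buf[i + 1]
        if length < 2 or i + length > end:   # malformed option: stop rather than run past the header
            return
        yield i, kind, length
        i += length


def rewrite(pkt: bytes, delta: int) -> bytes:
    """Apply the modification rules; used for both directions of a connection."""
    buf = bytearray(pkt)
    t = (buf[0] & 0x0F) * 4                        # IHL gives the start of the TCP header
    total_len = struct.unpack_from("!H", buf, 2)[0]
    seq, ack = struct.unpack_from("!II", buf, t + 4)
    struct.pack_into("!II", buf, t + 4, (seq + delta) & MASK32, (ack - delta) & MASK32)
    doff = buf[t + 12] >> 4
    buf[t + 12] = doff << 4                        # clear the 4 reserved bits (RFC 9293 layout)
    window = struct.unpack_from("!H", buf, t + 14)[0]
    struct.pack_into("!H", buf, t + 14, (window & 0x8000) | (delta & 0x7FFF))  # keep only the top bit
    if not buf[t + 13] & URG:
        struct.pack_into("!H", buf, t + 18, 0)     # urgent pointer is meaningless without URG
    delta_bytes = (delta & MASK32).to_bytes(4, "big")
    for off, kind, length in _options(buf, t + 20, t + doff * 4):
        if kind in EXPERIMENTAL_KINDS:
            for k in range(off + 2, off + length):  # overwrite the option body, keep kind/length
                buf[k] = delta_bytes[(k - off - 2) % 4]
    if total_len < SHORT_PACKET_THRESHOLD:
        struct.pack_into("!H", buf, 4, delta & 0xFFFF)  # identification only matters for fragments
    return bytes(buf)


def fields(pkt: bytes) -> dict:
    """Read back the fields the rewrite touches (for inspection and tests)."""
    t = (pkt[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack_from("!HH", pkt, 2)
    seq, ack = struct.unpack_from("!II", pkt, t + 4)
    doff = pkt[t + 12] >> 4
    window, _csum, urg = struct.unpack_from("!HHH", pkt, t + 14)
    opts = [(k, bytes(pkt[o + 2:o + n])) for o, k, n in _options(pkt, t + 20, t + doff * 4) if k != 1]
    return {"total_len": total_len, "ip_id": ip_id, "seq": seq, "ack": ack,
            "reserved": pkt[t + 12] & 0x0F, "window": window, "urg": urg, "options": opts}


def build_packet(seq, ack, window, urg, reserved, options: bytes, payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet 10.0.0.5:40000 -> 10.0.0.9:80 (PSH|ACK, checksums 0)."""
    doff = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, ack, (doff << 4) | reserved, 0x18, window, 0, urg)
    total_len = 20 + len(tcp) + len(options) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return ip + tcp + options + payload


OPTIONS = bytes([2, 4, 0x05, 0xB4]) + bytes([253, 4]) + b"hi"   # MSS 1460, then an experimental option carrying "hi"
PAYLOAD = b"GET / HTTP/1.0\r\n"
ORIGINAL = build_packet(seq=1000, ack=5000, window=0x8123, urg=0x7777, reserved=0x0F,
                        options=OPTIONS, payload=PAYLOAD)


def demo() -> dict:
    """Forward packet through the device, then the receiver's reply back through it."""
    forward = rewrite(ORIGINAL, DELTA)
    seen = fields(forward)
    # The receiver acknowledges the sequence numbers it saw: original seq + delta + payload bytes.
    reply = build_packet(seq=5000, ack=(seen["seq"] + len(PAYLOAD)) & MASK32, window=0x4000,
                         urg=0, reserved=0, options=b"", payload=b"")
    return {"forward": fields(forward), "reply_to_sender": fields(rewrite(reply, DELTA))}


if __name__ == "__main__":
    for direction, f in demo().items():
        print(direction, {k: (hex(v) if isinstance(v, int) else v) for k, v in f.items()})
```

In the forward packet the sequence number, window bits, experimental option body and IP identification all now carry the same per-connection random value, so whatever the sender hid there is gone; the reply's ack comes back as the original 1000 plus the 16 payload bytes, so the sender's TCP state machine never sees the shift.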
In a possible implementation, the sending module is further configured to: acquire the target TCP connection identifier corresponding to the header data of the target data packet, and determine whether the target TCP connection identifier exists in a correspondence between TCP connection identifiers and sending queues; if it exists, determine from the correspondence the target sending queue corresponding to the target TCP connection identifier; if it does not, generate a target sending queue for the target TCP connection identifier and add the target TCP connection identifier and the target sending queue to the correspondence. The sending module is further configured to add the target data packet with modified header data to the target sending queue. The sending module is configured to: if, after the target data packet with modified header data is added to the target sending queue, the number of data packets in the target sending queue has not reached a preset count threshold, send the data packets of the target sending queue one by one based on the preset sending time interval.
In a possible implementation, the sending module is further configured to: if, after the data packet with modified header data is added to the target sending queue, the number of data packets in the target sending queue has reached the preset count threshold, send the data packets one by one in their enqueue order.
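The per-connection send queue of the two preceding paragraphs, as an added example (editor-supplied, not the patent's code) on a virtual clock so the schedule is deterministic. The sending interval, the queue threshold and the packet arrivals are constructed; the patent says a queue that reaches the threshold is sent in enqueue order but not at what pace, so it is drained immediately here (assumption). The third connection in the sample shows the limit of the scheme: pacing only masks the sender's timing while a backlog exists.

```python
"""Per-connection send queues released at a preset cadence (virtual clock in microseconds).

Added example, not the patent's code. Interval, threshold and arrivals are constructed;
draining a full queue immediately is an assumption (the patent gives no pace for that case).
"""
SEND_INTERVAL_US = 10_000    # preset sending time interval: one packet per 10 ms per connection
QUEUE_THRESHOLD = 3          # preset count at which the queue is drained in enqueue order


def schedule(arrivals, interval=SEND_INTERVAL_US, threshold=QUEUE_THRESHOLD):
    """Map arrivals [(arrival_us, conn_id, pkt)] to [(send_us, conn_id, pkt)] in send order.

    Each connection gets its own queue, created on its first packet. A queued packet is
    normally released at the connection's next slot (previous send + interval, or its
    arrival time if the queue had run dry). If the queue holds `threshold` packets after
    an enqueue, the whole backlog is sent at once in enqueue order.
    """
    pending = {}     # conn_id -> [[send_us, pkt], ...] still waiting at the current time
    next_slot = {}   # conn_id -> earliest time the next paced packet may leave
    out = []
    for now, conn, pkt in sorted(arrivals):
        q = pending.setdefault(conn, [])
        while q and q[0][0] <= now:          # packets whose slot has come have left already
            slot, p = q.pop(0)
            out.append((slot, conn, p))
        slot = max(next_slot.get(conn, 0), now)
        q.append([slot, pkt])
        next_slot[conn] = slot + interval
        if len(q) >= threshold:              # backlog reached the threshold: drain now, in order
            out.extend((now, conn, p) for _, p in q)
            q.clear()
            next_slot[conn] = now + interval
    for conn, q in pending.items():          # whatever is still queued leaves at its slot
        out.extend((slot, conn, p) for slot, p in q)
    return sorted(out, key=lambda e: e[0])   # stable sort: equal times keep enqueue order


def gaps(sent, conn_id):
    """Inter-send intervals (microseconds) for one connection: what an observer on the wire would time."""
    times = [t for t, c, _ in sent if c == conn_id]
    return [b - a for a, b in zip(times, times[1:])]


# Constructed arrivals. A: a burst of three 1 ms apart; B: four in 1 ms steps (hits the
# threshold); C: a slow sender whose 30 ms / 60 ms gaps could encode bits (a timing channel).
ARRIVALS = [
    (0, "A", "a1"), (1_000, "A", "a2"), (2_000, "A", "a3"),
    (0, "B", "b1"), (1_000, "B", "b2"), (2_000, "B", "b3"), (3_000, "B", "b4"),
    (0, "C", "c1"), (30_000, "C", "c2"), (90_000, "C", "c3"),
]


def demo() -> dict:
    """Schedule the constructed arrivals and report the on-wire gaps per connection."""
    sent = schedule(ARRIVALS)
    return {"sent": sent, "gaps": {c: gaps(sent, c) for c in ("A", "B", "C")}}


if __name__ == "__main__":
    result = demo()
    for line in result["sent"]:
        print(line)
    print(result["gaps"])
```

Connection A leaves at a flat 10 ms cadence regardless of its 1 ms arrivals, and B's backlog is flushed back to back once it reaches the threshold. Connection C, however, arrives slower than the interval, so each packet finds an empty queue and leaves at its arrival time: its 30 ms and 60 ms gaps pass through untouched. A deployment that wants to defeat a low-rate timing channel therefore has to hold packets until the next slot even when the queue is empty, trading delay for cover.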
In a possible implementation, the device further includes a detection module configured to: determine the acquisition order of the target data packet within the target TCP connection to which it belongs; if the acquisition order satisfies a preset recording condition, record the receiving time of the target data packet and the header data of the target data packet; determine, based on the recorded acquisition times and header data of the data packets of the target TCP connection, whether a covert channel exists in the target TCP connection; and if it is determined that a covert channel exists in the target TCP connection, send the recorded acquisition times and header data of the data packets of the target TCP connection to an audit terminal.
In a possible implementation, the detection module is configured to: calculate, from the recorded acquisition times of the data packets of the target TCP connection, the mean deviation of the sending time intervals of the data packets, and determine the average number of visible characters present in the data packets; determine, based on the mean deviation and the average number for the target TCP connection, whether the target TCP connection satisfies a covert channel detection condition; and if the target TCP connection satisfies the covert channel detection condition, determine that a covert channel exists in the target TCP connection.
In a possible implementation, the detection module is configured to: if the mean deviation for the target TCP connection is less than or equal to a preset mean deviation threshold, perform a weighted sum of the mean deviation and the average number for the target TCP connection, using a first weight value for the mean deviation and a second weight value for the average number, to obtain a first indicator value; and if the first indicator value is greater than a preset first indicator threshold, determine that the target TCP connection satisfies the covert channel detection condition.
In a possible implementation, the detection module is configured to: if the mean deviation for the target TCP connection is greater than the mean deviation threshold, detect the current network state; if the current network state is abnormal, multiply the average number for the target TCP connection by a preset coefficient value to obtain a second indicator value; and if the second indicator value is greater than a preset second indicator threshold, determine that the target TCP connection satisfies the covert channel detection condition.
In a third aspect, a computer device is provided, including a memory and a processor; the memory stores computer instructions, and the processor executes the computer instructions stored in the memory so that the computer device performs the method for sending data packets provided in the first aspect.
In a fourth aspect, a computer-readable storage medium is provided, storing computer program code which, when executed by a computer device, causes the computer device to perform the method for sending data packets provided in the first aspect.
In a fifth aspect, a computer program product containing instructions is provided which, when run on a computing device, causes the computing device to perform the method of the first aspect and its possible implementations, or to implement the functions of the device of the second aspect and its possible implementations.
The technical solution provided by the embodiments of the present invention has the following beneficial effects:
In the embodiments of the present invention, after the target data packet to be sent is acquired, it is not sent directly; the specified fields of its header data are modified first. Even if a covert storage channel exists on the current data transmission link, modifying the specified fields destroys the data carried through that channel. The target data packet with modified header data is then sent to the data receiving end at a preset sending time interval, which unifies the sending times of the data packets and prevents a covert timing channel from transmitting data by controlling the sending intervals. The present application therefore prevents additional data from being transmitted through covert channels while still delivering the data that legitimately needs to be transmitted to the data receiving end.
Description of drawings
FIG. 1 is a schematic diagram of a data transmission system provided by an embodiment of the present invention;
FIG. 2 is a flowchart of a method for sending data packets provided by an embodiment of the present invention;
FIG. 3 is a flowchart of a method for sending data packets provided by an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a device for sending data packets provided by an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a computer device provided by an embodiment of the present invention.
Detailed description
To make the purpose, technical solution and advantages of the present application clearer, the implementations of the present application are described in further detail below with reference to the accompanying drawings.
The system architecture involved in the embodiments of the present invention and the terms used are introduced first.
The method for sending data packets provided by the embodiments of the present invention can be applied to a data transmission system. As shown in FIG. 1, the data transmission system includes a data receiving end, a data forwarding device and a data sending end. The data receiving end may be a mobile phone, a computer or another device able to access the Internet; the data forwarding device may be a security device such as a firewall or an IPS, and may also perform the functions of a router or switch; the data sending end is the device that sends data to the data receiving end and may be a mobile phone, a computer, a server, and so on. A data transmission link such as a TCP connection can be established among the data receiving end, the data forwarding device and the data sending end, and the data sending end transmits the data to be transmitted to the data receiving end through the data forwarding device.
An embodiment of the present invention provides a method for sending data packets; the executing entity of the method may be the data sending end or the data forwarding device.
When a reliable connection is established between the data sending end and the data receiving end, a TCP connection is generally used to transmit data. TCP is a connection-oriented, reliable, byte-stream-based transport layer communication protocol, designed to provide a reliable end-to-end byte stream over an unreliable internetwork.
As shown in FIG. 2, an embodiment of the present invention provides a method for sending data packets, whose processing flow may include the following steps:
步骤201、获取待发送的目标数据包。
其中,本申请提供的发送数据包的方法,对应的执行主体可以是数据发送端,也可以是数据转发设备。在本方法实施例中,可以以对应的执行主体为数据转发设备为例,对本申请提供的数据包的方法进行详细说明,其他情况阈值类似,不再赘述。Wherein, in the method for sending data packets provided in the present application, the corresponding execution subject may be a data sending end, or may be a data forwarding device. In this method embodiment, the data packet method provided by this application can be described in detail by taking the corresponding execution subject as a data forwarding device as an example, and the thresholds in other cases are similar and will not be described again.
在实施中,数据发送端向数据接收端发送数据包之前,可以与数据接收端建立TCP连接,在建立TCP连接之后,可以根据现有的TCP协议,将待传输的数据划分为多个TCP分片(TCP数据包),然后依次将每个TCP数据包发送至数据转发设备。在TCP数据包中可以包括待发送的数据以及TCP报头,其中,TCP的报头结构如表一所示。Source Port(源端口号)字段中可以记录有待发送的数据的数据来源信息,即发送的数据对应的源地址端口。另外数据来源信息中还可以包括源地址IP以及源地址MAC,其中,源地址IP可以从IP报文头部获取。源MAC地址可以从以太帧的头部获取。对应的在目标数据包还可以包括待发送的数据的对应的数据接收端的信息,可以包括目的地址IP、目的地址MAC以及目的地址端口。数据转发设备可以根据目的地址IP、目的地址MAC以及目的地址端口等,将TCP数据包发送至对应的数据接收端。In implementation, before the data sending end sends data packets to the data receiving end, it can establish a TCP connection with the data receiving end. After establishing the TCP connection, the data to be transmitted can be divided into multiple TCP segments according to the existing TCP protocol. slice (TCP data packet), and then send each TCP data packet to the data forwarding device in turn. The data to be sent and the TCP header may be included in the TCP data packet, wherein the structure of the TCP header is shown in Table 1. The Source Port (source port number) field may record the data source information of the data to be sent, that is, the source address port corresponding to the sent data. In addition, the data source information may also include a source address IP and a source address MAC, where the source address IP may be obtained from the header of the IP packet. The source MAC address can be obtained from the header of the Ethernet frame. The corresponding target data packet may also include information of the corresponding data receiving end of the data to be sent, which may include destination address IP, destination address MAC and destination address port. The data forwarding device can send the TCP data packet to the corresponding data receiving end according to the destination address IP, destination address MAC, destination address port, and the like.
表一Table I
每当数据转发设备接收到服务器发送的数据包之后,可以确定该数据包是否为TCP数据包,如果确定接收的数据包为TCP数据包,则可以将TCP数据包确定为待发送的目标数据包,然后可以对目标数据包中报文数据中的指定字段进行更改,即进行下面步骤202-203的处理。Whenever the data forwarding device receives the data packet sent by the server, it can determine whether the data packet is a TCP data packet, and if it is determined that the received data packet is a TCP data packet, then the TCP data packet can be determined as the target data packet to be sent , and then the specified field in the message data in the target data packet can be changed, that is, the following steps 202-203 are performed.
步骤202、对目标数据包中报头数据的指定字段进行更改,得到更改报头数据后的目标数据包。Step 202: Modify the specified field of the header data in the target data packet to obtain the target data packet after the header data is changed.
其中,目标数据包可以是数据转发设备接收到的任一待发送的TCP数据包。由于在隐蔽存储通道是通过在数据包对应的报头的指定字段中携带数据信息。因此在本申请中,可以将对目标数据包中报头数据的指定字段存储的数据进行更改,其中,该指定字段可以由技术人员预先进行设置,可以是隐蔽存储通道常用的字段。例如可以包括:IP报头中的Identification,TCP报头中的seq(sequence number,序列号),以及表一中所示的TCP报头中的ack(acknowledgment number,确定号),TCP报头中的flags(标志位)中reserved(保留)标志位,TCP报头中的windows size(窗口大小),TCP报头中的urgnet pointer(紧急指针),TCP报头中的options data(选项数据)等。Wherein, the target data packet may be any TCP data packet received by the data forwarding device to be sent. Because in the covert storage channel, the data information is carried in the designated field of the header corresponding to the data packet. Therefore, in this application, the data stored in the specified field of the header data in the target data packet can be changed, wherein the specified field can be preset by a technician, and can be a commonly used field in a covert storage channel. For example, it can include: Identification in the IP header, seq (sequence number, serial number) in the TCP header, and ack (acknowledgment number, determination number) in the TCP header shown in Table 1, flags (signature) in the TCP header bit), the windows size (window size) in the TCP header, the urgnet pointer (urgent pointer) in the TCP header, the options data (option data) in the TCP header, etc.
在实施中,在得到目标数据包后,可以对上述指定字段进行更改,从而得到更改报头数据后的目标数据包,如此,通过更改目标数据包中报头数据的指定字段,可以破坏通过隐蔽存储通道传输的数据,从而使隐蔽存储通道只能传输无效的数据。In practice, after obtaining the target data packet, the above-mentioned specified fields can be changed to obtain the target data packet after changing the header data. In this way, by changing the specified field of the header data in the target data packet, the hidden storage channel can be destroyed. transmitted data, so that the covert storage channel can only transmit invalid data.
可选的,为了减轻数据转发设备的计算负载,数据转发设备可以只处理来自指定数据发送端的目标数据包。例如在指定数据发送端可以是存储有保密性较高的数据对应的数据存储服务器。以企业的办公网络为例,在办公网络中可以设置有多台数据存储服务器,不同的数据存储服务器用于存储企业不同的数据,其中有些数据存储服务器中存储的数据为企业内部较为保密性较高的数据,例如,员工的相关信息、企业办公系统的账户密码等。所以数据转发设备可以只处理来自存储有保密性较高的数据对应的数据存储服务器的数据包,从而减少数据转发设备需要处理的数据包的个数,从而减轻数据转发设备的计算负载。所以在对目标数据包中报头数据的指定字段进行更改之前,还可以获取目标数据包的报头数据中包括的数据来源信息,确定数据来源信息为指定的私密数据对应的数据来源信息。Optionally, in order to reduce the calculation load of the data forwarding device, the data forwarding device may only process the target data packets from the specified data sending end. For example, the specified data sending end may be a data storage server corresponding to stored data with high confidentiality. Taking the office network of an enterprise as an example, multiple data storage servers can be set up in the office network. Different data storage servers are used to store different data of the enterprise, and some of the data stored in the data storage servers are relatively confidential within the enterprise High data, for example, relevant information of employees, account passwords of corporate office systems, etc. Therefore, the data forwarding device can only process data packets from the data storage server corresponding to the data with high confidentiality stored, thereby reducing the number of data packets that the data forwarding device needs to process, thereby reducing the calculation load of the data forwarding device. Therefore, before modifying the specified field of the header data in the target data packet, the data source information included in the header data of the target data packet can also be obtained, and the data source information is determined to be the data source information corresponding to the specified private data.
在TCP数据包的报头数据中包括有TCP数据包对应的数据来源信息,即TCP数据包对应的源地址IP、源地址MAC以及源地址端口。因此可以在数据转发设备中,可以预先设置各个存储有指定的数据存储服务器对应的地址IP、地址MAC以及地址端口等。每当数据转发设备接收到TCP数据包之后,可以通过预先设置的过滤器对TCP数据包对应的源地址IP、源地址MAC以及源地址端口与预先设置的地址IP、地址MAC以及地址端口进行对比,如果对比结果一致,则可以执行对目标数据包中报头数据的指定字段进行更改的处理。如果对比不一致,则说明当前接收到的TCP数据包中并不属于指定的数据存储服务器。所以可以直接转发该TCP数据包,不对该数据包进行处理。The header data of the TCP data packet includes data source information corresponding to the TCP data packet, that is, the source address IP, source address MAC, and source address port corresponding to the TCP data packet. Therefore, in the data forwarding device, the address IP, address MAC, address port, etc. corresponding to each designated data storage server may be preset. Whenever the data forwarding device receives a TCP data packet, the source address IP, source address MAC and source address port corresponding to the TCP data packet can be compared with the preset address IP, address MAC and address port through the preset filter , and if the comparison results are consistent, the process of changing the specified field of the header data in the target data packet can be performed. If the comparison is inconsistent, it means that the currently received TCP data packet does not belong to the specified data storage server. Therefore, the TCP data packet can be directly forwarded without processing the data packet.
另外,由于数据包的发送对时延的要求比较高,因此为了提高对报头数据的指定字段更改的处理速度,所以在数据转发设备中,可以预先开启多个处理进程。对于经过过滤器过滤后的目标数据包,可以将目标数据包添加到共享处理队列中。每个处理进程可以依次向共享处理队列中获取数据包,对获取的数据包的报头数据中的指定字段进行更改。如此通过多个处理进程同时处理数据包,可以整体提高对数据包中报头数据更改指定字段的处理速度,从而可以确保每个数据包的发送时延。In addition, since the sending of data packets has a relatively high requirement on time delay, in order to improve the processing speed of changing the specified field of header data, multiple processing processes can be started in advance in the data forwarding device. For the target data packets filtered by the filter, the target data packets may be added to the shared processing queue. Each processing process can sequentially obtain data packets from the shared processing queue, and change specified fields in header data of the obtained data packets. In this way, the data packets are processed simultaneously by multiple processing processes, so that the processing speed of changing the specified field of the header data in the data packets can be improved as a whole, so that the sending delay of each data packet can be ensured.
如果仅是随意的对报头数据中的字段进行更改,可能会影响TCP数据包正常传输,因此在本申请中还提供的了一种对报头数据中的指定字段进行更改的方法,如下:获取目标更改值,基于目标更改值,更改目标数据包中报头数据的指定字段。If the fields in the header data are only changed at will, it may affect the normal transmission of TCP packets, so this application also provides a method for changing the specified fields in the header data, as follows: Get the target Change Value, Based on Target Change Value, changes the specified field of header data in the target packet.
The target change value corresponding to each TCP connection may be a randomly generated number. Within one TCP connection the data sender and data receiver do not change, that is, the source IP address, destination IP address, source MAC address, destination MAC address, source port and destination port are the same in every TCP packet sent on that connection, so these parameters can be used to determine the connection identifier of the TCP connection. For example, a hash value of the above parameters may be computed and used as the identifier of the TCP connection.
Therefore, after each TCP packet is obtained, the TCP connection identifier of the TCP connection to which the packet belongs can be determined. A random number can be generated for each TCP connection identifier, taken as the change value corresponding to that identifier, and added to the mapping between TCP connection identifiers and change values. After the target TCP connection identifier of a TCP packet has been determined, the mapping is checked for that identifier; if it is present, the corresponding target change value is read from the mapping. If the target TCP connection identifier is not in the mapping, the received TCP packet belongs to a newly established TCP connection, so a random number is generated for the target TCP connection identifier, taken as the target change value for the received TCP packet, and the generated random number and the target TCP connection identifier are added to the mapping.
After the target change value is determined, the specified fields of the header data in the target packet are changed based on the target change value as follows:
The header data of the target packet may include a TCP header and an IP header. The specified fields in the TCP header may be seq, ack, the reserved bits in flags, window size, urgent pointer and options data. The specified field in the IP header may be identification. The method for changing each field is as follows:
For the TCP header, the target change value is added to the sequence number seq in the TCP header of the target packet, and all digits of the window size value except the most significant one are replaced with the target change value. Since the window size value is hexadecimal, the hexadecimal value can first be converted to decimal, the digits of the decimal value other than the most significant digit replaced with the target change value to obtain the changed decimal value, and the changed decimal value converted back to hexadecimal to obtain the changed window size value. In addition, it may be determined whether the kind of an option in the TCP header is experiment; if it is, the value corresponding to the experiment option is replaced with the target change value. If the reserved bits in the TCP header are not 0, they are set to 0. It may also be determined whether the URG flag in the TCP header is 0; if the URG flag is 0, the urgent pointer field is not in use, and the value of the urgent pointer field in the TCP header can be set to 0.
In a TCP connection, seq indicates the offset of the data sent in this packet and ack indicates the amount of data already received. seq guards against reordering and duplicate data, and the sender can send its next data according to the amount already received as indicated by ack. However, since the target change value was added to seq when the target packet was sent, in order to keep transmission working normally the corresponding target change value can be subtracted from the ack value of the corresponding response packet when it is received.
For example, for each TCP connection, the mapping between the port information of the TCP packets sent on that connection and the target change value can be recorded. When the corresponding response message is received, the port information carried in the response message is obtained, the corresponding target change value is determined from the mapping, and that target change value is subtracted from the ack value of the response message.
For the IP header, if the length of the MTU (Maximum Transmission Unit) value in the IP header of the target packet is determined to be less than a preset length threshold, the identification value in the IP header is replaced with the target change value. This is because an MTU length below the preset length threshold indicates that the IP packet has not been fragmented, and when the IP packet is not fragmented the identification field carries no meaning; to prevent a covert channel from transmitting data in the identification field, the field can therefore be set to a random number.
In addition, after the specified fields above have been modified, the checksum in the TCP header can be recalculated; the calculation itself is prior art and is not repeated here. Table 2 below shows the TCP header data before and after the specified fields are changed.
Table 2
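The field changes described above (seq shift, window-size digit replacement, reserved bits, urgent pointer, experimental option, IP identification) and the ack correction on the reply, as an added example that is not the patent's own code. The header struct, the 1500-byte length threshold, the use of option kinds 253/254 as the "experiment" kind and the reading of "MTU length below the threshold" as "total length below the threshold, so not fragmented" are my assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

URG = 0x20                        # URG bit in the TCP flags byte
EXPERIMENTAL_KINDS = {253, 254}   # experimental TCP option kinds (RFC 4727); assumed to be the page's "experiment" kind


@dataclass
class PacketHeaders:
    """Constructed stand-in for the parsed IP/TCP header fields of one packet."""
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str
    src_port: int
    dst_port: int
    seq: int = 0
    ack: int = 0
    flags: int = 0
    reserved: int = 0              # reserved bits between data offset and flags
    window: int = 0                # 16-bit advertised window
    urgent_ptr: int = 0
    options: dict = field(default_factory=dict)   # option kind -> option value
    ip_id: int = 0
    ip_total_len: int = 0


def connection_id(h: PacketHeaders, reverse: bool = False) -> str:
    """Hash of the 6-tuple that stays constant for one TCP connection; with
    reverse=True the tuple is swapped so a reply maps to the same connection."""
    ends = (h.dst_ip, h.dst_mac, h.dst_port, h.src_ip, h.src_mac, h.src_port) if reverse \
        else (h.src_ip, h.src_mac, h.src_port, h.dst_ip, h.dst_mac, h.dst_port)
    return hashlib.sha256("|".join(map(str, ends)).encode()).hexdigest()


def replace_low_digits(window: int, change: int) -> int:
    """Keep the most significant decimal digit of the window and overwrite the
    remaining digits with the change value (my reading of the page's rule);
    the result is clamped to 16 bits so it still fits the field."""
    digits = str(window)
    if len(digits) < 2:
        return window
    low_width = len(digits) - 1
    low = change % (10 ** low_width)
    return min(int(digits[0]) * 10 ** low_width + low, 0xFFFF)


class HeaderNormalizer:
    def __init__(self, length_threshold: int = 1500, rng=secrets.randbelow):
        self.length_threshold = length_threshold   # assumed "preset length threshold"
        self.rng = rng
        self.change_values: dict[str, int] = {}    # connection id -> random change value

    def change_value_for(self, cid: str) -> int:
        if cid not in self.change_values:          # new connection: draw one random value for it
            self.change_values[cid] = self.rng(1 << 16)
        return self.change_values[cid]

    def normalize(self, h: PacketHeaders) -> PacketHeaders:
        """Apply the page's field changes to an outbound packet in place."""
        v = self.change_value_for(connection_id(h))
        h.seq = (h.seq + v) & 0xFFFFFFFF
        h.window = replace_low_digits(h.window, v)
        h.reserved = 0
        if not h.flags & URG:                       # urgent pointer is unused without URG
            h.urgent_ptr = 0
        for kind in h.options:
            if kind in EXPERIMENTAL_KINDS:
                h.options[kind] = v
        if h.ip_total_len < self.length_threshold:  # not fragmented: identification carries no meaning
            h.ip_id = v & 0xFFFF
        return h

    def restore_ack(self, reply: PacketHeaders) -> PacketHeaders:
        """Undo the seq shift on the peer's acknowledgement so the local sender sees its own numbers."""
        v = self.change_values.get(connection_id(reply, reverse=True))
        if v is not None:
            reply.ack = (reply.ack - v) & 0xFFFFFFFF
        return reply
```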
Step 203: send the target packet with the changed header data based on a preset sending time interval.
In a covert timing channel, data can be transmitted by controlling the sending interval between packets. Therefore, in this application, after the header data of the target packet has been changed, the sending interval of each packet is controlled so that the interval corresponding to each packet is the preset sending interval, which prevents a covert timing channel from being realized.
In one implementation, a TCP sending queue can be established for each TCP connection, and the packets in each TCP sending queue are sent at the preset sending interval, so that the sending interval of the TCP packets on each TCP connection is uniform. The processing for establishing a TCP sending queue for each TCP connection is as follows:
Obtain the target TCP connection identifier corresponding to the TCP header of the target packet, and determine whether the target TCP connection identifier is present in the mapping between TCP connection identifiers and delayed sending queues; if it is present, determine from the mapping the target delayed sending queue corresponding to the target TCP connection identifier; if it is not present, create a target delayed sending queue for the target TCP connection identifier and add the target TCP connection identifier and the target sending queue to the mapping.
To make the TCP packets of each TCP connection easier to control, a sending queue can be set up for each TCP connection, so that packets are sent according to the sending queue of their connection. After the target TCP connection identifier of the target packet has been obtained, the mapping between TCP connection identifiers and sending queues is checked for that identifier; if it is present, the corresponding target sending queue is determined. If the target TCP connection identifier is not in the mapping, the received TCP packet belongs to a newly established TCP connection, so a target sending queue is created for the target TCP connection identifier and the identifier and the queue are added to the mapping.
After the target packet with changed header data is obtained, it can be added to the target sending queue, and the packets in the target sending queue are then sent at the preset sending interval. Because each TCP connection has its own sending queue and the packets in each queue are sent at a fixed interval, the sending interval of the TCP packets on every TCP connection is uniform, which prevents data from being transmitted by controlling the sending interval between packets.
In addition, if after the target packet with changed header data is added to the target sending queue the number of packets in the target sending queue has not reached a preset count threshold, the packets in the target sending queue are sent one after another at the preset sending interval; if after the packet with changed header data is added the number of packets in the target sending queue has reached the preset count threshold, the packets are sent one after another in the order in which they were enqueued.
This is because the sending delay of each TCP packet on a TCP connection is subject to fairly strict requirements. Once the number of packets waiting in the sending queue reaches the preset count threshold, continuing to send them at the preset sending interval could delay packets near the back of the queue for a long time. Therefore, each time a TCP packet is added to its sending queue, the number of TCP packets in that queue can be determined; if it is not greater than the preset count threshold, the packets in the queue are sent at the preset interval, that is, after one TCP packet is sent, the next is sent once the preset interval has elapsed. If the number of TCP packets in the queue is greater than the preset count threshold, the packets are no longer sent at the preset interval: after one TCP packet is sent, the next is sent immediately without waiting for the preset interval. In this way the sending interval of TCP packets can be controlled while the sending delay of the TCP packets is kept within bounds, which prevents data transmission through a covert timing channel.
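The per-connection delayed sending queue with its count-threshold fallback, as an added simulation that is not the patent's code: it computes when each enqueued packet would leave, using a virtual clock rather than real timers. The class and method names, and the rule that a backlog at or above the threshold is drained in enqueue order, are my assumptions.

```python
from collections import defaultdict


class PacedSender:
    """Per-connection delayed sending queues (constructed example). Packets on a
    connection leave one preset interval apart; once the queue length on that
    connection reaches count_threshold they leave back to back instead."""

    def __init__(self, interval: float, count_threshold: int):
        self.interval = interval
        self.count_threshold = count_threshold
        self.planned = defaultdict(list)   # connection id -> planned send times, in enqueue order

    def enqueue(self, cid: str, arrival: float) -> float:
        """Record a packet arriving on connection cid at time `arrival` and
        return the time at which it will be sent."""
        planned = self.planned[cid]
        backlog = sum(1 for t in planned if t > arrival)   # packets still waiting when this one arrives
        if not planned:
            send_at = arrival                            # idle connection: nothing to pace against
        elif backlog + 1 < self.count_threshold:         # queue length after adding is below the threshold
            send_at = max(arrival, planned[-1] + self.interval)
        else:                                            # threshold reached: drain in enqueue order
            send_at = max(arrival, planned[-1])
        planned.append(send_at)
        return send_at

    def gaps(self, cid: str) -> list:
        """Intervals between consecutive planned sends on one connection; under
        the threshold every gap equals the preset interval, which is what removes
        any timing information the sender tried to encode."""
        times = self.planned[cid]
        return [b - a for a, b in zip(times, times[1:])]
```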
In this embodiment of the invention, after the target packet to be sent is obtained, it is not sent directly; the specified fields of its header data are changed first, so that even if a covert storage channel exists on the current data transmission link, modifying the specified fields destroys the data carried through the covert storage channel. The target packet with changed header data can then be sent to the data receiver at a preset sending interval, which makes the sending time of every packet uniform and prevents a covert timing channel from transmitting data by controlling the sending interval between packets. The application therefore prevents extra data from being transmitted through covert channels while still delivering the data that legitimately needs to be transmitted to the data receiver.
This application also provides a method for detecting whether a covert channel exists in a data transmission link. As shown in FIG. 3, the method includes:
Step 301: determine the receiving order of the target packet within the target TCP connection to which it belongs.
Covert channels include covert storage channels and covert timing channels. Because in this application the message data of every sent packet is modified, detecting a covert storage channel requires examining the unmodified message data of the packets. Therefore, before the message data of a target packet is modified, the message data of that packet can be recorded, and a covert storage channel can then be detected from the recorded message data. However, recording and examining the message data of every packet obtained would consume too much processor and memory. For each TCP connection, the message data can therefore be recorded once every preset number of packets. The time at which each packet was obtained can also be recorded, for the subsequent detection of a covert timing channel.
In an implementation, an analyzer can be set up to detect covert channels. Each time a TCP packet is obtained, its TCP connection identifier is determined, and the order in which the packet was obtained within that TCP connection is then received.
In this application, the information of each TCP packet can be recorded under the packet's TCP connection identifier, where the identifier can be a hash value determined from the source IP address, destination IP address, source MAC address, destination MAC address, source port and destination port in the packet's header data. A TCP connection information tracking table can be preset in the data forwarding device. The tracking table may contain, for each TCP connection, the number of messages received, the number of TCP connection sessions, a random value, the time of the most recently received message, a status value, and so on. Each time the data forwarding device receives a new TCP connection identifier, it can add that identifier to the table and then record the status information of the TCP packets corresponding to the identifier, as shown in Table 3.
Table 3
Each time the data forwarding device obtains a TCP packet, it can determine whether the TCP connection identifier of that packet is already present in the TCP connection information tracking table; if so, the information for that identifier in the table is updated. For example, the message receive count is incremented by 1; whether the Flags in the packet's TCP header are SYN is determined, and if so the TCP connection session count is incremented by 1; if the Flags in the header are FIN, the random value is updated. The receive time of the packet just obtained can also be recorded and the corresponding status value determined. If the tracking table does not contain the TCP connection identifier, the identifier is added to the table and the TCP connection information for that identifier is then recorded.
Step 302: if the receiving order satisfies a preset recording condition, record the receive time of the target packet and the header data of the target packet.
After the receiving order of the target packet is obtained, it can be determined whether that order satisfies the preset recording condition. For example, for a TCP connection the acquisition time and header data of a packet can be recorded once every 9 packets, in which case the recording condition is that the packet's receiving order is a multiple of 10. For a TCP connection, the analyzer then records the acquisition time and header data of the 10th, 20th, 30th, ..., 10×Nth packet sent on the connection, where N is a positive integer. If the receiving order of the target packet satisfies the preset recording condition, the acquisition time and header data of the target packet are recorded under the TCP connection identifier of the target packet.
Step 303: determine whether a covert channel exists in the target TCP connection based on the recorded receive times and header data of the packets of the target TCP connection.
After the analyzer has recorded the acquisition time and header data under the TCP connection identifier of the target packet, it can retrieve all acquisition times and header data recorded for that identifier and detect whether a covert channel exists in the target TCP connection corresponding to that identifier.
The processing for detecting whether a covert channel exists in the target TCP connection can be as follows: based on the recorded acquisition times of the packets of the target TCP connection, compute the mean deviation of the sending intervals of those packets, and determine the average number of visible characters present in the packets; based on the mean deviation and the average count for the target TCP connection, determine whether the target TCP connection satisfies the covert channel detection condition; if it does, determine that a covert channel exists in the target TCP connection.
Covert channels can be divided into covert storage channels and covert timing channels.
To detect a covert timing channel, the sending intervals of the packets of the target TCP connection are taken, the mean deviation of those intervals is determined, and from that mean deviation it is determined whether a covert timing channel exists in the target TCP connection. This is because transmitting data through a covert timing channel requires controlling the sending time of each packet, so the sending intervals of the packets differ from one another and the mean deviation becomes large. To detect a covert storage channel, the average number of visible characters appearing in the packets of the target TCP connection can be determined. This is because transmitting data through a covert storage channel requires storing characters in the header data; if a covert storage channel exists in the TCP connection, the TCP header will contain more visible characters, so the average number of visible characters can be examined, and if it is high the TCP header may carry other data, that is, a covert storage channel may exist in the current TCP connection.
Since network conditions at the time packets are sent also affect the mean deviation of the sending intervals, each time the mean deviation of the sending intervals of the TCP packets of the target TCP connection is computed it can be compared with a preset mean deviation threshold; if it exceeds the threshold, the current network state is examined first. For example, the packet loss rate and transmission delay of the data sender can be determined from the data source information of the target TCP connection. If the packet loss rate is greater than or equal to a preset packet loss rate threshold, and/or the transmission delay is greater than or equal to a preset transmission delay threshold, the current network state is poor and is treated as an abnormal network state; if the packet loss rate is below the preset packet loss rate threshold, and/or the transmission delay is below the preset transmission delay threshold, the current network state is treated as a normal network state.
If the current network is in a normal state, or the mean deviation of the sending intervals is below the preset mean deviation threshold, the processing for determining whether the target TCP connection satisfies the covert channel detection condition can be as follows: if the mean deviation for the target TCP connection is less than or equal to the preset mean deviation threshold, the mean deviation and the average count for the target TCP connection are weighted and summed using a first weight for the mean deviation and a second weight for the average count, giving a first indicator value; if the first indicator value is greater than a preset first indicator threshold, the target TCP connection satisfies the covert channel detection condition.
In this application, whether a covert channel exists in the target TCP connection can be determined by combining the mean deviation of the average sending interval of the packets of the target TCP connection with the number of visible characters appearing in those packets. Visible characters may be characters whose ASCII value lies in the range 36 to 126. The mean deviation of the sending interval can be determined from the sending time of each TCP packet and the number of TCP packets sent on the target TCP connection, by first computing the average sending interval and then the mean deviation relative to it. The average number of visible characters can be determined by first counting the visible characters in each TCP packet and then dividing by the number of TCP packets sent on the target TCP connection; that number can be recorded in Table 3 above. A technician presets a first weight for the mean deviation of the sending intervals and a second weight for the average number of visible characters. After the mean deviation and the average number of visible characters for the target TCP connection are determined, they are weighted and summed using the first and second weights to obtain the first indicator value, which indicates whether a covert channel exists in the current target TCP connection. If the first indicator value is greater than the preset first indicator threshold, the target TCP connection satisfies the covert channel detection condition. The first weight, the second weight and the first indicator threshold can all be preset by a technician from experience, and their specific values are not limited here.
If the current network is in an abnormal state, the processing for determining whether the target TCP connection satisfies the covert channel detection condition can be as follows: if the mean deviation for the target TCP connection is greater than the mean deviation threshold, examine the current network state; if the current network state is abnormal, multiply the average count for the target TCP connection by a preset coefficient to obtain a second indicator value; if the second indicator value is greater than a preset second indicator threshold, the target TCP connection satisfies the covert channel detection condition.
如果确定当前的网络为非正常状态,则说明当前较大的平均差是由于网络状况的抖动引起的,此时对隐蔽时序通道进行检测的意义不大。因此可以只对目标TCP连接中是否存在隐蔽存储通道进行检测。可以将目标TCP连接对应的出现连续字符的平均次数与预设的系数值相乘,得到相乘后的第二指示值,如果第二指示值大于预设的第二指示值阈值,则确定目标TCP连接满足隐蔽通道检测条件。其中,第二指示值用于指示当前目标TCP中是否存在隐蔽通道,系数值和第二指示值均可以由技术人员根据经验预先设置,其具体值此处不进行限定。If it is determined that the current network is in an abnormal state, it means that the current large average difference is caused by the jitter of the network condition, and it is meaningless to detect the hidden timing channel at this time. Therefore, it is only possible to detect whether there is a covert storage channel in the target TCP connection. The average number of consecutive characters corresponding to the target TCP connection can be multiplied by the preset coefficient value to obtain the multiplied second indicator value. If the second indicator value is greater than the preset second indicator value threshold, the target is determined The TCP connection meets the covert channel detection conditions. Wherein, the second indication value is used to indicate whether there is a covert channel in the current target TCP, and both the coefficient value and the second indication value can be preset by technicians based on experience, and their specific values are not limited here.
步骤304、如果确定目标TCP连接中存在隐蔽通道,则将记录的目标TCP连接对应的各数据包的接收时间以及报头数据发送至审核终端。
在实施中,如果当前对应的目标TCP连接中存在隐蔽通道,则可以记录的目标TCP连接对应的各数据包的接收时间以及报头数据发送至审核终端,由审核终端再次对目标TCP连接是否存在隐蔽通道进行检测,例如可以由技术人员进行人工审核。In implementation, if there is a covert channel in the current corresponding target TCP connection, the receiving time and header data of each data packet corresponding to the recorded target TCP connection can be sent to the audit terminal, and the audit terminal will check again whether there is a covert channel in the target TCP connection. Channel inspection, for example, can be manually reviewed by technicians.
本发明实施例中,当获取到待发送的目标数据包之后,并不是直接将目标数据包进行发送,而是先对目标数据包对应报头数据的指定字段进行更改,这样,即使当前数据传输链路中存在隐蔽存储通道,通过修改指定字段,能够破坏通过隐蔽存储通道传输的数据。并且可以通过预设的发送时间间隔将更改报头数据后的目标数据包发送至数据接收端,如此,可以统一各数据包的发送时间,能够避免隐蔽时序通道控制数据包的发送时间间隔传输数据。可见,采用本申请能够防止通过隐蔽通道传输额外的数据,且能够将正常需要传输的数据发送至数据接收端。In the embodiment of the present invention, after the target data packet to be sent is acquired, the target data packet is not sent directly, but the specified field of the corresponding header data of the target data packet is changed first, so that even if the current data transmission chain There is a hidden storage channel in the road, and the data transmitted through the hidden storage channel can be destroyed by modifying the specified field. And the target data packet after changing the header data can be sent to the data receiving end through the preset sending time interval. In this way, the sending time of each data packet can be unified, and the transmission time interval of the hidden timing channel control data packet can be avoided to transmit data. It can be seen that the application of the present application can prevent additional data from being transmitted through the covert channel, and can send the data that normally needs to be transmitted to the data receiving end.
上述所有可选技术方案,可以采用任意结合形成本公开的可选实施例,在此不再一一赘述。All the above optional technical solutions may be combined in any way to form optional embodiments of the present disclosure, which will not be repeated here.
Based on the same technical concept, the embodiment of the present invention also provides a device for sending data packets. As shown in Figure 4, the device includes:
an acquisition module 410, configured to acquire the target data packet to be sent; specifically, it can implement the acquisition function in step 201 above, as well as other implicit steps;
a change module 420, configured to change the specified fields of the header data in the target data packet to obtain the target data packet with changed header data; specifically, it can implement the change function in step 202 above, as well as other implicit steps;
a sending module 430, configured to send the target data packet with changed header data based on the preset sending time interval; specifically, it can implement the sending function in step 203 above, as well as other implicit steps.
Optionally, the change module 420 is configured to:
acquire a target change value, and change the specified fields of the header data in the target data packet based on the target change value.
Optionally, the device further includes a determination module, configured to:
acquire the data source information included in the header data of the target data packet;
determine that the data source information is preset data source information.
Optionally, the change module 420 is configured to:
acquire the target TCP connection identifier corresponding to the header data of the target data packet, and determine whether the target TCP connection identifier exists in a pre-stored correspondence between TCP connection identifiers and change values;
if the target TCP connection identifier exists in the correspondence, determine the target change value corresponding to the target TCP connection identifier based on the correspondence; if the target TCP connection identifier does not exist in the correspondence, generate a random value, take the random value as the target change value corresponding to the target TCP connection identifier, and add the target TCP connection identifier and the random value to the correspondence.
Optionally, the change module 420 is configured to:
add the target change value to the value of the sequence number seq in the TCP header of the target data packet;
replace all of the value of the window size field in the TCP header except its highest bit with the target change value;
if the value of the kind field of an option in the TCP header is determined to be experimental, replace the value corresponding to that experimental option with the target change value;
if the length of the MTU value in the IP header of the target data packet is determined to be less than a preset length threshold, replace the identification value in the IP header with the target change value.
Optionally, the change module 420 is further configured to:
on receiving the response data packet sent by the data receiving end for the target data packet, subtract the target change value from the value of the ack field in the TCP header of the response data packet.
Optionally, the change module 420 is configured to:
determine whether the reserved flag bits in the TCP header are 0;
if the reserved flag bits in the TCP header are determined not to be 0, set the reserved flag bits to 0;
determine whether the urg flag bit in the TCP header is 0;
if the urg flag bit in the TCP header is determined to be 0, set the value of the urgent pointer field in the TCP header to 0.
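The header rewrites listed for the change module, applied to a constructed IPv4/TCP packet and undone on the matching acknowledgement, as an added example that is not the patent's own code. Field offsets follow RFC 791 and RFC 793; the connection identifier, the option kinds treated as "experimental" (253 and 254, the kinds RFC 4727 reserves for experiments), the "reserved" bit mask and the short-packet threshold used in place of the page's MTU-length threshold are assumptions made for this example. The checksum recomputation is not mentioned on the page but is required, since the receiver is an unmodified TCP stack.

```python
"""Added example (not the patent's code): rewrite the specified IPv4/TCP header
fields with a per-connection change value and restore the peer's ack."""
import os
import struct

RESERVED_MASK = 0x0E00          # assumed: the three bits after the 4-bit data offset
URG_FLAG = 0x0020
ACK_FLAG = 0x0010
EXPERIMENTAL_KINDS = (253, 254)  # assumed mapping of the page's "experiment" kind

# Assumed: the pre-stored correspondence between TCP connection identifiers and change values.
CHANGE_VALUES = {}


def change_value_for(conn_id):
    """Look up the connection's change value, generating a random 32-bit one on first use."""
    if conn_id not in CHANGE_VALUES:
        CHANGE_VALUES[conn_id] = struct.unpack("!I", os.urandom(4))[0]
    return CHANGE_VALUES[conn_id]


def _csum(data):
    """RFC 1071 one's-complement checksum."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fix_checksums(b):
    """Recompute the IPv4 header and TCP checksums after fields were rewritten."""
    ihl = (b[0] & 0x0F) * 4
    struct.pack_into("!H", b, 10, 0)
    struct.pack_into("!H", b, 10, _csum(b[:ihl]))
    struct.pack_into("!H", b, ihl + 16, 0)
    pseudo = bytes(b[12:20]) + struct.pack("!BBH", 0, 6, len(b) - ihl)
    struct.pack_into("!H", b, ihl + 16, _csum(pseudo + bytes(b[ihl:])))
    return bytes(b)


def checksums_valid(pkt):
    """True if both checksums verify (a sum over a correct header folds to zero)."""
    ihl = (pkt[0] & 0x0F) * 4
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(pkt) - ihl)
    return _csum(pkt[:ihl]) == 0 and _csum(pseudo + pkt[ihl:]) == 0


def rewrite_outgoing(pkt, conn_id, short_packet_threshold=576):
    """Apply the change module's rewrites to an outgoing segment and return the new bytes."""
    b = bytearray(pkt)
    delta = change_value_for(conn_id)
    t = (b[0] & 0x0F) * 4  # start of the TCP header
    # IP identification: replaced with the low 16 bits of the change value on short packets
    # (the page gates this on an MTU-related length threshold; 576 is an assumed stand-in)
    if struct.unpack_from("!H", b, 2)[0] < short_packet_threshold:
        struct.pack_into("!H", b, 4, delta & 0xFFFF)
    seq = struct.unpack_from("!I", b, t + 4)[0]
    struct.pack_into("!I", b, t + 4, (seq + delta) & 0xFFFFFFFF)
    off_flags = struct.unpack_from("!H", b, t + 12)[0] & ~RESERVED_MASK & 0xFFFF  # reserved bits -> 0
    struct.pack_into("!H", b, t + 12, off_flags)
    window = struct.unpack_from("!H", b, t + 14)[0]
    struct.pack_into("!H", b, t + 14, (window & 0x8000) | (delta & 0x7FFF))  # keep only the top bit
    if not off_flags & URG_FLAG:
        struct.pack_into("!H", b, t + 18, 0)  # urgent pointer is meaningless without URG
    # TCP options: overwrite the payload of experimental options with change-value bytes
    i, end = t + 20, t + (off_flags >> 12) * 4
    delta_bytes = struct.pack("!I", delta)
    while i < end:
        kind = b[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = b[i + 1]
        if length < 2:
            break
        if kind in EXPERIMENTAL_KINDS:
            n = length - 2
            b[i + 2:i + 2 + n] = (delta_bytes * (n // 4 + 1))[:n]
        i += length
    return fix_checksums(b)


def rewrite_incoming_ack(pkt, conn_id):
    """Undo the seq shift on the peer's acknowledgement so the local stack sees its own numbering."""
    b = bytearray(pkt)
    t = (b[0] & 0x0F) * 4
    if struct.unpack_from("!H", b, t + 12)[0] & ACK_FLAG:
        ack = struct.unpack_from("!I", b, t + 8)[0]
        struct.pack_into("!I", b, t + 8, (ack - change_value_for(conn_id)) & 0xFFFFFFFF)
    return fix_checksums(b)


def tcp_fields(pkt):
    """Decode the fields this example touches."""
    t = (pkt[0] & 0x0F) * 4
    seq, ack, off_flags, window, _, urg = struct.unpack_from("!IIHHHH", pkt, t + 4)
    return {"ip_id": struct.unpack_from("!H", pkt, 4)[0], "seq": seq, "ack": ack,
            "reserved": off_flags & RESERVED_MASK, "window": window, "urg_ptr": urg,
            "options": pkt[t + 20:t + (off_flags >> 12) * 4]}


def build_sample_packet(seq, ack, flags, window=0x9234, urg_ptr=0x0ABC,
                        reserved_bits=RESERVED_MASK, options=b"\xfd\x04\xaa\xbb", payload=b"hello"):
    """Constructed sample: 10.0.0.1:40000 -> 10.0.0.2:443 with reserved bits set, a stale
    urgent pointer and one experimental option (kind 253) carrying two bytes."""
    off_flags = (((20 + len(options)) // 4) << 12) | reserved_bits | flags
    tcp = struct.pack("!HHIIHHHH", 40000, 443, seq, ack, off_flags, window, 0, urg_ptr) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1111, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fix_checksums(bytearray(ip + tcp))
```

Two practical points the page does not spell out: the identification field is the reassembly key, so it must be left alone on datagrams that may be fragmented (the length gate is what keeps the rewrite on small, unfragmented packets), and the sequence shift must be applied to every segment of a connection, retransmissions included, or the receiver will see inconsistent numbering.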
Optionally, the sending module 430 is further configured to:
acquire the target TCP connection identifier corresponding to the header data of the target data packet, and determine whether the target TCP connection identifier exists in a correspondence between TCP connection identifiers and sending queues;
if the target TCP connection identifier exists, determine, in the correspondence, the target sending queue corresponding to the target TCP connection identifier;
if the target TCP connection identifier does not exist, generate a target sending queue corresponding to the target TCP connection identifier, and add the target TCP connection identifier and the target sending queue to the correspondence;
the sending module is further configured to add the target data packet with changed header data to the target sending queue;
the sending module is configured to: if, after the target data packet with changed header data is added to the target sending queue, the number of data packets in the target sending queue has not reached a preset count threshold, send the data packets of the target sending queue one by one based on the preset sending time interval.
Optionally, the sending module is further configured to:
if, after the data packet with changed header data is added to the target sending queue, the number of data packets in the target sending queue has reached the preset count threshold, send the data packets one by one based on their enqueue order in the target sending queue.
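The per-connection sending queue with fixed-interval pacing and the count-threshold fallback described above, as an added example that is not the patent's own code. It is a discrete-time simulation in milliseconds; the interval, the threshold, the connection labels and the packet names are assumed values chosen for this example.

```python
"""Added example (not the patent's code): per-connection queues drained at a
preset interval, flushing in enqueue order once the count threshold is hit."""
from collections import deque


class PacedSender:
    def __init__(self, interval_ms=50, count_threshold=10):
        self.interval = interval_ms
        self.threshold = count_threshold
        self.queues = {}     # TCP connection identifier -> sending queue, created on first use
        self.next_due = {}   # connection -> earliest time the next paced send may happen

    def enqueue(self, conn_id, now_ms, packet):
        """Queue a rewritten packet; returns the packets flushed at once if the queue filled up."""
        queue = self.queues.setdefault(conn_id, deque())
        queue.append(packet)
        if len(queue) < self.threshold:
            return []        # normal case: tick() drains the queue at the preset interval
        # count threshold reached: send everything now, in enqueue order
        flushed = [(now_ms, conn_id, queue.popleft()) for _ in range(len(queue))]
        self.next_due[conn_id] = now_ms + self.interval
        return flushed

    def tick(self, now_ms):
        """Send at most one packet per connection whose preset interval has elapsed."""
        sent = []
        for conn_id, queue in self.queues.items():
            if queue and now_ms >= self.next_due.get(conn_id, now_ms):
                sent.append((now_ms, conn_id, queue.popleft()))
                self.next_due[conn_id] = now_ms + self.interval
        return sent


def simulate(arrivals, interval_ms=50, count_threshold=10, horizon_ms=300):
    """Drive the sender with (arrival_ms, conn_id, packet) events; return (send_ms, conn_id, packet)."""
    sender = PacedSender(interval_ms, count_threshold)
    pending = sorted(arrivals, key=lambda e: e[0])
    sends = []
    for now in range(horizon_ms + 1):
        while pending and pending[0][0] <= now:
            _, conn_id, packet = pending.pop(0)
            sends.extend(sender.enqueue(conn_id, now, packet))
        sends.extend(sender.tick(now))
    return sends


def send_gaps(sends, conn_id):
    """Inter-send gaps observed on the wire for one connection."""
    times = [t for t, c, _ in sends if c == conn_id]
    return [b - a for a, b in zip(times, times[1:])]


# Constructed arrivals: connection A hands over a burst whose spacing a timing
# channel could modulate; connection B hands over ten packets at once.
SAMPLE_ARRIVALS = [(0, "A", "a0"), (3, "A", "a1"), (7, "A", "a2"), (9, "A", "a3")] + \
                  [(100, "B", "b%d" % i) for i in range(10)]
```

On connection A the gaps chosen by the application (3, 4, 2 ms) never reach the wire; every packet leaves exactly one interval after the previous one. The threshold fallback on connection B trades pacing for bounded latency, and a burst of that kind is itself observable, so the threshold should be large compared with the connection's normal burst size.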
Optionally, the device further includes a detection module, configured to:
determine the acquisition order of the target data packet within the target TCP connection to which it belongs;
if the acquisition order satisfies a preset recording condition, record the receiving time of the target data packet and the header data of the target data packet;
based on the recorded acquisition time and header data of each data packet of the target TCP connection, determine whether a covert channel exists in the target TCP connection;
if a covert channel is determined to exist in the target TCP connection, send the recorded acquisition time and header data of each data packet of the target TCP connection to the audit terminal.
Optionally, the detection module is configured to:
based on the recorded acquisition time of each data packet of the target TCP connection, calculate the average difference of the sending time intervals of the data packets, and determine the average number of visible-character occurrences in the data packets;
based on the average difference and the average count for the target TCP connection, determine whether the target TCP connection satisfies the covert channel detection condition;
if the target TCP connection satisfies the covert channel detection condition, determine that the covert channel exists in the target TCP connection.
Optionally, the detection module is configured to:
if the average difference for the target TCP connection is determined to be less than or equal to a preset average difference threshold, compute a weighted sum of the average difference and the average count for the target TCP connection, using a first weight value corresponding to the average difference and a second weight value corresponding to the average count, to obtain a first indication value;
if the first indication value is greater than a preset first indication value threshold, determine that the target TCP connection satisfies the covert channel detection condition.
Optionally, the detection module is configured to:
if the average difference for the target TCP connection is determined to be greater than the average difference threshold, detect the current network state;
if the current network state is abnormal, multiply the average count for the target TCP connection by a preset coefficient value to obtain a second indication value;
if the second indication value is greater than a preset second indication value threshold, determine that the target TCP connection satisfies the covert channel detection condition.
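The two-branch check of the detection module, which is the same procedure the first and second indication values describe in the method section above, run over constructed packet records as an added example that is not the patent's own code. Times are in milliseconds; the preset interval, the thresholds, the weights, the coefficient, the recording condition (first eight packets of a connection) and the definition of a visible-character occurrence as a run of at least three printable ASCII bytes are assumptions made for this example. The page gives no rule for a large average difference on a normal network; the example treats that case as satisfying the condition and marks the choice as an assumption.

```python
"""Added example (not the patent's code): covert-channel detection condition
computed from recorded arrival times and header bytes of a TCP connection."""
from statistics import mean

PRESET_INTERVAL_MS = 50
AVG_DIFF_THRESHOLD_MS = 10   # assumed average difference threshold
WEIGHT_DIFF = 0.01           # assumed first weight value (per ms of deviation)
WEIGHT_VISIBLE = 1.0         # assumed second weight value
FIRST_THRESHOLD = 0.5        # assumed first indication value threshold
COEFFICIENT = 2.0            # assumed coefficient value
SECOND_THRESHOLD = 0.5       # assumed second indication value threshold
MIN_RUN = 3                  # assumed: an occurrence is a run of >= 3 printable bytes
MAX_RECORDS = 8              # assumed recording condition: first 8 packets per connection


class ConnectionRecorder:
    """Record (arrival time, header bytes) for the first MAX_RECORDS packets of each connection."""

    def __init__(self):
        self.records = {}

    def observe(self, conn_id, arrival_ms, header):
        rec = self.records.setdefault(conn_id, [])
        if len(rec) < MAX_RECORDS:   # acquisition order satisfies the recording condition
            rec.append((arrival_ms, bytes(header)))

    def connection(self, conn_id):
        return self.records.get(conn_id, [])


def average_interval_difference(times):
    """Mean absolute deviation of the inter-packet gaps from the preset sending interval."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return mean(abs(g - PRESET_INTERVAL_MS) for g in gaps) if gaps else 0.0


def visible_runs(header):
    """Number of runs of at least MIN_RUN consecutive printable ASCII bytes in a header."""
    runs = run = 0
    for byte in header + b"\x00":      # sentinel terminates a trailing run
        if 0x20 <= byte <= 0x7E:
            run += 1
        else:
            if run >= MIN_RUN:
                runs += 1
            run = 0
    return runs


def covert_channel_check(records, network_abnormal):
    """Return (covert, indicator_name, indicator_value) for one connection's records."""
    avg_diff = average_interval_difference([t for t, _ in records])
    avg_visible = mean(visible_runs(h) for _, h in records) if records else 0.0
    if avg_diff <= AVG_DIFF_THRESHOLD_MS:
        first = WEIGHT_DIFF * avg_diff + WEIGHT_VISIBLE * avg_visible
        return first > FIRST_THRESHOLD, "first", first
    if network_abnormal:
        # the large deviation is explained by jitter: only storage-channel evidence counts
        second = COEFFICIENT * avg_visible
        return second > SECOND_THRESHOLD, "second", second
    # Assumed branch (not stated on the page): a large deviation on a normal network
    # cannot be attributed to jitter, so the condition is treated as satisfied.
    return True, "timing", avg_diff


# Constructed headers: one with no printable run, one with ASCII smuggled into header fields.
CLEAN_HEADER = bytes(range(0, 20))
LEAKY_HEADER = bytes(range(0, 4)) + b"EXFIL!" + bytes(10)


def build_sample_records():
    rec = ConnectionRecorder()
    for i in range(6):
        rec.observe("paced-clean", 50 * i, CLEAN_HEADER)        # uniform gaps, binary headers
        rec.observe("storage-channel", 50 * i, LEAKY_HEADER)    # uniform gaps, printable runs
    for t in (0, 20, 120, 140, 240, 260):
        rec.observe("timing-channel", t, CLEAN_HEADER)          # sender-modulated gaps
    return rec
```

The network-state input is deliberately external to the check: the same timing-channel records are cleared when jitter is known to be present and flagged when it is not, which is exactly the false-positive control the two branches exist for.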
The division into modules in the embodiments of the present application is schematic and is only a division by logical function; other divisions are possible in actual implementation. In addition, the functional modules in the embodiments of the present application may be integrated into one processor, may exist physically on their own, or two or more modules may be integrated into one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module.
If the integrated module is implemented as a software functional module and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a terminal device (which may be a personal computer, a mobile phone, a network device or the like) or a processor to execute all or part of the steps of the method of each embodiment of the present application. The storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
It should be noted that the acquisition module 410, the change module 420 and the sending module 430 may be implemented by a processor, or by a processor together with a memory and a transceiver.
When the device for sending data packets provided by the above embodiment sends a data packet, the division into the functional modules above is only an example; in practical applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above. In addition, the device for sending data packets provided by the above embodiment and the method embodiment for sending data packets belong to the same concept; its specific implementation process is detailed in the method embodiment and is not repeated here.
The embodiment of the present application also provides a computing device for sending data packets. Figure 5 shows an exemplary architecture of a computing device 500. As shown in Figure 5, the computing device 500 can be applied in the data transmission system shown in Figure 1; for example, it may be the data sending end or the data forwarding device in that system, and it performs the operations performed by the data sending end or the data forwarding device in Figures 2 and 3. As shown in Figure 5, the computing device 500 may include a processor 510, a memory 520 coupled to the processor 510, and a transceiver 530. The processor 510 may be a CPU (central processing unit), an NP (network processor), or a combination of a CPU and an NP. The processor may further include a hardware chip, which may be an ASIC, a PLD, or a combination thereof; the PLD may be a CPLD (complex programmable logic device), an FPGA (field programmable gate array), a GAL (generic array logic), or any combination thereof. The processor 510 may be a single processor or may include multiple processors. The memory 520 may include volatile memory such as RAM; it may also include non-volatile memory such as ROM, flash memory, an HDD (hard disk drive) or an SSD (solid state disk); it may also include a combination of these kinds of memory. The memory 520 may be a single memory or may include multiple memories. In one embodiment, the memory 520 stores computer-readable instructions, which may include multiple software modules, for example an acquisition module 521, a change module 522 and a sending module 523. After executing each software module, the processor 510 performs the corresponding operations as instructed by that module. In this embodiment, an operation performed by a software module actually means an operation performed by the processor 510 according to the instructions of that software module. For example, the acquisition module 521 is configured to acquire the target data packet to be sent; the change module 522 is configured to change the specified fields of the header data in the target data packet to obtain the target data packet with changed header data; and the sending module 523 is configured to send the target data packet with changed header data based on the preset sending time interval.
In addition, after executing the computer-readable instructions in the memory 520, the processor 510 can perform, as instructed by those instructions, all operations that the data sending end or the data forwarding device can perform, for example the operations performed by the data sending end or the data forwarding device in the embodiments corresponding to Figures 2 and 3.
In the above embodiments, implementation may be wholly or partly by software, hardware, firmware or any combination thereof. When software is used, implementation may be wholly or partly in the form of a computer program product. The computer program product includes one or more computer instructions; when the computer program instructions are loaded and executed on a device, the processes or functions according to the embodiments of the present invention are wholly or partly produced. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (such as coaxial cable, optical fiber or digital subscriber line) or wireless (such as infrared, radio or microwave) means. The computer-readable storage medium may be any available medium that the device can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (such as a floppy disk, hard disk or magnetic tape), an optical medium (such as a digital video disk (DVD)), or a semiconductor medium (such as a solid-state disk).
Those of ordinary skill in the art will understand that all or part of the steps for implementing the above embodiments may be completed by hardware, or by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disk or the like.
The above is only one embodiment of the present invention and is not intended to limit the present application. Any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present application shall be included in the protection scope of the present application.
Claims (22)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110483447.9A CN113347119B (en) | 2021-04-30 | 2021-04-30 | A method, device, device and storage medium for sending data packets |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110483447.9A CN113347119B (en) | 2021-04-30 | 2021-04-30 | A method, device, device and storage medium for sending data packets |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113347119A CN113347119A (en) | 2021-09-03 |
| CN113347119B true CN113347119B (en) | 2023-01-06 |
Family
ID=77469408
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110483447.9A Active CN113347119B (en) | 2021-04-30 | 2021-04-30 | A method, device, device and storage medium for sending data packets |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113347119B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117729274A (en) * | 2024-02-07 | 2024-03-19 | 之江实验室 | Message processing methods, devices, equipment and readable storage media |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2016141719A1 (en) * | 2015-03-11 | 2016-09-15 | 华为技术有限公司 | Channel detection method and apparatus |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2009152953A (en) * | 2007-12-21 | 2009-07-09 | Nec Corp | Gateway apparatus, packet forwarding method |
| US10142229B2 (en) * | 2015-03-13 | 2018-11-27 | Oracle International Corporation | Concealed datagram-based tunnel for real-time communications |
- 2021-04-30: CN application CN202110483447.9A, patent CN113347119B, status active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2016141719A1 (en) * | 2015-03-11 | 2016-09-15 | 华为技术有限公司 | Channel detection method and apparatus |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113347119A (en) | 2021-09-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8856913B2 (en) | Method and protection system for mitigating slow HTTP attacks using rate and time monitoring | |
| CN110198293B (en) | Attack protection method and device for server, storage medium and electronic device | |
| US9191377B2 (en) | Method for network communication past encryption devices | |
| US8006303B1 (en) | System, method and program product for intrusion protection of a network | |
| US20120047573A1 (en) | Methods and apparatus for detecting invalid ipv6 packets | |
| US11695858B2 (en) | Packet fragmentation control | |
| CN115885502A (en) | Diagnosing intermediate network nodes | |
| Uroz et al. | Characterization and evaluation of IoT protocols for data exfiltration | |
| US8755282B2 (en) | Provision of path characterization information in networks | |
| CN113347119B (en) | A method, device, device and storage medium for sending data packets | |
| CN110191104A (en) | A kind of method and device of security protection | |
| US12160447B2 (en) | Method to safeguard against email phishing attacks | |
| CN100488204C (en) | Method for enquiring IPSec tunnel state | |
| KR102654182B1 (en) | Packet acknowledgment technology for improved network traffic management | |
| CN113595957B (en) | Network defense method and security detection equipment | |
| Mazurczyk et al. | Steganography in handling oversized IP packets | |
| US8023985B1 (en) | Transitioning a state of a connection in response to an indication that a wireless link to a wireless device has been lost | |
| JP7360087B2 (en) | Security monitoring device and security monitoring method | |
| US10917502B2 (en) | Method for using metadata in internet protocol packets | |
| US10616094B2 (en) | Redirecting flow control packets | |
| RU2805368C1 (en) | Method of protection of information systems | |
| US12003423B1 (en) | System and method for scheduling transmission of network packets | |
| CN111404866A (en) | Cross-domain linkage protection system, method, device, medium and equipment | |
| EP3509276A1 (en) | Devices, networks, storage media, and methods for identifying client devices across a network address translation border | |
| CN111193689B (en) | A network attack processing method, device, electronic device and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | | |
| SE01 | Entry into force of request for substantive examination | | |
| GR01 | Patent grant | | |