HTTP cookie covert channel is a covert communication method that encodes malicious information in cookie fields to escape regulatory audits. It is difficult to detect this kind of covert channel according to the cookie content because cookie fields are mainly encoded in custom modes. To effectively identify the HTTP cookie covert channel, this paper proposes a detection method based on the interaction features of the session flow. First, we split the HTTP session flow into fine-grained “interaction process” subflows to comprehensively describe the communication process of the cookie. Then, we compare and analyze the differences between HTTP cookie covert channels and normal cookie communications based on the interaction process, design three types of 7-dimensional features, and build the detection model combined with the machine learning algorithm. Experimental results show that our method can effectively detect HTTP cookie covert channels, and the detection rate can reach 99%. We also prove that our method has advantages in stability and time performance compared with the existing detection methods through experiment and analysis. In addition, our method has certain practicability in the simulation environment with imbalanced data.

中文翻译：

---

基于会话流交互特征的HTTP Cookie隐蔽通道检测

HTTP cookie隐蔽通道是一种隐蔽的通信方法，将恶意信息编码在cookie字段中以逃避监管审计。由于cookie字段主要采用自定义方式编码，因此根据cookie内容很难检测到这种隐蔽通道。为了有效识别HTTP cookie隐蔽通道，提出一种基于会话流交互特征的检测方法。首先，我们将HTTP会话流拆分为细粒度的“交互过程”子流，以全面描述cookie的通信过程。然后，我们基于交互过程比较分析了HTTP cookie隐蔽通道与普通cookie通信的差异，设计了三类7维特征，并结合机器学习算法构建了检测模型。实验结果表明，我们的方法可以有效地检测HTTP cookie隐蔽通道，检测率可以达到99%。我们还通过实验和分析证明我们的方法与现有的检测方法相比在稳定性和时间性能方面具有优势。此外，我们的方法在数据不平衡的模拟环境中具有一定的实用性。