Support Vector Machine Based ICMP Covert Channel Attack Detection
Taeshik Sohn, Taewoo Noh, and Jongsub Moon
Center for Information Security Technologies, Korea University, Seoul, Korea
{743zh2k,siva,jsmoon}@korea.ac.kr
Abstract. The TCP/IP protocol suite has many vulnerabilities in the protocols themselves. In particular, ICMP is ubiquitous on almost every TCP/IP based network, so many networks consider ICMP traffic benign and allow it to pass through unmolested. Attackers can therefore tunnel any information they want through it (a covert channel). To detect an ICMP covert channel, we use an SVM, which has excellent performance in pattern classification. Our experiments show that the proposed method can detect an ICMP covert channel among normal ICMP traffic using an SVM.
1 Introduction and Related Work
A covert channel is not a normal communication channel; it is used to transmit information to processes or users that are prevented from accessing that information. In this paper, we propose a method that can detect hidden data carried in the ICMP payload. To detect the covert channel used in ICMP, we focus on the SVM, which was proposed by Vapnik [3] in 1995 and is known as an efficient classification method for complex patterns.
A security analysis of TCP/IP is found in [4]. John McHugh [1] provides a wealth of information on analyzing a system for covert channels. Paper [2] describes the possibility of generating a covert channel in the ICMP protocol.
2 Support Vector Machine
An SVM is a learning machine that plots training vectors in a high-dimensional feature space and classifies each vector by its class. The SVM views the classification problem as a quadratic optimization problem. It combines generalization control with a technique to avoid the "curse of dimensionality" by maximizing the margin between the different classes. The SVM classifies data by determining a set of support vectors, which are the members of the set of training inputs that outline a hyperplane in feature space [5].
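As an added worked example (not code from the paper, and not the authors' feature set or data), the following Python block shows an SVM of the kind described in this section applied to the detection problem the paper addresses: it parses ICMP echo packets, derives a few payload features, trains a primal linear SVM by subgradient descent on the hinge loss, and classifies held-out packets as ordinary ping data or covert-channel data. The assumed ping payload layout (a 16-byte timestamp followed by the bytes 0x10 to 0x37), the three features, and every packet in the training and test sets are constructed for this example.

```python
import math
import random
import struct

# Assumption for this example: a default 56-byte Linux ping payload is a
# 16-byte timestamp followed by the bytes 0x10, 0x11, ..., 0x37. Real clients differ.
TS_LEN = 16
PING_PATTERN = bytes(range(0x10, 0x38))
PAYLOAD_LEN = TS_LEN + len(PING_PATTERN)  # 56 bytes


def parse_icmp(pkt):
    """Split a raw ICMP packet into (type, code, ident, seq, payload)."""
    if len(pkt) < 8:
        raise ValueError("ICMP header is 8 bytes")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return typ, code, ident, seq, pkt[8:]


def entropy(data):
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def features(payload):
    """Feature vector: [bias, entropy/8, printable fraction, fraction matching the ping pattern]."""
    body = payload[TS_LEN:]
    match = sum(a == b for a, b in zip(body, PING_PATTERN)) / len(PING_PATTERN)
    printable = sum(0x20 <= b < 0x7F for b in payload) / max(len(payload), 1)
    return [1.0, entropy(payload) / 8.0, printable, match]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def train_svm(xs, ys, lam=0.01, epochs=500, lr=0.1):
    """Primal linear SVM: minimise lam/2 * ||w||^2 + mean(max(0, 1 - y * w.x))
    by batch subgradient descent. Labels are +1 for covert, -1 for normal traffic."""
    d, n = len(xs[0]), len(xs)
    w = [0.0] * d
    for _ in range(epochs):
        grad = [lam * wi for wi in w]
        for x, y in zip(xs, ys):
            if y * dot(w, x) < 1.0:  # margin violated: the hinge term is active
                for i in range(d):
                    grad[i] -= y * x[i] / n
        w = [wi - lr * gi for wi, gi in zip(w, grad)]
    return w


def classify(w, pkt):
    """+1 = payload looks like a covert channel, -1 = looks like ordinary ping data."""
    _typ, _code, _ident, _seq, payload = parse_icmp(pkt)
    return 1 if dot(w, features(payload)) >= 0 else -1


# --- constructed sample traffic (synthetic, not captured data) -----------------
def echo_packet(payload, ident=0x1234, seq=1):
    # Type 8 (echo request), code 0; checksum left zero because nothing is sent.
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload


def normal_payload(rng):
    ts = bytes(rng.getrandbits(8) for _ in range(TS_LEN))
    return ts + PING_PATTERN


def covert_payload(rng):
    # Two shapes tunnelled data commonly takes: high-entropy bytes or plain ASCII text.
    if rng.random() < 0.5:
        return bytes(rng.getrandbits(8) for _ in range(PAYLOAD_LEN))
    text = b"constructed sample text standing in for tunnelled data in this example"
    start = rng.randrange(len(text))
    return (text[start:] + text)[:PAYLOAD_LEN]


def build_dataset(n, seed):
    rng = random.Random(seed)
    pkts, labels = [], []
    for i in range(n):
        if i % 2 == 0:
            pkts.append(echo_packet(normal_payload(rng), seq=i))
            labels.append(-1)
        else:
            pkts.append(echo_packet(covert_payload(rng), seq=i))
            labels.append(1)
    return pkts, labels


def train_and_evaluate(train_n=100, test_n=40):
    """Train on one constructed set and return (weights, accuracy on a disjoint set)."""
    train_pkts, train_y = build_dataset(train_n, seed=1)
    test_pkts, test_y = build_dataset(test_n, seed=2)
    w = train_svm([features(parse_icmp(p)[4]) for p in train_pkts], train_y)
    correct = sum(classify(w, p) == y for p, y in zip(test_pkts, test_y))
    return w, correct / test_n


if __name__ == "__main__":
    w, acc = train_and_evaluate()
    print("weights:", [round(x, 3) for x in w], "held-out accuracy:", acc)
```

In this toy setting the pattern-match feature carries most of the weight, which is why a linear SVM separates the two classes cleanly; the paper's own experiments and feature choices are not reproduced here. A practitioner adapting this would replace the synthetic generators with captured echo traffic from the monitored network (ping clients vary in payload layout) and would treat a positive classification as a trigger for inspecting the flow rather than as a final verdict.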
3 Approaching for ICMP Covert Channel Detection
Among the various kinds of ICMP messages, we focus on the ICMP echo request and reply. An ICMP packet has the option to include a data section (payload). The