arbitrary contents of the payload can hold various data according to the message
type of the ICMP protocol and the kind of operating system, as illustrated in Table
1. A normal ICMP packet carries insignificant values (garbage values), null values,
and so on in this field. This is precisely where a covert channel can be laid.
Table 1. The characteristics of ICMP payloads

Packet          ICMP Payload (hex)
Null Packet     0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
Win Packet      0900 6162 6364 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 7576 7761
Solaris Packet  50ec f53d 048f 0700 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819
Linux Packet    9077 063e 2dbd 0400 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819
An ICMP covert channel is simple: arbitrary information is tunneled in the
payload portion of ICMP echo and ICMP echo reply packets. Normally, the payload
characteristic of each operating system stays the same or changes successively
by one byte. Also, because the remaining 4 bytes of the ICMP header depend on the
ICMP message type, covert data can sometimes be inserted into those 4 bytes of
the header as well. To generate covert data, we use the ICMP covert channel tool
called Loki [2]. Loki exploits the covert channel that exists inside ICMP echo
traffic. This channel can exist because network devices do not filter the
contents of ICMP echo traffic [2].
[Fig. 1 (diagram): the ICMP fields type, code, checksum, Rest Of Header and
Payload, with the 13-dimension and 15-dimension feature sets marked]
Fig. 1. The features of the SVM
We propose a detection method for the ICMP covert channel. The method is an
SVM, and its target is the payload part and the remaining 4 bytes of the header
of the ICMP packet, as illustrated in Figure 1. We preprocess the collected raw
packets into two cases: the first case is the ICMP payload only (13 dimensions),
and the second case is the ICMP payload plus the remaining 4 bytes of the ICMP
header (15 dimensions). One dimension of the preprocessed data comprises two
bytes. So the 13 dimensions correspond to 26 bytes of ICMP payload, and the 15
dimensions correspond to the rest of the header (4 bytes) + 26 bytes of ICMP
payload. Each dimension is converted to a decimal value; that is, each 16-bit
(2-byte) hex value in the raw packet dump is replaced by its integer value in
decimal.
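The preprocessing described above, as an added example that is not the paper's own code: a constructed ICMP echo request carrying the Windows-style payload row of Table 1 is converted into the 13-dimension (payload only) and 15-dimension (rest of header + payload) integer vectors. Function names, the sample identifier and sequence values, and the minimum-length check are my own assumptions.

```python
import struct

HEADER_LEN = 8    # type(1) + code(1) + checksum(2) + rest of header(4)
PAYLOAD_LEN = 26  # 13 dimensions x 2 bytes, as in the paper


def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed ICMP echo request (type 8, code 0) with a valid checksum."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def to_dims(chunk: bytes) -> list:
    """Every 2-byte big-endian word becomes one integer-valued dimension."""
    return list(struct.unpack("!%dH" % (len(chunk) // 2), chunk))


def features(packet: bytes, with_rest_of_header: bool) -> list:
    """13-dim (payload only) or 15-dim (rest of header + payload) vector."""
    if len(packet) < HEADER_LEN + PAYLOAD_LEN:  # assumed guard, not in paper
        raise ValueError("packet shorter than ICMP header + 26-byte payload")
    rest = packet[4:HEADER_LEN]                 # identifier + sequence for echo
    payload = packet[HEADER_LEN:HEADER_LEN + PAYLOAD_LEN]
    dims = to_dims(payload)
    return to_dims(rest) + dims if with_rest_of_header else dims


# Constructed sample: the "Win Packet" payload row of Table 1.
WIN_PAYLOAD = bytes.fromhex(
    "0900 6162 6364 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 7576 7761")

if __name__ == "__main__":
    pkt = build_echo(0x1234, 1, WIN_PAYLOAD)
    print("checksum ok:", icmp_checksum(pkt) == 0)
    print("13-dim:", features(pkt, False))
    print("15-dim:", features(pkt, True))
```

Run against a real capture, the same `features` call on each echo/echo-reply message yields the rows an SVM would be trained on; the "Null Packet" row of Table 1 maps to thirteen zeros.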