Information Technology Reference
In-Depth Information
Table 2.
SVM Training Data Set and Test Data Set
Data Set
Training Set1(Total 4000)
Training Set2(Total 4000)
Normal Packet
All typed ICMP packet(2000)
OS based ICMP packet(2000)
Abnormal Packet
Loki packet (2000)
Loki packet (2000)
Data Set
Test Set1 (Total 1000)
Test Set2 (Total 1000)
Normal Packet
All typed ICMP packet(250)
All typed ICMP packet(250)
+ OS based ICMP packet(250)
+ OS based ICMP packet(250)
Abnormal Packet
Loki packets(500)
Loki packets(500)
4 Experiment Methods and Results
The SVM data set consist of the training set1, set2 and test set1, set2 as following
table 2. Normal ICMP packets are collected by a TCPdump tool. Abnormal
ICMP packets are generated by Loki. We preprocessed the raw packet values in
order to make training data and testing data. Each training data set is comprised
of 4000 packets. Training Set1 data consists of general ICMP packets. Training
Set2 data consists of ICMP packets depending on the characteristic of operating
systems. Also, abnormal packets are also generated by Loki, each training set
consists of 2000 packets. The test set1 and test set2 consist of 500 normal packets
and 500 abnormal packets. Here, the normal packets of test set have 250 general
ICMP packets and 250 OS dependent packets. The abnormal packets of test set
consists of packets which are forged by Loki tool. SVM detection tool used is
the freeware package[6]. Also, to compare the detection performance, we used
the two SVM kernels : linear, polynomial. In case of the polynomial kernel,
the degree is fixed with 3. The parameters of SVM were tunned with training
set1 and training set 2 each. For the two parameters of SVM, we tested two
cases of test set, i.e, test set1 and test set2. The inputs were two cases, that
is, input dimensions are for dimension 13 and 15. The kernel functions used in
SVM are also polynomial and linear each. So, all test cases are 16. Table 3 shows
overall experiment results. The resultant graph of covert channel detection using
training set 1 is shown in figure 2. In case of the SVM training set, we can see
that it is more ecient to classify the abnormal packets when the general type of
ICMP packets are trained(The detection rate of Training Set1 is 98.68%). Also,
we can see that detection performance is better in 15 dimension and is best in
polynomial kernel with degree of 3.
5 Conclusion
Covert channel attacks are an increasingly potential threat to the Internet envi-
ronments. We didn't have the best solution for covert channel detection yet. The
goal of this paper was to propose the detection method for ICMP covert chan-
nels with SVM among the many covert channels. The preprocessing for SVM
learning to detect a covert channel consists of two cases: one case is only includ-
ing a ICMP payload and the other case is including a ICMP payload and the
