信息安全研究 (Journal of Information Security Research) ›› 2020, Vol. 6 ›› Issue (2): 122-130.

• Academic Paper •

Detection of Network Storage Covert Channel over ICMP Protocol Based on SVM

李抒霞 (1), 周安民 (2), 郑荣锋 (2), 胡星高 (1)

  1. School of Cyberspace, Sichuan University
  2. School of Electronic Information, Sichuan University
  • Received: 2020-02-08 Online: 2020-02-10 Published: 2020-02-08
  • Corresponding author: 李抒霞 (LI ShuXia)
  • About the authors: 李抒霞, born 1995, master's degree; main research area: covert channels. 周安民, born 1963, research fellow; main research areas: Internet technology, computer software and computer applications, telecommunications technology. 郑荣锋, born 1990, PhD; main research areas: network traffic analysis, industrial control system security, embedded device security, cyber threat intelligence. 胡星高, born 1996, master's degree; main research area: network attack detection.


Abstract: Covert channels exploit properties of network protocols to transmit data secretly and pose a serious threat to information security. Most ICMP traffic can evade inspection by firewalls and other network devices, so an attacker can use the Internet Control Message Protocol (ICMP) to hide data in the ICMP payload, forming an ICMP covert channel. Traditional ICMP channel detection relies on a single payload feature. To detect such channels more effectively, this paper analyzes the ICMP protocol and discusses in detail the basic characteristics of normal ICMP traffic, such as message type, packet size and the fixed payload format; builds covert channels with several existing ICMP covert-channel tools; and, using 12 features derived from ICMP protocol information, proposes an ICMP covert channel detection algorithm based on the support vector machine (SVM). The algorithm extracts feature fields from network flows and trains an SVM model on them. Experimental results show that it detects ICMP covert traffic accurately, with a detection rate of about 99%.

Key words: storage covert channel, detection, traffic analysis, ICMP protocol, SVM
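As an added illustration of the pipeline the abstract describes (raw ICMP message, feature vector, SVM decision), the following Python script is example code written for this page, not the authors' implementation. The paper's 12 features are not listed here, so the per-packet features below (message type, code, payload size, whether the payload follows the fixed body that standard Linux and Windows ping tools emit, byte entropy, printable ratio, checksum validity), the constructed benign and covert-style packets, and the Pegasos-style linear SVM trainer are all assumptions made for the example:

```python
# Added example, not the paper's code: ICMP feature extraction plus a minimal linear SVM.
# The feature set, the constructed traffic and the Pegasos trainer are assumptions.
import math
import random
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"  # default Windows ping body (32 bytes)

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; evaluates to 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Serialise an ICMP echo message: type, code, checksum, identifier, sequence, payload."""
    csum = icmp_checksum(struct.pack("!BBHHH", icmp_type, code, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload

def linux_ping_payload(size: int = 56) -> bytes:
    """Default Linux ping body: 8-byte timestamp followed by 0x10, 0x11, 0x12, ..."""
    timestamp = struct.pack("!Q", 0x5E3E00000001ABCD)  # constructed timestamp value
    return timestamp + bytes((0x10 + i) & 0xFF for i in range(size - 8))

def looks_like_ping_pattern(payload: bytes) -> bool:
    """True when the payload is one of the fixed patterns ordinary ping tools emit."""
    linux_body = bytes((0x10 + i) & 0xFF for i in range(max(len(payload) - 8, 0)))
    return (len(payload) > 8 and payload[8:] == linux_body) or payload == WINDOWS_PATTERN

def shannon_entropy(data: bytes) -> float:
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def extract_features(packet: bytes) -> list:
    """Assumed per-packet feature vector, scaled roughly to [0, 1]."""
    icmp_type, code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    payload = packet[8:]
    printable = sum(32 <= b < 127 for b in payload) / max(len(payload), 1)
    return [
        icmp_type / 255.0,                                 # message type
        code / 255.0,                                      # code
        len(payload) / 1500.0,                             # payload size
        1.0 if looks_like_ping_pattern(payload) else 0.0,  # fixed ping data format
        shannon_entropy(payload) / 8.0,                    # byte entropy
        printable,                                         # printable-ASCII ratio
        1.0 if icmp_checksum(packet) == 0 else 0.0,        # checksum verifies
    ]

def make_dataset(rng: random.Random, n: int = 300) -> list:
    """Constructed samples: -1 = ordinary ping, +1 = arbitrary data carried in the payload."""
    samples = []
    for seq in range(n):
        ident = rng.randrange(65536)
        if seq % 2 == 0:
            payload = linux_ping_payload() if rng.random() < 0.5 else WINDOWS_PATTERN
            icmp_type = rng.choice([ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY])
            samples.append((build_icmp(icmp_type, 0, ident, seq, payload), -1))
        else:
            if rng.random() < 0.5:
                payload = rng.randbytes(rng.choice([32, 56, 128]))  # binary data
            else:
                text = b"record %d;" % rng.randrange(10 ** 6)
                payload = (text * 8)[: rng.choice([32, 56, 64])]    # text data
            samples.append((build_icmp(ICMP_ECHO_REQUEST, 0, ident, seq, payload), +1))
    return samples

def train_linear_svm(data: list, rng: random.Random, lam: float = 0.01, epochs: int = 50):
    """Pegasos stochastic subgradient descent for a soft-margin linear SVM."""
    w, b, t = [0.0] * len(data[0][0]), 0.0, 0
    for _ in range(epochs):
        order = list(range(len(data)))
        rng.shuffle(order)
        for i in order:
            t += 1
            x, y = data[i]
            eta = 1.0 / (lam * t)
            margin = y * (sum(wi * xi for wi, xi in zip(w, x)) + b)
            w = [(1 - eta * lam) * wi for wi in w]           # regularisation shrink step
            if margin < 1:                                   # hinge-loss violation
                w = [wi + eta * y * xi for wi, xi in zip(w, x)]
                b += eta * y
    return w, b

def predict(w: list, b: float, x: list) -> int:
    return 1 if sum(wi * xi for wi, xi in zip(w, x)) + b >= 0 else -1

def run_demo(seed: int = 7) -> float:
    """Train on 200 constructed packets and return accuracy on the remaining 100."""
    rng = random.Random(seed)
    data = [(extract_features(p), y) for p, y in make_dataset(rng)]
    w, b = train_linear_svm(data[:200], rng)
    return sum(predict(w, b, x) == y for x, y in data[200:]) / len(data[200:])
```

Calling run_demo() trains the model and returns the held-out accuracy. On this constructed traffic the fixed-pattern feature is nearly decisive, so the number is not comparable to the paper's 99% on real traffic; the point of the example is the path from raw bytes through a feature vector to an SVM decision, and the checksum step shows why a detector should parse the message rather than trust the capture tool's summary.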