
The Study On Covert Channel Detection In The ICMP Payload Based On Information Entropy SVM

Posted on: 2010-02-20
Degree: Master
Type: Thesis
Country: China
Candidate: C A Wang
Full Text: PDF
GTID: 2178360302466495
Subject: Computer application technology

Abstract/Summary:
Network covert channels have been widely used in network attacks. By definition, a covert channel hides information in a medium that is not normally used for any form of information transfer. Because of the covert nature of a network covert channel and the deficiencies of traditional network security products, communication over such a channel is hard to detect. Although protocols at every level of the TCP/IP model are vulnerable to covert channel operations, ICMP has a natural advantage relative to other protocols: ICMP traffic is ubiquitous in almost every TCP/IP-based network, so many network devices consider it benign and let it pass through unmolested. Attackers can therefore tunnel arbitrary information in the payload of ICMP packets. This dissertation studies ICMP network covert channels to address this problem.

The dissertation gives a general method for constructing a covert channel, presents a channel based on the ICMP protocol, and implements it in C++Builder 6.0. A detection method can distinguish the ICMP covert channel from normal ICMP traffic using an SVM, but its classification speed and accuracy degrade when the volume of ICMP traffic is large. From an analysis of the entropy distribution characteristics of ICMP data flows, we find that 95% of the ICMP packets do not contain a covert channel. If the training set is pruned accordingly, the classifier performs well in both speed and accuracy, and classification speed in particular is greatly improved. We therefore propose a method to prune the large training set by entropy, and a new information entropy support vector machine model to detect covert channels in the ICMP payload.

The selection of the kernel in the information entropy support vector machine model is one of our in-depth research topics. The performance, learning ability and generalization ability of an SVM are not satisfactory when a single kernel function is used to solve practical problems. We give some rules according to which a kernel can be selected and, based on these rules, propose a new kernel selection method, the Reasonable Selection Method, which differs from traditional methods. Furthermore, mixtures of kernels are constructed.

In summary, we hope this dissertation can contribute to the advancement of the detection of other network covert channels.
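The entropy-based pruning step described above, as an added illustration that is not part of the thesis or its C++Builder implementation: the byte-value entropy of each ICMP flow's pooled payloads is computed, flows whose entropy falls below a threshold are treated as ordinary traffic and dropped from the training set, and only the remainder would be passed on to the SVM. The two flows, the 7.0-bit threshold, the flow identifiers and the payload layouts are all constructed for the example; the thesis gives no threshold value.

```python
import math
import random
import struct
from collections import Counter
from typing import Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte-value distribution, in bits per byte.

    Ranges from 0.0 (all bytes identical, or empty input) to 8.0 (uniform).
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flow_entropy(payloads: List[bytes]) -> float:
    """Entropy of all ICMP payload bytes seen in one flow, pooled across packets.

    Pooling matters: a single 56-byte payload cannot exceed log2(56) bits even when
    its bytes are all distinct, so per-packet entropy says little for short pings.
    """
    return shannon_entropy(b"".join(payloads))


def prune_by_entropy(flows: Dict[str, List[bytes]],
                     threshold: float) -> Tuple[List[Tuple[str, float]],
                                                List[Tuple[str, float]]]:
    """Split flows into (kept for SVM training, pruned as normal traffic).

    Flows whose pooled payload entropy is below `threshold` are assumed to be
    ordinary ICMP (echo requests carry a fixed filler pattern) and are discarded;
    the rest keep their entropy as a feature for the classifier.
    """
    kept, pruned = [], []
    for flow_id, payloads in flows.items():
        h = round(flow_entropy(payloads), 3)
        (kept if h >= threshold else pruned).append((flow_id, h))
    return kept, pruned


def build_sample_flows(packets_per_flow: int = 50) -> Dict[str, List[bytes]]:
    """Constructed sample traffic (not captured data).

    "ping":   48-byte payloads made of an 8-byte timestamp followed by the
              incrementing filler 0x10..0x37 that common ping tools use.
    "tunnel": 48-byte payloads of seeded pseudo-random bytes, standing in for
              encoded data carried in the ICMP payload.
    """
    ping = [struct.pack(">Q", 1_700_000_000 + i) + bytes(range(0x10, 0x38))
            for i in range(packets_per_flow)]
    rng = random.Random(2010)  # fixed seed so the example is deterministic
    tunnel = [bytes(rng.getrandbits(8) for _ in range(48))
              for _ in range(packets_per_flow)]
    return {"ping": ping, "tunnel": tunnel}


# Assumed pruning threshold in bits per byte; the thesis does not state one.
ENTROPY_THRESHOLD = 7.0


def demo() -> Tuple[List[Tuple[str, float]], List[Tuple[str, float]]]:
    kept, pruned = prune_by_entropy(build_sample_flows(), ENTROPY_THRESHOLD)
    for flow_id, h in kept:
        print(f"keep  {flow_id:7s} entropy={h:.3f} bits/byte -> SVM training set")
    for flow_id, h in pruned:
        print(f"prune {flow_id:7s} entropy={h:.3f} bits/byte -> treated as normal")
    return kept, pruned


if __name__ == "__main__":
    demo()
```

The ping flow lands near 5.4 bits per byte because the same filler bytes recur in every packet, while the tunnel flow approaches the 8-bit maximum; in practice the threshold would be fitted on the operator's own baseline traffic rather than fixed as here.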
Keywords/Search Tags: covert channel, support vector machine, information entropy, ICMP protocol, network security