摘要
隐蔽通道利用了网络协议的特点来秘密进行数据的传输,严重威胁信息安全.大多数ICMP流量可以躲避防火墙等网络设备的检测,因此,攻击者利用网际控制报文协议(Internet control message protocol,ICMP)将数据隐藏在ICMP的有效负载部分,形成ICMP隐蔽通道.传统ICMP通道检测基于有效负载单一特征,为了更有效进行检测,通过分析ICMP协议,对正常ICMP流量的类型、数据包大小、数据固定格式等基本数据特征信息进行充分讨论,并用现有的一些ICMP隐蔽信息工具构建隐蔽通道,基于ICMP协议信息的12个特征,提出了基于支持向量机(support vector machine,SVM)的ICMP隐蔽信道检测算法.该算法通过提取网络流特征字段,采用SVM训练模型,检测结果表明,能较准确检测到ICMP隐蔽流量,且检测率较高,达到99%左右.
Covert Channel known as a means of communication affects data sent secretly in the network and attack the network,which seriously threatens information security.Most ICMP(Internet Control Message Protocol)can elude basic security systems such as firewalls.An attacker can hide any data based on the ICMP of the payload,which can form ICMP covert channel.Traditional ICMP channel detection is based on a single feature of the payload,by analyzing ICMP protocol,we fully discuss the basic data characteristic such as the type,the size of packet and fixed data format of the normal ICMP traffic so as to get the more effective detection.To validate our idea,we install some tools that allow to construct covert channel using ICMP.Based on the 12 characteristic of ICMP,We propose an ICMP covert channel detection algorithm based on Support Vector Machine(SVM).The algorithm extracts network flow characteristic fields and train the model using SVM.Our experimental results show the possibility to discover such ICMP traffic with high performance,reaching about 99%.
作者
李抒霞
周安民
郑荣锋
胡星高
Li Shuxia;Zhou Anmin;Zheng Rongfeng;Hu Xinggao(College of Cybersecurity,Sichuan University,Chengdu 610065;College of Electronics and Information Sichuan University,Chengdu 610065)
出处
《信息安全研究》
2020年第2期122-130,共9页
Journal of Information Security Research
