Detection of Covert Tunnel over Internet Control Message Protocol Based on Baseline Features
| Published in: | 2023 IEEE 29th International Conference on Parallel and Distributed Systems (ICPADS), pp. 2210-2218 |
|---|---|
| Main Authors: | |
| Format: | Conference Proceeding |
| Language: | English |
| Published: | IEEE, 17-12-2023 |
| Summary: | Covert tunnels are increasingly used in threat attacks such as remote control and data theft. In this paper, we propose a baseline-feature-based malicious traffic detection method for Internet Control Message Protocol (ICMP) covert tunnels. We first analyze the packets involved in benign ICMP traffic and in ICMP covert tunnels, and determine five features that differentiate benign ICMP traffic from ICMP covert tunnels well: the average packet payload length, the packet frequency, the session duration, the ratio of requests to replies, and the payload entropy. Then, we employ a variety of machine learning models to build binary classifiers for the detection of ICMP covert tunnels. Experimental results show that the best detection precision, recall and F1 value of the proposed method reach 99.51%, 99% and 99.48%, respectively. Meanwhile, the proposed method parses traffic and performs detection analysis in milliseconds, so it can be applied to the detection of ICMP covert tunnels in real-world scenarios. |
| ISSN: | 2690-5965 |
| DOI: | 10.1109/ICPADS60453.2023.00298 |