
Detection Research on ICMP Covert Tunnel Attack Intentions and Context-Aware Attacks

Posted on: 2022-07-14 | Degree: Master | Type: Thesis
Country: China | Candidate: X X Deng | Full Text: PDF
GTID: 2518306338966979 | Subject: Computer Science and Technology
Abstract/Summary:
An ICMP covert tunnel is a network tunnel that encapsulates the packets, malicious commands and malicious data of other protocols in the payload of ICMP traffic, which makes it more concealed and harder to detect. Most current detection methods only establish that an ICMP covert tunnel exists rather than clarifying its specific attack intention, which makes it hard for security researchers to take targeted defensive measures. In addition, to bypass detection based on a single flow, some new covert tunnels split the malicious information across multiple flows, forming a context-aware covert tunnel, and at present there is no effective detection method for such tunnels. To address these two problems, this thesis aims to clarify the specific attack intentions of ICMP covert tunnels and to detect covert tunnels that span context. The research was carried out and the following results were achieved.

1. To address the inability of existing ICMP covert tunnel detection to identify a specific attack intention, a detection model for the specific attack intentions of ICMP covert tunnels, named icmpTend, is constructed. Keyword features are extracted from five types of attack intention commonly found in ICMP covert tunnels (shell attacks, access to sensitive directories, theft of other protocol traffic, filling of tunnel reserved words, and common network attacks) and assembled into a feature dictionary. Considering the high-dimensional and linearly independent characteristics of ICMP traffic, an SVM is used as the classifier for multi-class training and prediction. The model's detection result identifies the specific malicious attack intention, which gives security researchers a basis for targeted defensive measures.

2. For the context-aware ICMP covert tunnel, in which malicious data or commands are split across multiple flows for transmission, a context-aware ICMP covert tunnel detection model named contextTunnel is proposed, based on the original hexadecimal data stream within a specified time window. On the one hand, the input of contextTunnel is the original hexadecimal data, which avoids the information loss of a feature extraction step; on the other hand, the basic detection unit is the data stream, so an attack scattered across several flows with multiple time-series features can still be detected. Experiments show that contextTunnel detects context-aware covert tunnels effectively, with a detection accuracy of 98%, a precision of 98%, and a false negative rate of only 2%.

3. On the basis of the icmpTend and contextTunnel models, an ICMP covert tunnel detection system is designed and implemented that realizes the complete process of flow collection, flow analysis, data preprocessing and covert tunnel detection. Once deployed, the system captures traffic without the user's perception, analyzes it efficiently, identifies the attack intention of an ICMP covert tunnel and detects covert tunnels that span context.
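As an added illustration of the context-aware detection idea (not code from the thesis; icmpTend and contextTunnel themselves use an SVM and a hex-stream model), the Python below reassembles echo payloads per (src, dst, identifier) inside a time window and matches a small keyword dictionary, so that a keyword split across packets is still found. The keyword entries, the packet helper and the sample capture are my own assumptions.

```python
import struct
from collections import defaultdict
# Hypothetical keyword dictionary modelled on the thesis's intention classes; entries are my own.
KEYWORDS = {
    "shell": [b"/bin/sh", b"cmd.exe", b"bash -i"],
    "sensitive_dir": [b"/etc/", b"/root/", b"System32"],
    "tunnel_reserved": [b"ptunnel", b"icmpsh"],
}

def parse_icmp(raw):
    """Return (type, code, ident, seq, payload) for a raw ICMP message, or None."""
    if len(raw) < 8:
        return None
    icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return icmp_type, code, ident, seq, raw[8:]

def reassemble(packets, window=5.0):
    """Join echo payloads per (src, dst, ident) in seq order, within `window` s of the first."""
    streams = defaultdict(list)
    for ts, src, dst, raw in packets:
        parsed = parse_icmp(raw)
        if parsed is None or parsed[0] not in (0, 8):  # echo request/reply only
            continue
        _, _, ident, seq, payload = parsed
        streams[(src, dst, ident)].append((ts, seq, payload))
    joined = {}
    for key, items in streams.items():
        start = min(ts for ts, _, _ in items)
        joined[key] = b"".join(p for _, p in sorted((s, p) for ts, s, p in items if ts - start <= window))
    return joined

def classify(data):
    """Intention classes whose keywords occur in the data (a packet or a reassembled stream)."""
    return [name for name, kws in KEYWORDS.items() if any(k in data for k in kws)]

def detect(packets, window=5.0):
    """Map each stream key to its matched intention classes; streams with no hit are dropped."""
    return {k: hits for k, v in reassemble(packets, window).items() if (hits := classify(v))}

def echo_request(ident, seq, payload):
    # Checksum left zero: these packets are constructed only to feed the detector.
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload

# Constructed sample capture: "ls /etc/passwd" is split so that no single packet holds "/etc/".
SAMPLE = [
    (0.0, "10.0.0.5", "10.0.0.9", echo_request(0x1234, 1, b"ls /e")),
    (0.4, "10.0.0.5", "10.0.0.9", echo_request(0x1234, 2, b"tc/pa")),
    (0.9, "10.0.0.5", "10.0.0.9", echo_request(0x1234, 3, b"sswd")),
    (1.0, "10.0.0.7", "10.0.0.9", echo_request(0x0001, 1, b"abcdefghijklmnop")),
]
```

Per-packet matching finds nothing in SAMPLE, while the reassembled stream flags the sensitive-directory class; shrinking the window below the gap between fragments loses the hit again, which is the trade-off the time window sets.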
Keywords/Search Tags:ICMP covert tunnel, Attack intention, Context-sensitive, Key feature library, Grayscale image, Machine learning, Deep learning