Open Access

ARTICLE

ICMPTend: Internet Control Message Protocol Covert Tunnel Attack Intent Detector

Tengfei Tu1,2, Wei Yin3, Hua Zhang1,2,*, Xingyu Zeng1, Xiaoxiang Deng1, Yuchen Zhou1, Xu Liu4
1 State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, 100876, China
2 State Key Laboratory of Cryptology, Beijing, 100878, China
3 National Computer Network Emergency Response Technical Team/Coordination Center of China, 100029, China
4 Pennsylvania State University, State College, 16801, USA
* Corresponding Author: Hua Zhang. Email:

Computers, Materials & Continua 2022, 71(2), 2315-2331. https://doi.org/10.32604/cmc.2022.022540

Received 10 August 2021; Accepted 16 September 2021; Issue published 07 December 2021

Abstract

The Internet Control Message Protocol (ICMP) covert tunnel refers to a network attack that encapsulates malicious data in the data part of the ICMP protocol for transmission. Its concealment is stronger and it is not easy to be discovered. Most detection methods are detecting the existence of channels instead of clarifying specific attack intentions. In this paper, we propose an ICMP covert tunnel attack intent detection framework ICMPTend, which includes five steps: data collection, feature dictionary construction, data preprocessing, model construction, and attack intent prediction. ICMPTend can detect a variety of attack intentions, such as shell attacks, sensitive directory access, communication protocol traffic theft, filling tunnel reserved words, and other common network attacks. We extract features from five types of attack intent found in ICMP channels. We build a multi-dimensional dictionary of malicious features, including shell attacks, sensitive directory access, communication protocol traffic theft, filling tunnel reserved words, and other common network attack keywords. For the high-dimensional and independent characteristics of ICMP traffic, we use a support vector machine (SVM) as a multi-class classifier. The experimental results show that the average accuracy of ICMPTend is 92%, training ICMPTend only takes 55 s, and the prediction time is only 2 s, which can effectively identify the attack intention of ICMP.

Keywords

Internet control message protocol; support vector machine; covert tunnel; network analysis

Cite This Article

T. Tu, W. Yin, H. Zhang, X. Zeng, X. Deng et al., "Icmptend: internet control message protocol covert tunnel attack intent detector," Computers, Materials & Continua, vol. 71, no.2, pp. 2315–2331, 2022.



This work is licensed under a Creative Commons Attribution 4.0 International License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
  • 684

    View

  • 583

    Download

  • 0

    Like

Share Link

WeChat scan