Open Access

ARTICLE

ICMPTend: Internet Control Message Protocol Covert Tunnel Attack Intent Detector

Tengfei Tu^1,2, Wei Yin³, Hua Zhang^1,2,*, Xingyu Zeng¹, Xiaoxiang Deng¹, Yuchen Zhou¹, Xu Liu⁴

1 State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, 100876, China
2 State Key Laboratory of Cryptology, Beijing, 100878, China
3 National Computer Network Emergency Response Technical Team/Coordination Center of China, 100029, China
4 Pennsylvania State University, State College, 16801, USA

* Corresponding Author: Hua Zhang. Email:

Computers, Materials & Continua 2022, 71(2), 2315-2331. https://doi.org/10.32604/cmc.2022.022540

Received 10 August 2021; Accepted 16 September 2021; Issue published 07 December 2021

Abstract

The Internet Control Message Protocol (ICMP) covert tunnel refers to a network attack that encapsulates malicious data in the data part of the ICMP protocol for transmission. Its concealment is stronger and it is not easy to be discovered. Most detection methods are detecting the existence of channels instead of clarifying specific attack intentions. In this paper, we propose an ICMP covert tunnel attack intent detection framework ICMPTend, which includes five steps: data collection, feature dictionary construction, data preprocessing, model construction, and attack intent prediction. ICMPTend can detect a variety of attack intentions, such as shell attacks, sensitive directory access, communication protocol traffic theft, filling tunnel reserved words, and other common network attacks. We extract features from five types of attack intent found in ICMP channels. We build a multi-dimensional dictionary of malicious features, including shell attacks, sensitive directory access, communication protocol traffic theft, filling tunnel reserved words, and other common network attack keywords. For the high-dimensional and independent characteristics of ICMP traffic, we use a support vector machine (SVM) as a multi-class classifier. The experimental results show that the average accuracy of ICMPTend is 92%, training ICMPTend only takes 55 s, and the prediction time is only 2 s, which can effectively identify the attack intention of ICMP.

---

Keywords

---