Open Access iconOpen Access

ARTICLE

crossmark

ICMPTend: Internet Control Message Protocol Covert Tunnel Attack Intent Detector

by Tengfei Tu1,2, Wei Yin3, Hua Zhang1,2,*, Xingyu Zeng1, Xiaoxiang Deng1, Yuchen Zhou1, Xu Liu4

1 State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, 100876, China
2 State Key Laboratory of Cryptology, Beijing, 100878, China
3 National Computer Network Emergency Response Technical Team/Coordination Center of China, 100029, China
4 Pennsylvania State University, State College, 16801, USA

* Corresponding Author: Hua Zhang. Email: email

Computers, Materials & Continua 2022, 71(2), 2315-2331. https://doi.org/10.32604/cmc.2022.022540

Abstract

The Internet Control Message Protocol (ICMP) covert tunnel refers to a network attack that encapsulates malicious data in the data part of the ICMP protocol for transmission. Its concealment is stronger and it is not easy to be discovered. Most detection methods are detecting the existence of channels instead of clarifying specific attack intentions. In this paper, we propose an ICMP covert tunnel attack intent detection framework ICMPTend, which includes five steps: data collection, feature dictionary construction, data preprocessing, model construction, and attack intent prediction. ICMPTend can detect a variety of attack intentions, such as shell attacks, sensitive directory access, communication protocol traffic theft, filling tunnel reserved words, and other common network attacks. We extract features from five types of attack intent found in ICMP channels. We build a multi-dimensional dictionary of malicious features, including shell attacks, sensitive directory access, communication protocol traffic theft, filling tunnel reserved words, and other common network attack keywords. For the high-dimensional and independent characteristics of ICMP traffic, we use a support vector machine (SVM) as a multi-class classifier. The experimental results show that the average accuracy of ICMPTend is 92%, training ICMPTend only takes 55 s, and the prediction time is only 2 s, which can effectively identify the attack intention of ICMP.

Keywords


Cite This Article

APA Style
Tu, T., Yin, W., Zhang, H., Zeng, X., Deng, X. et al. (2022). Icmptend: internet control message protocol covert tunnel attack intent detector. Computers, Materials & Continua, 71(2), 2315-2331. https://doi.org/10.32604/cmc.2022.022540
Vancouver Style
Tu T, Yin W, Zhang H, Zeng X, Deng X, Zhou Y, et al. Icmptend: internet control message protocol covert tunnel attack intent detector. Comput Mater Contin. 2022;71(2):2315-2331 https://doi.org/10.32604/cmc.2022.022540
IEEE Style
T. Tu et al., “ICMPTend: Internet Control Message Protocol Covert Tunnel Attack Intent Detector,” Comput. Mater. Contin., vol. 71, no. 2, pp. 2315-2331, 2022. https://doi.org/10.32604/cmc.2022.022540



cc Copyright © 2022 The Author(s). Published by Tech Science Press.
This work is licensed under a Creative Commons Attribution 4.0 International License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
  • 1950

    View

  • 1259

    Download

  • 0

    Like

Share Link