A novel comprehensive steganalysis of transmission control protocol/Internet protocol covert channels based on protocol behaviors and support vector machine

Abstract Covert channels are malicious conversations disguised in legitimate network communications, allowing information leak to the unauthorized or unknown receiver. Various network steganographic schemes that modify the header fields of transmission control protocol/Internet protocol (TCP/IP) have been proposed in recent years. People before conducted detection research based on the surface content of the header field and did not take into account the differences between the behavior characters of covert channels and the inherent behavior regularities of the header fields. Up to date, there is little comprehensive research on the steganalysis against the storage covert channels. In this paper, we focus on the detection of storage covert channels and introduce a novel comprehensive detection method based on the protocol behaviors. The protocol behavior characters are utilized to evaluate the regularities or correlations of header fields between adjacent packets according to the conventional use. First, the behavior features of the header fields in TCP/IP are extracted; a support vector machine is then applied to the behavior feature sets for discovering the existence of covert channels. Some recognized covert channel tools are detected in our detection experiment. Experimental results and discussion show that our detection method is of effectiveness. Copyright © 2014 John Wiley & Sons, Ltd.