Computer Science, 2026, Vol. 53, Issue 6A: 250200069-11. DOI: 10.11896/jsjkx.250200069

• Information Security •

Malicious Traffic Detection Method of ICMP Covert Channel Based on Baseline Features

DUAN Haiying 1, WANG Baohui 1, HUANG He 2

  1 School of Software, Beihang University, Beijing 100191, China
  2 Aerospace Internet of Things Technology Co., Ltd., Beijing 100076, China
  • Online: 2026-06-16   Published: 2026-06-12
  • About the authors: DUAN Haiying, born in 1995, postgraduate. Her main research interests include network security and artificial intelligence.
    WANG Baohui, born in 1973, professor, master's supervisor. His main research interests include network security, big data and artificial intelligence.

Abstract: ICMP is a network management protocol, and attackers frequently abuse it for remote control, data theft and other malicious activity. It has become a common covert-communication method in recent network attacks and poses a serious risk to victim hosts. Given the increasingly severe ICMP covert channel threat and the complex, hard-to-identify and highly concealed nature of ICMP traffic, existing machine-learning detectors for ICMP covert channel traffic are found to extract insufficient features and to have poor robustness and generalization. To address these problems, a baseline feature-based malicious traffic detection method for ICMP covert channels is proposed. First, a baseline analysis of benign ICMP traffic and covert channel traffic is performed, and five features with good discriminative power are proposed: average packet length, packet frequency, session duration, ratio of request to reply packets, and payload information entropy. A binary classifier combining multiple machine learning models is then built for malicious traffic detection. Experimental results show that the proposed method reaches an accuracy, recall and F1 score of 99.53%, 99.51% and 99.5% respectively, which are 2.83, 2.97 and 2.88 percentage points higher than existing methods. In addition, because baseline features can be bypassed by an attacker who dynamically adjusts or obfuscates the traffic, an ICMP tunnel detection method based on adversarial training and ensemble learning is added. It improves the robustness of the model by generating adversarial samples and combines the strengths of a deep attention network with traditional machine learning models to identify covert tunnel traffic. The method mainly uses the PGD attack to generate adversarial samples, introduces a multi-head attention mechanism to extract deep features, and produces predictions through an MLP, raising the final accuracy to 99.63%. Experiments show that the proposed method improves both detection accuracy and robustness in an adversarial setting. The method also performs traffic analysis and detection at millisecond latency, which meets the requirements of practical ICMP covert channel traffic detection.
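Added example (not code from the paper): the five baseline features named in the abstract, computed from raw ICMP echo messages with the Python standard library. The packets, timestamps and the two sessions below are constructed for the example; grouping a session by (source, destination, ICMP identifier), the zero-duration rule and the zero-reply rule are this example's own assumptions, not the paper's definitions.

```python
"""Baseline features for an ICMP session: average packet length, packet
frequency, session duration, request/reply ratio and payload entropy."""
import hashlib
import math
import struct
from collections import Counter

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request/reply (RFC 792 layout) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP message into header fields and payload; reject bad checksums."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_checksum(packet) != 0:  # a correct message sums to zero
        raise ValueError("bad ICMP checksum")
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def shannon_entropy(data: bytes) -> float:
    """Payload entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def session_features(packets):
    """packets: list of (timestamp_seconds, icmp_bytes) already grouped into one
    session (assumed here: same source, destination and ICMP identifier)."""
    if not packets:
        raise ValueError("empty session")
    parsed = [(ts, parse_icmp(raw), len(raw)) for ts, raw in packets]
    times = [ts for ts, _, _ in parsed]
    duration = max(times) - min(times)
    n = len(parsed)
    requests = sum(1 for _, p, _ in parsed if p["type"] == ICMP_ECHO_REQUEST)
    replies = sum(1 for _, p, _ in parsed if p["type"] == ICMP_ECHO_REPLY)
    return {
        "avg_packet_len": sum(ln for _, _, ln in parsed) / n,
        # assumption: a burst captured at a single instant counts as n packets per second
        "packet_frequency": n / duration if duration > 0 else float(n),
        "session_duration": duration,
        # assumption: a session with no replies is scored as if it had exactly one
        "request_reply_ratio": requests / max(replies, 1),
        "payload_entropy": sum(shannon_entropy(p["payload"]) for _, p, _ in parsed) / n,
    }


def constructed_sessions():
    """Two constructed sessions: a Windows-style ping exchange and a bulk tunnel upload."""
    ping_payload = b"abcdefghijklmnopqrstuvwabcdefghi"  # the 32-byte Windows ping pattern
    benign = []
    for seq in range(1, 5):  # one request/reply pair per second, 1:1, small fixed payload
        t = float(seq - 1)
        benign.append((t, build_echo(ICMP_ECHO_REQUEST, 0x0001, seq, ping_payload)))
        benign.append((t + 0.02, build_echo(ICMP_ECHO_REPLY, 0x0001, seq, ping_payload)))

    tunnel = []
    for seq in range(20):  # 20 requests in one second, 1024 pseudo-random bytes each
        blob = b"".join(hashlib.sha256(b"tunnel-%d-%d" % (seq, k)).digest() for k in range(32))
        tunnel.append((seq * 0.05, build_echo(ICMP_ECHO_REQUEST, 0xBEEF, seq, blob)))
    for seq, t in ((0, 0.5), (1, 1.0)):  # only two short acknowledgements come back
        ack = hashlib.sha256(b"ack-%d" % seq).digest()[:16]
        tunnel.append((t, build_echo(ICMP_ECHO_REPLY, 0xBEEF, seq, ack)))
    return benign, tunnel


if __name__ == "__main__":
    for name, session in zip(("benign ping", "icmp tunnel"), constructed_sessions()):
        print(name, {k: round(v, 3) for k, v in session_features(session).items()})
```

On the constructed sessions the ping exchange yields 40-byte packets, a ratio of 1.0 and an entropy of about 4.4 bits per byte, while the tunnel session yields packets near 940 bytes, a ratio of 10.0 and an entropy above 7.8 bits per byte; those gaps are what the paper's classifiers learn from. Note that entropy alone is weak evidence: a Linux ping carries a timestamp plus an incrementing byte pattern and already scores around 5.5 bits per byte, so the features are meant to be used together.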

Key words: ICMP covert channel, Baseline features, PGD, Attention mechanism, Machine learning
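Added example (not code from the paper): the PGD adversarial-sample step and the adversarial training loop that the abstract describes, written in pure Python against a toy logistic-regression detector so that every step is visible. The paper trains a multi-head attention network and an MLP on real traffic; here a linear model stands in for them. The training vectors (baseline features min-max normalised to [0, 1] in the order average packet length, packet frequency, session duration, request/reply ratio, payload entropy), the perturbation budget eps, the step size and the epoch counts are all this example's assumptions.

```python
"""PGD attack on a feature-space detector and Madry-style adversarial training."""
import math

# Constructed training set: label 1 = ICMP tunnel session, 0 = benign ping session.
TRAIN = [
    ([0.05, 0.10, 0.30, 0.10, 0.55], 0), ([0.06, 0.12, 0.25, 0.12, 0.53], 0),
    ([0.04, 0.08, 0.35, 0.09, 0.57], 0), ([0.07, 0.11, 0.28, 0.11, 0.54], 0),
    ([0.90, 0.80, 0.20, 0.90, 0.98], 1), ([0.85, 0.75, 0.15, 0.95, 0.97], 1),
    ([0.92, 0.85, 0.25, 0.88, 0.99], 1), ([0.88, 0.78, 0.18, 0.92, 0.96], 1),
]


def sigmoid(z):
    """Numerically stable logistic function."""
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def logit(model, x):
    w, b = model
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def predict(model, x):
    """P(tunnel | x) for the linear model (w, b)."""
    return sigmoid(logit(model, x))


def loss(model, x, y):
    """Binary cross-entropy as softplus(-t), t = +/-logit, without forming log(p)."""
    t = logit(model, x) * (1.0 if y == 1 else -1.0)
    return max(-t, 0.0) + math.log1p(math.exp(-abs(t)))


def dloss_dz(z, y):
    """d BCE / d logit, kept non-zero even when the probability saturates at 0 or 1."""
    return sigmoid(z) if y == 0 else -sigmoid(-z)


def grad_x(model, x, y):
    """d loss / d x = dloss_dz * w: the only gradient PGD needs."""
    w, _ = model
    d = dloss_dz(logit(model, x), y)
    return [d * wi for wi in w]


def pgd(model, x0, y, eps, alpha=0.05, steps=10, lo=0.0, hi=1.0):
    """Projected gradient ascent on the loss inside the L-inf ball of radius eps
    around x0, intersected with the valid feature range [lo, hi]."""
    x = list(x0)
    for _ in range(steps):
        g = grad_x(model, x, y)
        x = [xi + alpha * ((gi > 0) - (gi < 0)) for xi, gi in zip(x, g)]  # sign step
        x = [min(max(xi, x0i - eps, lo), x0i + eps, hi) for xi, x0i in zip(x, x0)]  # project
    return x


def train(data, epochs=2000, lr=0.5, eps=None):
    """Full-batch gradient descent. With eps set, every epoch trains on the PGD
    worst case of each sample instead of the clean sample (adversarial training)."""
    dim = len(data[0][0])
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * dim, 0.0
        for x, y in data:
            if eps:
                x = pgd((w, b), x, y, eps)
            d = dloss_dz(logit((w, b), x), y)
            gw = [gi + d * xi for gi, xi in zip(gw, x)]
            gb += d
        n = len(data)
        w = [wi - lr * gi / n for wi, gi in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def accuracy(model, data, eps=0.0):
    """Clean accuracy (eps=0) or robust accuracy against PGD with budget eps."""
    correct = 0
    for x, y in data:
        if eps:
            x = pgd(model, x, y, eps)
        correct += (predict(model, x) >= 0.5) == (y == 1)
    return correct / len(data)


if __name__ == "__main__":
    clean = train(TRAIN)
    robust = train(TRAIN, eps=0.2)
    x0, y = TRAIN[4]
    x_adv = pgd(clean, x0, y, eps=0.2)
    print("clean model: p(tunnel|x0)=%.4f  p(tunnel|x_adv)=%.4f" % (predict(clean, x0), predict(clean, x_adv)))
    print("robust accuracy at eps=0.2: clean-trained %.2f, adversarially trained %.2f"
          % (accuracy(clean, TRAIN, 0.2), accuracy(robust, TRAIN, 0.2)))
```

For a linear model the worst case inside the eps-ball is reached in closed form (each feature moves eps in the direction opposite to the sign of its weight), so the ten projected steps exist only to show the general loop that a non-linear attention network or MLP actually needs. The budget matters in feature space: eps here is a fraction of each normalised feature's range, and an attacker who can pad packets, slow the send rate and answer requests is moving exactly these coordinates, which is the bypass the abstract's adversarial-training stage is meant to absorb.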

CLC Number: TP393