Detection of Covert Channels over ICMP Protocol

With the growing complexity of networks and communications protocols that become increasingly enormous and extensive, we are confronted with the problem of covert channel that affects the confidentiality and integrity of data sent in the network. Covert channels also known as hidden channels can elude basic security systems such as Intrusion Detection Systems (IDS) and firewalls. We propose in this work a method to monitor and detect the presence of hidden channels that are based on an essential monitoring protocol "Internet Control Message Protocol" (ICMP). We undergo the network traffic with a set of verifications ranging from simple fields verification to more complex pattern matching operations. To validate our idea, we have installed Ptunnel, a tool that allows to tunnel TCP connections to a remote host using ICMP echo request and reply packets. Our experimental results show the possibility to discover such malicious traffic with high performance.