Detecting and Locating Storage-Based Covert Channels in Internet Protocol Version 6

Increased usage of the Internet has risen the demand for more IP addresses across the globe resulting in replacement of IPv4 by IPv6 protocol. Hence, security of IPv6 has become a vital area of research. One of the serious threats to Internet security is the presence of Network Covert Channels (NCCs) that provide substantial aid for performing covered communications like exchanging secret data and/or exfiltrating secret information from the organizations. To detect such malicious activities, there is an urgent requirement to develop and deploy efficient detection mechanisms in real-time networks. Further, to decode the hidden communications, there is an additional need to identify the location of covert data. Thus, this paper proposes a system for detecting and locating storage-based NCC(s) in IPv6 using Deep Neural Network (DNN) and One-vs-Rest (OvR) technique with Support Vector Machine (SVM). The proposed system is a two-layered system. Layer 1 detects an IPv6 packet as a normal/covert packet. Layer 2 locates the storage area of secret data in the covert packets detected at Layer 1. For experimentation, a dataset of normal and covert IPv6 packets was created using CAIDA’s dataset and pcapStego tool. Experiments were conducted to select the appropriate classifiers at both layers of the proposed system. With DNN and OvR SVM selected as the classifiers at Layer 1 and Layer 2 respectively, the proposed system locates covert data in IPv6 packets with an Accuracy of 99.7% and an average prediction time of 0.0719 seconds per covert sample, making it suitable for real-time deployment.