Covert Channel Detection and Analysis System Based on Data Mining

Covert channels and tunneling approaches are becoming a severe threat to information security. Penetration tools are employed to transit sensitive information through authorized streams. Since many current solutions are based on expert’s experiences or latter-wit, a self-learning detection and analysis system is starved for. A data mining framework for Covert Channel Detection and Analysis System (CCDAS) is presented in this paper. It utilizes protocol analysis method to reassemble each network connections according to all kinds of protocol specifications, and apply data mining programs to construct features that can accurately distinguish the abnormal behaviors of covert channels from the normal activities. The main components of CCDAS (namely Protocol Analyzer, Feature Constructor and Class Identifier) work together and detect various emerging covert channels automatically. Key-Words: information security, covert channel, data mining