Network covert channels detection using data mining and hierarchical organisation of frequent sets: an initial study
P. Nowakowski, Piotr Żórawski, Krzysztof Cabaj, W. Mazurczyk
Proceedings of the 15th International Conference on Availability, Reliability and Security, published 2020-08-25
DOI: 10.1145/3407023.3409217
Currently, malware developers are increasingly turning their attention towards various types of information hiding techniques to conceal their malicious actions on the compromised machine or the network. One group of such mechanisms is network covert channels (CCs), which utilize subtle modifications to legitimate network traffic to carry secret data. Unfortunately, no general detection approach currently exists that is able to fight covert communication in an efficient and scalable manner. On the contrary, typically for a given information hiding technique a dedicated detection solution is devised. That is why, in this paper, we investigate the possibility of utilizing a data mining approach to detect network covert channels, both distributed and undistributed. Specifically, we propose to rely on the hierarchical organisation of frequent sets discovered by the data mining algorithm and to use it together with an outlier detection-based traffic classifier. Initial performance results reveal that the proposed solution has potential, but it needs to be further evaluated in more realistic scenarios.