IEEE Access (Jan 2023)

SPYIPv6: Locating Covert Data in One or a Combination of IPv6 Header Field(s)

  • Punam Bedi,
  • Vinita Jindal,
  • Arti Dua

DOI
https://doi.org/10.1109/ACCESS.2023.3318172
Journal volume & issue
Vol. 11
pp. 103486 – 103501

Abstract

Advancement in the utilization of the IPv6 protocol has led to an increase in research related to its security. In recent times, researchers have proposed the possibility of covert channels over networks, termed Network Covert Channels (NCCs), which may exploit IPv6. An NCC is a serious threat that provides a hidden avenue for the transfer of information from one end to another. Hence, to detect and locate such threats that use IPv6 packets as cover, SPYIPv6 is proposed. It detects the existence of hidden information in IPv6 packets and further identifies its location in one or a combination of IPv6 header field(s). The proposed SPYIPv6 comprises two layers. The first layer detects the covert IPv6 packets in the network traffic using a binary K-Nearest-Neighbour (b-KNN) classifier. These packets are then passed to the second layer, which locates the header field(s) carrying covert data using a multiclass K-Nearest-Neighbour (m-KNN) classifier. The experimentation dataset was generated from normal and covert IPv6 packet samples. Normal packets were obtained from the Center for Applied Internet Data Analysis (CAIDA), whereas covert packets were obtained using an NCC generation tool (pcapStego) and Python scripts. Experimentation results show that SPYIPv6 attains an accuracy of 99.85% in detecting and identifying the location of hidden information in the IPv6 header. Further, when compared with its counterparts, SPYIPv6 provides higher accuracy in less testing time, justifying its suitability for the detection and location of covert information present in one or a combination of the header field(s) of an IPv6 packet.

Keywords