Detection of TCP covert channel based on Markov model

Network covert channel is a covert communication method by hiding covert messages into overt network packets. In recent years, with the development of various hiding methods, network covert channel has become a new kind of threat for network security. The covert channel that uses the redundancies existing in TCP protocol to make hiding is called TCP covert channel. In this paper, the behaviors of TCP flows are modeled by the Markov chain composed of the states of TCP packets. And the abnormality caused by TCP covert channel is described by the difference between the overt and covert TCP transition probability matrix. The detection method based on MAP is proposed to detect the covert communication hidden in TCP flows under various applications such as HTTP, FTP, TELNET, SSH and SMTP. Experiments show that the proposed algorithm achieves better detection performance than the existing methods.