An Approach for Thwarting Malicious Secret Channel: The Case of IP Record Route Option Header-Based Covert Channels

Abstract

The Internet constitutes actually one of the main communication platforms for cybercriminals and terrorists to exchange secret messages and hidden information. The use of clear or non-encrypted network traffic to communicate over the Internet allows steganalysis process and surveillance agencies to easily identify the presence of secret messages and hidden information, and classify the involved entities as potential cyber criminals or terrorists. However, covert channels can be an efficient and remedial communication solution for cybercriminals and terrorists to exchanged secret messages and hidden information. In fact, most covert channels attempt to send clear and non- encrypted messages embedded in the fields of network packets in order to offer robust communication channels against steganalysis. Nevertheless, covert channels are an immense cause of security concern and are classified as a serious threat because they can be used to pass malicious messages. This explains why detection and elimination of covert channels are considered a big issue that faces security systems and needs to be addressed. In this paper, a novel approach for detecting a particular type of covert channels is discussed. The covert channel uses the IP Record route option header in network IP packets to send secret messages and hidden information. The paper demonstrates that this type of covert channels is not robust enough against steganalysis. The proposed detection approach is based on the IP Loose source route option header. Conducted experiments show that the proposed approach is simple and straightforward to implement and can contribute to identifying malicious online activities of cyber criminals and terrorists.