Abstract

An HTTP cookie covert channel is a covert communication method that encodes malicious information in cookie fields to escape regulatory audits. Such channels are difficult to detect from the cookie content alone, because cookie fields are mainly encoded in custom modes. To effectively identify HTTP cookie covert channels, this paper proposes a detection method based on the interaction features of the session flow. First, we split the HTTP session flow into fine-grained “interaction process” subflows to comprehensively describe the communication process of the cookie. Then, based on the interaction process, we compare and analyze the differences between HTTP cookie covert channels and normal cookie communications, design three types of 7-dimensional features, and build a detection model using a machine learning algorithm. Experimental results show that our method can effectively detect HTTP cookie covert channels, and the detection rate can reach 99%. We also prove, through experiment and analysis, that our method has advantages in stability and time performance compared with existing detection methods. In addition, our method has a degree of practicability in a simulation environment with imbalanced data.
