Covert timing channel detection method based on random forest algorithm

2017 
Network stealth events emerge in an endless stream, and the covert timing channel is one of the most difficult means to prevent. To further improve the detection rate of covert timing channels when the embedded information length is small, this paper analyzes the detection method based on SVM. On the basis of that analysis, it adds a variety of statistical features and proposes a detection method based on the random forest algorithm. The Inter-Packet Delay sequence of the covert timing channel is described by its statistical features of each order, and these features are used as the communication fingerprint of the covert channel. A classifier based on the random forest algorithm is then trained on the communication fingerprints of the samples and used to judge whether the channel under test is a normal channel. The experimental results show that the method can effectively detect the covert timing channel when the length of the embedded information is small. Compared with existing related work, this method shows a certain improvement, and the importance of the proposed statistical features is evaluated.
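The pipeline the abstract describes (IPD window, statistical fingerprint, tree-ensemble classifier) is sketched below as an added example; it is not the paper's code. Everything specific is an assumption: the fingerprint is read as the moments of orders 1 to 4, the traffic is constructed (exponential normal IPDs, a two-delay on/off covert channel), and the forest is simplified to bagged one-split trees with random feature subsets.

```python
import random
import statistics as st

def fingerprint(ipds):
    """Moments of orders 1-4 of one IPD window: mean, std, skewness, kurtosis."""
    m, sd = st.fmean(ipds), st.pstdev(ipds)
    z = [(x - m) / sd for x in ipds]
    return [m, sd, st.fmean([v ** 3 for v in z]), st.fmean([v ** 4 for v in z])]

def make_window(rng, covert, n=40):
    """Constructed sample traffic; n=40 stands in for a short embedded message."""
    if covert:  # assumed on/off channel: bit 0 -> 50 ms, bit 1 -> 150 ms, plus jitter
        return [rng.choice((0.05, 0.15)) + rng.gauss(0, 0.005) for _ in range(n)]
    return [rng.expovariate(10.0) for _ in range(n)]  # assumed normal traffic, mean 100 ms

def fit_stump(rng, rows):
    """One-split tree: best threshold over 2 randomly chosen features (of 4)."""
    best = None
    for f in rng.sample(range(4), 2):
        for t in (r[0][f] for r in rows):
            # hits = correct answers for the rule "covert if x[f] <= t"
            hits = sum((x[f] <= t) == bool(y) for x, y in rows)
            for flip, score in ((False, hits), (True, len(rows) - hits)):
                if best is None or score > best[0]:
                    best = (score, f, t, flip)
    return best[1:]

def fit_forest(rng, rows, trees=25):
    """Bagging: every tree is fitted on its own bootstrap resample."""
    return [fit_stump(rng, rng.choices(rows, k=len(rows))) for _ in range(trees)]

def predict(forest, x):
    """Majority vote; returns 1 for covert, 0 for normal."""
    votes = sum((x[f] <= t) != flip for f, t, flip in forest)
    return int(votes * 2 > len(forest))

def evaluate(seed=7):
    """Train on 200 labelled windows, return accuracy on 100 held-out ones."""
    rng = random.Random(seed)
    data = [(fingerprint(make_window(rng, c)), c) for c in (0, 1) for _ in range(150)]
    rng.shuffle(data)
    train, test = data[:200], data[200:]
    forest = fit_forest(rng, train)
    return sum(predict(forest, x) == y for x, y in test) / len(test)

if __name__ == "__main__":
    print("held-out accuracy:", evaluate())
```

Both constructed traffic classes have the same mean delay, so the first-order feature alone cannot separate them; the separation comes from the higher-order moments.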