Title: A Self-Attention Mechanism-Based Model to Detect IPv6 Multi-Field Covert Channels
Authors: Liancheng Zhang; Jichang Wang; Yi Guo; Hongtao Zhang; Lanxin Cheng; Wenhao Xia
Journal: IEEE Transactions on Cognitive Communications and Networking, volume 11, issue 1, pages 258-273
Publication date: 2024-07-01
Publication type: Journal Article
DOI: 10.1109/TCCN.2024.3421309
URL: https://ieeexplore.ieee.org/document/10579878/
Impact factor: 7.0 (JCR Q1, Telecommunications; category: Computer Science, region 1)
Open access: no
Citations: 0
Abstract
IPv6 covert channels have emerged as a novel type of network threat, which poses new challenges to network security. Multi-field covert channels make use of distributed embedding technology to scatter covert information across multiple packet fields. Existing deep learning-based methods for detecting IPv6 covert channels primarily focus on detecting single-field covert channels, limiting their capability to detect multi-field covert channels and thereby restricting their applicability in large-scale distributed network environments. Furthermore, current research efforts predominantly concentrate on detecting covert channels that embed secret information within the IPv6 header, while overlooking the potential covert channels present within the IPv6 extension headers. To address these issues, we propose a model for detecting IPv6 multi-field covert channels based on a self-attention mechanism, which utilizes a multi-head attention mechanism to aggregate input data, compute correlation scores between different subfields, and then weight-average the subfields to detect and locate covert channels. Our model is evaluated on the IPv6 covert channel dataset, and the results demonstrate its capability to detect multi-field covert channels constructed using both the IPv6 header and IPv6 extension headers, encompassing a total of 23 detection types. Compared to BNS-CNN and DICCh-D, the detectable fields have been increased by 2.5 times. Additionally, our model demonstrates significant precision (97.13%) and a low false positive rate (6.3%) in detecting and locating multiple scenarios.
About the journal:
The IEEE Transactions on Cognitive Communications and Networking (TCCN) aims to publish high-quality manuscripts that push the boundaries of cognitive communications and networking research. Cognitive, in this context, refers to the application of perception, learning, reasoning, memory, and adaptive approaches in communication system design. The transactions welcome submissions that explore various aspects of cognitive communications and networks, focusing on innovative and holistic approaches to complex system design. Key topics covered include architecture, protocols, cross-layer design, and cognition cycle design for cognitive networks. Additionally, research on machine learning, artificial intelligence, end-to-end and distributed intelligence, software-defined networking, cognitive radios, spectrum sharing, and security and privacy issues in cognitive networks is of interest. The publication also encourages papers addressing novel services and applications enabled by these cognitive concepts.