Design and analysis of the covert channel implemented by behaviors of network users

In this paper, a novel covert channel, called the covert behavior channel, is proposed based on the behaviors of network users to address the security and efficiency problems of traditional covert channels. In the proposed channel, operation sequences of network protocols are used as carriers of covert information. An encryption-based information embedding scheme is designed to improve the security of the covert information. Using a Markov model, the capacity of the proposed covert channel with time-varying noise is derived. A formulation is presented for analyzing the covert behavior channel under channel noise caused by discarded packets. The security of the channel is verified by applying a corrected entropy-based algorithm to detect the covert behavior channel. Numerical results show that the proposed covert behavior channel is more secure than covert storage channels and achieves a better bit rate and robustness than covert timing channels. Copyright © 2016 John Wiley & Sons, Ltd.
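The abstract names a corrected entropy-based detection algorithm without giving its details. The following added example (not code from the paper) assumes it is the standard corrected conditional entropy, CE(m) + perc(m) · EN(1) minimised over the pattern length m, and scores sequences of protocol operations with it. The FTP command names and both sample sessions are constructed; a detector would compare a flow's score against a baseline measured on legitimate traffic.

```python
import math
import random
from collections import Counter

def _entropy(counts):
    """Shannon entropy in bits of a Counter of pattern occurrences."""
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def _patterns(seq, m):
    """Count every window of m consecutive operations."""
    return Counter(tuple(seq[i:i + m]) for i in range(len(seq) - m + 1))

def corrected_conditional_entropy(seq, max_m=5):
    """Return min over m of CE(m) + perc(m) * EN(1).

    CE(m)   = H(m) - H(m-1), conditional entropy of the m-th operation
    perc(m) = share of length-m windows that occur exactly once
    EN(1)   = first-order entropy of single operations
    The perc term corrects the false drop of CE(m) on short samples.
    """
    if len(seq) < 2:
        raise ValueError("need at least two operations")
    en1 = _entropy(_patterns(seq, 1))
    best, prev_h = en1, en1
    for m in range(2, min(max_m, len(seq)) + 1):
        pats = _patterns(seq, m)
        h = _entropy(pats)
        perc = sum(1 for c in pats.values() if c == 1) / sum(pats.values())
        best = min(best, (h - prev_h) + perc * en1)
        prev_h = h
    return best

# Constructed operation alphabet (FTP commands) for illustration only.
OPS = ["USER", "PASS", "CWD", "LIST", "RETR", "QUIT"]

def scripted_session(repeats=50):
    """Constructed sample: the same command cycle repeated (fully regular)."""
    return OPS * repeats

def shuffled_session(length=300, seed=7):
    """Constructed sample: commands drawn independently at random."""
    rng = random.Random(seed)
    return [rng.choice(OPS) for _ in range(length)]

if __name__ == "__main__":
    for name, seq in (("scripted", scripted_session()),
                      ("shuffled", shuffled_session())):
        print(f"{name}: CCE = {corrected_conditional_entropy(seq):.3f} bits")
```

The score measures only how predictable the operation order is; which direction of deviation indicates a covert sender depends on the legitimate baseline, which this page does not give.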
