Detection of Size Modulation Covert Channels Using Countermeasure Variation

Network covert channels enable stealthy communications for malware and data exfiltration. For this reason, developing effective countermeasures for these threats is important for the protection of individuals and organizations. However, due to the large number of available covert channel techniques, it is considered impractical to develop countermeasures for all existing covert channels. In recent years, researchers have started to develop countermeasures that, instead of countering only one particular hiding technique, can be applied to a whole family of similar hiding techniques. These families are referred to as hiding patterns. Considering the above, the main contribution of this paper is to introduce the concept of countermeasure variation. Countermeasure variation is a slight modification of a given countermeasure that was designed to detect covert channels of one specific hiding pattern, so that the countermeasure can also detect covert channels that represent other hiding patterns. We exemplify countermeasure variation using the compressibility score, the ε-similarity and the regularity metric originally presented by Cabuk et al. All three methods are used to detect covert channels that utilize the Inter-packet Times pattern, and we show that countermeasure variation allows the application of these countermeasures to detect covert channels of the Size Modulation pattern, too.
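As an added illustration (not code from the paper), the sketch below applies two of the named metrics, the compressibility score and the ε-similarity, to a sequence of packet sizes instead of inter-packet times. The string encoding of the sizes, the function names and both sample flows are assumptions constructed for this example.

```python
import random
import zlib

def compressibility(sizes):
    """kappa = |S| / |C|: length of the size string over its zlib-compressed length."""
    # Assumed encoding: zero-padded decimal sizes joined by commas.
    s = ",".join(f"{v:04d}" for v in sizes).encode()
    return len(s) / len(zlib.compress(s, 9))

def eps_similarity(sizes, eps):
    """Share of adjacent values in the sorted sequence whose relative difference is < eps."""
    ordered = sorted(sizes)  # packet sizes are positive, so dividing by a is safe
    diffs = [abs(b - a) / a for a, b in zip(ordered, ordered[1:])]
    return sum(d < eps for d in diffs) / len(diffs)

def sample_flows(n=400, seed=1):
    """Constructed data: a covert flow that signals bits with two packet sizes,
    and a benign-looking flow with sizes spread over 40..1500 bytes."""
    rng = random.Random(seed)
    covert = [100 if rng.getrandbits(1) else 200 for _ in range(n)]
    benign = [rng.randint(40, 1500) for _ in range(n)]
    return covert, benign

if __name__ == "__main__":
    covert, benign = sample_flows()
    for name, flow in (("covert", covert), ("benign", benign)):
        print(f"{name}: kappa={compressibility(flow):.2f} "
              f"eps_sim(0.01)={eps_similarity(flow, 0.01):.3f}")
```

Higher values of both metrics indicate more regular packet sizes; a detection threshold has to be derived from baseline traffic of the monitored network.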
