IP Covert Channel Detection

A covert channel can occur when an attacker finds and exploits a shared resource that is not designed to be a communication mechanism. A network covert channel operates by altering the timing of otherwise legitimate network traffic so that the arrival times of packets encode confidential data that an attacker wants to exfiltrate from a secure area from which she has no other means of communication. In this article, we present the first public implementation of an IP covert channel, discuss the subtle issues that arose in its design, and evaluate its efficacy. We then show that an IP covert channel can be differentiated from legitimate channels and present new detection measures that achieve detection rates over 95%. We next take the simple step an attacker would take to conceal the covert communication: adding noise to the channel. For these noisy IP covert timing channels, we show that our online detection measures can fail to identify the covert channel at noise levels above 10%. We then provide effective offline search mechanisms that identify the noisy channels.
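As an added illustration (not part of the paper), the following Python builds synthetic inter-arrival traces and applies a simple windowed regularity measure to them, showing why a two-level timing channel stands out against bursty legitimate traffic and how injected noise pushes its score toward the legitimate range. The two-delay encoding, the Pareto model for legitimate traffic, the window size and the 0.05 cut-off are all assumptions of this example, not the paper's own measures.

```python
import random
import statistics

# Constructed traces only; nothing is sent on a network. Delays are seconds.
SHORT, LONG = 0.04, 0.08   # assumed inter-arrival times encoding bit 0 / bit 1


def legitimate_trace(n, seed=1):
    """Stand-in for legitimate traffic: heavy-tailed (Pareto) inter-arrival
    times, mimicking the burstiness of real wide-area packet streams."""
    rng = random.Random(seed)
    return [0.01 * rng.paretovariate(1.5) for _ in range(n)]


def covert_trace(bits, noise=0.0, seed=2):
    """Inter-arrival times of a two-level timing channel carrying `bits`.
    A fraction `noise` of the intervals is replaced by legitimate-looking
    random delays, modelling an attacker trying to hide the regularity."""
    rng = random.Random(seed)
    trace = []
    for b in bits:
        if rng.random() < noise:
            trace.append(0.01 * rng.paretovariate(1.5))
        else:
            trace.append(LONG if b else SHORT)
    return trace


def regularity_score(intervals, window=100):
    """Assumed detection measure: how much the spread of inter-arrival times
    drifts between consecutive windows (coefficient of variation of the
    per-window standard deviations). A timing channel re-uses the same few
    delays, so every window has nearly the same spread and the score is
    close to 0; bursty legitimate traffic scores far higher."""
    sigmas = [statistics.pstdev(intervals[i:i + window])
              for i in range(0, len(intervals) - window + 1, window)]
    mean_sigma = statistics.mean(sigmas)
    return statistics.pstdev(sigmas) / mean_sigma if mean_sigma else 0.0


def is_covert(intervals, threshold=0.05):
    """Flag a trace whose windowed spread is implausibly stable (assumed cut-off)."""
    return regularity_score(intervals) < threshold


if __name__ == "__main__":
    rng = random.Random(3)
    bits = [rng.randrange(2) for _ in range(1000)]
    for label, trace in [("legitimate", legitimate_trace(1000)),
                         ("covert, no noise", covert_trace(bits)),
                         ("covert, 30% noise", covert_trace(bits, noise=0.3))]:
        print(f"{label:18s} score={regularity_score(trace):.3f} "
              f"flagged={is_covert(trace)}")
```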
