On the Performance of Anomaly Detection Systems Uncovering Traffic Mimicking Covert Channels

Anomaly Detection Systems aim to construct accurate models of network traffic with the objective of discovering as yet unknown malicious traffic patterns. In this paper, we study the use of the same methods to create a covert channel that is not discovered by Anomaly Detection Systems and can be used to exfiltrate (malicious) traffic from a network. The channel is created by imitating the current network traffic behaviour as observed through passive network analysis. Moreover, we present methods for calculating thresholds for the bandwidth of the channel such that, with high probability, the resulting traffic falls within the margins of the Anomaly Detection System under consideration. We also present results of practical experiments with commonly used Anomaly Detection Systems, showing the practical applicability of our approach.

Keywords: Anomaly Detection; Mimicry; Covert Channel
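The bandwidth-threshold idea in the abstract can be illustrated with a simple model. The following is an added example, not code from the paper, and it assumes a hypothetical detector that flags any time window whose packet count exceeds mean + k·σ of a passively observed baseline (the paper's actual detectors and threshold derivations are not specified here). The baseline windows are constructed with a seeded generator. Given a tolerated detection probability ε, the largest per-window injection rate the channel may add on top of the mimicked traffic is the distance between the detector's threshold and the (1 − ε) empirical quantile of the baseline: adding more than that pushes more than an ε fraction of windows over the line.

```python
"""Sizing a traffic-mimicking covert channel against a threshold-based
anomaly detector.  Added illustration; the detector model, the baseline
and the parameter names are assumptions, not the paper's method."""
import math
import random
import statistics
from typing import List


def make_baseline(n: int = 2000, mean: float = 200.0, sd: float = 20.0,
                  seed: int = 7) -> List[float]:
    """Constructed baseline: packets per window as a passive observer
    would record them (synthetic, roughly Gaussian, non-negative)."""
    rng = random.Random(seed)
    return [max(0.0, float(round(rng.gauss(mean, sd)))) for _ in range(n)]


def detector_threshold(baseline: List[float], k: float = 3.0) -> float:
    """Hypothetical ADS rule: a window is anomalous when its packet count
    exceeds mean + k * stdev of the learned baseline."""
    return statistics.fmean(baseline) + k * statistics.pstdev(baseline)


def empirical_quantile(samples: List[float], p: float) -> float:
    """Smallest sample value q such that at least a fraction p of the
    samples are <= q (so at most 1-p of them are strictly above q)."""
    s = sorted(samples)
    idx = min(len(s) - 1, max(0, math.ceil(p * len(s)) - 1))
    return s[idx]


def max_covert_rate(baseline: List[float], k: float, eps: float) -> float:
    """Largest constant number of extra packets per window the covert
    channel may inject so that P(baseline + c > threshold) <= eps,
    estimated from the baseline's own empirical distribution."""
    threshold = detector_threshold(baseline, k)
    q = empirical_quantile(baseline, 1.0 - eps)
    # Combined count b + c exceeds the threshold iff b > threshold - c;
    # requiring that to happen for at most an eps fraction of windows
    # means threshold - c >= q, i.e. c <= threshold - q.
    return max(0.0, threshold - q)


def flagged_fraction(baseline: List[float], extra: float,
                     threshold: float) -> float:
    """Fraction of windows the detector flags when `extra` covert packets
    are added to every window of the baseline."""
    flagged = sum(1 for b in baseline if b + extra > threshold)
    return flagged / len(baseline)


def channel_bits_per_second(rate_per_window: float, window_seconds: float,
                            bits_per_packet: float) -> float:
    """Convert the per-window packet budget into a bit rate; the encoding
    density (bits per mimicked packet) is an assumed parameter."""
    return rate_per_window * bits_per_packet / window_seconds


# Module-level worked instance (k = 3 sigma rule, 1 % tolerated detections).
BASELINE = make_baseline()
THRESHOLD = detector_threshold(BASELINE, 3.0)
MAX_RATE = max_covert_rate(BASELINE, 3.0, 0.01)

if __name__ == "__main__":
    print(f"threshold = {THRESHOLD:.1f} packets/window")
    print(f"max covert rate = {MAX_RATE:.1f} packets/window")
    print(f"flagged at that rate: {flagged_fraction(BASELINE, MAX_RATE, THRESHOLD):.3%}")
    print(f"flagged at double:    {flagged_fraction(BASELINE, 2 * MAX_RATE + 1, THRESHOLD):.3%}")
    print(f"~{channel_bits_per_second(MAX_RATE, 60.0, 8.0):.2f} bit/s with 8 bits/packet, 60 s windows")
```

Two caveats a practitioner would add. The quantile is estimated on the same windows the detector was trained on, so the guarantee is in-sample; a held-out capture should be used to estimate ε. And the model only captures a single volumetric statistic, whereas the detectors cited in the paper also look at header fields and payload content, each of which imposes its own margin on the channel.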
