Effective Detection of Multimedia Protocol Tunneling using Machine Learning

Multimedia protocol tunneling enables the creation of covert channels by modulating data into the input of popular multimedia applications such as Skype. To be effective, protocol tunneling must be unobservable, i.e., an adversary should not be able to distinguish the streams that carry a covert channel from those that do not. However, existing multimedia protocol tunneling systems have been evaluated using ad hoc methods, which casts doubt on whether such systems are indeed secure, for instance, for censorship-resistant communication. In this paper, we conduct an experimental study of the unobservability properties of three state-of-the-art systems: Facet, CovertCast, and DeltaShaper. Our work reveals that previous claims regarding the unobservability of the covert channels produced by those tools were flawed, and that existing machine learning techniques, namely those based on decision trees, can uncover the vast majority of those channels while incurring comparatively lower false positive rates. We also explore the application of semi-supervised and unsupervised machine learning techniques. Our findings suggest that the existence of manually labeled samples is a requirement for the successful detection of covert channels.
