Mimic: An active covert channel that evades regularity-based detection

A covert timing channel is a hidden communication channel based on network timing that an attacker can use to sneak secrets out of a secure system. Active covert channels, in which the attacker uses a program to automatically generate innocuous traffic to use as a medium for embedding the covert channel, are especially problematic, as they allow the attacker to output large amounts of secret data. Further, it is relatively easy to create an active covert channel that outputs traffic with the same delay distribution as legitimate traffic. However, these channels are generally detectable due to their regularity: as they are generated by a computer program, they do not have the variations found in human-generated traffic. In this work, we show how to build an active covert channel that generates traffic in a purposefully irregular manner. In particular, we propose Mimic, an active covert channel that mimics both the shape and regularity of legitimate traffic to disguise its presence. Mimic includes two modules, a shape modeler and a regularity modeler, for learning about the statistical properties of real traffic and generating traffic with the same properties. The main novelty of Mimic stems from its ability to produce irregular patterns similar to those of legitimate traffic while maintaining the distribution shape. To measure the effectiveness of our mechanism, we run experiments for both detection and throughput over a LAN and over the Internet. Our results show that Mimic can generate channels with a wide range of regularity values, making it undetectable by any known detection technique, without sacrificing channel capacity.
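The distinction the abstract draws between the shape and the regularity of traffic can be seen in a small detector-side sketch. This is an added example, not code from the paper: the windowed statistic, the window size and the constructed traces are assumptions, since the page does not specify which regularity measure the authors evaluate.

```python
import random
import statistics


def regularity_score(ipds, window=100):
    """Std dev of pairwise relative differences between per-window std devs.

    Low values mean every window looks alike (machine-like regularity).
    """
    sigmas = [statistics.pstdev(ipds[i:i + window])
              for i in range(0, len(ipds) - window + 1, window)]
    diffs = [abs(si - sj) / si
             for i, si in enumerate(sigmas) if si > 0
             for sj in sigmas[i + 1:]]
    if len(diffs) < 2:
        raise ValueError("need at least three windows of delays")
    return statistics.pstdev(diffs)


def constructed_bursty_trace(n_windows=40, window=100, seed=7):
    """Constructed stand-in for human-driven traffic: activity shifts over time."""
    rng = random.Random(seed)
    trace = []
    for _ in range(n_windows):
        mean_delay = rng.choice([0.01, 0.05, 0.2, 1.0])  # seconds, constructed
        trace.extend(rng.expovariate(1.0 / mean_delay) for _ in range(window))
    return trace


def same_shape_shuffled(trace, seed=11):
    """Same delays in random order: identical shape, no time structure."""
    rng = random.Random(seed)
    shuffled = list(trace)
    rng.shuffle(shuffled)
    return shuffled


if __name__ == "__main__":
    human_like = constructed_bursty_trace()
    machine_like = same_shape_shuffled(human_like)
    print("shape identical:", sorted(human_like) == sorted(machine_like))
    print("score, bursty trace  :", round(regularity_score(human_like), 3))
    print("score, shuffled trace:", round(regularity_score(machine_like), 3))
```

Both traces have exactly the same delay distribution, so a shape test cannot separate them, while the regularity score does. Since the abstract reports that Mimic reproduces regularity as well, a monitor should not rely on this statistic alone.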
