Pattern-Based Survey and Categorization of Network Covert Channel Techniques

Network covert channels are used to hide communication inside network protocols. Various techniques for covert channels have arisen in the past few decades. We surveyed and analyzed 109 techniques developed between 1987 and 2013 and show that these techniques can be reduced to only 11 different patterns. Moreover, the majority (69.7%) of techniques can be categorized into only four different patterns (i.e., most techniques we surveyed are similar). We represent the patterns in a hierarchical catalog using a pattern language. Our pattern catalog will serve as a base for future covert channel novelty evaluation. Furthermore, we apply the concept of pattern variations to network covert channels. With pattern variations, the context of a pattern can change. For example, a channel developed for IPv4 can automatically be adapted to other network protocols. We also propose two pattern-based covert channel optimizations: pattern hopping and pattern combination. Finally, we lay the foundation for pattern-based countermeasures: whereas many current countermeasures were developed for specific channels, a pattern-oriented approach allows application of one countermeasure to multiple channels. Hence, future countermeasure development can focus on patterns, and the development of real-world protection against covert channels is greatly simplified.
