Analysis and Detection of Network Covert Channels
Sweety Chauhan, CMSC 691 IA, 30th Nov. 2005, chauhan2@umbc.edu
Outline • New and Significant • Summary of the results • Covert network channels • timestamp field as covert channel • Network timing channel • regularity of timing channel • channel capacity
Summary of results • Embedding covert messages in the TCP timestamp field is practical; the Covert_ts system demonstrates it • Covert timing channels can be detected by • regularity in the timing channel • use of the channel capacity (how close the observed symbol distribution is to the capacity-achieving one)
Motivation The network is heavily guarded with • Intrusion Detection Systems (IDS) • Packet Anomaly Detection Systems (PADS) • Firewalls The intruder has very limited options for getting data out. Exfiltration is possible by: • FTP – detected in log files and traffic dumps • Communication via high port numbers – can trigger Packet Anomaly Detection Systems • Encoding data in unused fields of packet headers – detected by IDS and PADS The attacker will therefore look for more covert ways of moving data out of the compromised network. Hence, detection of network covert channels (both storage and timing channels) matters.
New • Covert_ts: an implementation of embedding covert messages in the TCP timestamp option (the possibility had been discussed in the research community, but not implemented) • A proposed detection method for timing channels based on channel capacity (information theory)
Previous work – TCP Covert Tools • Most prior work concentrates on covert storage channels rather than covert timing channels • TCP covert channels • Covert_TCP • IP identification field • TCP ISN field • TCP ACK number • Nushu • TCP ISN
Hierarchy of Covert Channels Family of Covert Channels • Steganography • Text Manipulation (word manipulation) • Images / Audio / Executables (data appending; EOF / headers / footers) • Operating Systems (data hiding / alternate data streams) • Network Channels • TCP / IP Channels
[Figure: IP header, highlighting fields that may be used as a covert channel, including the variable-length options field (0-40 bytes)]
[Figure: TCP header, highlighting the Timestamp option inside the variable-length options field (0-40 bytes)]
TCP Option – Timestamp (RFC 1323) • allows a host to accurately measure the round trip time of a path • consists of two 32-bit fields – TS Value and TS Echo Reply • TS Value is set by the ‘timestamp clock’ of the sender • use of TCP timestamps is not universal
Timestamp Low-bit Modulation • Covert_ts system • System requirements • Linux kernel 2.4.9 or higher • libpcap • Modulate low bit of TCP timestamp to convey data • At low bandwidths, the low bit of the timestamp is quite random
Timestamp Evaluation • Bandwidth • Low- one bit per TCP segment • Detection • extremely difficult for low bandwidth • Prevention • Moderate, take out TCP timestamp option • Permissibility • all networks
Difficulty in Implementation • Timestamp clock’s tick frequency is between 1Hz and 1 kHz • Must be strictly monotonic • a fast connection will be slowed down while sending covert data
Sending component is a Linux kernel module that modifies outgoing TCP/IP traffic by replacing the network device’s hard_start_xmit function • checks whether the packet is a TCP segment carrying a timestamp option • calculates by how much the timestamp must be raised so that its low bit carries the next covert bit, raises it, and delays the segment for that long • Receiving component sniffs incoming traffic using libpcap and reads the low bits back
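The sender/receiver pair described above, as an added simulation (not the Covert_ts source). The option layout (kind 8, length 10, TS Value, TS Echo Reply) is from RFC 1323; the modulate-and-wait logic reconstructs what the slides describe, with the timestamp clock tick as the time unit and a constructed starting clock value; `segments_per_tick` models how fast the application wants to send.

```python
"""Simulation of Covert_ts-style low-bit modulation of the TCP timestamp option.
Added example, not the Covert_ts source: the option layout is from RFC 1323;
the modulate/wait logic reconstructs what the slides describe, with clock
ticks as the time unit and a constructed starting clock value."""
import struct

TS_KIND, TS_LEN = 8, 10


def build_ts_option(tsval: int, tsecr: int) -> bytes:
    """Encode a TCP timestamp option: kind, length, TS Value, TS Echo Reply."""
    return struct.pack("!BBII", TS_KIND, TS_LEN, tsval & 0xFFFFFFFF, tsecr & 0xFFFFFFFF)


def parse_ts_option(options: bytes):
    """Walk a TCP options block; return (TSval, TSecr) or None if absent/malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # End of Option List
            return None
        if kind == 1:                       # NOP padding, one byte
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                     # malformed length
        if kind == TS_KIND and length == TS_LEN:
            return struct.unpack("!II", options[i + 2:i + TS_LEN])
        i += length
    return None


def bits_of(message: bytes):
    """Yield the message bits MSB first."""
    for byte in message:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


class CovertSender:
    """Kernel-module side: for each outgoing segment pick a TSval that is
    strictly greater than the last one sent and whose low bit is the next
    covert bit; the difference to the real clock is how long (in ticks)
    the segment has to be held back."""

    def __init__(self, message: bytes):
        self.bits = bits_of(message)
        self.last_tsval = None

    def modulate(self, clock_tsval: int):
        """Return (tsval_to_send, ticks_to_wait), or None once the message is sent."""
        bit = next(self.bits, None)
        if bit is None:
            return None
        tsval = clock_tsval if self.last_tsval is None else max(clock_tsval, self.last_tsval + 1)
        if (tsval & 1) != bit:
            tsval += 1                      # the next tick has the right low bit
        self.last_tsval = tsval
        return tsval, tsval - clock_tsval


class CovertReceiver:
    """Sniffer side (what the libpcap process does): collect the low bit of
    every TSval seen from the sender and reassemble bytes."""

    def __init__(self):
        self.bits = []

    def observe(self, options: bytes):
        ts = parse_ts_option(options)
        if ts is not None:
            self.bits.append(ts[0] & 1)

    def message(self) -> bytes:
        out = bytearray()
        for i in range(0, len(self.bits) - len(self.bits) % 8, 8):
            out.append(int("".join(str(b) for b in self.bits[i:i + 8]), 2))
        return bytes(out)


def simulate(message: bytes, segments_per_tick: int = 4, clock_base: int = 1000):
    """Drive an application that wants to send `segments_per_tick` segments per
    clock tick through the covert sender.  Returns (recovered message,
    total ticks of added delay, TSvals on the wire).  Constructed clock."""
    sender, receiver = CovertSender(message), CovertReceiver()
    now, delay, tsvals = 0.0, 0, []          # `now` in ticks since start
    while True:
        clock_tsval = clock_base + int(now)
        result = sender.modulate(clock_tsval)
        if result is None:
            break
        tsval, wait = result
        if wait:
            now = int(now) + wait            # held back until that tick begins
            delay += wait
        tsvals.append(tsval)
        # Linux pads the option as NOP, NOP, Timestamp
        receiver.observe(b"\x01\x01" + build_ts_option(tsval, 0))
        now += 1.0 / segments_per_tick
    return receiver.message(), delay, tsvals
```

Because each segment must take a fresh timestamp with a chosen low bit, an application offering several segments per tick is throttled to roughly one segment per tick (and often two), which is the slow-down the slides mention; the added delay is returned so the cost can be inspected.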
Timestamp Detection – Fast connections • Sending of TCP segments is slowed down to a fixed rate • Algorithm: • Count the number of distinct timestamps and the total number of timestamped segments sent by a particular host • Compute the ratio of distinct timestamps to total segments • If the covert channel is in use the ratio will be close to 0.75, otherwise very close to 1
Timestamp Detection – Slow connections • difficult to detect • the low bit is already close to random on a slow connection • Algorithm: • Record all the low bits of the timestamps sent by the host • Put them through a battery of randomness tests • If they are very random, a covert channel is being used • Prevention: have the legitimate sender introduce some non-random structure into the low bits
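Both detectors from the two slides above, as an added example (not the slides’ authors’ code). The 0.75-versus-1 figures are the slides’ own; the 0.9 cut-off between them, the NIST SP 800-22-style monobit and runs tests standing in for the “battery of randomness tests”, and every sample stream (a clean host, a covert host with one repeated timestamp in four, a bursty slow host, and a covert low-bit stream modelled as a SHA-256 keystream) are constructed for the demonstration.

```python
"""Detectors for the TCP timestamp channel as described on the slides.
Added example: (1) fast connections: fraction of distinct TSvals a host has
sent; (2) slow connections: randomness tests on the TSval low bits.
The 0.9 cut-off and all sample streams are constructed."""
import hashlib
import math
from collections import defaultdict

FAST_CUTOFF = 0.9   # assumption: midway between the slides' ~0.75 (covert) and ~1 (clean)


def distinct_ratio(tsvals):
    """Distinct TSvals over total timestamped segments for one host."""
    return len(set(tsvals)) / len(tsvals)


def flag_fast(records):
    """records: (src_host, TSval) pairs, e.g. pulled from a pcap.
    Returns {host: (ratio, suspicious)}."""
    per_host = defaultdict(list)
    for host, tsval in records:
        per_host[host].append(tsval)
    return {h: (distinct_ratio(v), distinct_ratio(v) < FAST_CUTOFF) for h, v in per_host.items()}


def monobit_p(bits):
    """Frequency (monobit) test, NIST SP 800-22 style: p-value for the 1/0 balance."""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * n))


def runs_p(bits):
    """Runs test, NIST SP 800-22 style: p-value for the number of bit runs."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):   # prerequisite not met: fail outright
        return 0.0
    runs = 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)
    num = abs(runs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def looks_random(bits, alpha=0.01):
    """The slides' slow-connection rule: low bits that pass the tests are suspicious."""
    return monobit_p(bits) >= alpha and runs_p(bits) >= alpha


def covert_lowbits(n, key=b"constructed-key"):
    """Constructed covert stream: an encrypted message is close to random, so
    its bits are modelled with a SHA-256 counter keystream."""
    bits, ctr = [], 0
    while len(bits) < n:
        block = hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        bits.extend((byte >> s) & 1 for byte in block for s in range(8))
        ctr += 1
    return bits[:n]


def bursty_lowbits(n, burst=8):
    """Constructed clean stream: a slow host that sends bursts of `burst`
    segments inside one clock tick, so the low bit comes in long runs."""
    return [(i // burst) & 1 for i in range(n)]


def clean_fast_tsvals(n, base=1000):
    """Constructed clean fast host: every segment gets its own tick."""
    return [base + i for i in range(n)]


def covert_fast_tsvals(n, base=1000):
    """Constructed covert fast host: one repeated timestamp in four (~0.75 distinct)."""
    return [base + i - (i % 4 == 3) for i in range(n)]
```

The slow-connection rule is weak on its own: a p-value only says the low bits are consistent with randomness, which is also what an idle host with a 1 kHz clock produces, so in practice this test is a trigger for closer inspection rather than proof of a channel.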
Timing Covert Channel • use packet inter-arrival times, not header or payload embedded information, to encode covert messages • regularity of a timing channel • channel capacity can be used to detect covert communication
Investigation • sending and receiving data while bypassing the usual intrusion detection techniques • exploiting the time delays between transmitted packets • Given a chain of consecutive delays Δt_i, is it possible to say with a certain probability that there has been malicious intent?
An intruder is able to control machine A (inside the LAN) and use it to exfiltrate data coded in inter-packet delays • X does not have to be the destination of the network packets • X must be on the path so that the packets can be intercepted and their inter-packet delays measured • The fewer hops between X and A, the more accurately the delays can be measured [Figure: A in the LAN sends packets across the Internet; observer X on the path records the delays Δt_1, Δt_2, Δt_3, …]
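A toy version of that set-up, as an added example (not the slides’ experiment): A encodes 2-bit symbols as inter-packet delays from a small alphabet, the path adds jitter, and X, sitting on the path, measures the inter-arrival times Δt_i and decodes by nearest symbol. The same sent/observed symbol pairs give an empirical channel matrix P(Y=j | X=i), which is the input the capacity analysis later on the page needs. The delay alphabet, base latency and jitter model are assumptions.

```python
"""Toy timing channel between machine A (inside the LAN) and observer X on the
path.  Added example, not the slides' experiment: A encodes 2-bit symbols as
inter-packet delays, the path adds jitter, X measures inter-arrival times and
decodes by nearest symbol.  Delay alphabet, latency and jitter are assumptions."""
import random

ALPHABET_MS = [10.0, 20.0, 40.0, 80.0]   # assumed delay symbols, 2 bits each
BASE_LATENCY_MS = 5.0                    # assumed fixed A -> X latency


def encode(message: bytes):
    """Split each byte into four 2-bit symbols, MSB first."""
    return [(byte >> shift) & 3 for byte in message for shift in (6, 4, 2, 0)]


def decode(symbols):
    """Reassemble bytes from 2-bit symbols; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(symbols) - len(symbols) % 4, 4):
        a, b, c, d = symbols[i:i + 4]
        out.append(a << 6 | b << 4 | c << 2 | d)
    return bytes(out)


def departure_times(symbols, t0=0.0):
    """Absolute send times at A: the gap before packet i+1 carries symbol i."""
    times, t = [t0], t0
    for s in symbols:
        t += ALPHABET_MS[s]
        times.append(t)
    return times


def transit(times, rng, jitter_ms):
    """Path A -> X: fixed latency plus Gaussian jitter per packet.  Reordering
    is not modelled; with these delays it would need multi-symbol jitter."""
    return [t + BASE_LATENCY_MS + rng.gauss(0.0, jitter_ms) for t in times]


def nearest_symbol(delta_ms):
    """Map one measured inter-arrival time to the closest alphabet entry."""
    return min(range(len(ALPHABET_MS)), key=lambda k: abs(ALPHABET_MS[k] - delta_ms))


def observe(arrivals):
    """X's view: inter-arrival times, then nearest-symbol decoding."""
    return [nearest_symbol(b - a) for a, b in zip(arrivals, arrivals[1:])]


def channel_matrix(sent, received):
    """Empirical P(Y=j | X=i); rows with no samples are left uniform so a
    capacity calculation can still consume the matrix."""
    n = len(ALPHABET_MS)
    counts = [[0] * n for _ in range(n)]
    for x, y in zip(sent, received):
        counts[x][y] += 1
    return [[c / sum(row) for c in row] if sum(row) else [1.0 / n] * n for row in counts]


def run(message: bytes, jitter_ms: float, seed: int = 7):
    """Send `message` across the toy channel; returns (decoded bytes, matrix)."""
    rng = random.Random(seed)
    sent = encode(message)
    received = observe(transit(departure_times(sent), rng, jitter_ms))
    return decode(received), channel_matrix(sent, received)
```

With sub-millisecond jitter the matrix is the identity and the message survives; as jitter grows relative to the spacing of the alphabet, mass moves off the diagonal, and that matrix (rather than the raw delays) is what the capacity calculation on the following slides works from.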
Assumptions • An attacker will pick an encoding that will yield a decent bandwidth on average, while being sufficiently stealthy • The best coding system – attains the Shannon limit (core of the detection mechanism)
Attacker • will not choose a random distribution on the delays but • will try to maximize the Shannon channel capacity • The Shannon capacity of a discrete memoryless channel: $C = \max_{P_X} I(X;Y)$, where $P_X$ is a probability distribution on the input symbols and $I(X;Y)$ is the mutual information between $X$ and $Y$ (i.e. the dependence between the two random variables)
Arimoto-Blahut algorithm • finds an input symbol distribution that maximizes the mutual information, i.e. attains the channel capacity • Initialization – start from a uniform input distribution $P_X$ • Recursion – compute the output distribution $q(y)=\sum_x P_X(x)\,W(y|x)$, then re-weight each input by $\exp D(W(\cdot|x)\,\|\,q)$ and renormalize • Termination – stop when the gap between the upper and lower capacity bounds falls below a tolerance
Proposed method • Based on the network characteristics (the channel matrix), • guess the coding system, i.e. the input distribution, that the attacker would use • analyze the emitted symbols to see whether they match that distribution (statistical analysis) • If yes, covert communication is taking place
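The capacity computation and the proposed detection step from the three slides above, as an added example (not the slides’ authors’ code): Blahut-Arimoto evaluates $C = \max_{P_X} I(X;Y)$ and returns the capacity-achieving $P_X$, and a chi-square goodness-of-fit test then asks whether an observed delay-symbol histogram matches that distribution. The channel matrices and histograms are constructed; the 99% chi-square critical values are the standard table values for 1 to 4 degrees of freedom.

```python
"""Blahut-Arimoto evaluation of C = max_{P_X} I(X;Y) for a discrete memoryless
channel, plus the slides' detection idea on top of it: test whether an
observed delay-symbol histogram fits the capacity-achieving input
distribution.  Added example; matrices and histograms are constructed."""
import math


def blahut_arimoto(W, max_iter=1000, tol=1e-9):
    """W[x][y] = P(Y=y | X=x).  Returns (capacity in bits, P_X).
    Initialisation: uniform P_X.
    Recursion: q(y) = sum_x p(x) W(y|x); c(x) = exp(D(W(.|x) || q));
               p(x) <- p(x) c(x) / sum_x' p(x') c(x').
    Termination: log2(max_x c(x)) - log2(sum_x p(x) c(x)) < tol
    (upper and lower capacity bounds have met)."""
    m, n = len(W), len(W[0])
    p = [1.0 / m] * m
    lower = 0.0
    for _ in range(max_iter):
        q = [sum(p[x] * W[x][y] for x in range(m)) for y in range(n)]
        c = []
        for x in range(m):
            d = sum(W[x][y] * math.log(W[x][y] / q[y]) for y in range(n) if W[x][y] > 0)
            c.append(math.exp(d))
        z = sum(p[x] * c[x] for x in range(m))
        lower, upper = math.log2(z), math.log2(max(c))
        p = [p[x] * c[x] / z for x in range(m)]
        if upper - lower < tol:
            break
    return lower, p


def chi_square(observed, expected_probs):
    """Pearson goodness-of-fit statistic of counts against a probability vector."""
    n = sum(observed)
    return sum((o - n * e) ** 2 / (n * e) for o, e in zip(observed, expected_probs) if e > 0)


CHI2_99 = {1: 6.635, 2: 9.210, 3: 11.345, 4: 13.277}   # 99% critical values, df 1..4


def fits_optimal_input(W, observed):
    """Proposed method: derive the attacker's best input distribution from the
    channel matrix, then ask whether the observed symbol histogram matches it.
    Returns (match, statistic, capacity_bits, P_X_opt)."""
    cap, p_opt = blahut_arimoto(W)
    stat = chi_square(observed, p_opt)
    return stat <= CHI2_99[len(p_opt) - 1], stat, cap, p_opt


# Constructed channel matrices
BSC_01 = [[0.9, 0.1], [0.1, 0.9]]          # binary symmetric, C = 1 - H(0.1) ~ 0.531 bits
TIMING_W = [[0.9, 0.1, 0.0, 0.0],           # four delay symbols, neighbours confused by jitter
            [0.1, 0.8, 0.1, 0.0],
            [0.0, 0.1, 0.8, 0.1],
            [0.0, 0.0, 0.1, 0.9]]
```

Two caveats the slides raise apply directly here: the capacity-achieving $P_X$ need not be unique, so a single histogram comparison can miss an attacker using an equally good alternative, and the channel matrix drifts with background traffic, so `W` must be re-estimated over the same window as the histogram being tested.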
Issues • Optimal input delay distribution may not be unique • Channel matrix is not constant over time (depends on network traffic)
Future Work • Run experiments with a specified number of hops (approx. 25) • Find the channel matrix for a discrete input alphabet of delays • Once the channel matrix is complete, the Shannon capacity can be estimated with the Arimoto-Blahut algorithm
References • Steven J. Murdoch and Stephen Lewis. Embedding Covert Channels into TCP/IP. 7th Information Hiding Workshop, Barcelona, Catalonia (Spain), June 2005 • Jonathan Millen (SRI International). 20 Years of Covert Channel Modeling and Analysis. IEEE Symposium on Security and Privacy, 1999 • T. M. Cover and J. A. Thomas. Elements of Information Theory. Wiley Series in Telecommunications. John Wiley & Sons, New York, NY, USA, 1991