Detecting Covert Timing Channels: An Entropy-Based Approach
Steven Gianvecchio, Haining Wang
College of William and Mary
Outline
• Background
• Covert Timing Channels
• Detection Methods
• Entropy-Based Approach
• Experimental Evaluation
• Potential Countermeasures
• Conclusion
Background
Covert Channels:
• A covert channel manipulates a shared resource to transfer information
• The goal is to hide communication (or hide extra communication) with a host:
  • steal sensitive data (e.g., keys or passwords)
  • hide other illicit communications
Background
Types of Covert Channels:
• The shared resource determines the type
  • covert storage channels, e.g., packet header fields
  • covert timing channels, e.g., packet arrival times
Covert Timing Channels
Types of Covert Timing Channels:
• active – generates additional traffic
• passive – manipulates existing traffic
[Figure: Scenario 1 (active or passive) and Scenario 2 (passive)]
Covert Timing Channels
Covert Timing Channels studied:
• IP Covert Timing Channel or IPCTC (Cabuk 2004)
• Time-Replay Covert Timing Channel or TRCTC (Cabuk 2006)
• JitterBug (Shah 2006)
Covert Timing Channels
• IP Covert Timing Channel or IPCTC (Cabuk 2004)
  • 1-bit: send a packet during the time interval t
  • 0-bit: do nothing during the time interval t
[Figure: packets on a timeline divided into intervals of length t, labelled 1-bit, 0-bit, 1-bit, 0-bit]
Covert Timing Channels
• Time-Replay Covert Timing Channel or TRCTC (Cabuk 2006)
  • a recorded sample of legitimate inter-packet delays is replayed
  • the sample is split at a cutoff into bin 0 (delays below the cutoff) and bin 1 (delays above it)
  • 1-bit: replay a delay from bin 1
  • 0-bit: replay a delay from bin 0
  • by construction, the distribution of inter-packet delays is close to the legitimate distribution
Covert Timing Channels
• JitterBug (Shah 2006)
  • 0-bit: increase the inter-packet delay so that it is 0 modulo w
  • 1-bit: increase the inter-packet delay so that it is ceil(w/2) modulo w
  • the timing window w is the maximum delay that can be added
  • for small w, the distribution of inter-packet delays is close to the legitimate distribution
Detection Methods
Types of Detection Tests:
• shape – relates to first-order statistics: statistics of single values, invariant under permutations of the data
• regularity – relates to second- or higher-order statistics: statistics of doubles, triples, etc.
Detection Methods
Tests of Shape:
• Kolmogorov-Smirnov test – the largest difference between two distribution functions s1 and s2
Tests of Regularity:
• The regularity test (Cabuk 2004) – measures how much the variance of the inter-packet delays changes across windows of the data
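Both tests, run over constructed inter-packet delay samples, as an added example in Python (not code from the slides or from Gianvecchio and Wang). ks_statistic() is the two-sample Kolmogorov-Smirnov statistic, the largest gap between the empirical distribution functions s1 and s2. regularity() is the Cabuk 2004 regularity test in the form STDEV(|σ_i − σ_j| / σ_i, i < j) over the standard deviations σ_k of consecutive windows; that formula comes from the Cabuk paper, not from these slides. The generators make_legit and make_regular, the window size of 100 and the seeds are assumptions made for the example; the regular sample only copies the shape the slides give for IPCTC (a packet after one or two intervals t).

```python
"""Shape and regularity tests over inter-packet delays (added example; not
code from the slides or from Gianvecchio and Wang). Samples are constructed
with seeded generators so the script runs offline."""
import random
import statistics


def ks_statistic(sample, reference):
    """Two-sample KS statistic: max |S1(x) - S2(x)| over the pooled points."""
    s1, s2 = sorted(sample), sorted(reference)
    n1, n2 = len(s1), len(s2)
    i = j = 0
    d = 0.0
    for x in sorted(set(s1) | set(s2)):
        while i < n1 and s1[i] <= x:
            i += 1
        while j < n2 and s2[j] <= x:
            j += 1
        d = max(d, abs(i / n1 - j / n2))
    return d


def regularity(delays, window=100):
    """Cabuk 2004 regularity score: STDEV(|sigma_i - sigma_j| / sigma_i) over
    pairs of windows. Small values mean the variance barely changes from
    window to window, i.e. suspiciously regular traffic."""
    sigmas = [statistics.pstdev(delays[k:k + window])
              for k in range(0, len(delays) - window + 1, window)]
    ratios = [abs(sigmas[i] - sigmas[j]) / sigmas[i]
              for i in range(len(sigmas)) if sigmas[i] > 0
              for j in range(i + 1, len(sigmas))]
    return statistics.pstdev(ratios) if ratios else 0.0


def make_legit(n, seed):
    """Constructed stand-in for legitimate HTTP delays: exponential delays
    whose mean drifts from window to window, since real traffic varies a lot."""
    rng = random.Random(seed)
    out = []
    while len(out) < n:
        mean = rng.uniform(0.05, 0.3)
        out.extend(rng.expovariate(1.0 / mean) for _ in range(100))
    return out[:n]


def make_regular(n, seed, t=0.04):
    """Constructed sample shaped like the slides' IPCTC description: a packet
    arrives after one interval t, or after two when an interval was skipped."""
    rng = random.Random(seed)
    return [t * rng.choice((1, 2)) for _ in range(n)]


def score_samples(n=2000):
    """Score a regular sample and a second legitimate sample against a
    legitimate reference; returns the four test values by name."""
    reference = make_legit(n, seed=1)
    legit = make_legit(n, seed=2)
    regular = make_regular(n, seed=3)
    return {
        "ks_legit": ks_statistic(legit, reference),
        "ks_regular": ks_statistic(regular, reference),
        "reg_legit": regularity(legit),
        "reg_regular": regularity(regular),
    }


if __name__ == "__main__":
    for name, value in score_samples().items():
        print(f"{name}: {value:.3f}")
```

Run directly, the script prints the four scores. The regular sample is far from the reference in shape (large KS distance) and has an almost constant per-window variance (regularity score near zero), while the legitimate sample sits close to the reference in shape but, because its variance swings between windows, gets a high regularity score; that swing is the "high variation of legitimate traffic" the conclusion slides refer to.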
Motivation
• There are a number of other tests
• However, no previous test is effective at detecting a wide range of different covert timing channels
• Our goal is to develop a better solution:
  • an entropy-based approach
  • using entropy and conditional entropy
Entropy
• In general, the creation of covert timing channels has some effect on entropy
  • entropy is a measure of information
  • covert timing channels transfer information
[Figure: entropy rate on a scale from 0 (regular, predictable) through complex to max (random, unpredictable)]
Entropy
• The entropy of a series –
• The conditional entropy of a series –
• The entropy rate of a process –
Entropy Estimation
• The data is binned in Q bins, e.g., 0.0 < bin1 ≤ 0.22, 0.22 < bin2 ≤ 0.51, etc.
• The "true" probabilities are replaced with empirical probabilities of bin sequences
• The entropy estimate is EN
• The conditional entropy estimate is CE
[Figure: CE versus pattern length m (1 to 15), entropy axis 0.0 to 2.2; graph adapted from Porta 1998] CE tends to 0 as m increases.
[Figure: CE and CCE versus m; CCE adds a corrective term to CE; graph adapted from Porta 1998]
[Figure: CCE versus m with its minimum at m=4; graph adapted from Porta 1998] The minimum of CCE is the best choice for m.
Entropy-Based Approach
• The corrected conditional entropy test (Porta 1998) estimates the entropy rate: Q=5, m varies
• The entropy test estimates the first-order entropy: Q=2^16, m=1
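The estimation steps from the two preceding slides (binning into Q equiprobable bins, the EN test with Q=2^16 and m=1, the CCE test with Q=5 and the minimum over m), as an added example in Python rather than code from the slides or from Gianvecchio and Wang. The correction CCE(m) = CE(m) + perc(m)·EN(1), with CE(m) = EN(m) − EN(m−1) and perc(m) the fraction of length-m patterns that occur only once, is the Porta 1998 form and is not spelled out on the slides. The reference sample used to fit the bins, the other constructed samples, the seed and the range m = 1..15 are assumptions made for the example.

```python
"""EN and CCE estimators over binned inter-packet delays (added example; not
code from the slides or from Gianvecchio and Wang). Bins are fitted to a
legitimate reference so each bin holds an equal share of it, matching the
slides' "0.0 < bin1 <= 0.22, 0.22 < bin2 <= 0.51, ..." binning. All traffic
samples are constructed with a seeded generator."""
import bisect
import math
import random
from collections import Counter


def quantile_edges(reference, q):
    """Upper edges of q equiprobable bins fitted to the reference sample."""
    ref = sorted(reference)
    return [ref[(k * len(ref)) // q] for k in range(1, q)]


def to_bins(delays, edges):
    """Bin index of each delay; bin k holds edges[k-1] < x <= edges[k]."""
    return [bisect.bisect_left(edges, x) for x in delays]


def pattern_counts(symbols, m):
    """Occurrence counts of every length-m pattern (sliding window)."""
    return Counter(tuple(symbols[i:i + m]) for i in range(len(symbols) - m + 1))


def pattern_entropy(symbols, m):
    """EN(m): entropy in bits of the empirical length-m pattern distribution."""
    counts = pattern_counts(symbols, m)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def entropy_test(delays, edges):
    """EN test: first-order entropy (m = 1) of the binned delays."""
    return pattern_entropy(to_bins(delays, edges), 1)


def corrected_conditional_entropy(symbols, m):
    """CCE(m) = CE(m) + perc(m) * EN(1), Porta 1998. The corrective term grows
    with m as more patterns become unique, offsetting CE's collapse to 0."""
    ce = pattern_entropy(symbols, m) - (pattern_entropy(symbols, m - 1) if m > 1 else 0.0)
    counts = pattern_counts(symbols, m)
    perc = sum(1 for c in counts.values() if c == 1) / sum(counts.values())
    return ce + perc * pattern_entropy(symbols, 1)


def cce_test(delays, edges, max_m=15):
    """CCE test: minimum of CCE(m) over m = 1..max_m, the entropy-rate estimate."""
    symbols = to_bins(delays, edges)
    return min(corrected_conditional_entropy(symbols, m) for m in range(1, max_m + 1))


def score_samples(n=2000):
    """Score constructed samples: a legitimate-like exponential sample, a random
    choice between two delays, and a strictly alternating sequence."""
    rng = random.Random(7)
    reference = [rng.expovariate(10.0) for _ in range(n)]  # constructed legitimate reference
    legit = [rng.expovariate(10.0) for _ in range(n)]      # constructed legitimate-like sample
    two_valued = [0.04 * rng.choice((1, 2)) for _ in range(n)]  # random, but only two delays
    periodic = [0.04 * (1 + i % 2) for i in range(n)]      # perfectly regular alternation
    en_edges = quantile_edges(reference, 2 ** 16)  # Q = 2^16 for the EN test
    cce_edges = quantile_edges(reference, 5)       # Q = 5 for the CCE test
    return {
        "en_legit": entropy_test(legit, en_edges),
        "en_two_valued": entropy_test(two_valued, en_edges),
        "cce_legit": cce_test(legit, cce_edges),
        "cce_two_valued": cce_test(two_valued, cce_edges),
        "cce_periodic": cce_test(periodic, cce_edges),
    }


if __name__ == "__main__":
    for name, value in score_samples().items():
        print(f"{name}: {value:.3f}")
```

The three constructed samples separate the two tests: the two-valued sample has a normal-looking arrival process but only two distinct delays, so EN drops from roughly log2 of the sample size to about one bit (abnormal shape), while the alternating sample keeps the same two delays but in a fixed order, so its CCE falls to zero (abnormal regularity) where the legitimate-like sample stays near log2(Q).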
Experimental Evaluation
• Covert Timing Channels:
  • IPCTC
  • TRCTC
  • JitterBug
• Detection Tests:
  • regularity test (regularity)
  • Kolmogorov-Smirnov test (KSTEST)
  • entropy test (EN)
  • corrected conditional entropy test (CCE)
Experimental Evaluation
• IPCTC
  • 100x 2000 HTTP inter-packet delays
  • enhancement: the time interval t is rotated among 40ms, 60ms, and 80ms
  • this avoids creating a regular pattern at multiples of the time interval t
Experimental Evaluation
[Table: IPCTC test scores]
[Table: IPCTC detection rates]
Experimental Evaluation
• TRCTC
  • 100x 2000 HTTP inter-packet delays
  • the distribution of inter-packet delays is close to the legitimate distribution, but with no correlations
Experimental Evaluation
[Table: TRCTC test scores]
[Figure: CCE scores for TRCTC and LEGIT traffic]
[Table: TRCTC detection rates]
Experimental Evaluation
• JitterBug
  • 100x 2000 SSH inter-packet delays
  • the distribution of inter-packet delays is close to the legitimate distribution, but with small delays added
  • enhancement: a random sequence s_i is subtracted before the modulo operation
  • this avoids creating a regular pattern at multiples of the timing window w
Experimental Evaluation
[Table: JitterBug test scores]
[Figure: EN scores for JitterBug and LEGIT traffic]
[Table: JitterBug detection rates]
Potential Countermeasures
• TRCTC: replay longer correlated sequences; this would reduce the capacity
• JitterBug: use a smaller timing window w; again, this would reduce the capacity
Conclusion
• The regularity test has problems with the high variation of legitimate traffic
  • fails for all covert timing channels tested
• The Kolmogorov-Smirnov test has problems when the distribution of covert traffic is close to the distribution of legitimate traffic
  • fails for JitterBug and TRCTC
Conclusion
• CCE detects abnormal regularity
• EN detects abnormal shape
• In combination, our entropy-based approach is effective on all of the covert timing channels tested
Questions? Thank you!