Post on 26-Mar-2015

Using a Novel Blending Method Over Multiple Network Connections for Secure Communications

Jaime C. Acosta and John Medrano

U.S. Army Research Laboratory

Motivation

– Network attack steps
  – Locate a network
  – Analyze traffic
  – Identify target
  – Scan nodes for vulnerabilities
  – Execute exploit

– Issue
  – Node addresses and traffic flows

Motivation

– Covert communication
  – Traditionally seen as adversarial
  – Data exfiltration

– From a defensive perspective
  – Hide data in decoy traffic
  – Hide node endpoints
  – Avoid scanning
  – Avoid suspicion for critical data

Covert Communication

– Timing channels
  – Timing anomalies
  – Generally low throughput

– Data channels
  – Unused fields, invalid messages
  – Once documented, identification is trivial

Objectives

– Scalable throughput

– Reliable

– Dynamic insertion point selection

Research Question

Can we leverage characteristics of network flows for covert, secure communication?

Envisioned Approach

[Figure: network nodes A, B, C, D, E, F]

Envisioned Approach

[Figure: nodes A through F joined by eight connections, Conn1 through Conn8]

Connections:
1. Unidirectional
2. Fixed-size messages sharing the same
   a. source and destination MAC, IP, and ports
   b. protocol type
3. Have an update rate
4. Have a complexity measure

Envisioned Approach

Connection Name   Communication Rate   Connection Complexity
Conn1             5 msg/sec            Low
Conn2             10 msg/sec           Med
Conn3             1 msg/sec            High
...

[Figure: nodes A through F with connections Conn1 through Conn8; the promiscuous traffic is observed by the covert communicators]

Envisioned Approach

Hide data within high-complexity payloads

[Figure: the same connection table and topology as the previous slide]

Methodology

– Implement a system
  – Parameters for determining insertion points

– Evaluate
  – Vary parameter values
  – Measure throughput and reliability

Network Blending Communication System (NBCS)

[Figure: NBCS architecture: Network, Analysis Subsystem, Display Subsystem, Communications Subsystem, Configuration]

NBCS Analysis Subsystem

[Figure: packets captured from the network during a window are grouped per connection (Connection 1, Connection 2, Connection 3) and aligned by byte position b0 b1 b2 b3 b4; the frequency distribution of each byte position yields the byteComplexities c0 c1 c2 c3 c4; Min/Max = byteComplexities; their sum is the connection complexity C]
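The slides describe the analysis step only as a frequency distribution per byte position that yields byteComplexities, summed into a connection complexity C, with the window size, rate threshold and byte complexity threshold supplied by the configuration. The following is an added example, not NBCS code and not from the authors, that carries that computation through on a constructed one-second window. It assumes normalized Shannon entropy as the per-position complexity measure (the slides do not name one), and the names `byte_complexities`, `analyze_window` and `SAMPLE_WINDOW` are hypothetical.

```python
"""Analysis-subsystem sketch: per-connection byte complexities over one window.

Added example, not the NBCS code. Assumptions (the slides only show a frequency
distribution feeding byteComplexities): each byte position's complexity is its
Shannon entropy over the window, normalized to [0, 1] by the largest entropy a
window of n packets can have (log2(min(n, 256))); the connection complexity is
the sum of the byte complexities, as on the slide.
"""
import math
from collections import Counter


def byte_complexities(packets):
    """Normalized entropy of each byte position across fixed-size packets."""
    n = len(packets)
    if n < 2:
        return [0.0] * (len(packets[0]) if packets else 0)
    size = len(packets[0])
    if any(len(p) != size for p in packets):
        # A connection is defined by fixed-size messages; mixed sizes are an upstream bug.
        raise ValueError("packets in one connection must have the same size")
    max_entropy = math.log2(min(n, 256))
    comps = []
    for i in range(size):
        counts = Counter(p[i] for p in packets)   # frequency distribution at position i
        h = 0.0
        for c in counts.values():
            prob = c / n
            h -= prob * math.log2(prob)
        comps.append(h / max_entropy)
    return comps


def analyze_window(windows, window_ms=1000, byte_threshold=0.5, rate_threshold=10):
    """Summarize each connection's window like the Analysis Subsystem slide.

    windows: {connection name: list of packet payloads (bytes) seen in the window}.
    Returns per connection: update rate, byteComplexities, their min/max, the
    connection complexity C (sum), the byte positions whose complexity meets the
    threshold, and whether the connection clears both thresholds.
    """
    results = {}
    for name, pkts in windows.items():
        rate = len(pkts) * 1000.0 / window_ms      # messages per second
        comps = byte_complexities(pkts)
        positions = [i for i, c in enumerate(comps) if c >= byte_threshold]
        results[name] = {
            "rate": rate,
            "byteComplexities": comps,
            "min": min(comps) if comps else 0.0,
            "max": max(comps) if comps else 0.0,
            "complexity": sum(comps),
            "positions": positions,
            "eligible": rate >= rate_threshold and bool(positions),
        }
    return results


# Constructed one-second window of 5-byte fixed-size messages (not captured traffic).
SAMPLE_WINDOW = {
    # 16 msg/s: constant type byte, a 4-valued field, two fields distinct per packet, a flag byte
    "Conn1": [bytes([0x01, 0x10 + (i % 4), 0xA0 + i, 0xFF - i, 0xAA if i < 8 else 0x55])
              for i in range(16)],
    # 16 msg/s heartbeat: every packet identical, so no position carries any variation
    "Conn2": [bytes([0x02, 0x00, 0x00, 0x00, 0x00])] * 16,
    # 4 msg/s: every byte varies, but the connection is below the rate threshold
    "Conn3": [bytes([i, i + 1, i + 2, i + 3, i + 4]) for i in range(4)],
}

if __name__ == "__main__":
    for name, r in analyze_window(SAMPLE_WINDOW).items():
        print(name, "rate=%.0f/s" % r["rate"], "C=%.2f" % r["complexity"],
              "positions=%s" % r["positions"], "eligible=%s" % r["eligible"])
```

Run as a script it lists, per connection, the update rate, the connection complexity and the byte positions that clear the byte complexity threshold; with the default threshold of 0.5 Conn1 qualifies on positions 1 to 3, Conn2 has zero complexity everywhere, and Conn3 is rejected on rate alone despite a complexity of 5.0. The same output is what a defender gets from an entropy profile of their own flows: positions scoring near 1.0 are the fields where a byte-distribution monitor cannot distinguish blended bytes from the original payload, so the map of "sufficient" positions is also the map of where such a monitor has no leverage.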

Communications Subsystem

[Figure: Connection 1 with sufficient complexity and Connection 4 with sufficient complexity supply the latest packets with sufficient byteComplexities; attach sync and checksum bytes; check rateToUse]

Display Subsystem

Requirements – How it can be done

– Hub
  – Promiscuous by default

– Switch
  – Port mirroring

– Wireless
  – Within distance

– Multicast
  – Within group

Evaluation - Network Setup

                    Load A          Load B
Overt Nodes         6               12
Packets/sec         80-100          5200-5500
Bytes/sec           95KB – 115KB    2.7MB – 3.5MB
# of Connections    15-20 (6 UDP)   40-50 (6 UDP)

Evaluation

– Controlled (favoring low detectability)
  – Window Size = 1000 ms
  – Sync Bytes = 2
  – Checksum Bytes = 2
  – Protocol to Use = UDP
  – Rate Threshold = 10
  – Rate to Use = 0.1

Evaluation

– Independent
  – Byte Complexity Threshold [0.1-0.9]

– Dependent
  – Throughput
  – Packet loss

– Procedure
  – Covert sender and receiver start simultaneously
  – Covert data buffer is always full
  – Run for 5 minutes

Results - Throughput

Results – Packet Loss

Future Work

– More beneficial to hide covert data based on byte similarity?

– Wireless and multicast traffic?

– Automatic parameter tuning in real time depending on network characteristics?

Questions

Preliminary Wireless Tests

[Backup figures: the NBCS Analysis Subsystem slides repeated, showing sample byte complexities c0 c1 c2 c3 c4 for Connection 1 and their Min and Max]