UMBC CMSC 691 IA
Analysis and Detection of Network Covert Channels
Sweety Chauhan
CMSC 691 IA 30th Nov. 2005
Outline
- New and significant
- Summary of the results
- Covert network channels
  - timestamp field as covert channel
- Network timing channel
  - regularity of timing channel
  - channel capacity
Summary of results
- Embedding of covert messages in the TCP timestamp field is possible (Covert_ts system)
- Covert timing channels can be detected by:
  - regularity in the timing channel
  - usage of the channel capacity
Motivation
The network is heavily guarded with
1. Intrusion Detection Systems (IDS)
2. Packet Anomaly Detection Systems (PADS)
3. Firewalls
The intruder has very limited options for getting the data out. Exfiltration of data is possible by:
1. FTP - detected in log files and traffic dumps
2. Communication via high port numbers - can trigger Packet Anomaly Detection Systems
3. Encoding data in the unused fields of packet headers - detected by IDS and PADS
The attacker will look for more covert ways of moving the data out of the compromised network. Hence, detection of network covert (storage and timing) channels is significant!!!
New
- Covert_ts: an implementation of embedding covert messages in the TCP timestamp (the possibility has been discussed in the research community)
- Proposed detection method based on the channel capacity (information theory)
Previous work - TCP covert tools
Most work has concentrated on covert storage channels rather than covert timing channels.
TCP covert channels:
- Covert_TCP: IP identification field, TCP ISN field, TCP ACK number
- Nushu: TCP ISN
Hierarchy of Covert Channels
Family of Covert Channels:
- Steganography: Images / Audio / Executables
- Text Manipulation: Word manipulation
- Network Channels: TCP / IP Channels
- Operating Systems: Data Hiding / Alternate Data Streams
- Data Appending: EOF / Headers / Footers
IP Header
[Figure: IP header layout, with the fields that may be used as a covert channel highlighted]
TCP header
[Figure: TCP header layout, with the Timestamp option highlighted]
TCP Option - Timestamp
- allows a host to accurately measure the round-trip time of a path
- consists of two 32-bit fields, TS Value and TS Echo Reply; TS Value is set by the 'timestamp clock' of the sender
- use of TCP timestamps is not universal
Timestamp Low-bit Modulation
Covert_ts system. System requirements: Linux kernel 2.4.9 or higher, libpcap
- Modulate the low bit of the TCP timestamp to convey data
- At low bandwidths, the low bit of the timestamp is quite random
Timestamp Evaluation
- Bandwidth: low, one bit per TCP segment
- Detection: extremely difficult for low bandwidth
- Prevention: moderate, take out the TCP timestamp option
- Permissibility: all networks
Difficulty in Implementation
- The timestamp clock's tick frequency is between 1 Hz and 1 kHz
- Must be strictly monotonic
- A fast connection will be slowed down while sending covert data
Sending component: a Linux kernel module that modifies outgoing TCP/IP traffic by replacing the hard_start_xmit function. It checks for a TCP packet carrying a timestamp, calculates what the timestamp should be raised to, raises it, and waits that long before transmitting.
Receiving component: sniffs incoming traffic using libpcap.
Timestamp Detection - Fast
Sending of TCP segments will be slowed down to a fixed rate.
Algorithm:
1. Count the number of different and total timestamps sent by a particular host
2. Calculate the ratio of total to different timestamps
3. If the covert channel is in use the ratio will be close to 0.75, otherwise very close to 1
Timestamp Detection - Slow
Difficult to detect: the low bit is more random.
Algorithm:
1. Record all the low bits of the timestamps
2. Put them through a complex randomness test
3. If very random, then the covert channel is being used
To prevent, introduce some non-random data.
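Both detection checks above, as an added example that is not part of the slides or of the Covert_ts tool: the timestamp ratio for the fast check and NIST-style monobit and runs tests over the low bits for the slow check. The ratio is computed as distinct over total (an assumed reading of the slide's wording, so it stays within [0, 1]); the 0.01 significance level and the three timestamp sequences are constructed, not captured traffic.

```python
import math

def timestamp_ratio(timestamps):
    """Fast check: distinct timestamp values over total segments from one host
    (assumed reading of the slide's ratio, so the value lies in [0, 1])."""
    if not timestamps:
        raise ValueError("need at least one timestamp")
    return len(set(timestamps)) / len(timestamps)

def low_bits(timestamps):
    """The bit Covert_ts modulates: bit 0 of the TS Value field."""
    return [ts & 1 for ts in timestamps]

def monobit_p_value(bits):
    """NIST SP 800-22 frequency (monobit) test: are ones and zeros balanced?"""
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(len(bits)) / math.sqrt(2))

def runs_p_value(bits):
    """NIST SP 800-22 runs test: does the sequence alternate as often as a
    random one would? Flags both long runs and strict alternation."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0  # frequency prerequisite fails; treat as non-random
    runs = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    num = abs(runs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)

def analyze(timestamps, alpha=0.01):
    """Slow check: low bits that pass the randomness tests are the suspicious
    case (alpha is an assumed significance level, not from the slides)."""
    bits = low_bits(timestamps)
    p_mono, p_runs = monobit_p_value(bits), runs_p_value(bits)
    return {"ratio": timestamp_ratio(timestamps),
            "monobit_p": p_mono, "runs_p": p_runs,
            "low_bits_look_random": p_mono >= alpha and p_runs >= alpha}

# Constructed tick values (not captured traffic), 100 Hz-style clock.
# COVERT: one segment per tick, each timestamp raised to the next value whose
# low bit equals the message bit 1,0,1,1,0,0,1,0,0,1,1,1,0,1,0,0.
COVERT = [1001, 1002, 1003, 1003, 1004, 1006, 1007, 1008,
          1008, 1009, 1011, 1011, 1012, 1013, 1014, 1016]
STEADY = list(range(1000, 1016))                           # one segment per tick
BURSTY = [t for t in range(1000, 1010) for _ in range(4)]  # four segments per tick
```

On these samples only the covert sequence yields low bits that pass both tests; the steady sender alternates too regularly and the bursty sender produces long runs.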
Timing Covert Channel
- uses packet inter-arrival times, not header- or payload-embedded information, to encode covert messages
- the regularity of a timing channel and the channel capacity can be used to detect covert communication
Investigation
- sending and receiving data while bypassing the usual intrusion detection techniques, by exploiting time delays between transmitted packets
- Given a chain of consecutive delays ∆t_i, is it possible to say with a certain probability that there has been malicious intent?
An intruder is able to control machine A (inside the LAN) and use it to exfiltrate data coded in inter-packet delays.
- X does not have to be the destination for the network packets
- X must be on the path so that the packets may be intercepted and their inter-packet delays can be measured
- The fewer hops between X and A, the more accurate the delay measurement will be
[Figure: A inside the LAN sends packets across the Internet, past observer X, to the receiver; X measures the delays ∆t_1, ∆t_2, ∆t_3]
Assumptions
- An attacker will pick an encoding that will yield a decent bandwidth on average, while being sufficiently stealthy
- The best coding system attains the Shannon limit (core of the detection mechanism)
Attacker
- will not choose a random distribution on the delays, but will try to maximize the Shannon channel capacity
- The Shannon capacity of a discrete memoryless channel: C = max over P_X of I(X;Y)
  where P_X is a probability distribution on the input symbols and I(X;Y) is the mutual information between X and Y (i.e. the dependence between the two random variables)
Arimoto-Blahut algorithm
- finds an input symbol distribution that maximizes the channel capacity
1. Initialization
2. Recursion
3. Termination
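The three steps above carried out in code, as an added example that is not the deck's own: Blahut-Arimoto on constructed channel matrices, where the input symbols stand for the attacker's delay values and the matrix for how network jitter moves them between output delay bins. The delay bins and the transition probabilities are assumed; the binary symmetric channel provides a closed-form check on the result.

```python
import math

def mutual_information(p, W):
    """I(X;Y) in bits for input distribution p over channel W[x][y] = P(Y=y|X=x)."""
    ny = len(W[0])
    q = [sum(p[x] * W[x][y] for x in range(len(p))) for y in range(ny)]
    return sum(p[x] * W[x][y] * math.log2(W[x][y] / q[y])
               for x in range(len(p)) for y in range(ny)
               if p[x] > 0 and W[x][y] > 0)

def blahut_arimoto(W, tol=1e-9, max_iter=10_000):
    """Capacity C = max over P_X of I(X;Y), in bits per channel use, of a
    discrete memoryless channel, and the input distribution that attains it.
    1. Initialization: uniform p over the input alphabet.
    2. Recursion: p_x <- p_x*exp(D_x) / sum_x' p_x'*exp(D_x'), where
       D_x = sum_y W[x][y] ln(W[x][y]/q_y) and q_y = sum_x p_x W[x][y].
    3. Termination: ln(sum_x p_x exp(D_x)) is a lower bound on C and
       max_x D_x an upper bound; stop when they agree within tol."""
    nx, ny = len(W), len(W[0])
    p = [1.0 / nx] * nx
    lower = 0.0
    for _ in range(max_iter):
        q = [sum(p[x] * W[x][y] for x in range(nx)) for y in range(ny)]
        D = [sum(W[x][y] * math.log(W[x][y] / q[y]) for y in range(ny) if W[x][y] > 0)
             for x in range(nx)]
        c = [p[x] * math.exp(D[x]) for x in range(nx)]
        total = sum(c)
        lower, upper = math.log(total), max(D)
        if upper - lower < tol:
            break
        p = [v / total for v in c]
    return lower / math.log(2), p

def binary_entropy(p):
    """H(p) in bits; 1 - H(p) is the closed-form capacity of a BSC."""
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

# Constructed channel matrices (not measured on any network).
# JITTER: three input delays (say 20/40/60 ms) as the attacker's symbols;
# network jitter pushes a symbol into a neighbouring delay bin now and then.
JITTER = [[0.8, 0.2, 0.0],
          [0.1, 0.8, 0.1],
          [0.0, 0.2, 0.8]]
BSC = [[0.9, 0.1], [0.1, 0.9]]        # binary symmetric, crossover 0.1
USELESS = [[0.5, 0.5], [0.5, 0.5]]    # output independent of input
```

The distribution returned for JITTER is the one the detection method would compare observed delay symbols against; for the slides' second issue, a changing channel matrix simply means re-running the algorithm on the new matrix.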
Proposed method
- Based on network characteristics, guess the coding system that the attacker may use
- Analyze the emitted symbols to see if they match such a distribution (statistical analysis)
- If yes, covert communication is taking place
Issues
Optimal input delay distribution may not be unique
Channel matrix is not constant over time (depends on network traffic)
Future Work
- Run experiments with a specified number of hops (approx. 25)
- Find the channel matrix for a discrete input alphabet
- Once the channel matrix is complete, the Shannon capacity can be estimated through the Arimoto-Blahut algorithm