Page 1:

UMBC CMSC 691 IA

Analysis and Detection of Network Covert Channels

Sweety Chauhan

CMSC 691 IA, 30th Nov. 2005

chauhan2@umbc.edu

Page 2:

Outline

New and Significant

Summary of the results

Covert network channels
  timestamp field as covert channel

Network timing channel
  regularity of timing channel
  channel capacity

Page 3:

Summary of results

Embedding of covert messages in the TCP timestamp field is possible with the Covert_ts system

Covert timing channels can be detected by
  regularity in the timing channel
  usage of the channel capacity

Page 4:

Motivation

The network is heavily guarded with

1. Intrusion Detection Systems (IDS)

2. Packet Anomaly Detection Systems (PADS)

3. Firewalls

The intruder has very limited options for getting the data out.

Exfiltration of data is possible by:

1. FTP - detected in log files and traffic dumps

2. Communication via high port numbers - can trigger Packet Anomaly Detection Systems

3. Encoding data in the unused fields of packet headers - detected by IDS and PADS

The attacker will look for more covert ways of moving the data out of the compromised network. Hence, detection of network covert (storage and timing) channels is significant!!!

Page 5:

New

Covert_ts implementation of embedding covert messages in the TCP timestamp (the possibility has been discussed in the research community)

Proposed detection method based on the channel capacity (information theory)

Page 6:

Previous work - TCP Covert Tools

Most of the work has concentrated on covert storage channels rather than on timing covert channels.

TCP Covert Channels

Covert_TCP: IP identification field, TCP ISN field, TCP ACK number

Nushu: TCP ISN

Page 7:

Hierarchy of Covert Channels

Family of Covert Channels
  Steganography: Images / Audio / Executables
  Network Channels: TCP / IP Channels
  Text Manipulation: Word manipulation
  Operating Systems: Data Hiding / Alternate Data Streams
  Data Appending: EOF / Headers / Footers

Page 8:

IP Header

[Figure: IP header layout, with the fields that may be used as a covert channel marked]

Page 9:

TCP header

[Figure: TCP header layout, with the Timestamp option marked]

Page 10:

TCP Option - Timestamp

allows a host to accurately measure the round trip time of a path

consists of two 32 bit fields - TS Value and TS Echo Reply

TS Value is set by the 'timestamp clock' of the sender

use of TCP timestamps is not universal

Page 11:

Timestamp Low-bit Modulation

Covert_ts system

System requirements: Linux kernel 2.4.9 or higher, libpcap

Modulate the low bit of the TCP timestamp to convey data

At low bandwidths, the low bit of the timestamp is quite random

Page 12:

Timestamp Evaluation

Bandwidth: Low - one bit per TCP segment

Detection: extremely difficult for low bandwidth

Prevention: Moderate - take out the TCP timestamp option

Permissibility: all networks

Page 13:

Difficulty in Implementation

Timestamp clock's tick frequency is between 1 Hz and 1 kHz

Must be strictly monotonic

A fast connection will be slowed down while sending covert data

Page 14:

Sending component: a Linux kernel module that modifies outgoing TCP/IP traffic by replacing the hard_start_xmit function; it checks for a TCP packet with a timestamp, then calculates what the timestamp should be raised to, raises it and waits that long

Receiving component: sniffs incoming traffic using libpcap

Page 15:

Timestamp Detection - Fast

Sending of TCP segments will be slowed down to a fixed rate

Algorithm:
  Count the number of different and total timestamps sent by a particular host
  Calculate the ratio of total to different timestamps
  If a covert channel is in use the ratio will be close to 0.75, otherwise very close to 1

Page 16:

Timestamp Detection - Slow

Difficult to detect: the low bit is more random

Algorithm:
  Record all the low bits of the timestamp
  Put them through a complex randomness test
  If very random, then a covert channel is being used

To prevent: introduce some non-random data
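
Both statistics behind the fast and slow detection slides, computed over constructed records (an added example, not code from the slides or from the Covert_ts project): the hosts and timestamp values are made up, and the Wald-Wolfowitz runs test is my stand-in for the slide's unspecified randomness test.

```python
import math
from collections import defaultdict

# Constructed sample: (sending host, TCP timestamp value) pairs as they would be
# pulled from a capture. Hosts and values are made up for this example.
RECORDS = ([("10.0.0.5", t) for t in (100, 100, 100, 101, 101, 102, 102, 102)]
           + [("10.0.0.9", t) for t in (500, 501, 502, 503, 504, 505)])

def timestamp_ratios(records):
    """Fast-link test: per host, ratio of total to different timestamps."""
    per_host = defaultdict(list)
    for host, ts in records:
        per_host[host].append(ts)
    return {host: len(ts) / len(set(ts)) for host, ts in per_host.items()}

def low_bits(timestamps):
    """The sequence the slow-link test records: the low bit of each timestamp."""
    return [ts & 1 for ts in timestamps]

def runs_test_z(bits):
    """Wald-Wolfowitz runs test on a 0/1 sequence (one simple randomness test).

    Returns a z-score: near 0 means the run structure looks random,
    a large |z| means it does not (too few or too many runs).
    """
    ones = sum(bits)
    zeros = len(bits) - ones
    if zeros == 0 or ones == 0:          # constant sequence: maximally non-random
        return float("inf")
    runs = 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)
    n = zeros + ones
    mean = 2.0 * zeros * ones / n + 1    # expected number of runs under randomness
    var = (mean - 1) * (mean - 2) / (n - 1)
    return (runs - mean) / math.sqrt(var)

if __name__ == "__main__":
    for host, ratio in timestamp_ratios(RECORDS).items():
        print(f"{host}: total/different timestamps = {ratio:.2f}")
    host_bits = low_bits([ts for h, ts in RECORDS if h == "10.0.0.9"])
    print("runs-test z for 10.0.0.9 low bits:", round(runs_test_z(host_bits), 3))
```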

Page 17:

Timing Covert Channel

use packet inter-arrival times, not header or payload embedded information, to encode covert messages

regularity of a timing channel and channel capacity can be used to detect covert communication

Page 18:

Investigation

sending and receiving data bypassing the usual intrusion detection techniques

exploiting time delays between transmitted packets

Given a chain of consecutive delays ∆ti, is it possible to say with a certain probability that there has been malicious intent?

Page 19:

An intruder is able to control machine A (inside the LAN) and use it to exfiltrate data coded in inter-packet delays

X does not have to be the destination for the network packets

X must be on the path so that the packets may be intercepted and their inter-packet delays can be measured

The fewer hops between X and A, the more accurate the delay will be

[Figure: machine A in the LAN sends packets over the Internet to the Receiver; observation point X on the path measures the inter-packet delays ∆t1, ∆t2, ∆t3]

Page 20:

Assumptions

An attacker will pick an encoding that will yield a decent bandwidth on average, while being sufficiently stealthy

The best coding system attains the Shannon limit (core of the detection mechanism)

Page 21:

Attacker

will not choose a random distribution on the delays but try to maximize the Shannon channel capacity

The Shannon capacity of a discrete memoryless channel:

  C = max over P_X of I(X;Y)

where P_X is a probability distribution on the input symbols and I(X;Y) is the mutual information between X and Y (i.e. the dependence between the two random variables)

Page 22:

Arimoto-Blahut algorithm

finds an input symbol distribution that maximizes the channel capacity

1. Initialization

2. Recursion

3. Termination

Page 23:

Proposed method

Based on network characteristics, guess the coding system that the attacker may use

Analyze the emitted symbols to see if they match such a distribution (Statistical Analysis)

If yes, covert communication is taking place
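
The capacity computation of pages 21 and 22 and the comparison step of page 23 in one piece of added example code (not code from the slides): the three-bin delay channel matrix and the observed symbol stream are constructed for illustration, and total variation distance is my choice of comparison statistic, which the slides leave unspecified.

```python
import math

def blahut_arimoto(W, max_iter=5000, tol=1e-10):
    """Arimoto-Blahut iteration for a discrete memoryless channel.

    W[x][y] = P(Y = y | X = x); every row sums to 1.
    Returns (capacity in bits, capacity-achieving input distribution P_X).
    """
    m, n = len(W), len(W[0])
    p = [1.0 / m] * m                                   # 1. Initialization: uniform P_X
    for _ in range(max_iter):
        q = [sum(p[x] * W[x][y] for x in range(m)) for y in range(n)]   # output law
        # c[x] = 2^D(W(.|x) || q): how much input x stands out under the current P_X
        c = [2.0 ** sum(W[x][y] * math.log2(W[x][y] / q[y])
                        for y in range(n) if W[x][y] > 0) for x in range(m)]
        lower = math.log2(sum(p[x] * c[x] for x in range(m)))   # lower bound on C
        upper = math.log2(max(c))                               # upper bound on C
        p = [p[x] * c[x] / 2.0 ** lower for x in range(m)]      # 2. Recursion: reweight P_X
        if upper - lower < tol:                                 # 3. Termination: bounds meet
            break
    return lower, p

def symbol_frequencies(symbols, alphabet_size):
    """Empirical distribution of the delay symbols seen at the observation point."""
    counts = [0] * alphabet_size
    for s in symbols:
        counts[s] += 1
    return [k / len(symbols) for k in counts]

def total_variation(p, q):
    """Distance between two distributions on the same alphabet, in [0, 1]."""
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))

# Constructed channel: the sender picks one of three inter-packet delay bins and
# network jitter moves a fraction of the packets into a neighbouring bin.
DELAY_CHANNEL = [
    [0.90, 0.10, 0.00],
    [0.10, 0.80, 0.10],
    [0.00, 0.10, 0.90],
]

if __name__ == "__main__":
    capacity, p_star = blahut_arimoto(DELAY_CHANNEL)
    print(f"capacity {capacity:.4f} bits/symbol, optimal P_X {[round(v, 3) for v in p_star]}")
    # Constructed observed stream; a capacity-seeking sender would stay close to p_star.
    observed = symbol_frequencies([0, 2, 0, 2, 1, 0, 2, 0, 2, 2, 0, 1], 3)
    print("total variation from the optimum:", round(total_variation(observed, p_star), 3))
```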

Page 24:

Issues

Optimal input delay distribution may not be unique

Channel matrix is not constant over time (depends on network traffic)

Page 25:

Future Work

Run experiments with a specified number of hops (approx. 25)

Find the channel matrix for a discrete input alphabet

Once the channel matrix is complete, the Shannon capacity can be estimated through the Arimoto-Blahut algorithm
