Using a Novel Blending Method Over Multiple Network Connections for Secure Communications
Jaime C. Acosta and John Medrano
U.S. Army Research Laboratory
Motivation
Network attack steps:
1. Locate a network
2. Analyze traffic
3. Identify target
4. Scan nodes for vulnerabilities
5. Execute exploit
Issue: node addresses and traffic flows
Speaker notes: Vis: can I run scans on the machines? Gen: does this look like proprietary traffic? Insider attackers could analyze interesting traffic, or in a war scenario someone could go look at traffic (if non-IP, unknown protocols, etc.). Even if on a different band, it may be seen one day, but this will be hidden under their noses, so it won't look anomalous.

Motivation - From a defensive perspective
Covert communication is traditionally seen as adversarial (data exfiltration).
From a defensive perspective it can:
- Hide data in decoy traffic
- Hide node endpoints
- Avoid scanning
- Avoid suspicion for critical data
Covert Communication
Timing channels:
- Timing anomalies
- Generally low throughput
Data channels:
- Unused fields, invalid messages
- Once documented, identification is trivial

Objectives
- Scalable throughput
- Reliable
- Dynamic insertion point selection
Research Question Can we leverage characteristics of network flows for covert, secure communication?
Envisioned Approach
Diagram: nodes A through F on a shared network; covert communicators; promiscuous traffic over connections Conn1 through Conn8.
Connections:
1. Unidirectional
2. Fixed-size messages sharing the same
   a. source and destination MAC, IP, and ports
   b. protocol type
3. Have an update rate
4. Have a complexity measure

Connection Name   Communication Rate   Connection Complexity
Conn1             5 msg/sec            Low
Conn2             10 msg/sec           Med
Conn3             1 msg/sec            High
...

Hide data within high-complexity payloads.
Speaker notes: This research is a first step (hub, then multicast, wireless, then drivers, etc.). Define connections: connections are fixed-size, unidirectional network flows between two nodes. State benefits here.
Methodology
- Implement a system
- Evaluate parameters for determining insertion points
  - Vary parameter values
  - Measure throughput and reliability

Network Blending Communication System (NBCS)
Network -> Analysis Subsystem -> Display Subsystem / Communications Subsystem; Configuration
Speaker notes: Highlight one at a time and describe each.
NBCS Analysis Subsystem
Packets from the network are kept in connections (Connection 1, Connection 2, Connection 3, ...). Each connection carries fixed-size messages with byte positions b0 b1 b2 b3 b4. For the packets received during a window, a frequency distribution is built for each byte position, giving per-byte complexities c0 c1 c2 c3 c4. These are min/max normalized (Min/Max = byteComplexities), and their sum is the connection complexity C.
Speaker notes: Separate onto multiple slides. Keep this, but give example values for b0-b4 and c0-c4? Say that c0-c4 are histograms. Insert a max/min from connection1 to byte complexities. After each window, the complexity of each connection is calculated by summing the complexities of its bytes. Say we're assuming unknown covert data, so a minimum of 0 will give a complexity of 0.
Communications Subsystem
- Covert data queue
- Latest packets with sufficient byteComplexities, one per connection (Connection 1 with sufficient complexity, ..., Connection 4 with sufficient complexity)
- Check rateToUse
- Attach Sync and Checksum Bytes
Speaker notes: Change green to blue and change blue to something else to match the previous slide. Separate onto multiple slides. After each window, the latest packets with sufficient complexity are selected (one per connection). The green areas show the series of bytes with sufficient complexity.
Display Subsystem
Requirements - How it can be done
Hub: promiscuous by default
Switch: port mirroring
Wireless: within distance
Multicast: within group
Speaker notes: Started with the simplest case.
Evaluation - Network Setup
                   Load A           Load B
Overt Nodes        6                12
Packets/sec        80-100           5200-5500
Bytes/sec          95KB - 115KB     2.7MB - 3.5MB
# of Connections   15-20 (6 UDP)    40-50 (6 UDP)

Evaluation
Controlled parameters (favoring low detectability):
- Window Size = 1000ms
- Sync Bytes = 2
- Checksum Bytes = 2
- Protocol to Use = UDP
- Rate Threshold = 10
- Rate to Use = 0.1
Speaker notes: Startup procedure: covert receiver started 5 seconds after covert sender; send buffer always full.

Evaluation
Independent variable: Byte Complexity Threshold [0.1-0.9]
Dependent variables: Throughput, Packet loss
Procedure:
- Covert sender and receiver start simultaneously
- Covert data buffer is always full
- Run for 5 minutes
Results - Throughput
Results – Packet Loss
Future Work
- More beneficial to hide covert data based on byte similarity?
- Wireless and multicast traffic?
- Automatic parameter tuning in real time depending on network characteristics?
Questions
Preliminary Wireless Tests
NBCS Analysis Subsystem - Sample byte complexities
The value ranges for the bytes are stored in eight bins (x-axis). Each time a new packet is received, the bin corresponding to the byte value is incremented (y-axis). The leftmost histogram is for a byte that exhibits a predominant value with some occurrences of surrounding values. The middle histogram shows a byte value that is mostly evenly distributed (which is most favored for covert data placement), while the rightmost graph shows a byte value that has three discrete value ranges.
Speaker notes: Separate onto multiple slides. Will include a better slide from the q review.

NBCS Analysis Subsystem
Connection 1 (byte positions b0 b1 b2 b3 b4), packets during window -> Min/Max -> sum c0 c1 c2 c3 c4 -> C (Connection 1 complexity); byteComplexities. Connection 2, Connection 3, ...
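As an added example (not the NBCS code from the slides), the analysis step described on the Analysis Subsystem slides and the sample-histogram slide above: packets are grouped into fixed-size unidirectional connections, an eight-bin histogram is built per byte position over the window, each byte gets a complexity, the values are min/max scaled with the minimum fixed at 0, and the connection complexity C is their sum. Scaled Shannon entropy as the per-byte measure, reading Rate Threshold as a minimum message count per window, and all sample addresses are assumptions, since the slides do not fix them.

```python
# Added example, not NBCS code: per-byte complexity analysis of fixed-size
# connections in one window. Eight-bin histograms are from the slides; scaled
# Shannon entropy, c/max scaling and the Rate Threshold meaning are assumptions.
from collections import defaultdict
from math import log2
NUM_BINS = 8  # value-range bins per byte position

def connection_key(pkt):
    # Connection: same src/dst MAC, IP, ports, protocol, and fixed message size.
    return (pkt["src_mac"], pkt["dst_mac"], pkt["src_ip"], pkt["dst_ip"],
            pkt["src_port"], pkt["dst_port"], pkt["proto"], len(pkt["payload"]))

def byte_histograms(payloads):
    # One histogram per byte position; each message increments one bin per byte.
    hists = [[0] * NUM_BINS for _ in range(len(payloads[0]))]
    for payload in payloads:
        for pos, value in enumerate(payload):
            hists[pos][value * NUM_BINS // 256] += 1
    return hists

def bin_complexity(hist):
    # Assumed measure: Shannon entropy over the bins, scaled to [0, 1].
    total = sum(hist)
    entropy = -sum(n / total * log2(n / total) for n in hist if n)
    return entropy / log2(NUM_BINS)

def analyze_window(packets, byte_threshold, rate_threshold):
    # Group the window's packets into connections and score every byte position.
    conns = defaultdict(list)
    for pkt in packets:
        conns[connection_key(pkt)].append(pkt["payload"])
    report = {}
    for key, payloads in conns.items():
        raw = [bin_complexity(h) for h in byte_histograms(payloads)]
        peak = max(raw) or 1.0        # min fixed at 0, so min/max scaling is c / max
        byte_cx = [c / peak for c in raw]
        report[key] = {
            "rate": len(payloads),                        # messages in this window
            "eligible": len(payloads) >= rate_threshold,  # assumed Rate Threshold check
            "complexity": sum(byte_cx),                   # connection complexity C
            "byte_complexities": byte_cx,
            "candidates": [i for i, c in enumerate(byte_cx) if c >= byte_threshold],
        }
    return report

# Constructed sample: one UDP connection carrying eight 5-byte messages.
HDR = {"src_mac": "02:00:00:00:00:01", "dst_mac": "02:00:00:00:00:02", "src_ip": "10.0.0.1",
       "dst_ip": "10.0.0.2", "src_port": 4000, "dst_port": 5000, "proto": "UDP"}
SAMPLE = [dict(HDR, payload=bytes([0x10, k * 32, 0xFF * (k % 2), 0x80 if k >= 4 else k * 32, 0x7F]))
          for k in range(8)]
```

In the sample, byte 0 and byte 4 are constant (complexity 0), byte 1 sweeps every bin (complexity 1.0), so only bytes 1 and 3 pass a 0.5 threshold; scaling is per connection, so a sparse flow with one varying byte still reports that byte at 1.0.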