Using a Novel Blending Method Over Multiple Network Connections for Secure Communications
Jaime C. Acosta and John Medrano, U.S. Army Research Laboratory

Motivation
Network attack steps:
- Locate a network
- Analyze traffic
- Identify target
- Scan nodes for vulnerabilities
- Execute exploit
Issue: node addresses and traffic flows
Speaker notes: Vis: can I run scans on the machines? Gen: does this look like proprietary data? Insider attackers could analyze interesting traffic, or in a war scenario someone could go look at traffic (if non-IP, unknown protocols, etc.). Even if it is on a different band it may be seen one day, but this will be hidden under their noses, so it won't look anomalous.

Motivation: Covert Communication
Traditionally seen as adversarial:
- Data exfiltration
From a defensive perspective:
- Hide data in decoy traffic
- Hide node endpoints
- Avoid scanning
- Avoid suspicion for critical data

Covert Communication
Timing channels:
- Timing anomalies
- Generally low throughput
Data channels:
- Unused fields, invalid messages
- Once documented, identification is trivial

Objectives
- Scalable throughput
- Reliable
- Dynamic insertion point selection

Research Question
Can we leverage characteristics of network flows for covert, secure communication?

Envisioned Approach
[Figure: six nodes A, B, C, D, E, F on a shared network]
Speaker notes: This research is a first step (hub, then multicast, wireless, then drivers, etc.). Define connections: connections are fixed-size, unidirectional network flows between two nodes. State benefits here.

Envisioned Approach
[Figure: six nodes A, B, C, D, E, F on a shared network]
Connections:
1. Unidirectional
2. Fixed-size messages sharing the same
   a. source and destination MAC, IP, and ports
   b. protocol type
3. Have an update rate
4. Have a complexity measure

Envisioned Approach
[Figure: nodes A-F; A and B are labelled Covert Communicators; connections Conn1 through Conn8 run among the nodes, the ones not used by A and B labelled Promiscuous Traffic]
Connection Name | Communication Rate | Connection Complexity
Conn1 | 5 msg/sec | Low
Conn2 | 10 msg/sec | Med
Conn3 | 1 msg/sec | High
...

Envisioned Approach
Hide data within high-complexity payloads
[Figure: same as the previous slide, nodes A-F, Covert Communicators A and B, connections Conn1 through Conn8, Promiscuous Traffic]
Connection Name | Communication Rate | Connection Complexity
Conn1 | 5 msg/sec | Low
Conn2 | 10 msg/sec | Med
Conn3 | 1 msg/sec | High
...

Methodology
Implement a system
- Parameters for determining insertion points
Evaluate
- Vary parameter values
- Measure throughput and reliability

Network Blending Communication System (NBCS)
[Figure: Analysis Subsystem, Display Subsystem, Communications Subsystem, Configuration]
Speaker notes: Highlight one at a time and describe each.

NBCS Analysis Subsystem
[Figure: packets from the Network are sorted into Connection 1, Connection 2, Connection 3; for Connection 1, the packets captured during one window are drawn as rows of byte positions b0 b1 b2 b3 b4]
Packets from the network are kept in connections. After each window, a complexity value is calculated for each byte position, and the complexity of the connection is the sum of the complexities of its bytes.
Speaker notes: Separate onto multiple slides. Keep this, but give example values for b0-b4 and c0-c4? Say that c0-c4 are histograms. Insert a max/min from Connection 1 to byte complexities.

NBCS Analysis Subsystem
[Figure: Min/Max step producing byteComplexities]
Speaker notes: Say we're assuming unknown covert data, so a minimum of 0 will give a complexity of 0.

NBCS Analysis Subsystem
[Figure: Network -> Connection 1 (packets during window, byte positions b0 b1 b2 b3 b4) -> Freq. Distribution per byte position -> byteComplexities c0 c1 c2 c3 c4 -> sum -> C, the Connection 1 complexity; Connection 2 and Connection 3 are processed the same way]

Communications Subsystem
[Figure: NBCS system fed by the Network; Analysis Subsystem, Display Subsystem, Communications Subsystem, Configuration]

Communications Subsystem
[Figure: Covert data queue; Connection 1 with sufficient complexity ...; Connection 4 with sufficient complexity ...; latest packets with sufficient byteComplexities]
After each window, the latest packets with sufficient complexity are selected (one per connection). The green areas show the series of bytes with sufficient complexity.
Speaker notes: Change green to blue and change blue to something else to match the previous slide. Separate onto multiple slides.

Communications Subsystem
[Figure: Covert data queue; Connection 1 with sufficient complexity ...; Connection 4 with sufficient complexity ...; latest packets with sufficient byteComplexities; step "check rateToUse"; step "Attach Sync and Checksum Bytes"]
After each window, the latest packets with sufficient complexity are selected (one per connection). The green areas show the series of bytes with sufficient complexity.

Communications Subsystem
[Figure: NBCS System fed by the Network; Analysis Subsystem, Display Subsystem, Communications Subsystem, Configuration]

Display Subsystem

Requirements - How it can be done
Hub: promiscuous by default
Switch: port mirroring
Wireless: within distance
Multicast: within group
Started with the simplest case

Evaluation - Network Setup
                 | Load A        | Load B
Overt Nodes      | 6             | 12
Packets/sec      | 80-100        | 5200-5500
Bytes/sec        | 95KB - 115KB  | 2.7MB - 3.5MB
# of Connections | 15-20 (6 UDP) | 40-50 (6 UDP)

Evaluation
Controlled (favoring low detectability):
- Window Size = 1000 ms
- Sync Bytes = 2
- Checksum Bytes = 2
- Protocol to Use = UDP
- Rate Threshold = 10
- Rate to Use = 0.1
Speaker notes: Startup procedure: covert receiver started 5 seconds after covert sender; send buffer always full.

Evaluation
Independent:
- Byte Complexity Threshold [0.1-0.9]
Dependent:
- Throughput
- Packet loss
Procedure:
- Covert sender and receiver start simultaneously
- Covert data buffer is always full
- Run for 5 minutes
Speaker notes: Startup procedure: covert receiver started 5 seconds after covert sender; send buffer always full.

Results - Throughput

Results – Packet Loss

Future Work
- More beneficial to hide covert data based on byte similarity?
- Wireless and multicast traffic?
- Automatic parameter tuning in real time depending on network characteristics?

Questions

Preliminary Wireless Tests

NBCS Analysis Subsystem - Sample byte complexities
[Figure: three histograms of byte values, one per example byte position]
The value ranges for the bytes are stored in eight bins (x-axis). Each time a new packet is received, the bin corresponding to the byte value is incremented (y-axis). The leftmost histogram is for a byte that exhibits a predominant value with some occurrences of surrounding values. The middle histogram shows a byte value that is mostly evenly distributed (which is most favored for covert data placement), while the rightmost graph shows a byte value that has three discrete value ranges.
Speaker notes: Separate onto multiple slides. Will include better slide from Q review.

NBCS Analysis Subsystem
[Figure: Network -> Connection 1 (packets during window, byte positions b0 b1 b2 b3 b4) -> Min / Max -> byteComplexities c0 c1 c2 c3 c4 -> sum -> C, the Connection 1 complexity; Connection 2 and Connection 3 are processed the same way]
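The analysis step described on the slides above (eight-bin histogram per byte position over one window, byte complexities c0..c4, their sum C as the connection complexity, and a byte-complexity threshold that picks candidate positions), as an added Python example; this is not the NBCS code. It assumes normalized entropy of the eight bins as the complexity measure, which the slides do not name, and the sample window is constructed to reproduce the three histogram shapes on the "Sample byte complexities" slide.

```python
import math

NUM_BINS = 8  # the slides store each byte position's values in eight bins


def byte_histograms(packets):
    """One NUM_BINS-bin histogram per byte offset over one window of a connection.
    Messages of a connection are fixed-size, so every packet has the same length."""
    length = len(packets[0])
    hists = [[0] * NUM_BINS for _ in range(length)]
    for pkt in packets:
        if len(pkt) != length:
            raise ValueError("connections carry fixed-size messages")
        for offset, value in enumerate(pkt):
            hists[offset][value * NUM_BINS // 256] += 1
    return hists


def byte_complexity(hist):
    """Complexity score in [0, 1] for one byte offset (assumption: normalized
    Shannon entropy of the bin counts; the slides do not name the measure).
    A constant byte scores 0; a byte spread evenly over all bins scores 1."""
    total = sum(hist)
    if total == 0:
        return 0.0
    entropy = -sum(c / total * math.log2(c / total) for c in hist if c)
    return entropy / math.log2(NUM_BINS)


def analyze_window(packets, threshold):
    """Returns (byte complexities c0..cN, connection complexity C,
    offsets whose complexity reaches the byte-complexity threshold)."""
    comps = [byte_complexity(h) for h in byte_histograms(packets)]
    usable = [i for i, c in enumerate(comps) if c >= threshold]
    return comps, sum(comps), usable


def sample_window():
    """Constructed window of 16 five-byte messages (b0..b4): b0 constant,
    b1 evenly spread, b2 one dominant value with two neighbours,
    b3 three discrete ranges, b4 mixed values."""
    pkts = []
    for i in range(16):
        b2 = {3: 0x7F, 9: 0x81}.get(i, 0x80)
        pkts.append(bytes([0x10, i * 16, b2, (0x00, 0x60, 0xC0)[i % 3], (i * 37) & 0xFF]))
    return pkts


if __name__ == "__main__":
    comps, total, usable = analyze_window(sample_window(), threshold=0.5)
    print("byte complexities:", [round(c, 3) for c in comps])
    print("connection complexity:", round(total, 3), "usable offsets:", usable)
```

Raising the threshold from 0.5 to 0.9 drops the three-range byte b3 from the usable set and leaves only the evenly spread b1 and the mixed b4, which is the trade-off the evaluation slides vary.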