Model-Based Covert Timing Channels: Automated Modeling and Evasion. Steven Gianvecchio, Haining Wang, Duminda Wijesekera, and Sushil Jajodia.

Presentation transcript:

Model-Based Covert Timing Channels: Automated Modeling and Evasion
Steven Gianvecchio (1), Haining Wang (1), Duminda Wijesekera (2), and Sushil Jajodia (2)
(1) College of William and Mary
(2) George Mason University

RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion

Outline
- Background
- Covert Timing Channels
- Model-Based Framework
- Experimental Evaluation
  - Capacity
  - Detection Resistance
- Conclusion


Background
- Covert Channels
  - manipulate shared resources to transfer information
  - hide communication (or extra communication)
  - exfiltrate sensitive data (e.g., keys, passwords)

Background
- Types of Covert Channels
  - the shared resource determines the type
  - covert storage channels (e.g., packet header fields)
  - covert timing channels (e.g., packet arrival times)


Covert Timing Channels
- Main Goals
  - high capacity
  - strong detection resistance
- Capacity
  - bits/time unit, not bits/symbol

Covert Timing Channels
- OPtimal Capacity (OPC)
  - send information as fast as possible
  - E(X), the mean inter-packet delay, is small (1,000s of packets/second)
- Fixed-average Packet Rate (FPR)
  - send information as fast as possible with a fixed-average packet rate
  - E(X) is fixed (a few packets/second)


Model-Based Framework
- The Framework
  - filters and analyzes legitimate traffic
  - encodes and transmits covert traffic

Components
- Filter
  - filters input for the specified type of traffic (e.g., outgoing HTTP)
  - outputs legitimate IPDs (inter-packet delays)

Components
- Analyzer
  - fits the legitimate IPDs to several models using MLE (blocks of 100 IPDs)
  - selects the model with the lowest RMSE
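The analyzer step above, as an added example that is not the authors' code: fit candidate models to a block of IPDs by maximum likelihood and keep the one whose CDF has the lowest RMSE against the empirical CDF. The slide states MLE fitting, blocks of 100 IPDs and lowest-RMSE selection; the two candidate families used here (exponential and lognormal, chosen because both have closed-form MLEs), the `select_model`/`analyze_blocks` names and the synthetic samples are this example's own assumptions and stand in for the Weibull fit and the HTTP trace of the paper. The same fitting loop is what a defender would run to build a baseline model of a link's timing before looking for deviations from it.

```python
"""
Added example (not the authors' code): MLE fitting of candidate IPD models
and lowest-RMSE selection, as described on the "Analyzer" slide.
Candidate families (exponential, lognormal) and the sample inputs are
this example's assumptions.
"""
import math
import random


def fit_exponential(ipds):
    """MLE for an exponential model: rate = 1 / sample mean."""
    return {"family": "exponential", "rate": len(ipds) / sum(ipds)}


def fit_lognormal(ipds):
    """MLE for a lognormal model: mean and std dev of log(IPD)."""
    logs = [math.log(x) for x in ipds]
    mu = sum(logs) / len(logs)
    sigma = math.sqrt(sum((v - mu) ** 2 for v in logs) / len(logs))
    return {"family": "lognormal", "mu": mu, "sigma": max(sigma, 1e-12)}


def model_cdf(model, x):
    """Cumulative distribution function of a fitted model at x > 0."""
    if model["family"] == "exponential":
        return 1.0 - math.exp(-model["rate"] * x)
    if model["family"] == "lognormal":
        z = (math.log(x) - model["mu"]) / (model["sigma"] * math.sqrt(2.0))
        return 0.5 * (1.0 + math.erf(z))
    raise ValueError("unknown model family: " + model["family"])


def rmse_against_empirical(model, ipds):
    """RMSE between the model CDF and the empirical CDF at the sorted sample points."""
    xs = sorted(ipds)
    n = len(xs)
    total = 0.0
    for i, x in enumerate(xs):
        total += (model_cdf(model, x) - (i + 1) / n) ** 2
    return math.sqrt(total / n)


def select_model(ipds, fitters=(fit_exponential, fit_lognormal)):
    """Fit every candidate by MLE; return (best_model, rmse) for the lowest RMSE."""
    ipds = [x for x in ipds if x > 0]  # both families are defined on positive delays
    scored = []
    for fit in fitters:
        model = fit(ipds)
        scored.append((rmse_against_empirical(model, ipds), model))
    best_rmse, best_model = min(scored, key=lambda pair: pair[0])
    return best_model, best_rmse


def analyze_blocks(ipds, block_size=100):
    """Select a model per consecutive block of IPDs (the slide uses blocks of 100)."""
    results = []
    for start in range(0, len(ipds) - block_size + 1, block_size):
        model, rmse = select_model(ipds[start:start + block_size])
        results.append((model["family"], rmse))
    return results


def sample_exponential(n, rate, seed):
    """Constructed input: i.i.d. exponential IPDs (synthetic, not real traffic)."""
    rng = random.Random(seed)
    return [rng.expovariate(rate) for _ in range(n)]


def sample_lognormal(n, mu, sigma, seed):
    """Constructed input: i.i.d. lognormal IPDs (synthetic, not real traffic)."""
    rng = random.Random(seed)
    return [rng.lognormvariate(mu, sigma) for _ in range(n)]


if __name__ == "__main__":
    # ~3 packets/second, the rate of the page's HTTP scenario, over 10 blocks of 100.
    for family, rmse in analyze_blocks(sample_exponential(1000, 3.0, seed=7)):
        print(f"block model: {family:11s} RMSE={rmse:.4f}")
```

Selection is by goodness of fit of the CDF rather than by likelihood, which is why a one-parameter family can beat a two-parameter one on data it actually generated; with 100-IPD blocks the empirical CDF is noisy enough that the choice can flip between blocks, so a baseline should be drawn from many blocks rather than one.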

Components
- Encoder
  - uses the IDF (inverse distribution function) of the model
  - generates covert IPDs that mimic the legitimate traffic

Encoding / Decoding
1. Continuize
2. Encode
3. Decode
4. Discretize

Components
- Transmitter
  - sends out packets with covert IPDs
- Receiver and Decoder
  - receive packets and decode the message

Model-Based Framework
- Implementation Details
  - components run in user space
  - filter, encoder, transmitter written in C, plus inline assembly for RDTSC
  - analyzer written in MATLAB


Experimental Evaluation
- Test Scenarios
  - LAN, WAN East-to-East, WAN East-to-West

              LAN        WAN-EE     WAN-EW
distance      0.3 mi     525 mi     2660 mi
RTT           1.7 ms     59.6 ms    87.2 ms
IPDV          2.5e…      …e-03      2.1e-04
hops          3          18         13

IPDV – inter-packet delay variation

Test Setup
- MB-HTTP
  - Weibull: avg. λ = …, avg. k = …
  - E(X) is … (~3 packets/second)
- OPC
  - E(X) is 7.31e-3 to 7.87e-5 (1,515 to 12,777 packets/second)
- FPR
  - Exponential: λ = …
  - E(X) is … (~3 packets/second)

Theoretical Capacity
- LAN, WAN East-East, WAN East-West

channel   | LAN (CPP, CPS) | WAN-EE (CPP, CPS) | WAN-EW (CPP, CPS)
MB-HTTP   | …              | …                 | …
OPC       | 0.506, …       | …                 | …
FPR       | …              | …                 | …
CPP – capacity/packet, CPS – capacity/second (most numeric entries are missing from the transcript)

- OPC has the highest capacity
- MB-HTTP and FPR are close

Empirical Capacity
- WAN East-East
  - MB-HTTP versus FPR
  - capacity and bit error degrade quickly

Empirical Capacity
- WAN East-West
  - MB-HTTP versus FPR
  - capacity and bit error degrade slowly

Empirical Capacity
- LAN, WAN East-East, WAN East-West

channel   | LAN (CPP, CPS) | WAN-EE (CPP, CPS) | WAN-EW (CPP, CPS)
MB-HTTP   | …              | …                 | …
OPC       | , ,512 (fragment as extracted)
FPR       | …              | …                 | …
CPP – capacity/packet, CPS – capacity/second (most numeric entries are missing from the transcript)

- OPC again has the highest capacity
- MB-HTTP and FPR are still close

Detection Resistance

Tests of Shape:
- Kolmogorov-Smirnov test, where s1 and s2 are distribution functions

Tests of Regularity:
- The regularity test (Cabuk 2004)
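The two detection tests named on this slide, as an added example that is not the authors' code, run over constructed IPD samples the way a network monitor would apply them. `ks_statistic` is the standard two-sample Kolmogorov-Smirnov distance, the largest gap between the two empirical distribution functions s1 and s2. `regularity` follows the Cabuk et al. 2004 test as it is usually stated: split the IPD sequence into windows of w, take the standard deviation σ_i of each window, and report the standard deviation of |σ_i − σ_j| / σ_i over all pairs i < j; a fixed-rate source scores low because every window looks alike. The "bursty" and "constant-rate" generators, their parameters and the function names are this example's assumptions and stand in for the LEGIT-HTTP and FPR traffic of the paper.

```python
"""
Added example (not the authors' code): KS test and Cabuk-style regularity
test over constructed IPD samples. Sample generators are synthetic stand-ins
for the paper's LEGIT-HTTP trace and FPR channel.
"""
import math
import random


def ks_statistic(sample1, sample2):
    """Two-sample KS statistic: largest gap between the two empirical CDFs."""
    a, b = sorted(sample1), sorted(sample2)
    n, m = len(a), len(b)
    i = j = 0
    d_max = 0.0
    while i < n and j < m:
        x = min(a[i], b[j])
        while i < n and a[i] <= x:  # advance past ties in both samples
            i += 1
        while j < m and b[j] <= x:
            j += 1
        d_max = max(d_max, abs(i / n - j / m))
    return d_max


def _stdev(values):
    mean = sum(values) / len(values)
    return math.sqrt(sum((v - mean) ** 2 for v in values) / len(values))


def regularity(ipds, w):
    """Regularity score (Cabuk 2004) over non-overlapping windows of w IPDs:
    stdev of |sigma_i - sigma_j| / sigma_i for all window pairs i < j."""
    sigmas = [_stdev(ipds[k:k + w]) for k in range(0, len(ipds) - w + 1, w)]
    ratios = [abs(s_i - s_j) / s_i
              for idx, s_i in enumerate(sigmas) if s_i > 0
              for s_j in sigmas[idx + 1:]]
    return _stdev(ratios) if len(ratios) > 1 else 0.0


def bursty_sample(n, w, seed):
    """Constructed stand-in for legitimate traffic: Weibull IPDs whose scale
    swings between 0.1 s and 1.0 s every w packets, so windows differ a lot."""
    rng = random.Random(seed)
    out = []
    for k in range(n):
        scale = 0.1 if (k // w) % 2 == 0 else 1.0
        out.append(rng.weibullvariate(scale, 0.6))
    return out


def constant_rate_sample(n, rate, seed):
    """Constructed stand-in for an FPR-style source: i.i.d. exponential IPDs
    at a fixed average packet rate, so every window looks alike."""
    rng = random.Random(seed)
    return [rng.expovariate(rate) for _ in range(n)]


def score_samples(n=2000, w=100):
    """Score a legitimate and a covert-like sample against a legitimate reference."""
    reference = bursty_sample(n, w, seed=1)
    legit = bursty_sample(n, w, seed=2)
    covert = constant_rate_sample(n, 3.0, seed=3)
    return {
        "ks_legit": ks_statistic(reference, legit),     # small: same shape as reference
        "ks_covert": ks_statistic(reference, covert),   # large: different shape
        "reg_legit": regularity(legit, w),              # large: windows vary
        "reg_covert": regularity(covert, w),            # small: windows alike
    }


if __name__ == "__main__":
    for name, value in score_samples().items():
        print(f"{name:10s} {value:.3f}")
```

The scores separate a fixed-rate source from bursty traffic because the two tests look at different things: KS compares the shape of the IPD distribution against a legitimate reference, while regularity looks only at how much the variance drifts from window to window. The slides that follow show why both are needed, and why a channel that mimics the legitimate model defeats both.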

KSTEST

sample size   | LEGIT-HTTP (mean, std dev) | MB-HTTP (m., s.d.) | FPR (m., s.d.) | OPC (m., s.d.)
100x2,000     | …                          | …                  | …              | …
100x10,000    | …                          | …                  | …              | …
100x50,000    | …                          | …                  | …              | …
100x250,000   | …                          | …                  | …              | …
(numeric scores are missing from the transcript)

- KSTEST scores
  - high mean and low s.d. for FPR and OPC
  - similar mean and s.d. for LEGIT and MB-HTTP

KSTEST
- KSTEST distribution
  - similar distributions for LEGIT-HTTP and MB-HTTP scores

KSTEST
- KSTEST distribution
  - LEGIT-HTTP and MB-HTTP overlap even with 250,000 packets

KSTEST

sample size   | LEGIT-HTTP (FP) | MB-HTTP (TP) | FPR (TP) | OPC (TP)
100x2,000     | …               | …            | …        | …
100x10,000    | …               | …            | …        | …
100x50,000    | …               | …            | …        | …
100x250,000   | …               | …            | …        | …
(numeric rates are missing from the transcript)

- KSTEST detection rates
  - FPR and OPC are detected easily
  - FP equals TP for LEGIT and MB-HTTP

regularity

sample size        | LEGIT-HTTP (mean) | MB-HTTP (mean) | FPR (mean) | OPC (mean)
100x2,000, w=…     | …                 | …              | …          | …
100x2,000, w=…     | …                 | …              | …          | …
(numeric scores and window sizes are missing from the transcript)

- regularity scores
  - similar mean for LEGIT and MB-HTTP

regularity

sample size        | LEGIT-HTTP (FP) | MB-HTTP (TP) | FPR (TP) | OPC (TP)
100x2,000, w=…     | …               | …            | …        | …
100x2,000, w=…     | …               | …            | …        | …
(numeric rates and window sizes are missing from the transcript)

- regularity detection rates
  - MB-HTTP is not detected at all
  - again FPR and OPC are detected easily


Conclusion
- Model-Based Covert Timing Channels
  - can be built automatically
  - effective even in the coast-to-coast scenario
  - capacity is very close to FPR
  - much stronger detection resistance than FPR and OPC

Conclusion (cont.)
- Future Work
  - investigate detection methods for model-based covert timing channels
  - explore other, more advanced covert timing channel designs (e.g., non-parametric models)

Questions? Thank You!