
COVERT STORAGE CHANNEL MODULE


1 COVERT STORAGE CHANNEL MODULE
Xenia Mountrouidou, College of Charleston; Xiangyang Li, Johns Hopkins University Information Security Institute

2 Outline
- Start reserving your topology
- Learning Goals
- Audience
- Background
- Variations

3 Reserve Topology Go to: https://goo.gl/KTOVfA
Use the Rspec: berPaths/files/csc_lab_rspec.txt

4 Learning Goals
- Generate regular traffic based on a distribution
- Generate covert storage channel traffic with TCP flag manipulation
- Analyze the TCP packets
- Detect the presence of covert storage traffic in a network using entropy
- Use Wireshark and GENI

5 Audience: CS majors. Some background work is needed.

6 Background
- Linux, SFTP and Wireshark
- Covert Storage Channels
- TCP Flags
- GENI

7 What are Covert Storage Channels?
A Covert Storage Channel is a communications channel that is hidden within the medium of a legitimate communications channel. Covert channels manipulate a communications medium in an unexpected or unconventional way, using resources that are not meant for communication in order to transmit information in an undetectable manner. How do we use TCP flags as carriers? A Covert Storage Channel uses the TCP Flag (TF) header field of a network packet, a six-bit field used to set up a TCP connection for transmitting messages. The two communicating parties exchange messages based on a pre-agreed coding scheme.

8 Covert Channels
Covert channels transmit hidden information.
- Covert Timing Channel (CTC): e.g., packet inter-arrival time patterns
- Covert Storage Channel (CSC): e.g., network packet headers
CSCs use a specific information carrier. Accomplices use a pre-agreed coding. Network traffic is complex, which makes it ideal for CSCs. CSC applications: command and control, data exfiltration.
November 2016

9 CSC Examples
Single Packet - TCP Flags as Carrier
[Figure: two TCP flag fields (URG ACK PSH RST SYN FIN), one labelled Valid and one labelled Invalid]
Multi Packet - Sequence Number as Carrier
A single-packet CSC transmits information using the TCP flag field. Of the 64 possible combinations of TCP flags in this 6-bit header field, fewer than half are used in normal traffic. Significant use of invalid combinations can indicate a CSC instance. A multi-packet CSC looks at the relationship between packets. In normal traffic the packet sequence number changes in a certain pattern, i.e., incrementing by 1 each time within one session. This CSC uses abnormal changes to encode secret information, e.g., a decrease in value or an increase by more than 1.

10 How Does Cybercrime Exploit Covert Storage Channels?
Researchers focus on methods toward more reliable CSC channels to meet the need for privacy and protection of the communicating parties. Conspirators seek advanced steganographic tools for purposes of:
- Data Exfiltration
- Command and Control (C&C)

11 How to Detect CSC? Anomaly detection through traffic modeling
TCP flag usage in regular traffic is relatively stable, whereas the usage in CSC traffic varies considerably. A normal profile is the TCP flag frequency distribution of regular traffic. The distance of ongoing traffic from the normal profile indicates whether something abnormal is happening:
- Relative entropy, or Kullback–Leibler divergence, measures the difference from the model distribution Q to the observation distribution P.
- Mahalanobis distance is used to detect anomalies by comparing one observation x=(x1, x2, …, xn) to a set of observations (from regular traffic) with mean μ and covariance matrix S. Here x is a specific TCP flag.
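The two detection ideas on slides 9 and 11 (a whitelist of flag combinations that normal TCP produces, and the relative entropy of an observed flag-frequency distribution against a normal profile) can be combined into a small offline detector. The code below is an added example written for this page, not code from the module or from the authors; the whitelist of valid combinations, the smoothing constant, the 0.5 nat threshold and the three packet windows are all constructed for the example. It computes D_KL(P || Q) = sum_x P(x) ln(P(x)/Q(x)) over all 64 flag combinations, with P the observed window and Q the baseline profile, and reports the fraction of packets whose flag combination is outside the whitelist. The Mahalanobis distance from the slide is not implemented here.

```python
import math
from collections import Counter
from typing import Dict, Iterable, List

# Bit values of the six flags in the 6-bit TCP flags field, in the order the
# slides use (URG ACK PSH RST SYN FIN); FIN is the least significant bit.
TCP_FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
NUM_COMBOS = 64  # 2**6 possible flag combinations

# Combinations a well-behaved TCP stack emits during setup, data transfer and
# teardown. ASSUMPTION for this example: the slides only state that fewer than
# half of the 64 combinations occur in normal traffic, not which ones.
VALID_COMBOS = {
    0x02,  # SYN
    0x12,  # SYN+ACK
    0x10,  # ACK
    0x18,  # PSH+ACK
    0x11,  # FIN+ACK
    0x19,  # FIN+PSH+ACK
    0x04,  # RST
    0x14,  # RST+ACK
    0x30,  # URG+ACK
    0x38,  # URG+PSH+ACK
}


def flag_names(flags: int) -> str:
    """Render a 6-bit flags value as e.g. 'SYN+FIN' ('none' when no bit is set)."""
    names = [name for name, bit in TCP_FLAG_BITS.items() if flags & bit]
    return "+".join(names) if names else "none"


def is_valid_combo(flags: int) -> bool:
    """True when the flag combination is one normal TCP sessions produce."""
    return (flags & 0x3F) in VALID_COMBOS


def invalid_fraction(flag_values: Iterable[int]) -> float:
    """Share of packets in the window whose flag combination is outside the whitelist."""
    values = list(flag_values)
    return sum(not is_valid_combo(f) for f in values) / len(values)


def flag_distribution(flag_values: Iterable[int], alpha: float = 0.01) -> Dict[int, float]:
    """Frequency distribution over all 64 flag combinations.
    Additive smoothing (alpha per bin) keeps every bin non-zero so that the
    KL divergence stays finite when a combination is absent from the baseline."""
    counts = Counter(f & 0x3F for f in flag_values)
    total = sum(counts.values()) + alpha * NUM_COMBOS
    return {combo: (counts.get(combo, 0) + alpha) / total for combo in range(NUM_COMBOS)}


def kl_divergence(p: Dict[int, float], q: Dict[int, float]) -> float:
    """Relative entropy D_KL(P || Q) in nats: P is the observed window, Q the normal profile."""
    return sum(p[c] * math.log(p[c] / q[c]) for c in p if p[c] > 0)


def score_window(window: List[int], baseline: List[int], threshold: float = 0.5) -> dict:
    """Compare one window of flag values to the baseline profile.
    The threshold is an assumed value for the example; in practice it is tuned
    on the distances that regular traffic windows produce."""
    profile = flag_distribution(baseline)
    observed = flag_distribution(window)
    divergence = kl_divergence(observed, profile)
    return {
        "kl": divergence,
        "invalid_fraction": invalid_fraction(window),
        "anomalous": divergence > threshold,
    }


# Constructed sample data: TCP flag values of individual packets. A real
# deployment would read these from a Wireshark/tshark capture.
BASELINE_FLAGS = [0x02] * 20 + [0x12] * 20 + [0x10] * 300 + [0x18] * 150 + [0x11] * 40 + [0x14] * 5
NORMAL_WINDOW = [0x02] * 4 + [0x12] * 4 + [0x10] * 60 + [0x18] * 30 + [0x11] * 8
# A window in which half the packets carry combinations normal TCP never sends
# (SYN+FIN, URG+FIN, URG+PSH+FIN, RST+SYN, no flags at all).
COVERT_WINDOW = [0x10] * 40 + [0x18] * 10 + [0x03] * 15 + [0x21] * 12 + [0x29] * 10 + [0x06] * 8 + [0x00] * 5

if __name__ == "__main__":
    for label, window in (("normal window", NORMAL_WINDOW), ("suspect window", COVERT_WINDOW)):
        result = score_window(window, BASELINE_FLAGS)
        print(f"{label}: KL={result['kl']:.3f} nats, "
              f"invalid={result['invalid_fraction']:.0%}, anomalous={result['anomalous']}")
    for combo in (0x12, 0x03):
        print(f"{flag_names(combo):>8}: valid={is_valid_combo(combo)}")
```

The smoothing constant matters: a large alpha spreads probability mass over the 58 or so combinations that never occur, and the empty bins alone then push the divergence of a perfectly normal window up, so keep alpha small relative to the window size. The two scores complement each other: the invalid-combination fraction catches a single-packet CSC that uses undefined flag settings outright, while the relative entropy also reacts to a channel that only uses valid combinations but in proportions the baseline never shows.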

12 CSC Lab for non-CS Majors
- Draw Topology
- Generate regular traffic
- Use TCP flag manipulation
- Generate covert storage channel traffic
- Detect the presence of covert storage traffic
Experiments on GENI. GENI: Virtual laboratory for networking and distributed systems research and education

13 Simulating Covert Storage Channels
- Real machines
- Small Network
- CSC traffic
- Regular traffic
You control all these!

14 Variations and References
- Usage of a different TCP header field as CSC
- Usage of a Split-Join Network for transmitting CSC traffic
Reference: J. Chow, X. Li, and X. Mountrouidou, "Raising flags: Detecting covert storage channels using relative entropy," IEEE International Conference on Intelligence and Security Informatics (IEEE ISI 2017), Beijing, China, July 22-24, 2017.

15 Questions? LET’S EXPERIMENT!

