Presentation is loading. Please wait.

Presentation is loading. Please wait.

Noam Segev, Israel Chernyak, Evgeny Reznikov Supervisor: Gabi Nakibly, Ph. D.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Noam Segev, Israel Chernyak, Evgeny Reznikov Supervisor: Gabi Nakibly, Ph. D."— Presentation transcript:

1 Noam Segev, Israel Chernyak, Evgeny Reznikov Supervisor: Gabi Nakibly, Ph. D.

2

3  Create a covert channel detector that would function in the described scenario.  The detector’s operation:  A learning period of clear traffic  Two traffic samples: ▪ A clean sample ▪ Traffic containing a covert channel  Goal: Correct classification of both samples

4  We used four detection methods in the creation of the detector:  BLOSUM  PSPM  Learning Algorithm  Entropy-based approach

5  Taken from the field of bioinformatics  BLOSUM (BLOcks of Amino Acid SUbstitution Matrix) is a substitution matrix used for sequence alignment of proteins.  PSPM(Position Specific Probability Matrix) is a substitution matrix used for sequence alignment of proteins.  The algorithms constructs a substitution matrix of probabilities for each amino acid to be present in certain positions in the sequence.

6  We break down the learning communication to 10 groups of 10. (total length of 100)  We defined the probability of a value to be  We define the probability of a couple of values to be  When receiving a new packet we compare to a packet from the original communication using the formula  The values checked can be packet size or packet delay

7  We break down the learning communication to 10 groups of 10. (total length of 100)  We defined the probability of a value to be  The values checked can be packet size or packet delay

8  There exists a range of weaker algorithms for covert channel detection exist.  Each weak algorithm is either less accurate or only good for detecting a certain type of covert channel.  We utilized a learning algorithm in an attempt to boost and combine the effectiveness of several of the weaker algorithms. Learning Algorithm

9  We used the C4.5 learning algorithm to combine three of the weaker algorithms:  Regularity detection  Histogram of packet times/sizes  Epsilon similarity

10  Regularity:  Histogram:

11  Stores and sorts the list of all inter-arrival times between packets.  P i – inter-arrival time i in the sorted list.  Epsilon similarity: the percentage of |P i - P i+1 |/P i that are smaller than the epsilon.

12  During the semester we compiled a collection of traffic samples created by 3 of the covert channel programs designed by previous teams, as well as some samples of randomly generated traffic with normal distribution of sizes and inter-arrival times.  The learning algorithm was given a training set of the answers all the above methods gave for each packet in the aforementioned traffic.

13  Entropy measures the amount of disorder in a system.  A covert channel injects information into certain communication metrics, therefore increasing the amount of order over these metrics.  By measuring the amount of entropy of a given channel over the above metrics we can try to deduce the existence of a covert channel.

14  We used the entropy calculation methods presented in Gianvecchio &Wang ’07:

15  Our method calculates the entropy of the following variables:  Packet delay  Packet sizes  Combined (size & time)  Bursts (k-packet averages on packet size & delay)  Peaks (maxima points of packet sizes and delays)

16  The challenge consisted of 3 simulations.  Each included:  A learning phase on clean traffic.  A detection phase on clean traffic to weed out false positives.  And a detection phase on traffic contaminated by the covert channel.

17  In this challenge our detector hasn’t generated any output – defined as a negative detection result – due to an error (which was found only later) which placed the output statements in an unreachable “if” statement.

18  Due to the aforementioned error suffered by our program, the results of the first challenge were inconclusive.  We decided that we’d attempt to investigate the sensitivity factor of our methods (since we saw neither false nor true positives).

19  We hoped that the algorithm would detect a pattern indicating which of the detection methods should be trusted in which case.  In case it was needed, we intended to boost the algorithm with providing more information about the covert channel – statistical information about packet distribution, as well as the numerical values computed by the aforementioned methods.

20  Unfortunately, it turned out that the covert channels we chose to work with were mainly detected by the histogram method, which didn’t leave much room for maneuver with the learning algorithm.

21  Several issues were detected in our program:  The aforementioned error which prevented output from being displayed.  In the BLOSUM method, there were miscalculations in the algorithm.  The entropy calculations, albeit correct, suffered from inefficiency, which forced us to reduce several parameters, affecting the accuracy.  Sensitivity factors were tweaked throughout the program.

22  The second challenge consisted of one simulation, including, as in the first challenge:  A learning phase on clean traffic.  A detection phase on clean traffic to weed out false positives.  A detection phase on traffic contaminated by a covert channel.

23  Unfortunately, after weeding out false positives, no detection was made.  After some investigation, we discovered that the BLOSUM method has, in fact, detected the covert channel, but due to another error, failed to report it.

24  Further refinement of the detection methods’ sensitivity thresholds is necessary.  In the learning algorithm method, the chosen methods proved to be insufficiently robust. Additionally, the lack of covert channel communication samples further undermined our efforts.

25  It would be interesting to see how the learning algorithm fares given a large amount of traffic samples, as well as stronger methods such as the entropy and BLOSUM methods we have implemented during this project.

Download ppt "Noam Segev, Israel Chernyak, Evgeny Reznikov Supervisor: Gabi Nakibly, Ph. D."

Similar presentations

Estimating a Population Proportion

Estimating a Population Proportion
Statistics Versus Parameters

Statistics Versus Parameters
Gapped Blast and PSI BLAST Basic Local Alignment Search Tool ~Sean Boyle Basic Local Alignment Search Tool ~Sean Boyle.

Gapped Blast and PSI BLAST Basic Local Alignment Search Tool ~Sean Boyle Basic Local Alignment Search Tool ~Sean Boyle.
BLAST, PSI-BLAST and position- specific scoring matrices Prof. William Stafford Noble Department of Genome Sciences Department of Computer Science and.

BLAST, PSI-BLAST and position- specific scoring matrices Prof. William Stafford Noble Department of Genome Sciences Department of Computer Science and.
Measuring the degree of similarity: PAM and blosum Matrix

Measuring the degree of similarity: PAM and blosum Matrix
1 Copyright © 2005 Brooks/Cole, a division of Thomson Learning, Inc. Chapter 8 Sampling Variability & Sampling Distributions.

1 Copyright © 2005 Brooks/Cole, a division of Thomson Learning, Inc. Chapter 8 Sampling Variability & Sampling Distributions.
Hypothesis Testing After 2 hours of frustration trying to fill out an IRS form, you are skeptical about the IRS claim that the form takes 15 minutes on.

Hypothesis Testing After 2 hours of frustration trying to fill out an IRS form, you are skeptical about the IRS claim that the form takes 15 minutes on.
1/55 EF 507 QUANTITATIVE METHODS FOR ECONOMICS AND FINANCE FALL 2008 Chapter 10 Hypothesis Testing.

1/55 EF 507 QUANTITATIVE METHODS FOR ECONOMICS AND FINANCE FALL 2008 Chapter 10 Hypothesis Testing.
Simulation.

Simulation.
Modeling Cross-Episodic Migration of Memory Using Neural Networks by, Adam Britt Definitions: Episodic Memory – Memory of a specific event, combination.

Modeling Cross-Episodic Migration of Memory Using Neural Networks by, Adam Britt Definitions: Episodic Memory – Memory of a specific event, combination.
Efficient Estimation of Emission Probabilities in profile HMM By Virpi Ahola et al Reviewed By Alok Datar.

Efficient Estimation of Emission Probabilities in profile HMM By Virpi Ahola et al Reviewed By Alok Datar.
1 Validation and Verification of Simulation Models.

1 Validation and Verification of Simulation Models.
Similar Sequence Similar Function Charles Yan Spring 2006.

Similar Sequence Similar Function Charles Yan Spring 2006.
BCOR 1020 Business Statistics Lecture 21 – April 8, 2008.

BCOR 1020 Business Statistics Lecture 21 – April 8, 2008.
Mining Long Sequential Patterns in a Noisy Environment Jiong Yang, Wei Wang, Philip S. Yu, and Jiawei Han SIGMOD 2002 Presented by: Eddie Date: 2002/12/23.

Mining Long Sequential Patterns in a Noisy Environment Jiong Yang, Wei Wang, Philip S. Yu, and Jiawei Han SIGMOD 2002 Presented by: Eddie Date: 2002/12/23.
Statistical Critical Path Selection for Timing Validation Kai Yang, Kwang-Ting Cheng, and Li-C Wang Department of Electrical and Computer Engineering University.

Statistical Critical Path Selection for Timing Validation Kai Yang, Kwang-Ting Cheng, and Li-C Wang Department of Electrical and Computer Engineering University.
Problem Solving Methods. Class Objectives Learn to apply the problem solving process Learn techniques for error-free problem solving.

Problem Solving Methods. Class Objectives Learn to apply the problem solving process Learn techniques for error-free problem solving.
Chapter 10 Hypothesis Testing

Chapter 10 Hypothesis Testing
Comparing Systems Using Sample Data Andy Wang CIS 5930-03 Computer Systems Performance Analysis.

Comparing Systems Using Sample Data Andy Wang CIS Computer Systems Performance Analysis.
Respected Professor Kihyeon Cho

Respected Professor Kihyeon Cho

Similar presentations

Ads by Google