1
CMSC 691 IA, UMBC
Analysis and Detection of Network Covert Channels
Sweety Chauhan, CMSC 691 IA, 30th Nov. 2005, chauhan2@umbc.edu
2
Outline
- New and significant
- Summary of the results
- Covert network channels: the timestamp field as a covert channel
- Network timing channels: regularity of the timing channel, channel capacity
3
Summary of results
- Embedding covert messages in the TCP timestamp field is possible; the Covert_ts system does it
- Covert timing channels can be detected through their regularity, that is, through the sender's use of the channel capacity
4
Motivation
The network is heavily guarded with:
1. Intrusion Detection Systems (IDS)
2. Packet Anomaly Detection Systems (PADS)
3. Firewalls
The intruder has very limited options for getting data out. Exfiltration is possible by:
1. FTP: detected in log files and traffic dumps
2. Communication via high port numbers: can trigger Packet Anomaly Detection Systems
3. Encoding data in the unused fields of packet headers: detected by IDS and PADS
The attacker will therefore look for more covert ways of moving the data out of the compromised network. Hence detection of network covert channels (storage and timing) is significant.
5
New
- Covert_ts: an implementation that embeds covert messages in the TCP timestamp option (the possibility had been discussed in the research community, but not implemented)
- A proposed detection method based on channel capacity (information theory)
6
Previous work: TCP covert tools
Most of the work concentrates on covert storage channels rather than covert timing channels.
TCP covert channel tools:
- Covert_TCP: IP identification field, TCP ISN field, TCP ACK number
- Nushu: TCP ISN
7
Hierarchy of Covert Channels
Family of covert channels:
- Steganography: images / audio / executables
- Text manipulation: word manipulation
- Network channels: TCP/IP channels
- Operating systems: data hiding / alternate data streams
- Data appending: EOF / headers / footers
8
IP header (figure not reproduced; byte offsets 0-44): fields that may be used as a covert channel
9
TCP header (figure not reproduced; byte offsets 0-44): the Timestamp option
10
TCP Option: Timestamp
- Allows a host to accurately measure the round-trip time of a path
- Consists of two 32-bit fields: TS Value (TSval) and TS Echo Reply (TSecr)
- TS Value is set from the sender's 'timestamp clock'
- Use of TCP timestamps is not universal
11
Timestamp Low-Bit Modulation: the Covert_ts system
System requirements: Linux kernel 2.4.9 or higher, libpcap
- Modulates the low bit of the TCP timestamp to convey data, one bit per segment
- At low bandwidths the low bit of the timestamp is already quite random, so the modulated bits blend in with normal traffic
12
Timestamp Evaluation
- Bandwidth: low, one bit per TCP segment
- Detection: extremely difficult at low bandwidth
- Prevention: moderate; strip the TCP timestamp option
- Permissibility: all networks
13
Difficulty in Implementation
- The timestamp clock's tick frequency is between 1 Hz and 1 kHz
- Timestamps must be monotonic (they may never decrease), so a segment whose data bit does not match the low bit of the current tick has to wait for a later tick
- Hence a fast connection will be slowed down while sending covert data
14
Sending component: a Linux kernel module that modifies outgoing TCP/IP traffic by replacing the hard_start_xmit function. For each TCP packet carrying a timestamp option it calculates how far the timestamp must be raised so that its low bit equals the next data bit, raises it, and holds the packet for that long.
Receiving component: sniffs incoming traffic with libpcap and reads the data back from the low bits of the timestamps.
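The sender/receiver logic of the two slides above, as an added simulation that is not part of the original slides or of the Covert_ts code: a user-space model of the kernel module's "raise the timestamp and wait" step, the libpcap-side recovery of the low bits, and a parser for the TCP timestamp option (kind 8, length 10, as in RFC 1323) that a sniffer would use. The 100 Hz clock, the per-millisecond send schedule and the payload are assumptions chosen for the demonstration.

```python
import struct

# Assumptions for this added simulation (not taken from Covert_ts itself):
TICK_HZ = 100            # timestamp clock at 100 Hz (RFC 1323 allows 1 Hz to 1 kHz)
TCPOPT_NOP = 1
TCPOPT_TIMESTAMP = 8     # option kind
TCPOLEN_TIMESTAMP = 10   # kind(1) + len(1) + TSval(4) + TSecr(4)


def parse_tcp_timestamp(options):
    """Walk a TCP options field; return (TSval, TSecr) or None if absent or malformed.
    Kind 0 ends the list, kind 1 (NOP) is a single byte, everything else is TLV."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            return None
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                       # malformed option: stop parsing
        if kind == TCPOPT_TIMESTAMP and length == TCPOLEN_TIMESTAMP:
            return struct.unpack("!II", options[i + 2:i + 10])
        i += length
    return None


def build_timestamp_option(tsval, tsecr=0):
    """NOP, NOP, Timestamp: the 12-byte layout Linux emits on established connections."""
    return (bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_TIMESTAMP, TCPOLEN_TIMESTAMP])
            + struct.pack("!II", tsval & 0xFFFFFFFF, tsecr & 0xFFFFFFFF))


def message_to_bits(data):
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def bits_to_message(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))


def covert_send(bits, wanted_times, tick_hz=TICK_HZ):
    """Sender side of low-bit modulation. wanted_times[i] is when the application
    wanted segment i to leave. The segment takes the current clock tick as TSval; if
    the tick's low bit differs from the data bit, the timestamp is raised to the next
    tick and the segment is held until that tick is reached. Timestamps never go
    backwards. Returns a list of (actual_send_time, tsval)."""
    sent = []
    last_tick = 0
    for bit, t in zip(bits, wanted_times):
        tick = max(int(t * tick_hz), last_tick)
        if (tick & 1) != bit:
            tick += 1                         # raise to the next tick...
        actual = max(t, tick / tick_hz)       # ...and wait that long
        sent.append((actual, tick))
        last_tick = tick
    return sent


def covert_receive(tsvals):
    """Receiver side (what the libpcap sniffer recovers): one bit per segment."""
    return [ts & 1 for ts in tsvals]


if __name__ == "__main__":
    payload = b"Hi"                                   # constructed covert message
    bits = message_to_bits(payload)
    wanted = [i / 1000 for i in range(len(bits))]     # a fast sender: one segment per ms
    sent = covert_send(bits, wanted)
    on_wire = [build_timestamp_option(ts) for _, ts in sent]
    recovered = covert_receive([parse_tcp_timestamp(o)[0] for o in on_wire])
    print(bits_to_message(recovered),
          "transfer took %.3fs instead of %.3fs" % (sent[-1][0], wanted[-1]))
```

With a 100 Hz clock the 16 segments that the application wanted to send in 15 ms leave over roughly 80 ms, which is the slowdown the previous slide describes: every bit that disagrees with the current tick costs a full tick of waiting.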
15
Timestamp Detection: Fast Connections
Sending of TCP segments is slowed down to a fixed rate.
Algorithm:
1. Count the number of distinct timestamps and the total number of segments sent by a particular host
2. Calculate the ratio of distinct to total timestamps
3. If the covert channel is in use the ratio will be close to 0.75, otherwise very close to 1
16
Timestamp Detection: Slow Connections
Difficult to detect, because the low bit is more random on a slow connection.
Algorithm:
1. Record all the low bits of the timestamps sent by a host
2. Put them through a (complex) randomness test
3. If the bits look very random, a covert channel is being used
To prevent this, introduce some non-random data.
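Both detectors from the two slides above, run over constructed per-host timestamp sequences; this is an added example, not code from the slides or from Covert_ts. The "complex randomness test" is stood in for by two of the NIST SP 800-22 tests (frequency/monobit and runs), and the 0.9 distinct-ratio cut-off, the 0.01 p-value cut-off and the 32-segment minimum are assumed thresholds. The four TSval sequences are constructed inline to model a normal fast sender, a fast sender throttled by the covert module, a slow sender with a regular period, and a slow covert sender.

```python
import math

RATIO_THRESHOLD = 0.9   # assumed: fewer distinct timestamps than this share of segments is suspicious
P_THRESHOLD = 0.01      # NIST SP 800-22 convention: p-value below 0.01 means 'not random'
MIN_SEGMENTS = 32       # assumed: do not judge a host on fewer samples


def distinct_ratio(tsvals):
    """Fast-connection check: distinct timestamps / total segments for one host."""
    return len(set(tsvals)) / len(tsvals)


def monobit_p(bits):
    """NIST frequency (monobit) test: are ones and zeros balanced?"""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * n))


def runs_p(bits):
    """NIST runs test: does the string alternate about as often as a random one would?"""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0        # prerequisite failed: the proportion of ones is already non-random
    runs = 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)
    num = abs(runs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def classify_host(tsvals):
    """Apply both slide algorithms to the TSval sequence one host emitted."""
    if len(tsvals) < MIN_SEGMENTS:
        return {"verdict": "insufficient data", "covert": False}
    ratio = distinct_ratio(tsvals)
    low_bits = [ts & 1 for ts in tsvals]
    p_mono, p_runs = monobit_p(low_bits), runs_p(low_bits)
    looks_random = p_mono >= P_THRESHOLD and p_runs >= P_THRESHOLD
    if ratio < RATIO_THRESHOLD:
        verdict = "covert: repeated timestamps (fast-path detector)"
    elif looks_random:
        verdict = "covert: low bits pass randomness tests (slow-path detector)"
    else:
        verdict = "clean"
    return {"verdict": verdict, "covert": verdict != "clean",
            "ratio": ratio, "p_monobit": p_mono, "p_runs": p_runs}


# Constructed TSval sequences, as a sniffer at the network edge would collect per source host.
# Fast normal sender: every segment carries a fresh timestamp.
FAST_NORMAL = [9000 + i for i in range(40)]
# Fast sender throttled by Covert_ts: every 4th segment reuses the previous tick (30 distinct of 40).
FAST_COVERT = [7000 + i - (i + 1) // 4 for i in range(40)]
# Slow normal sender, one segment every 21 ticks: the low bits simply alternate.
SLOW_NORMAL = [1000 + 21 * i for i in range(64)]
# Slow Covert_ts sender: the low bits carry this constructed, random-looking bit string.
COVERT_BITS = [int(c) for c in "01101001" "11100010" "11001010" "00111010"
                                 "10100011" "01011100" "10011001" "00110011"]
SLOW_COVERT = [5000 + 2 * i + b for i, b in enumerate(COVERT_BITS)]

if __name__ == "__main__":
    for name, seq in [("fast normal", FAST_NORMAL), ("fast covert", FAST_COVERT),
                      ("slow normal", SLOW_NORMAL), ("slow covert", SLOW_COVERT)]:
        print(name, classify_host(seq))
```

The slow-path verdict is deliberately the weaker one: a host whose low bits pass both tests is only "too random", and a legitimate bursty sender can look the same, so in practice it is a lead for the analyst rather than an alert on its own, which is exactly why the slide calls low-bandwidth use hard to detect.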
17
Timing Covert Channel
- Uses packet inter-arrival times, not information embedded in headers or payload, to encode covert messages
- The regularity of a timing channel, measured through its use of channel capacity, can be used to detect covert communication
18
Investigation
Sending and receiving data while bypassing the usual intrusion detection techniques by exploiting the time delays between transmitted packets.
Given a chain of consecutive delays Δt_i, is it possible to say with a certain probability that there has been malicious intent?
19
Scenario: an intruder is able to control machine A (inside the LAN) and uses it to exfiltrate data coded in inter-packet delays; X is the point on the path where the delays are observed.
- X does not have to be the destination of the network packets
- X must be on the path, so that the packets can be intercepted and their inter-packet delays measured
- The fewer hops between X and A, the more accurate the measured delays will be
(Figure: Internet, X, A, LAN, Receiver; delays Δt_1, Δt_2, Δt_3)
20
Assumptions
- An attacker will pick an encoding that yields a decent bandwidth on average while being sufficiently stealthy
- The best coding system attains the Shannon limit; this is the core of the detection mechanism
21
The attacker will not choose a random distribution on the delays but will try to maximize the Shannon channel capacity.
The Shannon capacity of a discrete memoryless channel is C = max over P_X of I(X;Y), where P_X is a probability distribution on the input symbols and I(X;Y) is the mutual information between X and Y (i.e. the dependence between the two random variables).
22
Arimoto-Blahut algorithm
Finds an input symbol distribution that maximizes the mutual information, i.e. attains the channel capacity:
1. Initialization
2. Recursion
3. Termination
23
Proposed method
1. Based on the network characteristics, guess the coding system the attacker may use (the capacity-achieving input distribution for the observed channel)
2. Analyze the emitted symbols to see whether they match that distribution (statistical analysis)
3. If yes, covert communication is taking place
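The detection pipeline of the last four slides carried through in code, as an added example that is not part of the original slides: delays measured at X are quantized into symbols, the Arimoto-Blahut iteration (initialization, recursion, termination) computes the capacity and the capacity-achieving P_X for a given channel matrix, and the observed symbol histogram is compared against that P_X. The three-symbol delay alphabet, its thresholds, the jitter matrix W and the 0.05 total-variation cut-off are assumptions chosen for the demonstration; the delay samples are constructed.

```python
import math


def blahut_arimoto(W, tol=1e-9, max_iter=20000):
    """Arimoto-Blahut iteration for a discrete memoryless channel.
    W[x][y] = P(Y = y | X = x). Returns (capacity in bits, capacity-achieving P_X).
    Initialization: uniform P_X.
    Recursion: p(x) <- p(x) c(x) / sum_x' p(x') c(x'), with
      c(x) = exp( sum_y W(y|x) ln( W(y|x) / q(y) ) ) and q(y) = sum_x p(x) W(y|x).
    Termination: the bounds log sum_x p(x) c(x) <= C <= log max_x c(x) meet within tol."""
    nx, ny = len(W), len(W[0])
    p = [1.0 / nx] * nx
    lower = 0.0
    for _ in range(max_iter):
        q = [sum(p[x] * W[x][y] for x in range(nx)) for y in range(ny)]
        c = [math.exp(sum(W[x][y] * math.log(W[x][y] / q[y])
                          for y in range(ny) if W[x][y] > 0)) for x in range(nx)]
        z = sum(p[x] * c[x] for x in range(nx))
        lower, upper = math.log2(z), math.log2(max(c))   # nats from ln() converted to bits
        p = [p[x] * c[x] / z for x in range(nx)]
        if upper - lower < tol:
            break
    return lower, p


def quantize_delays(delays, thresholds):
    """Map each inter-packet delay (seconds) measured at X to a symbol index:
    symbol k means thresholds[k-1] <= delay < thresholds[k]."""
    return [sum(1 for th in thresholds if d >= th) for d in delays]


def symbol_counts(symbols, alphabet_size):
    counts = [0] * alphabet_size
    for s in symbols:
        counts[s] += 1
    return counts


def total_variation(counts, p_star):
    n = sum(counts)
    return 0.5 * sum(abs(k / n - q) for k, q in zip(counts, p_star))


def looks_like_capacity_coding(counts, W, tv_threshold=0.05):
    """The slide's test: does the observed symbol histogram match the input distribution a
    capacity-seeking sender would use on this channel? tv_threshold is an assumed cut-off."""
    capacity, p_star = blahut_arimoto(W)
    return total_variation(counts, p_star) <= tv_threshold, capacity, p_star


if __name__ == "__main__":
    # Assumed delay alphabet: short (<50 ms), medium (50..150 ms), long (>=150 ms).
    thresholds = [0.05, 0.15]
    # Assumed channel matrix: jitter on the A -> X path mostly lengthens a delay,
    # so a symbol is occasionally observed as the next-longer one.
    W = [[0.90, 0.10, 0.00],
         [0.05, 0.85, 0.10],
         [0.00, 0.05, 0.95]]
    # Constructed delay trace as measured at X (seconds between consecutive packets).
    delays = [0.02, 0.21, 0.09, 0.01, 0.17, 0.08, 0.03, 0.19, 0.10, 0.02, 0.16, 0.07,
              0.04, 0.22, 0.11, 0.03, 0.18, 0.09, 0.02, 0.20, 0.08, 0.01, 0.17, 0.10]
    counts = symbol_counts(quantize_delays(delays, thresholds), len(W))
    match, cap, p_star = looks_like_capacity_coding(counts, W)
    print("capacity %.4f bit/symbol, P_X* = %s" % (cap, [round(v, 3) for v in p_star]))
    print("observed counts", counts, "-> covert coding suspected:", match)
```

The two caveats on the next slide show up directly in this code: if W has several capacity-achieving inputs the returned p_star is just one of them, and W itself has to be re-estimated as traffic conditions change, so the comparison is only as good as the current channel matrix.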
24
Issues
- The optimal input delay distribution may not be unique
- The channel matrix is not constant over time (it depends on network traffic)
25
Future Work
- Run experiments with a specified number of hops (approx. 25)
- Find the channel matrix for a discrete input alphabet
- Once the channel matrix is complete, the Shannon capacity can be estimated with the Arimoto-Blahut algorithm
26
References
1. Steven J. Murdoch and Stephen Lewis. Embedding Covert Channels into TCP/IP. 7th Information Hiding Workshop, Barcelona, Catalonia (Spain), June 2005.
2. Jonathan Millen (SRI International). 20 Years of Covert Channel Modeling and Analysis. IEEE Symposium on Security and Privacy, 1999.
3. T. M. Cover and J. A. Thomas. Elements of Information Theory. Wiley Series in Telecommunications. John Wiley & Sons, New York, NY, USA, 1991.