Advertisement

ProtoLeaks: A Reliable and Protocol-Independent Network Covert Channel

  • Arne Swinnen
  • Raoul Strackx
  • Pieter Philippaerts
  • Frank Piessens
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7671)

Abstract

We propose a theoretical framework for a network covert channel based on enumerative combinatorics. It offers protocol independence and avoids detection by using a mimicry defense. Using a network monitoring phase, traffic is analyzed to detect which application-layer protocols are allowed through the firewalls. Using these results, a covert channel is built based on permutations of benign network objects, such as FTP commands and HTTP requests to different web servers. Any protocol that offers reliability guarantees can be plugged into the framework. This includes any protocol that is built on top of the TCP protocol. The framework closely mimics the behavioral statistics of the legitimate traffic, making the covert channel very hard to detect.

Keywords

timing channel ordered channel adaptive covert communication 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    National Computer Security Center, US DoD. Trusted Computer System Evaluation Criteria. Tech. Rep. DOD 5200.28-STD (1985)Google Scholar
  2. 2.
    Zander, S., Armitage, G., Branch, P.: A Survey of Covert Channels and Countermeasures in Computer Network Protocols. IEEE Communications Surveys and Tutorials 9(3), 44–57 (2007)CrossRefGoogle Scholar
  3. 3.
    Fisk, G., Fisk, M., Papadopoulos, C., Neil, J.: Eliminating Steganography in Internet Traffic with Active Wardens. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 18–35. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  4. 4.
    Eßer, H., Freiling, F.: Kapazitätsmessung eines verdeckten Zeitkanals über HTTP. Tech. Rep. TR-2005-10 (2005)Google Scholar
  5. 5.
    Shah, G., Molina, A., Blaze, M.: Keyboards and covert channels. In: Proc. 15th Conf. USENIX Security Symposium (2006)Google Scholar
  6. 6.
    Luo, X., Zhou, P., Chan, E.W.W., Chang, R.K.C., Lee, W.: A Combinatorial Approach to Network Covert Communications with Applications in Web Leaks. In: Proceedings of the IEEE/IFIP International Conference on Dependable Systems and Networks, DSN (2011)Google Scholar
  7. 7.
    El-Atawy, A., Al-Shaer, E.: Building Covert Channels over the Packet Reordering Phenomenon. In: IEEE INFOCOM 2009 (2009)Google Scholar
  8. 8.
    Myrvold, W., Ruskey, F.: Ranking and unranking permutations in linear time. Information Processing Letters 79, 281–284 (2000)MathSciNetCrossRefGoogle Scholar
  9. 9.
    Hartigan, J.A., Wong, M.A.: Algorithm AS 136: A k-means clustering algorithm. Journal of the Royal Statistical Society. Series C (Applied Statistics) (1979)Google Scholar
  10. 10.
    Rousseeuw, P.J.: Silhouettes: A graphical aid to the interpretation and validation of cluster analysis. Journal of Computational and Applied Mathematics 20 (1987)Google Scholar
  11. 11.
    Danzig, P.B., Jamin, S.: tcplib: A library of internetwork traffic characteristics. Tech. rep. (1991)Google Scholar
  12. 12.
    Shiravi, A., Shiravi, H., Tavallaee, M., Ghorbani, A.A.: Toward developing a systematic approach to generate benchmark datasets for intrusion detection (2012)Google Scholar
  13. 13.
    Gianvecchio, S., Wang, H., Wijesekera, D., Jajodia, S.: Model-based covert timing channels: Automated modeling and evasion (2008)Google Scholar
  14. 14.
    Cabuk, S., Brodley, C.E., Shields, C.: IP Covert Timing Channels: Design and Detection. In: Proc. 11th ACM Conf. Computer and Communications Security, CCS, pp. 178–187 (2004)Google Scholar
  15. 15.
    Luo, X., Chan, E.W.W., Chang, R.K.C.: Cloak: A Ten-Fold Way for Reliable Covert Communications. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 283–298. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  16. 16.
    Khan, H., Javed, Y., Mirza, F., Khayam, S.A.: Embedding a Covert Channel in Active Network Connections. In: IEEE Global Telecommunications Conference (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Arne Swinnen
    • 1
  • Raoul Strackx
    • 1
  • Pieter Philippaerts
    • 1
  • Frank Piessens
    • 1
  1. 1.Dept. of Computer ScienceUniversity of LeuvenBelgium

Personalised recommendations