Abstract
We propose a theoretical framework for a network covert channel based on enumerative combinatorics. It offers protocol independence and avoids detection by using a mimicry defense. Using a network monitoring phase, traffic is analyzed to detect which application-layer protocols are allowed through the firewalls. Using these results, a covert channel is built based on permutations of benign network objects, such as FTP commands and HTTP requests to different web servers. Any protocol that offers reliability guarantees can be plugged into the framework. This includes any protocol that is built on top of the TCP protocol. The framework closely mimics the behavioral statistics of the legitimate traffic, making the covert channel very hard to detect.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
National Computer Security Center, US DoD. Trusted Computer System Evaluation Criteria. Tech. Rep. DOD 5200.28-STD (1985)
Zander, S., Armitage, G., Branch, P.: A Survey of Covert Channels and Countermeasures in Computer Network Protocols. IEEE Communications Surveys and Tutorials 9(3), 44–57 (2007)
Fisk, G., Fisk, M., Papadopoulos, C., Neil, J.: Eliminating Steganography in Internet Traffic with Active Wardens. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 18–35. Springer, Heidelberg (2003)
Eßer, H., Freiling, F.: Kapazitätsmessung eines verdeckten Zeitkanals über HTTP. Tech. Rep. TR-2005-10 (2005)
Shah, G., Molina, A., Blaze, M.: Keyboards and covert channels. In: Proc. 15th Conf. USENIX Security Symposium (2006)
Luo, X., Zhou, P., Chan, E.W.W., Chang, R.K.C., Lee, W.: A Combinatorial Approach to Network Covert Communications with Applications in Web Leaks. In: Proceedings of the IEEE/IFIP International Conference on Dependable Systems and Networks, DSN (2011)
El-Atawy, A., Al-Shaer, E.: Building Covert Channels over the Packet Reordering Phenomenon. In: IEEE INFOCOM 2009 (2009)
Myrvold, W., Ruskey, F.: Ranking and unranking permutations in linear time. Information Processing Letters 79, 281–284 (2000)
Hartigan, J.A., Wong, M.A.: Algorithm AS 136: A k-means clustering algorithm. Journal of the Royal Statistical Society. Series C (Applied Statistics) (1979)
Rousseeuw, P.J.: Silhouettes: A graphical aid to the interpretation and validation of cluster analysis. Journal of Computational and Applied Mathematics 20 (1987)
Danzig, P.B., Jamin, S.: tcplib: A library of internetwork traffic characteristics. Tech. rep. (1991)
Shiravi, A., Shiravi, H., Tavallaee, M., Ghorbani, A.A.: Toward developing a systematic approach to generate benchmark datasets for intrusion detection (2012)
Gianvecchio, S., Wang, H., Wijesekera, D., Jajodia, S.: Model-based covert timing channels: Automated modeling and evasion (2008)
Cabuk, S., Brodley, C.E., Shields, C.: IP Covert Timing Channels: Design and Detection. In: Proc. 11th ACM Conf. Computer and Communications Security, CCS, pp. 178–187 (2004)
Luo, X., Chan, E.W.W., Chang, R.K.C.: Cloak: A Ten-Fold Way for Reliable Covert Communications. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 283–298. Springer, Heidelberg (2007)
Khan, H., Javed, Y., Mirza, F., Khayam, S.A.: Embedding a Covert Channel in Active Network Connections. In: IEEE Global Telecommunications Conference (2009)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Swinnen, A., Strackx, R., Philippaerts, P., Piessens, F. (2012). ProtoLeaks: A Reliable and Protocol-Independent Network Covert Channel. In: Venkatakrishnan, V., Goswami, D. (eds) Information Systems Security. ICISS 2012. Lecture Notes in Computer Science, vol 7671. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35130-3_9
Download citation
DOI: https://doi.org/10.1007/978-3-642-35130-3_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35129-7
Online ISBN: 978-3-642-35130-3
eBook Packages: Computer ScienceComputer Science (R0)