    Firewall resistance to metaferography in network communications

    In recent years corporations and other enterprises have seen a consolidation of security services on the network perimeter. Services that have traditionally been stand-alone, such as content filtering and antivirus scanning, are pushing their way to the edge and running on security gateways such as firewalls. As a result, firewalls have transitioned from devices that protect availability by preventing denial-of-service to devices that are also responsible for protecting the confidentiality and integrity of data. However, little, if any, practical research has been done on the ability of existing technical controls such as firewalls to detect and prevent covert channels. The experiment in this thesis has been designed to evaluate the effectiveness of firewalls—specifically application-layer firewalls—in detecting, correcting, and preventing covert channels. Several application-layer HTTP covert channel tools, including Wsh and CCTT (both storage channels), as well as Leaker/Recover (a timing channel), are tested using the 7-layer OSI Network Model as a framework for analysis. This thesis concludes that with a priori knowledge of the covert channel and proper signatures, application-layer firewalls can detect both storage and timing channels. Without a priori knowledge of the covert channel, either a heuristic-based or a behavioral-based detection technique would be required. In addition, this thesis demonstrates that application-layer firewalls inherently resist covert channels by adhering to strict type enforcement of RFC standards. This thesis also asserts that metaferography is a more appropriate term than covert channels to describe the study of “carried writing”, since metaferography is consistent with the etymology and naming convention of the other main branches of information hiding—namely cryptography and steganography.

    Moving target network steganography

    A branch of information hiding that has gained traction in recent years is network steganography. Network steganography uses network protocols as carriers to hide and transmit data. Storage channel network steganography manipulates values in protocol header and data fields and stores covert data inside them. The timing channel modulates the timing of events in the protocol to transfer covert information. Many current storage channel network steganography methods have low bandwidths, and they hide covert data directly in the protocol, which allows discoverers of the channel to read the confidential information. A new type of storage channel network steganography method is proposed and implemented which abstracts the idea of hiding data inside the network protocol. The addition of a moving target mechanism rotates the locations of data to be evaluated, preventing brute force attacks. The bandwidth of the algorithm can also be controlled by increasing or decreasing the rate of packet transmission. A proof of concept is developed to implement the algorithm. Experimental run times are compared with their theoretical equivalents to assess the accuracy of the proof of concept. Detailed probability and data transfer analysis is performed on the algorithm to see how it functions in terms of security and bandwidth. Finally, a detection and mitigation analysis is performed to highlight the flaws of the algorithm and how they can be improved.

    Efficient Non-Linear Covert Channel Detection in TCP Data Streams

    Cyber-attacks are causing losses amounting to billions of dollars every year due to data breaches and vulnerabilities. The existing tools for data leakage prevention and detection are often bypassed using various sophisticated techniques, such as network steganography, for stealing data. This is due to several weaknesses in existing detection systems which can be exploited by a threat actor: high time and memory training complexities, as well as the need for large training datasets. These challenges become worse as the amount of generated data increases every second in many realms. In addition, the number of false positives is high, which makes them inaccurate. Finally, there is a lack of a framework catering for needs such as raising alerts, data monitoring, and updating/adapting the threshold value used for checking data packets for covert data. In order to overcome these weaknesses, this paper proposes a novel framework that includes elements such as continuous data monitoring, threshold maintenance, and alert notification. This paper also proposes a model based on statistical measures to detect covert data leakages, especially for non-linear chaotic data. The main advantage of the proposed model is its capability to provide results with tolerance/threshold values much more efficiently. Our experiments indicate that the proposed framework has low false positives and outperforms various existing techniques in terms of accuracy and efficiency.

    Implementation of an Optimized Steganography Technique over TCP/IP and Tests Against Well-Known Security Equipment

    Nowadays we are witnessing a total convergence towards a digital world where information is digitized, conveyed and processed using highly developed techniques and tools. The development of broadband networks, including the internet, has made the manipulation, transmission and sharing of information easy. However, new security issues arise, and they are particularly related to the integrity, confidentiality and traceability of data. Facing this situation, network security has become very important, and the challenges related to protecting data exchanged over the internet against unauthorized access and use have increased. In the current work, we propose to implement an optimized steganography technique over the TCP/IP protocol [1]. We have also tested it against well-known security equipment running the latest versions. We will see that they are ineffective at stopping this kind of covert channel. Our work is an alarm to every IT administrator to change their thinking about data loss prevention (DLP) and the exfiltration of sensitive information.

    Detecting Selected Network Covert Channels Using Machine Learning

    Network covert channels break a computer's security policy to establish a stealthy communication. They are a threat increasingly used by malicious software. Most previous studies on detecting network covert channels using Machine Learning (ML) were tested with a dataset created using one single covert channel tool, and they are also ineffective at classifying covert channels into patterns. In this paper, selected ML methods are applied to detect popular network covert channels. The capacity to detect and classify covert channels with high precision is demonstrated. A dataset was created from nine standard covert channel tools, and the covert channels were then classified into patterns and labelled accordingly. Half of the generated dataset is used to train three different ML algorithms. The remaining half is used to verify the algorithms' performance. The tested ML algorithms are Support Vector Machines (SVM), k-Nearest Neighbors (k-NN) and Deep Neural Networks (DNN). The k-NN model demonstrated the highest precision rate, at 98% detection of a given covert channel, with a low false positive rate of 1%.

    Steganographic Timing Channels

    This paper describes steganographic timing channels that use cryptographic primitives to hide the presence of covert channels in the timing of network traffic. We have identified two key properties for steganographic timing channels: (1) the parameters of the scheme should be cryptographically keyed, and (2) the distribution of input timings should be indistinguishable from output timings. These properties are necessary (although we make no claim they are sufficient) for the undetectability of a steganographic timing channel. Without them, the contents of the channel can be read and observed by unauthorized persons, and the presence of the channel is trivially exposed by noticing large changes in timing distributions – a previously proposed methodology for covert channel detection. Our steganographic timing scheme meets the secrecy requirement by employing cryptographic keys, and we achieve a restricted form of input/output distribution parity. Under certain distributions, our scheme conforms to a uniformness property: input timings that are uniformly distributed modulo a timing window are indistinguishable from output timings, measured under the same modulo. We also demonstrate that our scheme is practical under real network conditions, and finally present an empirical study of its covertness using the first-order entropy metric, as suggested by Gianvecchio and Wang [8], which is currently the best published practical detection heuristic for timing channels.

    Mobile Agents for Detecting Network Attacks Using Timing Covert Channels

    This article addresses the problem of network attacks using steganographic techniques based on the manipulation of time relationships between IP packets. In the study, an efficient method to detect such attacks is presented. The proposed algorithm is based on the Change Observation Theory and employs two types of agents: base and flying ones. The agents observe the time parameters of the network traffic in the node where they were installed, using the proposed meta-histograms and trained machine learning algorithms. The results of experiments using various machine learning algorithms are presented and discussed. The study showed that the Random Forest and MLP classifiers achieved the best detection results, yielding an area under the ROC curve (AUC) above 0.85 for the evaluation data. We showed a proof-of-concept for an attack detection method that combined the classification algorithm, the proposed anomaly metrics and the mobile agents. We claim that due to a unique feature of self-regulation, realized by destroying unnecessary agents, the proposed method can establish a new type of multi-agent intrusion detection system that can be applied to a wider group of IT systems.

    Evaluating Hamming Distance as a Metric for the Detection of CRC-based Side-channel Communications in MANETs

    Side-channel communication is a form of traffic in which malicious parties communicate secretly over a wireless network. This is often established through the modification of Ethernet frame header fields, such as the Frame Check Sequence (FCS). The FCS is responsible for determining whether or not a frame has been corrupted in transmission, and contains a value calculated using a predetermined polynomial. A malicious party may send messages that appear as nothing more than naturally corrupted noise on a network to those who are not the intended recipient. We use a metric known as Hamming distance in an attempt to differentiate purposely corrupted frames from naturally corrupted ones. In theory, it should be possible to recognize purposely corrupted frames based on how high this Hamming distance value is, as it signifies how many bits differ between the expected and the received FCS values. It is hypothesized that a range of threshold values based on this metric exists, which may allow for the detection of side-channel communication across all scenarios. We ran an experiment with human subjects in a foot platoon formation and analyzed the data using a support vector machine. Our results show promise for the use of Hamming distance for side-channel detection in MANETs.