748 research outputs found

    Traffic Analysis Resistant Infrastructure

    Network traffic analysis is using metadata to infer information from traffic flows. Network traffic flows are the tuple of source IP, source port, destination IP, and destination port. Additional information is derived from packet length, flow size, interpacket delay, JA3 signature, and IP header options. Even connections using TLS leak site name and cipher suite to observers. This metadata can profile groups of users or individual behaviors. Statistical properties yield even more information. The hidden Markov model can track the state of protocols where each state transition results in an observation. Format Transforming Encryption (FTE) encodes data as the payload of another protocol. The emulated protocol is called the host protocol. Observation-based FTE is a particular case of FTE that uses real observations from the host protocol for the transformation. By communicating using a shared dictionary according to the predefined protocol, it can be difficult to detect anomalous traffic. Combining observation-based FTEs with hidden Markov models (HMMs) emulates every aspect of a host protocol. Ideal host protocols would cause significant collateral damage if blocked (protected) and do not contain dynamic handshakes or states (static). We use protected static protocols with the Protocol Proxy--a proxy that defines the syntax of a protocol using an observation-based FTE and transforms data to payloads with actual field values. The Protocol Proxy massages the outgoing packet's interpacket delay to match the host protocol using an HMM. The HMM ensures the outgoing traffic is statistically equivalent to the host protocol. The Protocol Proxy is a covert channel, a method of communication with a low probability of detection (LPD). These covert channels trade off throughput for LPD. The multipath TCP (mpTCP) Linux kernel module splits a TCP stream across multiple interfaces.
Two potential architectures involve splitting a covert channel across several interfaces (multipath) or splitting a single TCP stream across multiple covert channels (multisession). Splitting a covert channel across multiple interfaces leads to higher throughput but is classified as mpTCP traffic. Splitting a TCP flow across multiple covert channels is not as performant as the previous case, but it provides added obfuscation and resiliency. Each covert channel is independent of the others, and a channel failure is recoverable. The multipath and multisession frameworks independently address the issues associated with covert channels. Each tool addresses a challenge. The Protocol Proxy provides anonymity in a setting where detection could have critical consequences. The mpTCP kernel module offers an architecture that increases throughput despite the channel's low-bandwidth restrictions. Fusing these architectures improves the goodput of the Protocol Proxy without sacrificing the low probability of detection.

    Covert6: A Tool to Corroborate the Existence of IPv6 Covert Channels

    A covert channel is any communication channel that can be exploited to transfer information in a manner that violates the system’s security policy. Research in the field has shown that, like many communication channels, IPv4 and the TCP/IP protocol suite have been susceptible to covert channels, which could be exploited to leak data or be used for anonymous communications. With the introduction of IPv6, researchers are acutely aware that many vulnerabilities of IPv4 have been remediated in IPv6. However, a proof of concept covert channel system was demonstrated in 2006. A decade later, IPv6 and its related protocols have undergone major changes, which has introduced a need to reevaluate the current state of covert channels within IPv6. The current research demonstrates the corroboration of covert channels in IPv6 by building a tool that establishes a covert channel against a simulated enterprise network. This is further validated against multiple channel criteria.

    Moving target network steganography

    A branch of information hiding that has gained traction in recent years is network steganography. Network steganography uses network protocols as carriers to hide and transmit data. Storage channel network steganography manipulates values in protocol header and data fields and stores covert data inside them. The timing channel modulates the timing of events in the protocol to transfer covert information. Many current storage channel network steganography methods have low bandwidths and they hide covert data directly into the protocol which allows discoverers of the channel to read the confidential information. A new type of storage channel network steganography method is proposed and implemented which abstracts the idea of hiding data inside the network protocol. The addition of a moving target mechanism rotates the locations of data to be evaluated preventing brute force attacks. The bandwidth of the algorithm can also be controlled by increasing or decreasing the rate of packet transmission. A proof of concept is developed to implement the algorithm. Experimental run times are compared with their theoretical equivalents to compare the accuracy of the proof of concept. Detailed probability and data transfer analysis is performed on the algorithm to see how the algorithm functions in terms of security and bandwidth. Finally, a detection and mitigation analysis is performed to highlight the flaws with the algorithm and how they can be improved.

    CovertNet: Circumventing Web Surveillance Using Covert Channels

    Senior Project submitted to The Division of Science, Mathematics and Computing of Bard College

    Unified Description for Network Information Hiding Methods

    Until now hiding methods in network steganography have been described in arbitrary ways, making them difficult to compare. For instance, some publications describe classical channel characteristics, such as robustness and bandwidth, while others describe the embedding of hidden information. We introduce the first unified description of hiding methods in network steganography. Our description method is based on a comprehensive analysis of the existing publications in the domain. When our description method is applied by the research community, future publications will be easier to categorize, compare and extend. Our method can also serve as a basis to evaluate the novelty of hiding methods proposed in the future. Comment: 24 pages, 7 figures, 1 table; currently under revie

    ARPNetSteg: Network Steganography using Address Resolution Protocol

    Steganography is a technique that allows hidden transfer of data using some media such as Image, Audio, Video, Network Protocol or a Document, without its existence getting noticed. Over the past few years, a lot of research has been done in the field of Image, Video and Audio Steganography but very little work has been done in Network Steganography. A Network Steganography technique hides data in a Network Data Unit, i.e., a Network Protocol Packet. In this paper we present an algorithm ARPNetSteg that implements Network Steganography using the Address Resolution Protocol. Our technique is a robust technique that can transfer 44 bits of covert data per ARP reply packet.