2,431 research outputs found

    Covert channel detection using Information Theory

    This paper presents an information theory based detection framework for covert channels. We first show that the usual notion of interference does not characterize the notion of deliberate information flow of covert channels. We then show that even an enhanced notion of "iterated multivalued interference" cannot capture flows with capacity lower than one bit of information per channel use. We then characterize and compute the capacity of covert channels that use control flows for a class of systems. Comment: In Proceedings SecCo 2010, arXiv:1102.516

    Covert channels in the HTTP network protocol: Channel characterization and detecting man-in-the-middle attacks

    Network covert channels provide two entities the ability to communicate stealthily. Hypertext Transfer Protocol (HTTP), which accounts for approximately half of all traffic on the Internet (Burke, 2007), has become the fertile ground for various network covert channels. Proliferation of network covert channels throughout the World Wide Web and other areas of cyberspace has raised new security concerns and brought both challenges and enhancements to the area of Information Warfare. Covert channels impact our ability to observe and orient in this domain and need to be better understood. They are, however, extremely difficult to study as a whole. Network covert channels tend to be protocol, implementation, and/or application specific. Similar to biology or botany, where we classify plants and animals, the first step of research is to define a classification scheme. In the paper, it is intended to define a set of common characteristics, classify and analyze several known covert channels in HTTP with respect to these characteristics. New HTTP based covert channels are discussed and their characteristics presented as well. Although many applications of covert channels are malicious in nature, this paper argues that there are beneficial applications of network covert channels, such as detecting Man-in-the-Middle attacks

    Capacity boost with data security in Network Protocol Covert Channel

    Covert channels leak information where information travels unnoticed, i.e., the communication itself is hidden. Encryption is used to protect the communication from being decoded by unauthorized users, but covert channels hide the existence of communication. Covert channels are a serious security threat. There are many existing techniques available for the development of covert channels by manipulating certain fields in network protocols such as HTTP, IP, TCP, etc. The available packet length based covert channels have tamper resistance capability, but their abnormal traffic distribution results in the possibility of detection. In this paper we present a packet length based covert channel using real time packet lengths, where statistical detection of the covert channel is not possible due to random transformations and computations used in the algorithm. We also improved the covert data capacity and security by applying a certain encryption algorithm which doesn't change the length of the original data load compared to other available techniques. We focused on implementation details and try to find out the future expansion. Keywords: Covert channels, packet length, high bandwidth, network protocols, packet payload, computer networ

    Detecting Selected Network Covert Channels Using Machine Learning

    Network covert channels break a computer's security policy to establish a stealthy communication. They are a threat being increasingly used by malicious software. Most previous studies on detecting network covert channels using Machine Learning (ML) were tested with a dataset that was created using one single covert channel tool and also are ineffective at classifying covert channels into patterns. In this paper, selected ML methods are applied to detect popular network covert channels. The capacity of detecting and classifying covert channels with high precision is demonstrated. A dataset was created from nine standard covert channel tools and the covert channels are then accordingly classified into patterns and labelled. Half of the generated dataset is used to train three different ML algorithms. The remaining half is used to verify the algorithms' performance. The tested ML algorithms are Support Vector Machines (SVM), k-Nearest Neighbors (k-NN) and Deep Neural Networks (DNN). The k-NN model demonstrated the highest precision rate at 98% detection of a given covert channel and with a low false positive rate of 1%

    DYST (Did You See That?): An Amplified Covert Channel That Points To Previously Seen Data

    Covert channels are unforeseen and stealthy communication channels that enable manifold adversary scenarios. However, they can also allow the exchange of confidential information by journalists. All covert channels described until now therefore need to craft seemingly legitimate information flows for their information exchange, mimicking unsuspicious behavior. In this paper, we present DYST, which represents a new class of covert channels we call history covert channels jointly with the new paradigm of covert channel amplification. History covert channels can communicate almost exclusively by pointing to unaltered legitimate traffic created by regular network nodes. Only a negligible fraction of the covert communication process requires the transfer of actual covert channel information by the covert channel's sender. This allows, for the first time, an amplification of the covert channel's message size, i.e., minimizing the fraction of actually transferred secret data by a covert channel's sender in relation to the overall secret data being exchanged. We extend the current taxonomy for covert channels to show how history channels can be categorized. We describe multiple scenarios in which history covert channels can be realized, theoretically analyze the characteristics of these channels and show how their configuration can be optimized for different implementations. We further evaluate the robustness and detectability of history covert channels. Comment: 18 pages, rev

    Covert Channels in SIP for VoIP signalling

    In this paper, we evaluate available steganographic techniques for SIP (Session Initiation Protocol) that can be used for creating covert channels during the signalling phase of a VoIP (Voice over IP) call. Apart from characterizing existing steganographic methods, we provide new insights by introducing new techniques. We also estimate the amount of data that can be transferred in signalling messages for a typical IP telephony call. Comment: 8 pages, 4 figure