4 research outputs found

    Design of Transport Layer Based Hybrid Covert Channel Detection Engine

    Computer networks are unpredictable due to information warfare and are prone to various attacks. Such attacks on a network compromise its most important attribute, privacy. Most such attacks are devised using a special communication channel called a "Covert Channel". The word "Covert" stands for hidden or non-transparent. A network covert channel is a concealed communication path within legitimate network communication that clearly violates the security policies laid down. The non-transparency in a covert channel is also referred to as a trapdoor. A trapdoor is an unintended design within legitimate communication whose purpose is to leak information. A subliminal channel, a variant of the covert channel, works similarly except that the trapdoor is set in a cryptographic algorithm. A composition of a covert channel with a subliminal channel is the "Hybrid Covert Channel". A hybrid covert channel is a homogeneous or heterogeneous mixture of two or more variants of covert channels, active either at the same instant or at different instants of time. Detecting such malicious channel activity plays a vital role in removing the threat to the legitimate network. In this paper, we present a study of multi-trapdoor covert channels and introduce the design of a new detection engine for hybrid covert channels in the transport layer, visualized in TCP and SSL. Comment: 8 pages, 4 figures, Journa

    Detection of network traffic anomalies in order to neutralize covert channels of information transmission in network protocols

    Methods for detecting and neutralizing known covert channels in network protocols were investigated. Ready-made tools for countering covert channels were tested using a DNS tunnel as an example. An original method of detecting covert channels of information transmission in network protocols by detecting network traffic anomalies was developed and implemented. In the course of the study, tools for monitoring and analyzing network traffic, a watcher and a dashboard, were created. The expediency of using the combination of Wireshark and Elastic Stack to identify a potential covert channel has been proven. Preventive measures against covert channels were considered.