56 research outputs found
Moving target network steganography
A branch of information hiding that has gained traction in recent years is network steganography. Network steganography uses network protocols as carriers to hide and transmit data. Storage channel network steganography manipulates values in protocol header and data fields and stores covert data inside them. Timing channel network steganography modulates the timing of events in the protocol to transfer covert information. Many current storage channel methods have low bandwidth, and they hide the covert data directly in the protocol, which allows anyone who discovers the channel to read the confidential information. A new type of storage channel network steganography method is proposed and implemented which abstracts the idea of hiding data inside the network protocol. The addition of a moving target mechanism rotates the locations of the data to be evaluated, preventing brute force attacks. The bandwidth of the algorithm can also be controlled by increasing or decreasing the rate of packet transmission. A proof of concept is developed to implement the algorithm. Experimental run times are compared with their theoretical equivalents to assess the accuracy of the proof of concept. Detailed probability and data transfer analysis is performed on the algorithm to see how it functions in terms of security and bandwidth. Finally, a detection and mitigation analysis is performed to highlight the flaws of the algorithm and how they can be improved.
An approach towards anomaly based detection and profiling covert TCP/IP channels
Firewalls and detection systems have been used for preventing and detecting attacks through a wide variety of mechanisms. A problem has arisen where users and applications can circumvent security policies because of particularities of the TCP/IP protocol suite, the ability to obfuscate the data payload, tunnel protocols, and covertly simulate a permitted communication. It has been shown that unusual traffic patterns may lead to the discovery of covert channels that employ packet headers. In addition, covert channels can be detected by observing anomalies in unused packet header fields. Presently, we are not aware of any schemes that address detecting the anomalous traffic patterns that a covert channel can potentially create. In this work, we explore the approach of combining anomaly based detection and covert channel profiling to detect a very precise subset of covert storage channels in network protocols. We also discuss why this method is more practical and industry-ready than present research on how to profile and mitigate these types of attacks. Finally, we describe a specialized tool to passively monitor networks for these types of attacks and show how it can be used to build an efficient hybrid covert channel and anomaly based detection system.
A management proposal for the Santa Catarina science and technology network
Dissertation (Master's) - Universidade Federal de Santa Catarina, Centro Tecnológico. The importance of the network management process, its possible uses and its benefits are highlighted, especially when applied to a regional backbone. In this sense, a management proposal is presented for the Rede Catarinense de Ciência e Tecnologia (RCT). It is a contribution to the network's administration and operation (always seeking the best operating conditions), also aiming to help disseminate and demystify this culture. The RCT, initially designed with 21 points of presence distributed across 14 cities, is in an expansion phase; there will be 59 points directly benefiting 36 cities. Its conception and implementation are described, recording the main facts, its points of presence, the institutions that compose it, its current stage of development, etc. The OSI management model, with its CMIP architecture, is presented, as is the classification of management needs according to the functional model (fault, performance, configuration, accounting and security). A set of RFCs defining the SNMP-Internet architecture, the SMI and its registration tree, the access types and the characteristic aspects of a community are also listed, and, complementarily, what a network management system consists of. Some basic ad hoc management tools are presented and related to the available MIBs, with emphasis on the Cisco private MIB and the netView6000SubAgent. With a customer-oriented focus, in line with current total quality concepts, the target audience was defined and segmented according to its needs and the way to meet them (decision makers, network management groups and Internet users).
For the set of Internet users, information is available on the distribution of traffic throughout the day on the different communication lines of the backbone, monitored with a public domain application (Routers-stats). The use of a commercial application (AIX SystemView SetView 6000 for AIX), owing to its larger number of available resources for both monitoring and control, is aimed at meeting the needs of the network management group. The polling frequency for traffic monitoring is analysed, the MIB variables best suited to be tracked are indicated, as are the indicators derived from them and considered important (communication channel utilisation rate, communication channel problems, packet discard rates, error rate and workstation utilisation). For decision makers, specific reports are recommended, specially prepared for the need at hand, avoiding routine technical reports. Given the dynamic nature of the RCT, whether due to its growth (increase in the number of points and/or traffic), the adoption of new technologies (deployment of ATM between Ufsc and Udesc, etc.) or the evolution of management tools, continuous re-evaluation of this proposal is essential, opening broad possibilities for the continuation of this work.
Network-aware Active Wardens in IPv6
Every day the world grows more and more dependent on digital communication. Technologies like e-mail or the World Wide Web that not so long ago were considered experimental have first become accepted and then indispensable tools of everyday life. New communication technologies built on top of the existing ones continuously race to provide newer and better functionality. Even established communication media like books, radio, or television have become digital in an effort to avoid extinction. In this torrent of digital communication a constant struggle takes place. On one hand, people, organizations, companies and countries attempt to control the ongoing communications and subject them to their policies and laws. On the other hand, there oftentimes is a need to ensure and protect the anonymity and privacy of the very same communications. Neither side in this struggle is necessarily noble or malicious. We can easily imagine that in the presence of oppressive censorship two parties might have a legitimate reason to communicate covertly. And at the same time, the use of digital communications for business, military, and also criminal purposes gives equally compelling reasons for monitoring them thoroughly. Covert channels are communication mechanisms that were never intended nor designed to carry information. As such, they are often able to act "below" the notice of mechanisms designed to enforce security policies. Therefore, using covert channels it might be possible to establish a covert communication that escapes the notice of the enforcement mechanism in place. Any covert channel present in digital communications offers a possibility of achieving a secret, and therefore unmonitored, communication. There have been numerous studies investigating possibilities of hiding information in digital images, audio streams, videos, etc. We turn our attention to the covert channels that exist in the digital networks themselves, that is, in the digital communication protocols.
Currently, one of the most ubiquitous protocols in deployment is the Internet Protocol version 4 (IPv4). Its universal presence and reach make it an ideal candidate for covert channel investigation. However, IPv4 is approaching the end of its dominance as its address space nears exhaustion. This imminent exhaustion of the IPv4 address space will soon force a mass migration towards Internet Protocol version 6 (IPv6), expressly designed as its successor. While the protocol itself is already over a decade old, its adoption is still in its infancy. The low acceptance of IPv6 results in an insufficient understanding of its security properties. We investigated the protocols forming the foundation of the next generation Internet, Internet Protocol version 6 (IPv6) and Internet Control Message Protocol (ICMPv6), and found numerous covert channels. In order to properly assess their capabilities and performance, we built cctool, a comprehensive covert channel tool. Finally, we considered countermeasures capable of defeating the discovered covert channels. For this purpose we extended the previously existing notions of active wardens to equip them with knowledge of the surrounding network and allow them to fulfill their role more effectively.
An adaptive approach to detecting behavioural covert channels in IPv6
One of the most important techniques in data hiding is the covert channel (metaferography), which has recently shown potential impacts on network and data security. Encryption can only protect communication from being decoded; a covert channel, by contrast, is the art of hiding information in an overt communication that acts as the carrier. Covert channels are normally used for transferring information stealthily. They are used to leak information across the network and to exfiltrate or infiltrate classified information from legitimate targets. These hidden channels violate network security and privacy policies; they are easy to embed but very hard, almost impossible, to detect.
Despite the obvious improvements in IPv6 components and functionality enhancements, intrinsic security vulnerabilities exist. These vulnerabilities have ongoing implications for network security and traffic performance. Hence, they create insecure environments in business and banking networks, information security management and IT security. ICMPv6 is a vital, integral part of IPv6, as is the IPsec protocol; to mitigate and eliminate covert channels, the RFC standards and controls should be investigated intensively. Furthermore, the incomplete implementation of IPv6 on all operating systems today has not yet explicitly exposed the full extent of this security protocol's performance.
In this thesis, we present a novel Hybrid Heuristic Intelligent Algorithm coupled with an enhanced Polynomial Naïve Bayes machine learning algorithm. The framework is implemented in a supervised learning model to detect and classify covert channels in IPv6. The proposed multi-threaded framework acts as an active security warden, processing intelligent information gain and an optimized decision tree technique to address the security vulnerabilities in this new generation network protocol.
This new approach develops intelligent heuristic techniques for in-depth packet inspection to analyse and examine the header fields of the IPv6 protocol. Some of these fields were designated by the designers for quality of service (QoS) and future performance diagnostic analysis; unfortunately, they are misused by "bad guys and black hats" to perform various network security attacks against vulnerable targets. These attacks cause immediate and ongoing damage to classified data. In order to prevent and mitigate these types of breaches and threat risks, a multi-security prevention model was created. Furthermore, an advanced machine learning technique was implemented to detect, classify and document all current and future unknown anomalous attacks. The suggested HeuBNet6 classifier obtained highly significant results with a 98% detection rate and showed better performance and accuracy with a good True Positive Rate (TPR) and a low False Positive Rate (FPR).
- …