Firewall resistance to metaferography in network communications

In recent years corporations and other enterprises have seen a consolidation of security services on the network perimeter. Services that have traditionally been stand-alone, such as content filtering and antivirus scanning, are pushing their way to the edge and running on security gateways such as firewalls. As a result, firewalls have transitioned from devices that protect availability by preventing denial-of-service to devices that are also responsible for protecting the confidentiality and integrity of data. However, little, if any, practical research has been done on the ability of existing technical controls such as firewalls to detect and prevent covert channels. The experiment in this thesis has been designed to evaluate the effectiveness of firewalls—specifically application-layer firewalls—in detecting, correcting, and preventing covert channels. Several application-layer HTTP covert channel tools, including Wsh and CCTT (both storage channels), as well as Leaker/Recover (a timing channel), are tested using the 7-layer OSI Network Model as a framework for analysis. This thesis concludes that with a priori knowledge of the covert channel and proper signatures, application-layer firewalls can detect both storage and timing channels. Without a priori knowledge of the covert channel, either a heuristic-based or a behavioral-based detection technique would be required. In addition, this thesis demonstrates that application-layer firewalls inherently resist covert channels by adhering to strict type enforcement of RFC standards. This thesis also asserts that metaferography is a more appropriate term than covert channels to describe the study of “carried writing” since metaferography is consistent with the etymology and naming convention of the other main branches of information hiding—namely cryptography and steganography

Evaluation of intrusion detection systems with automatic traffic generation programs

In this master\u27s thesis work, a program was developed using the Perl programming language to enable user defined attack programs to run automatically. A similar program was also developed for background traffic. With this program, the different features of the Nmap exploration and scanning tool were exploited to build scenarios of attacks. Automated scenarios of attacks running in to the order of hundreds were developed. Also, different sets of automated stealthy attacks scenarios running in to the order of hundreds were developed using the timing modes, stealthy scans and scan delay features of Nmap. These automated attacks scenarios were employed in the evaluation of the Snort intrusion detection system. It was discovered that 73% of all the Nmap\u27s scanning types and discovery methods that were used in this work resulted in scanning activity. The Snort intrusion detection system detected and produced alerts on every of the 73% Nmap\u27s scan types and discovery method that resulted in scanning activity. Snort was found to have a non-existent false alarm rate and a very high detection rate of 100% using these attacks scenarios and background traffic. The developed attacks scenarios program were found to be easy to use, efficient, and easy to expand by setting only the type of attacks, parameters of the attack, and the delay time between two successive attacks in a configuration file

Compromising Anonymous Communication Systems Using Blind Source Separation

We propose a class of anonymity attacks to both wired and wireless anonymity networks. These attacks are based on the blind source separation algorithms widely used to recover individual signals from mixtures of signals in statistical signal processing. Since the philosophy behind the design of current anonymity networks is to mix traffic or to hide in crowds, the proposed anonymity attacks are very effective. The flow separation attack proposed for wired anonymity networks can separate the traffic in a mix network. Our experiments show that this attack is effective and scalable. By combining the flow separation method with frequency spectrum matching, a passive attacker can derive the traffic map of the mix network. We use a nontrivial network to show that the combined attack works. The proposed anonymity attacks for wireless networks can identify nodes in fully anonymized wireless networks using collections of very simple sensors. Based on a time series of counts of anonymous packets provided by the sensors, we estimate the number of nodes with the use of principal component analysis. We then proceed to separate the collected packet data into traffic flows that, with help of the spatial diversity in the available sensors, can be used to estimate the location of the wireless nodes. Our simulation experiments indicate that the estimators show high accuracy and high confidence for anonymized TCP traffic. Additional experiments indicate that the estimators perform very well in anonymous wireless networks that use traffic padding

Compromising Anonymous Communication Systems Using Blind Source Separation

We propose a class of anonymity attacks to both wired and wireless anonymity networks. These attacks are based on the blind source separation algorithms widely used to recover individual signals from mixtures of signals in statistical signal processing. Since the philosophy behind the design of current anonymity networks is to mix traffic or to hide in crowds, the proposed anonymity attacks are very effective. The flow separation attack proposed for wired anonymity networks can separate the traffic in a mix network. Our experiments show that this attack is effective and scalable. By combining the flow separation method with frequency spectrum matching, a passive attacker can derive the traffic map of the mix network. We use a nontrivial network to show that the combined attack works. The proposed anonymity attacks for wireless networks can identify nodes in fully anonymized wireless networks using collections of very simple sensors. Based on a time series of counts of anonymous packets provided by the sensors, we estimate the number of nodes with the use of principal component analysis. We then proceed to separate the collected packet data into traffic flows that, with help of the spatial diversity in the available sensors, can be used to estimate the location of the wireless nodes. Our simulation experiments indicate that the estimators show high accuracy and high confidence for anonymized TCP traffic. Additional experiments indicate that the estimators perform very well in anonymous wireless networks that use traffic padding

Harnessing Predictive Models for Assisting Network Forensic Investigations of DNS Tunnels

In recent times, DNS tunneling techniques have been used for malicious purposes, however network security mechanisms struggle to detect them. Network forensic analysis has been proven effective, but is slow and effort intensive as Network Forensics Analysis Tools struggle to deal with undocumented or new network tunneling techniques. In this paper, we present a machine learning approach, based on feature subsets of network traffic evidence, to aid forensic analysis through automating the inference of protocols carried within DNS tunneling techniques. We explore four network protocols, namely, HTTP, HTTPS, FTP, and POP3. Three features are extracted from the DNS tunneled traffic: IP packet length, DNS Query Name Entropy, and DNS Query Name Length. We benchmark the performance of four classification models, i.e., decision trees, support vector machines, k-nearest neighbours, and neural networks, on a data set of DNS tunneled traffic. Classification accuracy of 95% is achieved and the feature set reduces the original evidence data size by a factor of 74%. More importantly, our findings provide strong evidence that predictive modeling machine learning techniques can be used to identify network protocols within DNS tunneled traffic in real-time with high accuracy from a relatively small-sized feature-set, without necessarily infringing on privacy from the outset, nor having to collect complete DNS Tunneling sessions

Advanced information processing system: Inter-computer communication services

The purpose is to document the functional requirements and detailed specifications for the Inter-Computer Communications Services (ICCS) of the Advanced Information Processing System (AIPS). An introductory section is provided to outline the overall architecture and functional requirements of the AIPS and to present an overview of the ICCS. An overview of the AIPS architecture as well as a brief description of the AIPS software is given. The guarantees of the ICCS are provided, and the ICCS is described as a seven-layered International Standards Organization (ISO) Model. The ICCS functional requirements, functional design, and detailed specifications as well as each layer of the ICCS are also described. A summary of results and suggestions for future work are presented