Transcript Slide 1

Analysis and Detection of
Network Covert Channels
Sweety Chauhan
CMSC 691 IA
30th Nov. 2005
[email protected]
UMBC
CMSC 691 IA
Outline
- New and Significant
- Summary of the results
- Covert network channels
  - TCP timestamp field as a covert channel
- Network timing channels
  - regularity of a timing channel
  - channel capacity
Summary of results
- Embedding covert messages in the TCP timestamp field is possible; the Covert_ts system implements it
- Covert timing channels can be detected by
  - regularity in the timing channel
  - usage of the channel capacity
Motivation
The network is heavily guarded with:
1. Intrusion Detection Systems (IDS)
2. Packet Anomaly Detection Systems (PADS)
3. Firewalls
The intruder therefore has very limited options for getting the data out.
Exfiltration of data is possible by:
1. FTP - detected in log files and traffic dumps
2. Communication via high port numbers - can trigger Packet Anomaly Detection Systems
3. Encoding data in the unused fields of packet headers - detected by IDS and PADS
The attacker will look for more covert ways of moving the data out of the compromised network. Hence, detection of network covert (storage and timing) channels is significant!
New
- Covert_ts: an implementation of embedding covert messages in the TCP timestamp option (the possibility has been discussed in the research community)
- A proposed detection method based on channel capacity (information theory)
Previous work - TCP Covert Tools
- Most work concentrates on covert storage channels rather than covert timing channels
- TCP covert channel tools:
  - Covert_TCP
    - IP identification field
    - TCP ISN field
    - TCP ACK number
  - Nushu
    - TCP ISN
Hierarchy of Covert Channels
(tree diagram, reconstructed as a list)
Family of Covert Channels
- Steganography
  - Images / Audio / Executables
  - Text Manipulation: Word manipulation
  - Data Appending: EOF / Headers / Footers
- Network Channels
  - TCP / IP Channels
- Operating Systems
  - Data Hiding / Alternate Data Streams
IP Header
[Figure: IP header layout (0-44 bytes), with the fields that may be used as a covert channel highlighted]
TCP header
[Figure: TCP header layout (0-44 bytes), with the Timestamp option highlighted]
TCP Option - Timestamp
- allows a host to accurately measure the round-trip time of a path
- consists of two 32-bit fields: TS Value and TS Echo Reply
  - TS Value is set by the sender's 'timestamp clock'
- use of TCP timestamps is not universal
Timestamp Low-bit Modulation
- Covert_ts system
  - System requirements:
    - Linux kernel 2.4.9 or higher
    - libpcap
  - Modulates the low bit of the TCP timestamp to convey data
- At low bandwidths, the low bit of the timestamp is quite random
Timestamp Evaluation
- Bandwidth: low, one bit per TCP segment
- Detection: extremely difficult for low bandwidth
- Prevention: moderate, take out the TCP timestamp option
- Permissibility: all networks
Difficulty in Implementation
- The timestamp clock's tick frequency is between 1 Hz and 1 kHz
- Timestamps must be monotonic (they may never decrease across successive segments)
- A fast connection will be slowed down while sending covert data
- The sending component is a Linux kernel module that modifies outgoing TCP/IP traffic by replacing the hard_start_xmit function
  - checks for a TCP packet carrying a timestamp
  - calculates what the timestamp should be raised to, raises it and waits that long
- The receiving component sniffs incoming traffic using libpcap
Timestamp Detection - Fast
- Sending of TCP segments will be slowed down to a fixed rate
- Algorithm:
  - Count the number of different timestamps and the total number of timestamps sent by a particular host
  - Calculate the ratio of different to total timestamps (a value between 0 and 1)
  - If the covert channel is in use the ratio will be close to 0.75, otherwise very close to 1
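The following Python simulation is added here as an illustration of the Covert_ts low-bit modulation and of the fast-connection detector above; it is not code from the slides or from Covert_ts itself. It assumes the idealised regime of the fast case: the host hands one segment per timestamp-clock tick to the module, which either lets the segment through (the clock's low bit already equals the data bit) or raises the timestamp by one tick and holds the segment that long. The function names, the clock start value and the 0.875 decision threshold are the example's own choices.

```python
import random


def random_bits(n, seed=0):
    """Constructed covert payload: n pseudo-random bits (seeded for repeatability)."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n)]


def covert_ts_timestamps(bits, start_clock=1000):
    """Simulated Covert_ts sender at one segment per clock tick.

    Segment i reaches the module at clock tick start_clock + i.  If the low
    bit of that tick already equals the data bit, the segment leaves with the
    current clock as its TSval.  Otherwise the timestamp is raised to the next
    tick (whose low bit is the complement) and the segment is held one tick,
    which is exactly when the next segment arrives, so no backlog builds up.
    The stream never decreases, but consecutive segments may share a TSval.
    """
    timestamps = []
    for i, bit in enumerate(bits):
        clock = start_clock + i
        timestamps.append(clock if (clock & 1) == bit else clock + 1)
    return timestamps


def normal_timestamps(n, start_clock=1000):
    """Unmodified host in the same fixed-rate regime: one fresh TSval per tick."""
    return [start_clock + i for i in range(n)]


def covert_ts_receive(timestamps):
    """Receiver side (the libpcap sniffer in Covert_ts): data is the TSval low bit."""
    return [ts & 1 for ts in timestamps]


def is_monotonic(timestamps):
    """Sanity check of the implementation constraint: TSval must never go backwards."""
    return all(b >= a for a, b in zip(timestamps, timestamps[1:]))


def distinct_ratio(timestamps):
    """Ratio of different timestamps to total timestamps seen from one host.

    A duplicate arises exactly when segment i was held (its bit differed from
    its tick) and segment i+1 carries the same bit, which for random data has
    probability 1/4, hence the ratio of about 0.75 quoted on the slide.
    """
    return len(set(timestamps)) / len(timestamps)


def looks_covert(timestamps, threshold=0.875):
    """Fast-connection detector: covert traffic sits near 0.75, clean traffic
    near 1.0, so the midpoint 0.875 is used as the threshold (assumed value)."""
    return distinct_ratio(timestamps) < threshold


if __name__ == "__main__":
    payload = random_bits(4000)
    covert = covert_ts_timestamps(payload)
    clean = normal_timestamps(len(payload))
    assert covert_ts_receive(covert) == payload
    print("covert ratio %.3f -> flagged %s" % (distinct_ratio(covert), looks_covert(covert)))
    print("clean  ratio %.3f -> flagged %s" % (distinct_ratio(clean), looks_covert(clean)))
```

Running the module shows the covert stream decoding exactly while its distinct-to-total ratio settles near 0.75, against 1.0 for the unmodified host; the same `distinct_ratio` can be computed from a pcap by extracting the TSval option of every segment from one source address.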
Timestamp Detection - Slow
- difficult to detect: the low bit is more random
- Algorithm:
  - Record all the low bits of the timestamp
  - Put them through a complex randomness test
  - If very random, then a covert channel is being used
- The covert sender can counter this test by introducing some non-random data
Timing Covert Channel
- uses packet inter-arrival times, not header- or payload-embedded information, to encode covert messages
- the regularity of a timing channel and the channel capacity can be used to detect covert communication
Investigation
- sending and receiving data while bypassing the usual intrusion detection techniques
- exploiting time delays between transmitted packets
- Given a chain of consecutive delays ∆t_i, is it possible to say with a certain probability that there has been malicious intent?
[Figure: an intruder controls machine A (inside the LAN) and uses it to exfiltrate data coded in the inter-packet delays ∆t_1, ∆t_2, ∆t_3 towards a receiver on the Internet; a monitoring point X sits on the path]
- X does not have to be the destination of the network packets
- X must be on the path so that the packets can be intercepted and their inter-packet delays measured
- The fewer hops between X and A, the more accurate the delay measurement will be
Assumptions
- The attacker will pick an encoding that yields a decent bandwidth on average while being sufficiently stealthy
- The best coding system attains the Shannon limit (the core of the detection mechanism)
Attacker
- will not choose a random distribution on the delays, but will try to maximize the Shannon channel capacity
- The Shannon capacity of a discrete memoryless channel:
  C = max over P_X of I(X;Y)
  where P_X is a probability distribution on the input symbols and I(X;Y) is the mutual information between X and Y (i.e. the dependence between the two random variables)
Arimoto-Blahut algorithm
- finds an input symbol distribution that maximizes the channel capacity
1. Initialization
2. Recursion
3. Termination
Proposed method
- Based on network characteristics, guess the coding system that the attacker may use
- Analyze the emitted symbols to see if they match such a distribution (statistical analysis)
- If yes, covert communication is taking place
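The following Python implementation is added here as an illustration of the Arimoto-Blahut steps and of the proposed method above; it is not the presenter's code. It runs the three steps (initialization, recursion, termination) on a channel matrix and then compares an observed histogram of delay symbols against the output distribution that a capacity-achieving attacker would produce. The channel matrix `delay_channel` (delay bins that spill into their neighbours with some probability), the total-variation distance and the 0.05 threshold are the example's own assumptions, not measured data; the two binary channels appear only as checks with known closed-form capacities.

```python
import math


def blahut_arimoto(W, max_iter=2000, tol=1e-10):
    """Arimoto-Blahut iteration for a discrete memoryless channel.

    W[x][y] = P(Y = y | X = x); rows are input (delay) symbols, columns are
    observed symbols.  Returns (capacity in bits, capacity-achieving P_X).
    """
    n, m = len(W), len(W[0])
    p = [1.0 / n] * n                                   # 1. initialization: uniform P_X
    capacity = 0.0
    for _ in range(max_iter):                           # 2. recursion
        q = [sum(p[x] * W[x][y] for x in range(n)) for y in range(m)]   # output law
        c = []
        for x in range(n):
            # exp of the divergence D(W[x] || q): how much symbol x contributes
            d = sum(W[x][y] * math.log(W[x][y] / q[y]) for y in range(m) if W[x][y] > 0)
            c.append(math.exp(d))
        z = sum(p[x] * c[x] for x in range(n))
        lower, upper = math.log(z), math.log(max(c))    # bracket log C (in nats)
        p = [p[x] * c[x] / z for x in range(n)]         # reweight P_X
        capacity = lower / math.log(2)
        if upper - lower < tol:                         # 3. termination
            break
    return capacity, p


def delay_channel(n_bins, p_keep=0.8):
    """Constructed channel matrix (assumption, not measured): the attacker picks
    one of n_bins delay bins; path jitter moves the observed delay into a
    neighbouring bin with probability 1 - p_keep, split between both sides and
    folded back at the edges."""
    W = []
    for x in range(n_bins):
        row = [0.0] * n_bins
        row[x] += p_keep
        for nb in (x - 1, x + 1):
            row[min(max(nb, 0), n_bins - 1)] += (1.0 - p_keep) / 2
        W.append(row)
    return W


def expected_output(W, p):
    """Distribution of observed symbols when the input follows p."""
    return [sum(p[x] * W[x][y] for x in range(len(W))) for y in range(len(W[0]))]


def total_variation(counts, expected):
    """Half the L1 distance between an observed histogram and a distribution."""
    total = sum(counts)
    return 0.5 * sum(abs(c / total - e) for c, e in zip(counts, expected))


def matches_optimal_coding(counts, W, threshold=0.05):
    """Proposed method: flag the flow if the observed delay histogram is close
    to what a capacity-achieving input would produce on channel W."""
    _, p_opt = blahut_arimoto(W)
    return total_variation(counts, expected_output(W, p_opt)) < threshold


if __name__ == "__main__":
    W = delay_channel(5)
    cap, p_opt = blahut_arimoto(W)
    print("capacity %.3f bits/symbol, P_X = %s" % (cap, [round(v, 3) for v in p_opt]))
    # constructed observations: 10000 delays drawn exactly in the optimal proportions
    attacker = [round(10000 * e) for e in expected_output(W, p_opt)]
    benign = [10000, 0, 0, 0, 0]     # every packet in the same delay bin
    print("attacker-like histogram flagged:", matches_optimal_coding(attacker, W))
    print("constant-delay histogram flagged:", matches_optimal_coding(benign, W))
```

The binary checks are the usual sanity tests: a noiseless binary channel gives 1 bit, a binary symmetric channel with crossover 0.1 gives 1 - H(0.1) = 0.531 bits, and crossover 0.5 gives zero. On the constructed delay channel the same routine returns the input distribution that the "Issues" slide warns need not be unique, so a detector should compare against the output distribution (which is unique at capacity) rather than against P_X itself.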
Issues
- The optimal input delay distribution may not be unique
- The channel matrix is not constant over time (it depends on network traffic)
Future Work
- Run experiments with a specified number of hops (approx. 25)
- Find the channel matrix for a discrete input alphabet
- Once the channel matrix is complete, the Shannon capacity can be estimated with the Arimoto-Blahut algorithm
References
1. Steven J. Murdoch and Stephen Lewis. Embedding Covert Channels into TCP/IP. 7th Information Hiding Workshop, Barcelona, Catalonia (Spain), June 2005.
2. Jonathan Millen (SRI International). 20 Years of Covert Channel Modeling and Analysis. IEEE Symposium on Security and Privacy, 1999.
3. T. M. Cover and J. A. Thomas. Elements of Information Theory. Wiley Series in Telecommunications. John Wiley & Sons, New York, NY, USA, 1991.