IP Covert Channel Detection
Full text: PDF (854 KB)
Source: ACM Transactions on Information and System Security (TISSEC), Volume 12, Issue 4 (April 2009), Article No. 22
Year of Publication: 2009
ISSN: 1094-9224
Authors
Serdar Cabuk, Hewlett-Packard Laboratories
Carla E. Brodley, Tufts University
Clay Shields, Georgetown University
Publisher
ACM, New York, NY, USA
DOI: http://doi.acm.org/10.1145/1513601.1513604

ABSTRACT

A covert channel can occur when an attacker finds and exploits a shared resource that was not designed to be a communication mechanism. A network covert timing channel operates by altering the timing of otherwise legitimate network traffic so that the arrival times of packets encode confidential data that an attacker wants to exfiltrate from a secure area from which she has no other means of communication. In this article, we present the first public implementation of an IP covert channel, discuss the subtle issues that arose in its design, and discuss its efficacy. We then show that an IP covert channel can be differentiated from legitimate channels and present new detection measures that achieve detection rates over 95%. We next take the simple step an attacker would take, adding noise to the channel in an attempt to conceal the covert communication. For these noisy IP covert timing channels, we show that our online detection measures can fail to identify the covert channel at noise levels above 10%. We then provide effective offline search mechanisms that identify the noisy channels.
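The channel and the detection problem sketched in the abstract, as an added simulation written for this page (not the authors' implementation): a sender encodes bits as packet-or-silence in fixed time slots, a receiver decodes them from arrival times, a passive observer scores the inter-arrival stream by how well it compresses, and the attacker's counter-move of interleaving random packets is applied to watch the score move toward that of ordinary traffic. The slot encoding, the Poisson model of legitimate traffic, the 0.01 s timer resolution, the 30% noise level and the compressibility statistic itself are assumptions made for the simulation, not details taken from the paper; all traces are constructed in the code.

```python
"""Simulated IP timing channel, an attacker's noise step, and a compressibility detector.
Added example for illustration; the encoding, traffic model and statistic are assumptions."""
import random
import zlib


def covert_arrivals(bits, interval=1.0, jitter=0.005, seed=1):
    """Encoder (assumed scheme): time is cut into fixed slots of `interval` seconds;
    a packet sent in slot k means bit k is 1, silence means 0. `jitter` models the
    sender's timer imprecision. Returns the packet send times."""
    rng = random.Random(seed)
    return [k * interval + rng.uniform(-jitter, jitter)
            for k, bit in enumerate(bits, start=1) if bit]


def decode_bits(arrivals, nbits, interval=1.0):
    """Receiver: slot k reads as 1 if any packet lands within half a slot of its centre."""
    bits = [0] * nbits
    for t in arrivals:
        k = int(round(t / interval))
        if 1 <= k <= nbits:
            bits[k - 1] = 1
    return bits


def legitimate_arrivals(n, rate=1.0, seed=2):
    """Constructed stand-in for ordinary traffic: Poisson arrivals (exponential
    inter-arrival times) at the same mean rate as one packet per slot."""
    rng = random.Random(seed)
    t, arrivals = 0.0, []
    for _ in range(n):
        t += rng.expovariate(rate)
        arrivals.append(t)
    return arrivals


def add_noise(arrivals, fraction, seed=3):
    """Attacker's concealment step: interleave packets at random times so that
    `fraction` of all packets on the wire carry no bit (0.3 means 30% noise)."""
    if not 0.0 <= fraction < 1.0:
        raise ValueError("fraction must be in [0, 1)")
    rng = random.Random(seed)
    n_noise = int(len(arrivals) * fraction / (1.0 - fraction))
    noise = [rng.uniform(0.0, arrivals[-1]) for _ in range(n_noise)]
    return sorted(arrivals + noise)


def inter_arrivals(arrivals):
    """Inter-arrival times: all a passive observer on the path needs."""
    return [b - a for a, b in zip(arrivals, arrivals[1:])]


def compressibility(iats, resolution=0.01):
    """Detection measure (assumed, not the paper's exact statistic): quantise the
    inter-arrival times to timer ticks, serialise them and compress. A timing channel
    reuses a handful of delays, so its stream compresses far better than the spread
    of delays in ordinary traffic. Lower ratio means more suspicious."""
    raw = ",".join(str(round(x / resolution)) for x in iats).encode()
    return len(zlib.compress(raw, 9)) / len(raw)


def score_traffic(nbits=400, noise=0.3, seed=7):
    """Score three constructed traces: the clean channel, the same channel with extra
    random packets making up `noise` of the traffic, and Poisson traffic of equal size."""
    rng = random.Random(seed)
    bits = [int(rng.random() < 0.5) for _ in range(nbits)]
    covert = covert_arrivals(bits)
    assert decode_bits(covert, nbits) == bits  # the channel really carries the data
    return {
        "covert": compressibility(inter_arrivals(covert)),
        "covert+noise": compressibility(inter_arrivals(add_noise(covert, noise))),
        "legitimate": compressibility(inter_arrivals(legitimate_arrivals(len(covert)))),
    }


if __name__ == "__main__":
    for name, score in score_traffic().items():
        print(f"{name:14s} compression ratio = {score:.2f}")
```

Run it directly to print the three ratios: the clean covert trace compresses best, and adding noise pushes its ratio up toward that of the Poisson trace, which is the evasion effect the abstract describes in miniature. In a real detector the quantisation step should match the capture timestamp resolution, and any threshold between the two populations has to be calibrated per link, since the ratio shifts with packet rate and with how the ticks are serialised.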


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1. Abad, C. 2001. IP checksum covert channels and selected hash collision. Tech. rep., University of California.
2. Ahsan, K. 2000. Covert channel analysis and data hiding in TCP/IP. M.S. thesis, University of Toronto.
3. Ahsan, K. and Kundur, D. 2002. Practical data hiding in TCP/IP. In Proceedings of the Workshop on Multimedia Security (MMSEC’02), 63--70.
4.
5.
6. Berrou, C., Glavieux, A., and Thitimajshima, P. 1993. Near Shannon limit error-correcting coding and decoding: Turbo codes. In Proceedings of the IEEE International Conference on Communications (ICC’93), 2, 1064--1070.
7. Best, R. E. 2003. Phase-Locked Loops: Design, Simulation and Applications, 5th Ed. McGraw-Hill Professional.
8. Bishop, M. 2002. Computer Security: Art and Science. Addison Wesley Professional.
9.
10. Castro, S. 2003. CCTT: Covert channel tunneling tool. Tech. rep., The Gray-World Team.
11. Cilibrasi, R. and Vitanyi, P. M. B. 2005. Clustering by compression. IEEE Trans. Inf. Theory 51, 4, 1523--1545.
12.
13.
14. Common Criteria. 1998. Common criteria for information technology security evaluation, version 2.0 Ed. ISO/IEC Standard 15408.
15. Cox, D. R. and Lewis, P. A. W. 1966. The Statistical Analysis of Series of Events. Chapman and Hall.
16. Daemon9. 1997. Loki2 (the implementation). Phrack 51, 6.
17. Daemon9. 1996. Project Loki. Phrack 49, 6.
18.
19. Department of Defense. 1985. Trusted computer system evaluation criteria, 5200.28-STD. Washington: Government Publishing Office.
20.
21. Giffin, J., Greenstadt, R., Litwack, P., and Tibbetts, R. 2002. Covert messaging through TCP timestamps. In Proceedings of the Workshop on Privacy Enhancing Technologies (PET’02), 2482, 194--208.
22. Giles, J. and Hajek, B. 2003. An information-theoretic and game-theoretic study of timing channels. IEEE Trans. Inf. Theory 48, 9, 2455--2477.
23.
24. GNU. 2003. GNU zip utility. http://www.gzip.org.
25. Gusella, R. 1991. Characterizing the variability of arrival processes with indexes of dispersion. IEEE J. Select. Areas Comm. 9, 2, 203--211.
26.
27.
28. Hauser, V. 1999. Placing backdoors through firewalls. Tech. rep., The Hacker’s Choice.
29. Helouet, L., Jard, C., and Zeitoun, M. 2003. Covert channels detection in protocols using scenarios. In Proceedings of the Workshop on Security Protocols Verification (SPV’03), 21--25.
30. Henry, P. A. 2000. Covert channels provided hackers the opportunity and the means for the current distributed denial of service attacks. Tech. rep., CyberGuard Corporation.
31. Hu, W. M. 1992. Reducing timing channels with fuzzy time. J. Comput. Secur. 1, 3--4, 233--254.
32. Karger, P. A. and Wray, J. C. 1991. Storage channels in disk arm optimization. In Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy (SP’91), 52--61.
33.
34.
35.
36.
37.
38. Li, S. and Ephremides, A. 2004. A network layer covert channel in ad-hoc wireless networks. In Proceedings of the 1st IEEE Communications Society Conference on Sensor and Ad Hoc Communications and Networks (SECON’04), 88--96.
39.
40. Millen, J. 1999. 20 years of covert channel modeling and analysis. In Proceedings of the IEEE Symposium on Security and Privacy (SP’99), 113--114.
41.
42.
43. Moskowitz, I. S. and Kang, M. H. 1994. Covert channels - Here to stay? In Proceedings of the 9th Annual Conference on Computer Assurance (COMPASS’94). National Institute of Standards and Technology, 235--244.
44. Murdoch, S. J. and Lewis, S. 2005. Embedding covert channels into TCP/IP. In Proceedings of the Workshop on Information Hiding (IH’05), 3727, 247--261.
45. NCSC. 1993. A guide to understanding covert channel analysis of trusted systems. Tech. Rep. Library No. S--240,572, National Computer Security Center.
46.
47. Rosenberg, C., Guillemin, F., and Mazumdar, R. 1995. New approach for traffic characterization in ATM networks. In Proceedings of the IEEE International Conference on Communications (ICC’95), 142, 87--90.
48. Rowland, C. 1997. Covert channels in the TCP/IP protocol suite. Tech. rep., First Monday.
49. Rutkowska, J. 2004. The implementation of passive covert channels in the Linux kernel. Tech. rep., Chaos Communication Congress.
50.
51.
52. Simmons, G. J. 1984. The prisoner’s problem and the subliminal channel. In Advances in Cryptography, 51--67.
53. Smith, J. C. 2000. Covert shells. Tech. rep., SANS Institute Information Security Reading Room.
54. Sohn, T., Moon, J., Lee, S., Lee, D. H., and Lim, J. 2003a. Covert channel detection in the ICMP payload using support vector machine. In Proceedings of the International Conference on Information and Communications Security (ICS’03), 828--835.
55. Sohn, T., Seo, J.-T., and Moon, J. 2003b. A study on the covert channel detection of TCP/IP header using support vector machine. In Proceedings of the International Conference on Information and Communications Security (ICS’03), 313--324.
56. United Nations. 1948. Universal declaration of human rights. 217A, 3.
57. WAND Research Group. 2001. NZIX-II trace archive. University of Waikato Computer Science Department. http://pma.nlanr.net/Traces/long/nzix2.html.
58. Wehner, S. 2004. Analyzing network traffic and worms using compression. Tech. rep., Centrum Wiskunde and Informatica.
59. Wray, J. C. 1991. An analysis of covert timing channels. In Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy (SP’91), 2--7.
