A combinatorial approach to network covert communications with applications in Web Leaks

Wang, Liu; Zhou, Peng; Chan, Ehw; Chang, Rocky K. C.; Lee, Wenke

doi:10.1109/dsn.2011.5958260

Cited by 16 publications

(23 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Especially, Luo et al [20][21][22] designed a combinatorics-based scheme, called Cloak, to transmit information in the ordering of packets within different flows. Based on the 12-fold way in [26], Cloak offers ten different encoding and decoding methods, each of which has a unique tradeoff between undetectability and capacity.…”

Section: Http Headermentioning

confidence: 99%

LiHB

Shen

Huang

Wang

et al. 2015

Proceedings of the 3rd ACM Workshop on Information Hiding and Multimedia Security

View full text Add to dashboard Cite

The application-layer covert channels have been extensively studied in recent years. Information-hiding in ubiquitous application packets can significantly improve the capacity of covert channels. However, the undetectability is still a knotty problem, because the existing covert channels are all frustrated by proper detection schemes. In this paper, we propose LiHB, a behavior-based covert channel in HTTP. When a client is browsing a website and downloading webpage objects, we can reveal some fluctuation behaviors that the distribution relationship between the ports opening and HTTP requests are flexible. Based on combinatorial nature of distributing N HTTP requests over M HTTP flows, such fluctuation can be exploited by LiHB channel to encode covert messages, which can obtain high stealthiness. Besides, LiHB achieves a considerable and controllable capacity by setting the number of webpage objects and HTTP flows. Compared with existing techniques, LiHB is the first covert channel implemented based on the unsuspicious behavior of browsers, the most important application-layer software. Because most HTTP proxies are using NAPT techniques, LiHB can also operate well even when a proxy is equipped, which poses a serious threat to individual privacy. Experimental results show that LiHB covert channel achieves a good capacity, reliability and high undetectability.

show abstract

Section: Http Headermentioning

confidence: 99%

LiHB

Shen

Huang

Wang

et al. 2015

Proceedings of the 3rd ACM Workshop on Information Hiding and Multimedia Security

View full text Add to dashboard Cite

show abstract

“…In the second type, some combinatorial function is applied to the IPDs to inject the covert message. This type of CTCs is also referred to as combinatorial CTCs, which can be based on a single flow as in or multiple flows as in . In the case of a single flow, packets are transmitted in groups where the size of the group is used to encode information .…”

Section: Motivation and Related Workmentioning

confidence: 99%

“…A predetermined IPD is used to demarcate groups. In the case of multiple flows, both the size of the group and the flow in which the group of packets arrives are used to encode information . In this paper, we consider the design, implementation, and performance evaluation of a model‐based CTC.…”

Section: Motivation and Related Workmentioning

confidence: 99%

“…In covert storage channels, the sender embeds the covert message in the overt carrier (e.g., the least significant bit substitution in a jpeg image or an audio file, modifying unused bits of a packet headers) . CTCs, on the other hand, employ modulation and coding techniques to alter the timing characteristics of the overt carrier (e.g., hard disk head movement, phone calls, or inter‐packet delays (IPDs) of a packet stream) . In this paper, we focus on CTCs, specifically those in which the covert sender modulates the covert message into the IPDs of a network packet stream.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Design and performance evaluation of a covert timing channel

Archibald

Ghosal

2015

Security Comm. Networks

View full text Add to dashboard Cite

In a model-based covert timing channel (CTC), the (covert) sender modulates the inter-packet delays (IPDs) of the packet stream generated by the overt application (source) by following a well-known statistical model of the application traffic. Implementing a CTC system that operates on real application traffic such as Skype requires addressing several challenges. First, packets generated by Skype must meet a maximum end-to-end delay requirement, which imposes limits on how long a packet can be buffered by the sender. Second, buffer overrun and underrun may occur because of transient mismatches between the rate at which packets are generated by the source and the rate at which the sender can service the covert buffer. As a single IPD of Skype traffic is small and has a small delay spread, we propose to use delay of multiple IPDs to modulate the encoded symbols. To minimize buffer overruns and underruns, we partition the delay of multiple IPDs so that each encoded symbol can be mapped to multiple partitions of the delay distribution. We then provide a mathematical model to choose the appropriate partition for a given encoded symbol based on the state of the buffer. We evaluate the performance of a users-space implementation of the CTC system in real network settings for Skype traffic. We show that the covert channel based on the proposed design can be established even when the source is connected to a public WiFi network and it is largely non-detectable under well-known statistical tests including the entropy test, the Kolmogorov-Smirnov test, and the Kullback-Leibler divergence test.

show abstract

“…Luo et al [72] implemented ACKLeaks covert channel which embeds covert messages into pure TCP ACK packets from single or multiple TCP connections, using the combinatorial approach. ACKLeaks can evade contentbased detection methods and can be implemented by exploiting the existing TCP connections.…”

Section: Steganography In Transport Layermentioning

confidence: 99%

Covert channels in TCP/IP protocol stack - extended version-

Mileva

Panajotov

2014

Open Computer Science

View full text Add to dashboard Cite

We give a survey of different techniques for hiding data in several protocols from the TCP/IP protocol stack.Techniques are organized according to affected layer and protocol. For most of the covert channels its data bandwidth is given. IntroductionAn overt channel is a communication channel within a computer system or network, designed for the authorized transfer of data. A covert channel (first introduced by Lampson [62]), on the other hand, is any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy [26]. Any shared resource can potentially be used as a covert channel. Covert channels can be divided primarily in storage and timing channels. In a case of the storage channels, usually one process writes (directly or indirectly) to a shared resource, while another process reads from it. Timing channel is essentially any technique that conveys information by the timing of events, in which case the receiving process needs a clock. Special timing covert channel is counting channel which carries data by counting the occurrences of certain events [44].Additionally, timing channels can be active if they generate additional traffic or passive if they manipulate the timing of existing traffic. As any other communication channel, covert channel can be noisy or noiseless.According to the number of information flows between the sender and the receiver -several or one, there are aggregated and non-aggregated covert channels [36]. According to the presence or absence of the intermediate node in the communication, covert channels can be indirect or direct. Payload tunnel is a covert channel, where one protocol is tunnelled in the payload of the other protocol. Covert channels are studied as a part of the science * E-mail: aleksandra.mileva@ugd.edu.mk † E-mail: boris.panajotov@ugd.edu.mk steganography, and different steganographic methods used in telecommunication networks are known as network steganography.The adversary model is based on the Simmons prisoner problem [105]: two parties want to communicate confidentially and undetected over an insecure channel, the warden. The warden can be passive -which monitor traffic and report when some unauthorized traffic is detected, or active -which can modify the content of the messages with the purpose of eliminating any form of hidden communication. Simmons introduced the term subliminal channel, a variant of covert channel which uses cryptographic algorithm or protocol for hiding messages. A composition of covert channel with subliminal channel is the hybrid channel.Covert channels can be analysed by the total number of steganogram bits transmitted during a second (Raw Bit Rate -RBR), or by the total number of steganogram bits transmitted per PDU (for example, Packet Raw BitRate-PRBR) [78]. In ideal case, if no packets are lost, capacity of some storage channels can be expressed as Steganography in Internet layerInternet Protocol (IP) is the primary protocol in the TCP/IP protocol stack, ...

show abstract

A combinatorial approach to network covert communications with applications in Web Leaks

Cited by 16 publications

References 30 publications

LiHB

LiHB

Design and performance evaluation of a covert timing channel

Covert channels in TCP/IP protocol stack - extended version-

Contact Info

Product

Resources

About