2005
DOI: 10.1007/11558859_19

Embedding Covert Channels into TCP/IP

Abstract: It is commonly believed that steganography within TCP/IP is easily achieved by embedding data in header fields seemingly filled with "random" data, such as the IP identifier, TCP initial sequence number (ISN) or the least significant bit of the TCP timestamp. We show that this is not the case; these fields naturally exhibit sufficient structure and non-uniformity to be efficiently and reliably differentiated from unmodified ciphertext. Previous work on TCP/IP steganography does not take this into acc…

Citations: cited by 210 publications (156 citation statements)
References: 14 publications
“…NUSHU sender modifies the Initial Sequence Number (ISN) and Acknowledge Sequence Number fields generated by OS. Murdoch and Lewis [85] developed a robust scheme, Lathra, which generates ISNs for OpenBSD and Linux, that are almost indistinguishable from those generated by a genuine TCP stack, except by wardens with knowledge of a shared secret key.…”
Section: Steganography In Transport Layer (mentioning)
confidence: 99%
“…Several covert channels can be eliminated by blocking protocols/ports by firewalls (Loki [22,23], ICMPTX [113], Skeeve [128], ICMP-Chat [84]) or ingress/egress filtering (B0CK [120], Skeeve [128], false IPv6 Source Address Covert−TCP [98] can be detected using a Support Vector Machine (SVM) [109], and together with NUSHU [99] by [85] anomaly tests, because covert headers are easily distinguished from those generated by a genuine TCP/IP stack.…”
Section: Defence Mechanisms (mentioning)
confidence: 99%
“…In the network layer, many methods have been proposed to hide data in the IP packets and ICMP packets. Virtually all possible fields in the IP headers have been exploited for storage covert channels [9,16,17,18]. The fields in the TCP header are also equally exploited for embedding storage covert channels [9,19,20,17].…”
Section: Related Work (mentioning)
confidence: 99%
“…A covert channel needs to be undetectable, meaning that the covert traffic should not be distinguishable from legitimate traffic. Murdoch et al. show that many of the storage covert channels can be detected easily since the covert message modifies the benign pattern of the utilized header fields [17]. Also, different statistical tests have been utilized to detect covert timing channels [2,7].…”
Section: Introduction (mentioning)
confidence: 99%