Mimic: An active covert channel that evades regularity-based detection

Kothari, Kush; Wright, Matthew

doi:10.1016/j.comnet.2012.10.008

Cited by 22 publications

(11 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The GPU will use the CCE calculation to report which flows are likely to contain covert channels. In our work, we consider a well-known CTC variety known as model-based covert timing channels (MBCTCs), which avoid detection by fitting the CTC's packet timings to a statistical model based on natural traffic [7]. By testing our tool against a traffic sample injected with MBCTCs, we confirm the CCE test's effectiveness as a classifier established in previous results [5].…”

Section: Introductionsupporting

confidence: 64%

See 1 more Smart Citation

Real-time GPU-based timing channel detection using entropy

Gegan

Ahuja

Owens

et al. 2016

2016 IEEE Conference on Communications and Network Security (CNS)

View full text Add to dashboard Cite

Abstract-As line rates continue to grow, network security applications such as covert timing channel (CTC) detection must utilize new techniques for processing network flows in order to protect critical enterprise networks. GPU-based packet processing provides one means of scaling the detection of CTCs and other anomalies in network flows. In this paper, we implement a GPUbased detection tool, capable of detecting model-based covert timing channels (MBCTCs). The GPU's ability to process a large number of packets in parallel enables more complex detection tests, such as the corrected conditional entropy (CCE) test-a modified version of the conditional entropy measurement, which has a variety of applications outside of covert channel detection. In our experiments, we evaluate the CCE test's true and false positive detection rates, as well as the time required to perform the test on the GPU. Our results demonstrate that GPU packet processing can be applied successfully to perform real-time CTC detection at near 10 Gbps with high accuracy.

show abstract

Section: Introductionsupporting

confidence: 64%

“…Examples include the -similarity test (effective for detecting IPCTC traffic), and measuring the data and acknowledgement packet timing intervals (effective for detecting the Cloak CTC) [5]. After new detection techniques are introduced, new covert timing channel types designed to counter those techniques tend to follow [5], [7].…”

Section: Related Workmentioning

confidence: 99%

Real-time GPU-based timing channel detection using entropy

Gegan

Ahuja

Owens

et al. 2016

2016 IEEE Conference on Communications and Network Security (CNS)

View full text Add to dashboard Cite

show abstract

“…It is always classified by the employed carrier; the most popular type of covert channels is network covert channels, which is based on network traffic; information is embedded by manipulating the packet timing information [1][2][3][4] or pudding some bits into the packet headers [5]. As the youngest branch of covert channels, wireless covert channel conceals the very existence of secret information by modulating it into the delivered wireless signal [6] or modifying some redundant fields of wireless communication protocols [7].…”

Section: Introductionmentioning

confidence: 99%

A Wireless Covert Channel Based on Constellation Shaping Modulation

Cao

Liu

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

Wireless covert channel is an emerging covert communication technique which conceals the very existence of secret information in wireless signal including GSM, CDMA, and LTE. The secret message bits are always modulated into artificial noise superposed with cover signal, which is then demodulated with the shared codebook at the receiver. In this paper, we first extend the traditional KS test and regularity test in covert timing channel detection into wireless covert channel, which can be used to reveal the very existence of secret data in wireless covert channel from the aspect of multiorder statistics. In order to improve the undetectability, a wireless covert channel for OFDM-based communication system based on constellation shaping modulation is proposed, which generates additional constellation points around the standard points in normal constellations. The carrier signal is then modulated with the dirty constellation and the secret message bits are represented by the selection mode of the additional constellation points; shaping modulation is employed to keep the distribution of constellation errors unchanged. Experimental results show that the proposed wireless covert channel scheme can resist various statistical detections. The communication reliability under typical interference is also proved.

show abstract

“…However, such mechanisms are not applicable to the problem of linking flows studied in this paper. Particularly, a significant number of covert traffic timing mechanisms work by generating synthetic network flows-as opposed to modifying some existing flows-in order embed covert messages [1,6,15,23,27,28,39]. The synthetic traffic is generated in a way to mimic that of normal traffic.…”

Section: Relevance To Covert Communicationsmentioning

confidence: 99%

TagIt: Tagging Network Flows using Blind Fingerprints

Rezaei

Houmansadr

2017

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Flow fingerprinting is a mechanism for linking obfuscated network flows at large scale. In this paper, we introduce the first blind flow fingerprinting system called TagIt. Our system works by modulating fingerprint signals into the timing patterns of network flows through slightly delaying packets into secret time intervals only known to the fingerprinting parties. We design TagIt to to enable reliable fingerprint extraction by legitimate fingerprinting parties despite natural network noise, but invisible to an adversary who does not possess the secret fingerprinting key. TagIt makes use of randomization to resist various detection attacks such as multi-flow attacks. We evaluate the performance and invisibility of TagIt through theoretical analysis as well as simulations and experimentation on live network flows.

show abstract

Mimic: An active covert channel that evades regularity-based detection

Cited by 22 publications

References 15 publications

Real-time GPU-based timing channel detection using entropy

Real-time GPU-based timing channel detection using entropy

A Wireless Covert Channel Based on Constellation Shaping Modulation

TagIt: Tagging Network Flows using Blind Fingerprints

Contact Info

Product

Resources

About