Network Based Detection of Passive Covert Channels in TCP/IP

Tumoian, E.; Anikeev, Maxim

doi:10.1109/lcn.2005.92

Cited by 34 publications

(16 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Sohn et al demonstrated that simple covert channels encoded in the IP ID or TCP ISN field can be discovered with high accuracy by Support Vector Machines (SVMs) [Sohn et al 2003]. Tumoian et al showed that a neural network can detect Rutkowska's TCP ISN covert channel [Rutkowska 2004] with high accuracy [Tumoian and Anikeev 2005] (both Random Value pattern). Zander et al demonstrated that inter-packet timing channels can be detected by C4.5 decision trees trained on several features [Zander et al 2011] (Inter-arrival Time pattern).…”

Section: Countermeasures For Patternsmentioning

confidence: 99%

Pattern-Based Survey and Categorization of Network Covert Channel Techniques

et al. 2015

View full text Add to dashboard Cite

Network covert channels are used to hide communication inside network protocols. Within the last decades, various techniques for covert channels arose. We surveyed and analyzed 109 techniques developed between 1987 and 2013 and show that these techniques can be reduced to only 11 different patterns. Moreover, the majority (69.7%) of techniques can be categorized in only four different patterns, i.e. most of the techniques we surveyed are very similar. We represent the patterns in a hierarchical catalog using a pattern language. Our pattern catalog will serve as a base for future covert channel novelty evaluation. Furthermore, we apply the concept of pattern variations to network covert channels. With pattern variations, the context of a pattern can change. For example, a channel developed for IPv4 can automatically be adapted to other network protocols. We also propose the pattern-based covert channel optimizations pattern hopping and pattern combination. Finally, we lay the foundation for pattern-based countermeasures: While many current countermeasures were developed for specific channels, a pattern-oriented approach allows to apply one countermeasure to multiple channels. Hence, future countermeasure development can focus on patterns, and the development of real-world protection against covert channels is greatly simplified.

show abstract

Section: Countermeasures For Patternsmentioning

confidence: 99%

Pattern-Based Survey and Categorization of Network Covert Channel Techniques

et al. 2015

View full text Add to dashboard Cite

show abstract

“…This means that we do not handle cases where, for example, a single key is sent in one data package. In this way, the proposed technique is similar to other techniques which use machine learning techniques, such as those that employ neural networks (e.g., Tumoian and Anikeev 2005) or support vector machines (e.g., Sohn et al 2003), to analyse data streams for anomalies indicating the possible existence of a covert channel. Since machine learning techniques require training data, it is acknowledged in Tumoian and Anikeev (2005) that it is impossible to discover a covert channel using a single data package and that the more packets that are recorded, the more precise the technique will be.…”

Section: Discussionmentioning

confidence: 99%

Investigative support for information confidentiality

Jaskolka

Khédri

Sabri

2015

J Ambient Intell Human Comput

View full text Add to dashboard Cite

With the ubiquity and pervasiveness of computers in daily activities and with the ever-growing complexity of communication networks and protocols, covert channels are becoming an eminent threat to the confidentiality of information. In light of this threat, we propose a technique to detect confidential information leakage via protocol-based covert channels. Although several works examine covert channel detection and analysis from the perspective of information theory by, for instance, analysing channel capacities, we propose a different technique that tackles the problem from a different perspective. The proposed technique takes an algebraic approach using relations. It provides tests to verify the existence of a leakage of information via a monitored covert channel. It also provides computations which show how the information was leaked if a leakage exists. We also discuss possible applications of the proposed technique in cryptanalysis and digital forensics based on a knownplaintext attack. We report on a prototype tool that allows for the automation of the proposed technique.

show abstract

“…This statistic is then compared with a threshold for traffic classification. In [3], the authors have proposed detecting covert messages in ISN field by using Elman neural network model. They predict the ISN by using all the data received before and calculate the Hamming distance between the predicted ISN and the new ISN.…”

Section: Literature Surveymentioning

confidence: 99%

A Support Vector Machine-Based Framework for Detection of Covert Timing Channels

Shrestha

Hempel

Rezaei

et al. 2016

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Covert channels exploit side channels within existing network resources to transmit secret messages. They are integrated into the elements of network resources that were not even designed for the purpose of communication. This means that traditional security features like firewalls cannot detect them. Their ability to evade detection makes covert channels a grave security concern. Hence, it is imperative to detect and disrupt them. However, a generic mechanism that can be used to detect a large variety of covert channels is missing. In this paper, we propose a Support Vector Machine (SVM)-based framework for reliable detection of covert communications. The machine learning framework utilizes the fingerprints derived from the traffic under investigation to classify the traffic as covert or overt. We trained our classifier using the fingerprints from four popular and diverse covert timing channel algorithms and tested each of them independently. We have shown that the machine learning framework has great potential to blindly detect covert channels, even when the covert message size is reduced. His research interests include theoretical and mathematical modeling, wireless communications, signal processing, high-speed networks, network security, among others.

show abstract

Network Based Detection of Passive Covert Channels in TCP/IP

Cited by 34 publications

References 1 publication

Pattern-Based Survey and Categorization of Network Covert Channel Techniques

Pattern-Based Survey and Categorization of Network Covert Channel Techniques

Investigative support for information confidentiality

A Support Vector Machine-Based Framework for Detection of Covert Timing Channels

Contact Info

Product

Resources

About