Syntax and Semantics-Preserving Application-Layer Protocol Steganography

Lucena, Norka B.; Pease, James; Yadollahpour, Payman; Chapin, Steve J.

doi:10.1007/978-3-540-30114-1_12

Cited by 35 publications

(34 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Alter the number of options placed in an IPv4 packet 2. Modulate the number of options placed in a DHCP packet [Rios et al 2012] [Lucena et al 2004] 6. Extend Simple Mail Transfer Protocol (SMTP) packet headers with additional fields [Getchell 2008] 7.…”

Section: P2 Sequence Patternmentioning

confidence: 99%

“…Utilize the DHCP xid field [Rios et al 2012] 5. Utilize the Secure Shell (SSH) protocol Message Authentication Code (MAC field) [Lucena et al 2004] Notes: As some header elements, such as the TCP ISN, follow a distribution which conforms to a particular operating system or context, their values cannot be considered perfectly random and the placement of "random" values in such elements can lead to different value distributions, which can be detected [Murdoch 2007]. …”

Section: P5 Random Value Patternmentioning

confidence: 99%

See 1 more Smart Citation

Pattern-Based Survey and Categorization of Network Covert Channel Techniques

et al. 2015

View full text Add to dashboard Cite

Network covert channels are used to hide communication inside network protocols. Within the last decades, various techniques for covert channels arose. We surveyed and analyzed 109 techniques developed between 1987 and 2013 and show that these techniques can be reduced to only 11 different patterns. Moreover, the majority (69.7%) of techniques can be categorized in only four different patterns, i.e. most of the techniques we surveyed are very similar. We represent the patterns in a hierarchical catalog using a pattern language. Our pattern catalog will serve as a base for future covert channel novelty evaluation. Furthermore, we apply the concept of pattern variations to network covert channels. With pattern variations, the context of a pattern can change. For example, a channel developed for IPv4 can automatically be adapted to other network protocols. We also propose the pattern-based covert channel optimizations pattern hopping and pattern combination. Finally, we lay the foundation for pattern-based countermeasures: While many current countermeasures were developed for specific channels, a pattern-oriented approach allows to apply one countermeasure to multiple channels. Hence, future countermeasure development can focus on patterns, and the development of real-world protection against covert channels is greatly simplified.

show abstract

Section: P2 Sequence Patternmentioning

confidence: 99%

Section: P5 Random Value Patternmentioning

confidence: 99%

Pattern-Based Survey and Categorization of Network Covert Channel Techniques

et al. 2015

View full text Add to dashboard Cite

show abstract

“…Lucena et al [67] suggest the MAC field for carrying messages up to 160 bits per SSH PDU. To simulate the randomness of the MAC, the embedded messages are previously compressed and then encrypted (Table 10).…”

Section: Session Initiation Protocol (Sip) and Session Description Prmentioning

confidence: 99%

“…SSH [67] MAC channel can be detected by wrong recomputed MAC value at the receiver end, and other [67] channel can be detected if sender do not care about packet length distribution in the normal SSH traffic.…”

Section: Defence Mechanismsmentioning

confidence: 99%

Covert channels in TCP/IP protocol stack - extended version-

Mileva

Panajotov

2014

Open Computer Science

View full text Add to dashboard Cite

We give a survey of different techniques for hiding data in several protocols from the TCP/IP protocol stack.Techniques are organized according to affected layer and protocol. For most of the covert channels its data bandwidth is given. IntroductionAn overt channel is a communication channel within a computer system or network, designed for the authorized transfer of data. A covert channel (first introduced by Lampson [62]), on the other hand, is any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy [26]. Any shared resource can potentially be used as a covert channel. Covert channels can be divided primarily in storage and timing channels. In a case of the storage channels, usually one process writes (directly or indirectly) to a shared resource, while another process reads from it. Timing channel is essentially any technique that conveys information by the timing of events, in which case the receiving process needs a clock. Special timing covert channel is counting channel which carries data by counting the occurrences of certain events [44].Additionally, timing channels can be active if they generate additional traffic or passive if they manipulate the timing of existing traffic. As any other communication channel, covert channel can be noisy or noiseless.According to the number of information flows between the sender and the receiver -several or one, there are aggregated and non-aggregated covert channels [36]. According to the presence or absence of the intermediate node in the communication, covert channels can be indirect or direct. Payload tunnel is a covert channel, where one protocol is tunnelled in the payload of the other protocol. Covert channels are studied as a part of the science * E-mail: aleksandra.mileva@ugd.edu.mk † E-mail: boris.panajotov@ugd.edu.mk steganography, and different steganographic methods used in telecommunication networks are known as network steganography.The adversary model is based on the Simmons prisoner problem [105]: two parties want to communicate confidentially and undetected over an insecure channel, the warden. The warden can be passive -which monitor traffic and report when some unauthorized traffic is detected, or active -which can modify the content of the messages with the purpose of eliminating any form of hidden communication. Simmons introduced the term subliminal channel, a variant of covert channel which uses cryptographic algorithm or protocol for hiding messages. A composition of covert channel with subliminal channel is the hybrid channel.Covert channels can be analysed by the total number of steganogram bits transmitted during a second (Raw Bit Rate -RBR), or by the total number of steganogram bits transmitted per PDU (for example, Packet Raw BitRate-PRBR) [78]. In ideal case, if no packets are lost, capacity of some storage channels can be expressed as Steganography in Internet layerInternet Protocol (IP) is the primary protocol in the TCP/IP protocol stack, ...

show abstract

“…This part of the taxonomy is highly developed, but it is not relevant to steganography. Figure 1 in Lucena et al [8], where Alice and Bob communicate by modifying messages which were sent, and which will ultimately be received, by other parties. However an improper billing is not a typical goal of steganography, so it seems inappropriate to classify stegocommunication as a threat to billing.…”

Section: Extension Of the Threat Taxonomy Of Voipsamentioning

confidence: 99%

A Security Model for VoIP Steganography

Thomborson

Wang

et al. 2009

2009 International Conference on Multimedia Information Networking and Security

View full text Add to dashboard Cite

Abstract-In 2005, an extensive taxonomy of threats for VoIP was published by a prominent industry group. Strangely, this taxonomy does not identify stegocommunication as a threat, even though many steganographic channels have been identified in VoIP protocols. To avoid such security gaps in the future, we argue that stegocommunication should be added to the traditional list of network threats: interruption, interception, modification, fabrication. The stegocommunication threat arises when the communication channel is purchased, provided, or supervised by anyone other than the communicating parties. We illustrate a stegocommunication threat to a business owner Charles. If Charles purchases a VoIP service for business-related communications by an employee Alice, then he faces the risk that Alice may undetectably communicate a business secret to an outside party Bob. In this insider-threat scenario, Charles can mitigate his security risk by installing a stegodetector.

show abstract

Syntax and Semantics-Preserving Application-Layer Protocol Steganography

Cited by 35 publications

References 21 publications

Pattern-Based Survey and Categorization of Network Covert Channel Techniques

Pattern-Based Survey and Categorization of Network Covert Channel Techniques

Covert channels in TCP/IP protocol stack - extended version-

A Security Model for VoIP Steganography

Contact Info

Product

Resources

About