
Pattern-Based Survey and Categorization of Network Covert Channel Techniques

Abstract and Figures

Network covert channels are used to hide communication inside network protocols. Various techniques for covert channels have arisen in the past few decades. We surveyed and analyzed 109 techniques developed between 1987 and 2013 and show that these techniques can be reduced to only 11 different patterns. Moreover, the majority (69.7%) of techniques can be categorized into only four different patterns (i.e., most techniques we surveyed are similar). We represent the patterns in a hierarchical catalog using a pattern language. Our pattern catalog will serve as a base for future covert channel novelty evaluation. Furthermore, we apply the concept of pattern variations to network covert channels. With pattern variations, the context of a pattern can change. For example, a channel developed for IPv4 can automatically be adapted to other network protocols. We also propose the pattern-based covert channel optimizations pattern hopping and pattern combination. Finally, we lay the foundation for pattern-based countermeasures: whereas many current countermeasures were developed for specific channels, a pattern-oriented approach allows application of one countermeasure to multiple channels. Hence, future countermeasure development can focus on patterns, and the development of real-world protection against covert channels is greatly simplified.
... A process with a high security level usually divulges information to a process with a low security level. The emphasis has switched to network covert channels, where covert data may be encoded into a network protocol, as a result of the emergence and quick growth of computer networks [16]. ...
... Wendzel et al. [16] divide network covert storage channels into two categories: (i) techniques that change header fields or other non-payload elements and (ii) techniques that conceal covert messages into the payload section. Moreover, seven patterns are used to categorize the non-payload techniques. ...
... The majority of detection approaches to detect network covert channel concentrate on a particular type of covert channel technique rather than focusing on the shared characteristics of several different types of covert channels. In this context, Wendzel et al. [16] categorized covert channel approaches into eleven categories in an effort to develop a mechanism to identify common behaviors of covert channels. Wendzel et al. noted that almost 70% of these methods fall into four major categories. ...
Chapter
With the rapid advancement of communication and computer network technologies, covert channels are now more secure, quicker to set up, harder to detect, and easier to design than ever before. By breaking a system security policy, a covert channel can be utilized to leak confidential communications. Undoubtedly, one of the most difficult challenges is still detecting such harmful, unobservable, and covert dangers. Due to the fact that this danger takes advantage of techniques not intended for communication, it is invisible to conventional security solutions. This chapter offers a concise overview of the covert channel concept, techniques, classifications, and countermeasures, emphasizing how new technologies are vulnerable to being exploited for the initiation of different covert channels and how they offer a rich environment for developing effective but challenging covert channel attacks. It gives a comprehensive review of common covert channel countermeasures with more focus on machine learning detection techniques. Although some research studies have revealed beneficial uses of covert channels, which is natural given that many approaches have a double-edged sword impact, this chapter focuses on covert channels as a security threat that compromises our data and networks.
... They are used in scenarios where regular communication is too exposed and the use of encryption alone is not sufficient [1]. It needs to have a very low probability of being detected by the enemy [2,3], while achieving a certain data rate at the target receiver [4]. It's considered an advanced security technology. ...
... IPCTC is flipped and generated at time intervals of (10, 20, and 30 ms) and (20, 40, and 60 ms), respectively. The LNCTC maps the 8-bit information into three consecutive IPDs, with k in the range of [1,13], and for each of these IPDs t_i, t_i = Δ + k ⋅ , with Δ and set to (10, 5 ms) and (20, 10 ms), respectively. The Jitterbug transmits the information by adding small delays to make it modulo , which are set to 5 and 20 ms, respectively. ...
Article
Network covert channels use network resources to transmit data covertly, and their existence will seriously threaten network security. Therefore, an effective method is needed to prevent and detect them. Current network covert timing channel detection methods often incorporate machine learning methods in order to achieve generalized detection, but they consume a large amount of computational resources. In this paper, we propose a generalized detection framework for covert channels based on perceptual hashing without relying on machine learning methods. We also propose a one-dimensional data feature descriptor for feature extraction of the perceptual hash, matched to the data characteristics of covert timing channels. We first generate the hash sequence of the corresponding channel to get the average hash, which is used for comparison in the test phase. The experimental results show that the feature descriptor can capture the feature differences of one-dimensional data well. When compared to machine learning methods, this perceptual hashing algorithm enables faster traffic detection. Meanwhile, our method is able to detect effectively with the smallest coverage window compared with the latest solutions. Moreover, it exhibits robustness in a jittery network environment.
... While modularity and universal behaviour were sought-after within the rest of the framework, the detection methods will be more specialised. While each malware is individual and differs from others in its methods of communication and execution, it is possible to use pattern-based approaches like Wendzel et al. [20,21] to curate a more generalised view that helps researchers find potential similarities. This could allow the grouping of distinct malware samples with conceptually or technically similar methods, and then use analogous detection algorithms to increase the success rate of malicious traffic being recognised as such. ...
Conference Paper
Stegomalware poses a rising threat in the security landscape as more and more malware samples use steganography to disguise their network traffic, rendering traditional detection approaches less and less useful. To detect such advanced threats, it is important to identify and focus on unique characteristics of stegomalware. We present a new malware detection framework tailored for stegomalware nested in TCP/IP protocols. With the framework, we are able to observe real malware in a secure environment, use the gained insights to create realistic simulations, extract relevant characteristics and perform detection based on the gained data. The goal of the framework is to enable and streamline the process of developing new detection methods.
... A. Relevant Studies. In this section, we focus on the relevant studies that explore covert channels used for data transfer. One study [12] conducts a comprehensive survey on covert channels employed to conceal information within network protocols. They analyze approximately 109 techniques targeting covert communication protocols and classify them based on special patterns. ...
Article
A covert communication channel facilitates direct data transfer between two parties through pre-communication knowledge agreements, ensuring secure and confidential transmission of information. However, the existing covert channels suffer from performance limitations, specifically in terms of throughput and speed. The encoding techniques employed in covert channels can be time-consuming and have limited data transfer capabilities. Furthermore, the ability of covert channels to handle files with different formats has not been sufficiently explored. This paper introduces a high-performance implementation of a covert channel that leverages Java exception handling during program execution. To optimize the covert channel’s performance, this research explores the use of several encoding methods, including ASCII, Byte, Hexadecimal, Base64, and Huffman coding. The proposed covert channel’s performance is evaluated and analyzed for various coding methods. To study the impact on performance, multiple file formats, including text, audio, and video, were used in the experiment. Experimental results showed that the hexadecimal coding method improves the throughput and decreases the time delay of the covert channel. This is attributed to its ability to minimize the number of tries before encountering an "Index Out of Bounds" exception. On the contrary, the Base64 method is found to be inefficient as it produces longer strings than the original inputs, resulting in increased time delays during data transfer. The best results are achieved when applying the hexadecimal method with Huffman coding. It takes 6241 milliseconds to transmit a 12.8-megabyte text file, with a throughput of 23116 bits per millisecond.
... These channels manipulate different layers of the Internet Protocol stack to facilitate covert communication. The sender, who can control parts of the network stack, modifies protocol headers, fragments, checksum values, or packet transmission timing to conceal the information [34,42]. The hidden messages could be embedded in unused bits or fields of protocol headers, such as the IP identification field, the IP fragment offset, the TCP sequence number field, and TCP timestamps [22,35]. ...
Chapter
Covert channel networks are a well-known method for circumventing the security measures organizations put in place to protect their networks from adversarial attacks. This paper introduces a novel method based on bit-rate modulation for implementing covert channels between devices connected over a wide area network. This attack can be exploited to exfiltrate sensitive information from a machine (i.e., covert sender) and stealthily transfer it to a covert receiver while evading network security measures and detection systems. We explain how to implement this threat, focusing specifically on covert channel networks and their potential security risks to network information transmission. The proposed method leverages bit-rate modulation, where a high bit rate represents a ‘1’ and a low bit rate represents a ‘0’, enabling covert communication. We analyze the key metrics associated with covert channels, including robustness in the presence of legitimate traffic and other interference, bit-rate capacity, and bit error rate. Experiments demonstrate the good performance of this attack, which achieved 5 bps with excellent robustness and a channel capacity of up to 0.9239 under different noise sources. Therefore, we show that bit-rate modulation effectively violates network security and compromises sensitive data.
... Alas, each method for hiding the presence of a malicious communication requires a tight coupling with the abused protocol, thus making the design and deployments of countermeasures poorly generalizable (Zander et al., 2007). Fortunately, the various cloaking mechanisms could be brought back to a set of recurrent "hiding patterns", mainly based on the overwriting of a field or the manipulation of a temporal behavior, see, (Wendzel et al. (2015); Wendzel et al. (2021)) for a detailed taxonomy. ...
Article
Modern IoT ecosystems are the preferred target of threat actors wanting to incorporate resource-constrained devices within a botnet or leak sensitive information. A major research effort is then devoted to create countermeasures for mitigating attacks, for instance, hardware-level verification mechanisms or effective network intrusion detection frameworks. Unfortunately, advanced malware is often endowed with the ability of cloaking communications within network traffic, e.g., to orchestrate compromised IoT nodes or exfiltrate data without being noticed. Therefore, this paper showcases how different autoencoder-based architectures can spot the presence of malicious communications hidden in conversations, especially in the TTL of IPv4 traffic. To conduct tests, this work considers IoT traffic traces gathered in a real setting and the presence of an attacker deploying two hiding schemes (i.e., naive and “elusive” approaches). Collected results showcase the effectiveness of our method as well as the feasibility of deploying autoencoders in production-quality IoT settings.
... Further, in 1996, Handel et al. [35] proposed the possible misuse of various network protocols in the Open System Interconnections (OSI) reference model for the development of covert channels. Since then various techniques for the development of NCCs have been proposed, a few of which are summarized in [36], [37], [38], [39], [40], [41], [42], and [43] over different protocols like IPv4, ARP, TCP, UDP, MQTT etc. used over the Internet. ...
Article
Advancement in the utilization of IPv6 protocol has led to an increase in research related to its security. In recent times, researchers proposed the possibility of the existence of covert channels over networks termed Network Covert Channels (NCCs) which may exploit IPv6. NCC is a serious threat that provides a hidden avenue for the transfer of information from one end to another. Hence, to detect and locate such threats that use IPv6 packets as cover, SPYIPv6 is proposed that detects the existence of hidden information in IPv6 packets and further identifies its location in one or a combination of IPv6 header field(s). The proposed SPYIPv6 comprises two layers. The first layer detects the covert IPv6 packets in the network traffic using a binary K-Nearest-Neighbour (b-KNN) classifier. These packets are further passed to the second layer that locates the header field(s) carrying covert data using a multiclass K-Nearest-Neighbour (m-KNN) classifier. The experimentation dataset was generated from normal and covert IPv6 packet samples. Normal packets were obtained from the Center for Applied Internet Data Analysis (CAIDA), whereas covert packets were obtained using an NCC generation tool (pcapStego) and Python scripts. Experimentation results show that SPYIPv6 attains an accuracy of 99.85% in detecting and identifying the location of hidden information in the IPv6 header. Further, when compared with other counterparts, SPYIPv6 provides higher accuracy in lesser testing time justifying its suitability for the detection and location of covert information present in one or a combination of the header field(s) of an IPv6 packet.
Thesis
The continuous and rapidly advancing developments in network technology seem to encourage hackers to find new ways to breach a system’s security policy, consequently compromising confidential information. When the interpretation of a security model adopted by a system is violated by a communication between two users, or processes operating on their behalf, it is said that the two users are communicating indirectly or covertly. This thesis deals with detecting and resolving network packet length covert channels. These channels are notoriously known to be risky, invisible, and undetectable. The thesis introduces and develops three new approaches to resolve covert channels. Furthermore, the thesis introduces an approach that accurately detects this notorious type of channel. Combined together, the four (4) approaches form a system that is proven to be successful in detecting and resolving network packet length covert channels. The first approach eliminates covert channels by hiding the true identity of a system’s user from the process or processes that represent him or her inside that system. This approach not only completely eliminates the known and potential covert channels, but also those that are unknown, never detected, and/or undetectable by the system. The second approach eliminates network packet length covert channels by altering the covert message in a way that the intended receiver gets an unintended message: a totally different and useless message. Two term-based similarity tests (cosine and dice coefficient similarity tests) were successfully computed and showed a zero (0) similarity score, while a semantic similarity test (MCS Method) shows a 0.0405626 similarity score. These results indicate that this approach effectively resolves any potential covert channel. The third approach is an enhanced version of the previous approach. It reduces its overheads by up to 50%. With this third approach, the term-based similarity tests show a zero (0) similarity score and the semantic similarity test shows a 0.0674704 similarity score. These results again show that there are no similarities between the covert intended message and its distorted and altered form that was obtained using this approach. The fourth and last approach is a machine learning-based detection approach to detect network packet length covert channels. It attained an excellent degree of detection accuracy: 98% with zero (0) False Negative (FN) and 0.02 False Positive (FP) classification errors.
Chapter
Transfer of secret information is made possible by the use of network steganography, which benefits from the features included in standard communication protocols. Aside from its notable benefits of concealing and transmitting confidential information, network steganography has a significant drawback because hackers may alter packets to send data or interact with the command host. Network steganography at the transport and network layers enables the seamless incorporation of cutting-edge covert channel methods. Its detection is crucial for maintaining network security and preventing potential data breaches or malicious activities that may threaten the integrity and confidentiality of network communication. Detection of attacks is often very difficult, especially with traditional tools like intrusion detection systems. We propose a new detection method based on machine learning to identify the anomalous conduct of steganographic packets.
Article
With its wider acceptability, the cloud can host a diverse set of data and applications ranging from entertainment to personal to industry. The foundation of cloud computing is based on virtual machines, where boundaries among the application data are very thin, and the potential of data leakage exists all the time. For instance, a virtual machine covert timing channel is an aggressive mechanism to leak confidential information through shared components or networks by violating isolation and security policies in practice. The performance of a covert timing channel (covert channel) is crucial to adversaries, and attempts have been made to improve the performance of covert timing channels by advancing the encoding mechanism and covert information carriers. Though promising, the redundancy of the covert message is mainly overlooked. This paper applies three encoding schemes, namely run-length, Huffman, and arithmetic encoding schemes, for data compression of a virtual machine covert timing channel by exploiting redundancy. Accordingly, the paper studies the performance of such channels according to their capacity. Unfortunately, we show that these encoding schemes still contain redundancy in a covert channel scenario, and thereby a new encoding scheme, namely optimized run-length encoding (OptRLE), is presented that greatly enhances the performance of a covert timing channel. Several optimization schemes adopted by OptRLE are also discussed, and a mathematical model of the behavior of an OptRLE-based covert timing channel is proposed. The theoretical capacity of a channel can be obtained using the proposed model. Our analysis reveals that OptRLE further improves the performance of a covert timing channel, in addition to the effects of the optimizations. Experimental results show how OptRLE affects the size of covert data and the capacity of covert timing channels, and why the performance of the covert timing channel is improved.
Article
Covert channels are used for the secret transfer of information. Encryption only protects communication from being decoded by unauthorized parties, whereas covert channels aim to hide the very existence of communication. This paper discusses a novel covert file transfer protocol (CFTP) based on the IP record route option. The CFTP protocol is used to secretly transfer text files and short messages between hosts. Firewalls that limit the outgoing traffic to a few allowed application protocols (e.g. FTP) can be circumvented by the CFTP protocol. To demonstrate the practical efficiency of the proposed covert protocol, a user-friendly tool based on client/server technology is implemented. Compared to related research, the main contribution of this work is that it introduces a new generation of covert channels. The proposed protocol is based on a novel session-oriented mechanism that offers TCP-like features embedded inside the IP option field. It provides more sophisticated communication tools that can be used for hiding information as well as synchronizing sessions and controlling the flow of exchanged data between hosts.
Article
Virtual Private Networks (VPNs) are increasingly used to build logically isolated networks. However, existing VPN designs and deployments neglect the problem of traffic analysis and covert channels. Hence, there are many ways to infer information from VPN traffic without decrypting it. Many proposals were made to mitigate network covert channels, but previous works remained largely theoretical or resulted in prohibitively high padding overhead and performance penalties. In this work, we (1) analyse the impact of covert channels in IPsec, (2) present several improved and novel approaches for covert channel mitigation in IPsec, (3) propose and implement a system for dynamic performance trade-offs, and (4) implement our design in the Linux IPsec stack and evaluate its performance for different types of traffic and mitigation policies. At only 24% overhead, our prototype enforces tight information-theoretic bounds on all information leakage.
Article
Covert channels are a form of hidden communication that may violate the integrity of systems. Since their birth in Multi-Level Security systems in the early 1970s they have evolved considerably, such that new solutions have appeared for computer networks, mainly due to vague protocol specifications. In this paper we concentrate on short-range covert channels and analyze the opportunities of concealing data in various extensively used protocols today. From this analysis we observe several features that can be effectively exploited for subliminal data transmission in the Dynamic Host Configuration Protocol (DHCP). The result is a proof-of-concept implementation, HIDE_DHCP, which integrates three different covert channels, each of which accommodates different stealthiness and capacity requirements. Finally, we provide a theoretical and experimental analysis of this tool in terms of its reliability, capacity, and detectability.
Article
We present here the first work to propose different mechanisms for hiding data in the Extensible Messaging and Presence Protocol (XMPP). This is a very popular instant messaging protocol used by many messaging platforms such as Google Talk, Cisco, LiveJournal and many others. Our paper describes how to send a secret message from one XMPP client to another, without raising the suspicion of any intermediaries. The methods described primarily focus on using the underlying protocol as a means for steganography, unlike other related works that try to hide data in the content of instant messages. In doing so, we provide a more robust means of data hiding and additionally offer some preliminary analysis of its general security, in particular against entropic-based steganalysis.
Conference Paper
We study covert channels between a MitM attacker and her MitE 'malware', running within the protected network of a victim organisation, and how to prevent or limit such channels. Our focus is on advanced timing channels that allow communication between the MitM and MitE, even when hosts inside the protected network are restricted to only communicate with other (local and remote) hosts in the protected network. Furthermore, we assume communication is encrypted with a fixed packet size (padding). We show that these do not suffice to prevent covert channels between MitM and MitE; furthermore, we show that even if we restrict communication to a constant rate, e.g., one packet every second, communication from MitE to MitM is still possible. We present efficient traffic shapers against covert channels between MitM and MitE. Our solutions preserve efficiency and bounded delay (QoS), while limiting covert traffic leakage in both directions.
Conference Paper
The detection of covert timing channels is of increasing interest in light of recent practice on the exploitation of covert timing channels over the Internet. However, due to the high variation in legitimate network traffic, detecting covert timing channels is a challenging task. The existing detection schemes are ineffective at detecting most of the covert timing channels known to the security community. In this paper, we introduce a new entropy-based approach to detecting various covert timing channels. Our new approach is based on the observation that the creation of a covert timing channel has certain effects on the entropy of the original process, and hence a change in the entropy of a process provides a critical clue for covert timing channel detection. Exploiting this observation, we investigate the use of entropy and conditional entropy in detecting covert timing channels. Our experimental results show that our entropy-based approach is sensitive to the current covert timing channels and is capable of detecting them in an accurate manner.
Conference Paper
This paper depicts the potential of formal HCI pattern specifications with regard to facilitating the semi-automated generation of user interfaces for interactive applications. In a first step, existing proven and well-accepted techniques in the field of model-based user interface development are highlighted and briefly reviewed. Subsequently it is discussed how we combine model-based and pattern-oriented methods within our user interface modeling and development framework in order to partly enable automated user interface generation. In this context a concrete pattern definition approach is introduced and illustrated with tangible examples from the domain of interactive knowledge sharing applications.
Conference Paper
Trusted insiders that betray an organization can inflict substantial harm. In addition to having privileged access to organization resources and information, these users may be familiar with the defenses surrounding valuable assets. Computer systems at the organization need a mechanism for communicating suspicious activity that is difficult for a malicious insider (or even an outsider) to detect or block. In this work, we propose a covert channel in the Ethernet frame that allows a computer system to report activity inside other, unrelated network communication. The covert channel leverages the differences in the framing approaches used by Ethernet and IP packets to append hidden information to IP packets and transmit it to an organization's administrator. This stealthy communication is difficult for even advanced attackers to detect and is challenging to block since it opportunistically uses unrelated communication. Further, since the transmission is tied to the Ethernet frame, the communication cannot traverse network routers, preventing security information from leaving the organization. We introduce the covert channel, incorporate it into a working prototype, and combine it with an intrusion detection system to show its promise for security event reporting.
Article
In this paper, we examine general mechanisms that a network covert channel may exploit, and we characterize the essence of network covert channels, which is decided by overt sources. We therefore present a taxonomy of network covert channels based on the entropy of overt sources. We classify overt sources into three categories, namely variety entropy, constant entropy and fixed entropy sources, and name the network covert channels correspondingly. For each category we give the definition, meaning, and countermeasure method. Then we group classical network covert channels that emerged over the last 30 years and representative network covert channels proposed in the last 3 years into our taxonomy framework.