A Study on the Covert Channel Detection of TCP/IP Header Using Support Vector Machine

Sohn, Taeshik; Seo, Jungtaek; Moon, Jongsub

doi:10.1007/978-3-540-39927-8_29

Cited by 52 publications

(41 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Classifier models are then trained based on provided examples of features of covert channels and normal traffic. Sohn et al demonstrated that simple covert channels encoded in the IP ID or TCP ISN field can be discovered with high accuracy by Support Vector Machines (SVMs) [Sohn et al 2003]. Tumoian et al showed that a neural network can detect Rutkowska's TCP ISN covert channel [Rutkowska 2004] with high accuracy [Tumoian and Anikeev 2005] (both Random Value pattern).…”

Section: Countermeasures For Patternsmentioning

confidence: 99%

Pattern-Based Survey and Categorization of Network Covert Channel Techniques

et al. 2015

View full text Add to dashboard Cite

Network covert channels are used to hide communication inside network protocols. Within the last decades, various techniques for covert channels arose. We surveyed and analyzed 109 techniques developed between 1987 and 2013 and show that these techniques can be reduced to only 11 different patterns. Moreover, the majority (69.7%) of techniques can be categorized in only four different patterns, i.e. most of the techniques we surveyed are very similar. We represent the patterns in a hierarchical catalog using a pattern language. Our pattern catalog will serve as a base for future covert channel novelty evaluation. Furthermore, we apply the concept of pattern variations to network covert channels. With pattern variations, the context of a pattern can change. For example, a channel developed for IPv4 can automatically be adapted to other network protocols. We also propose the pattern-based covert channel optimizations pattern hopping and pattern combination. Finally, we lay the foundation for pattern-based countermeasures: While many current countermeasures were developed for specific channels, a pattern-oriented approach allows to apply one countermeasure to multiple channels. Hence, future countermeasure development can focus on patterns, and the development of real-world protection against covert channels is greatly simplified.

show abstract

Section: Countermeasures For Patternsmentioning

confidence: 99%

Pattern-Based Survey and Categorization of Network Covert Channel Techniques

et al. 2015

View full text Add to dashboard Cite

show abstract

“…This means that we do not handle cases where, for example, a single key is sent in one data package. In this way, the proposed technique is similar to other techniques which use machine learning techniques, such as those that employ neural networks (e.g., Tumoian and Anikeev 2005) or support vector machines (e.g., Sohn et al 2003), to analyse data streams for anomalies indicating the possible existence of a covert channel. Since machine learning techniques require training data, it is acknowledged in Tumoian and Anikeev (2005) that it is impossible to discover a covert channel using a single data package and that the more packets that are recorded, the more precise the technique will be.…”

Section: Discussionmentioning

confidence: 93%

Investigative support for information confidentiality

Jaskolka

Khédri

Sabri

2015

J Ambient Intell Human Comput

View full text Add to dashboard Cite

With the ubiquity and pervasiveness of computers in daily activities and with the ever-growing complexity of communication networks and protocols, covert channels are becoming an eminent threat to the confidentiality of information. In light of this threat, we propose a technique to detect confidential information leakage via protocol-based covert channels. Although several works examine covert channel detection and analysis from the perspective of information theory by, for instance, analysing channel capacities, we propose a different technique that tackles the problem from a different perspective. The proposed technique takes an algebraic approach using relations. It provides tests to verify the existence of a leakage of information via a monitored covert channel. It also provides computations which show how the information was leaked if a leakage exists. We also discuss possible applications of the proposed technique in cryptanalysis and digital forensics based on a knownplaintext attack. We report on a prototype tool that allows for the automation of the proposed technique.

show abstract

“…Several covert channels can be eliminate by blocking protocols/ports by firewalls (Loki [22,23], ICMPTX [113], Skeeve [128], ICMP-Chat [84]) or ingress/egress filtering (B0CK [120], Skeeve [128], false IPv6 Source Address Covert−TCP [98] can be detected using a Support Vector Machine (SVM) [109], and together with NUSHU [99] by [85] anomaly tests, because covert headers are easily distinguished from those generated by a genuine TCP/IP stack.…”

Section: Defence Mechanismsmentioning

confidence: 99%

Covert channels in TCP/IP protocol stack - extended version-

Mileva

Panajotov

2014

Open Computer Science

View full text Add to dashboard Cite

We give a survey of different techniques for hiding data in several protocols from the TCP/IP protocol stack.Techniques are organized according to affected layer and protocol. For most of the covert channels its data bandwidth is given. IntroductionAn overt channel is a communication channel within a computer system or network, designed for the authorized transfer of data. A covert channel (first introduced by Lampson [62]), on the other hand, is any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy [26]. Any shared resource can potentially be used as a covert channel. Covert channels can be divided primarily in storage and timing channels. In a case of the storage channels, usually one process writes (directly or indirectly) to a shared resource, while another process reads from it. Timing channel is essentially any technique that conveys information by the timing of events, in which case the receiving process needs a clock. Special timing covert channel is counting channel which carries data by counting the occurrences of certain events [44].Additionally, timing channels can be active if they generate additional traffic or passive if they manipulate the timing of existing traffic. As any other communication channel, covert channel can be noisy or noiseless.According to the number of information flows between the sender and the receiver -several or one, there are aggregated and non-aggregated covert channels [36]. According to the presence or absence of the intermediate node in the communication, covert channels can be indirect or direct. Payload tunnel is a covert channel, where one protocol is tunnelled in the payload of the other protocol. Covert channels are studied as a part of the science * E-mail: aleksandra.mileva@ugd.edu.mk † E-mail: boris.panajotov@ugd.edu.mk steganography, and different steganographic methods used in telecommunication networks are known as network steganography.The adversary model is based on the Simmons prisoner problem [105]: two parties want to communicate confidentially and undetected over an insecure channel, the warden. The warden can be passive -which monitor traffic and report when some unauthorized traffic is detected, or active -which can modify the content of the messages with the purpose of eliminating any form of hidden communication. Simmons introduced the term subliminal channel, a variant of covert channel which uses cryptographic algorithm or protocol for hiding messages. A composition of covert channel with subliminal channel is the hybrid channel.Covert channels can be analysed by the total number of steganogram bits transmitted during a second (Raw Bit Rate -RBR), or by the total number of steganogram bits transmitted per PDU (for example, Packet Raw BitRate-PRBR) [78]. In ideal case, if no packets are lost, capacity of some storage channels can be expressed as Steganography in Internet layerInternet Protocol (IP) is the primary protocol in the TCP/IP protocol stack, ...

show abstract

A Study on the Covert Channel Detection of TCP/IP Header Using Support Vector Machine

Cited by 52 publications

References 6 publications

Pattern-Based Survey and Categorization of Network Covert Channel Techniques

Pattern-Based Survey and Categorization of Network Covert Channel Techniques

Investigative support for information confidentiality

Covert channels in TCP/IP protocol stack - extended version-

Contact Info

Product

Resources

About