bccstego: A Framework for Investigating Network Covert Channels

Repetto, Matteo; Caviglione, Luca; Zuppelli, Marco

doi:10.1145/3465481.3470028

Cited by 12 publications

(7 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• Inspection Layer: it contains a set of eBPF programs that can create statistics on the usage of header fields and packet inter-arrival times for both IPv4/v6 traffic. Programs 3 collecting data to address storage channels are based on a modified version of bccstego, i.e., a suite of tools able to generate filters for inspecting network and higher-level protocols like TCP/UDP [22]. Instead, to address timing channels, we created a novel eBPF program 4 collecting time information and implementing the approach presented in [12] within the kernel; • Management Layer: to load and unload eBPF programs as well as to collect measures, we implemented ad-hoc scripts and user-land utilities taking advantage of the BPF Compiler Collection (BCC) library 5 .…”

Section: Methodsmentioning

confidence: 99%

Code Layering for the Detection of Network Covert Channels in Agentless Systems

Zuppelli

Repetto

Schaffhauser

et al. 2022

IEEE Trans. Netw. Serv. Manage.

Self Cite

View full text Add to dashboard Cite

Section: Methodsmentioning

confidence: 99%

Code Layering for the Detection of Network Covert Channels in Agentless Systems

Zuppelli

Repetto

Schaffhauser

et al. 2022

IEEE Trans. Netw. Serv. Manage.

Self Cite

View full text Add to dashboard Cite

“…Luca et al [13] presented the use of code augmentation in eBPF inside the Linux kernel to collect the statistics of IPv6 header fields like Flow Label. Repetto et al [14] used the BCC tool for running eBPF programs to obtain statistics about IPv6 header fields viz. the Flow Label field, the Traffic Class field, and the Hop Limit field.…”

Section: Literature Reviewmentioning

confidence: 99%

“…the Flow Label field, the Traffic Class field, and the Hop Limit field. The underlying concept in both [13] and [14] was to share a common technique for analyzing packets' headers and gathering data for hidden data analysis. The authors inferred that abnormal changes in the statistical values of these header fields can raise an alarm about the existence of a covert channel.…”

Section: Literature Reviewmentioning

confidence: 99%

“…As countermeasures, few methods have been proposed by researchers to detect the existence of storage-based NCCs in IPv6. The detection approaches in [13] and [14] use statistical analysis of the IPv6 packet's header field using eBPF (extended Berkley Packet Filter) for IPv6-based covert channel detection. In these techniques, authors make use of changing number of bins (evaluated for a fixed time in IPv6 network traffic) as a metric to detect the existence of storage-based NCCs in IPv6.…”

Section: Introductionmentioning

confidence: 99%

“…In these techniques, authors make use of changing number of bins (evaluated for a fixed time in IPv6 network traffic) as a metric to detect the existence of storage-based NCCs in IPv6. The limitation of such approaches as discussed by the authors in their work [13], [14] are as follows.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Detecting and Locating Storage-Based Covert Channels in Internet Protocol Version 6

2022

View full text Add to dashboard Cite

Increased usage of the Internet has risen the demand for more IP addresses across the globe resulting in replacement of IPv4 by IPv6 protocol. Hence, security of IPv6 has become a vital area of research. One of the serious threats to Internet security is the presence of Network Covert Channels (NCCs) that provide substantial aid for performing covered communications like exchanging secret data and/or exfiltrating secret information from the organizations. To detect such malicious activities, there is an urgent requirement to develop and deploy efficient detection mechanisms in real-time networks. Further, to decode the hidden communications, there is an additional need to identify the location of covert data. Thus, this paper proposes a system for detecting and locating storage-based NCC(s) in IPv6 using Deep Neural Network (DNN) and One-vs-Rest (OvR) technique with Support Vector Machine (SVM). The proposed system is a two-layered system. Layer 1 detects an IPv6 packet as a normal/covert packet. Layer 2 locates the storage area of secret data in the covert packets detected at Layer 1. For experimentation, a dataset of normal and covert IPv6 packets was created using CAIDA's dataset and pcapStego tool. Experiments were conducted to select the appropriate classifiers at both layers of the proposed system. With DNN and OvR SVM selected as the classifiers at Layer 1 and Layer 2 respectively, the proposed system locates covert data in IPv6 packets with an Accuracy of 99.7% and an average prediction time of 0.0719 seconds per covert sample, making it suitable for real-time deployment.INDEX TERMS Cybersecurity, deep neural network, internet protocol version 6, machine learning, network covert channel detection, one-vs-rest, support vector machine.

show abstract

Privacy-Leaking and Steganographic Threats in Wireless Connected Environments

Caviglione

2022

Towards a Wireless Connected World: Achievements and New Technologies

View full text Add to dashboard Cite

bccstego: A Framework for Investigating Network Covert Channels

Cited by 12 publications

References 20 publications

Code Layering for the Detection of Network Covert Channels in Agentless Systems

Code Layering for the Detection of Network Covert Channels in Agentless Systems

Detecting and Locating Storage-Based Covert Channels in Internet Protocol Version 6

Privacy-Leaking and Steganographic Threats in Wireless Connected Environments

Contact Info

Product

Resources

About