ICMP Covert Channel Resiliency

Stokes, Kristian; Yuan, Bo; Johnson, Daryl; Lutz, Peter

doi:10.1007/978-90-481-9151-2_87

Cited by 2 publications

(2 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…After a training phase, they built an SVM classifier able to discern suspect ICMP packets. In [8] K. Stokes et al tested the efficiency of firewalls and IDS to detect ICMP based hidden channels. They concluded that covert channels can easily defeat many modern security appliances if ICMP protocol is permitted.…”

Section: Related Workmentioning

confidence: 99%

Detection of Covert Channels Over ICMP Protocol

Sayadi

Abbes

Bouhoula³

2017

2017 IEEE/ACS 14th International Conference on Computer Systems and Applications (AICCSA)

View full text Add to dashboard Cite

With the growing complexity of networks and communications protocols that become increasingly enormous and extensive, we are confronted with the problem of covert channel that affects the confidentiality and integrity of data sent in the network. Covert channels also known as hidden channels can elude basic security systems such as Intrusion Detection Systems (IDS) and firewalls. We propose in this work a method to monitor and detect the presence of hidden channels that are based on an essential monitoring protocol "Internet Control Message Protocol" (ICMP). We undergo the network traffic with a set of verifications ranging from simple fields verification to more complex pattern matching operations. To validate our idea, we have installed Ptunnel, a tool that allows to tunnel TCP connections to a remote host using ICMP echo request and reply packets. Our experimental results show the possibility to discover such malicious traffic with high performance.

show abstract

Section: Related Workmentioning

confidence: 99%

Detection of Covert Channels Over ICMP Protocol

Sayadi

Abbes

Bouhoula³

2017

2017 IEEE/ACS 14th International Conference on Computer Systems and Applications (AICCSA)

View full text Add to dashboard Cite

show abstract

“…It offers password protection with SHA-256 and ability to change usage of ICMP codes within the application. These payload tunnels are further examined in [111] for resiliency with modern security approaches. Ping tunnel [110] allows to reliably tunnel TCP connections to a remote host using ICMP Echo Request and Echo Response packets.…”

Section: Need Of Synchronizationmentioning

confidence: 99%

Covert channels in TCP/IP protocol stack - extended version-

Mileva

Panajotov

2014

Open Computer Science

View full text Add to dashboard Cite

We give a survey of different techniques for hiding data in several protocols from the TCP/IP protocol stack.Techniques are organized according to affected layer and protocol. For most of the covert channels its data bandwidth is given. IntroductionAn overt channel is a communication channel within a computer system or network, designed for the authorized transfer of data. A covert channel (first introduced by Lampson [62]), on the other hand, is any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy [26]. Any shared resource can potentially be used as a covert channel. Covert channels can be divided primarily in storage and timing channels. In a case of the storage channels, usually one process writes (directly or indirectly) to a shared resource, while another process reads from it. Timing channel is essentially any technique that conveys information by the timing of events, in which case the receiving process needs a clock. Special timing covert channel is counting channel which carries data by counting the occurrences of certain events [44].Additionally, timing channels can be active if they generate additional traffic or passive if they manipulate the timing of existing traffic. As any other communication channel, covert channel can be noisy or noiseless.According to the number of information flows between the sender and the receiver -several or one, there are aggregated and non-aggregated covert channels [36]. According to the presence or absence of the intermediate node in the communication, covert channels can be indirect or direct. Payload tunnel is a covert channel, where one protocol is tunnelled in the payload of the other protocol. Covert channels are studied as a part of the science * E-mail: aleksandra.mileva@ugd.edu.mk † E-mail: boris.panajotov@ugd.edu.mk steganography, and different steganographic methods used in telecommunication networks are known as network steganography.The adversary model is based on the Simmons prisoner problem [105]: two parties want to communicate confidentially and undetected over an insecure channel, the warden. The warden can be passive -which monitor traffic and report when some unauthorized traffic is detected, or active -which can modify the content of the messages with the purpose of eliminating any form of hidden communication. Simmons introduced the term subliminal channel, a variant of covert channel which uses cryptographic algorithm or protocol for hiding messages. A composition of covert channel with subliminal channel is the hybrid channel.Covert channels can be analysed by the total number of steganogram bits transmitted during a second (Raw Bit Rate -RBR), or by the total number of steganogram bits transmitted per PDU (for example, Packet Raw BitRate-PRBR) [78]. In ideal case, if no packets are lost, capacity of some storage channels can be expressed as Steganography in Internet layerInternet Protocol (IP) is the primary protocol in the TCP/IP protocol stack, ...

show abstract

ICMP Covert Channel Resiliency

Cited by 2 publications

References 2 publications

Detection of Covert Channels Over ICMP Protocol

Detection of Covert Channels Over ICMP Protocol

Covert channels in TCP/IP protocol stack - extended version-

Contact Info

Product

Resources

About