-
ABSTRACT: Covert channels aim to hide the existence of communication. Recently, Murdoch proposed a temperature-based covert channel where information is transmitted by remotely inducing and measuring changes of temperature of an unwitting intermediate host. The channel was invented for the purpose of attacking anonymous servers, but could also be used for general-purpose covert communications. We propose an empirical method for estimating realistic (and previously unknown) capacities for this channel. In example scenarios with different intermediate hosts and different levels of temperature induction and noise we find the channel capacity is up to 20.5 bits per hour, but it almost halves to 10.3 bits per hour with higher noise or more effective cooling at the intermediate host.
IEEE Communications Letters 02/2011; · 0.98 Impact Factor
-
ABSTRACT: A key part of First Person Shooter network gaming is the game server discovery phase. Probing for suitable servers from a wireless network generates a large burst of network traffic, potentially leading to detrimental effects on the network capacity available to other wireless users. This can be minimised using an optimised algorithm to order the discovery probes and subsequently terminate the discovery process early. In this paper we explore further modifications to a previously proposed algorithm and examine its efficacy in further reducing the probe time/traffic during the server discovery phase. We show that it is possible to further reduce the overall discovery process duration by up to 13% while still presenting all suitable servers to the user for selection.
Wireless Communications and Networking Conference (WCNC), 2010 IEEE; 05/2010
-
ABSTRACT: We propose and evaluate a novel improvement to a previously published, unreliable covert channel based on the network traffic of multiplayer, first person shooter online games (FPSCC). Covert channels typically embed themselves within pre-existing (overt) data transmissions in order to carry hidden messages. FPSCC encodes covert bits as slight, yet continuous, variations of a player's character's movements. These variations are visually imperceptible to human players, yet occur frequently enough to create a low bit-rate covert channel. The nature of first person shooter network protocols means the original FPSCC channel is noisy (not reliable), experiencing a significant number of bit errors (including synchronisation errors). We have now augmented FPSCC to ensure bits are transmitted reliably. Evaluation of our technique with a prototype demonstrates throughput of up to 13 bits/second without any bit errors.
Local Computer Networks, 2009. LCN 2009. IEEE 34th Conference on; 11/2009
-
ABSTRACT: Consumer network access links can become bottlenecks when faced with heterogeneous network traffic where real-time traffic from network games finds itself competing with nongame traffic for access to bandwidth. We would like to prioritize network game traffic over these bandwidth restricted links. However, the limited resources of consumer access devices make this problematic. We propose a solution whereby the classification of flows is outsourced to an ISP-based system. The access device is then notified of flow classifications and can apply a simple flow prioritization rule. We have developed a prototype of this system and found it viable in terms of functionality, timeliness of classification, and scalability.
IEEE Communications Magazine 01/2009; · 3.79 Impact Factor
-
ABSTRACT: Covert channels aim to hide the existence of communication between two or more parties. Such channels typically utilise pre-existing (overt) data transmissions to carry hidden messages. Internet-based covert channels often encode new information into unused (or loosely specified) IP packet header fields, or the time intervals between IP packet arrivals. We propose a novel covert channel embedded within the traffic of multiplayer, first person shooter online games. We encode covert bits as slight, yet continuous, variations of a player's character's movements. Movement information is propagated to all clients attached to a given game server, yet the channel remains covert so long as the variations are visually imperceptible to the human players. A modified version of Quake III Arena is used to demonstrate our concept. We empirically analyse the covert channel's bit rate, and compare the statistical characteristics of unmodified game traffic with those of game traffic carrying covert information.
Local Computer Networks, 2008. LCN 2008. 33rd IEEE Conference on; 11/2008
-
ABSTRACT: Literature on the use of machine learning (ML) algorithms for classifying IP traffic has demonstrated potential to be deployed in real-world IP networks. The key challenges of timely and continuous classification are addressed, in which multiple short sub-flows taken at different points within the original application's flow lifetime are used to train the classifier. The classification decision process is repeated continuously using a sliding window of the flow's most recent N packets. The work left a critical question of how to automate the identification of appropriate sub-flows for training. In this paper we propose a novel approach for sub-flow identification and selection using ML clustering algorithms. We evaluate our approach using accuracy, model build time, classification speed and physical resource consumption metrics.
Communications, 2008. ICC '08. IEEE International Conference on; 06/2008
-
ABSTRACT: Covert channels are used for the secret transfer of information. Encryption only protects communication from being decoded by unauthorized parties, whereas covert channels aim to hide the very existence of the communication. Initially, covert channels were identified as a security threat on monolithic systems such as mainframes. More recently, focus has shifted toward covert channels in computer network protocols. The huge amount of data and large number of different protocols in the Internet is ideal as a high-bandwidth vehicle for covert communication. This article provides an overview of the existing techniques for creating covert channels in widely deployed network protocols, and common methods for their detection, elimination, and capacity limitation.
IEEE Communications Magazine 01/2008; · 3.79 Impact Factor
-
G. Armitage
ABSTRACT: Clients for online multiplayer first person shooter (FPS) games typically discover game servers through a two-step process. Clients initially query a well-known master server for a list of currently registered game servers, and then sequentially probe each game server in the order they were returned by the master server. The starting and stopping of clients over time creates a 24-hour cycle of 'background noise' (probe traffic) impacting on registered game servers, independent of a given server's actual popularity with players. Based on over 10 million probe packets from two topologically distinct Wolfenstein Enemy Territory servers in 2006, this paper shows that probe arrivals are uncorrelated and exhibit exponentially distributed inter-probe intervals during both the busiest and least-busy hours of the 24-hour cycle. A modified Laplace curve is then shown to be a reasonable estimator of lambda for the exponentially distributed probe arrivals during any hour of the day. The ability to easily synthesise probe traffic patterns will augment existing approaches to modeling the IP traffic loads experienced by game servers and network devices attached to game servers.
Networks, 2007. ICON 2007. 15th IEEE International Conference on; 12/2007
-
ABSTRACT: Communication is not necessarily made secure by the use of encryption alone. The mere existence of communication is often enough to raise suspicion and trigger investigative actions. Covert channels aim to side-step this problem by hiding additional information within the 'normal' behaviour of preexisting communication streams. The huge amount of data and vast number of different protocols in the Internet make it ideal as a high-bandwidth vehicle for covert channels. Several researchers have proposed modulation techniques to encode covert information into the IP Time To Live field. In this paper we compare the different encoding techniques and also propose two new improved encoding schemes. We present a software framework developed for evaluating covert channels in network protocols. We use this software to empirically evaluate the transmission rates of the different TTL modulation techniques for real Internet traffic.
Networks, 2007. ICON 2007. 15th IEEE International Conference on; 12/2007
-
ABSTRACT: The lawful interception (LI) of communications is necessary in modern telecommunications networks in order to help law enforcement agencies with the investigation and prosecution of criminal activities. The challenging aspect of LI in mobile IPv6 networks lies in the variety of ways that the network can be operated, which translates into LI solutions that range in complexity from trivial to complex. In turn, the complexity of an LI solution manifests in LI signalling volume and affects the ability to fulfill critical LI requirements such as capturing 100% of target traffic. We propose a generic LI architecture that supports user mobility prediction schemes to fulfill LI requirements. We then propose two simple user mobility prediction schemes before analysing their prediction performance and effect on LI metrics. Our results show that the simple prediction scheme proposed in this paper can accurately predict the future position of a mobile user and can lead to the fulfillment of LI requirements, such as capturing 100% of target traffic, while at the same time being sensitive to security issues by restricting interception activation only to parts of the network that are visited by the mobile target.
Networks, 2007. ICON 2007. 15th IEEE International Conference on; 12/2007
-
ABSTRACT: Communication is not necessarily made secure by the use of encryption alone. The mere existence of communication is often enough to raise suspicion and trigger investigative actions. Covert channels aim to hide the very existence of the communication. The huge amount of data and vast number of different protocols in the Internet make it ideal as a high-bandwidth vehicle for covert communications. A number of researchers have proposed different techniques to encode covert information into the IP time to live (TTL) field. This is a noisy covert channel since the TTL field is modified between covert sender and receiver. For computing the channel capacity it is necessary to know the probability of channel errors. In this paper we derive analytical solutions for the error probabilities of the different encoding schemes. We simulate the different encoding schemes and compare the simulation results with the analytical error probabilities. Finally, we compare the performance of the different encoding schemes for an idealised error distribution and an empirical TTL error distribution obtained from real Internet traffic.
Communications and Information Technologies, 2007. ISCIT '07. International Symposium on; 11/2007
-
IEEE Communications Surveys & Tutorials 10/2007; 9(3):44-57. · 6.31 Impact Factor
-
ABSTRACT: Web caches are generally considered useful because they reduce replication of network traffic flowing from original content sources. In this paper we experimentally characterise the network and transport layer consequences of Web caching in the consumer ISP context. We instrumented a small number of Australian, broadband-attached homes to collect round-trip time (RTT) and hop count statistics for their HTTP/TCP sessions, and to collect DNS lookup statistics associated with each HTTP exchange. We estimate the impact of DNS lookup delays on overall HTTP session times, and use our RTT and hop count statistics to show that consumer ISPs would benefit greatly from local caching, particularly in Australia where speed-of-light delays have a large impact on session times when retrieving international content.
TENCON 2005 2005 IEEE Region 10; 12/2005
-
ABSTRACT: This paper proposes a novel architecture for meeting Quality of Service (QoS) requirements of real-time traffic across consumer broadband links. In our approach the responsibility of QoS signalling is moved away from the application to the network. Network servers automatically identify traffic that might benefit from QoS and then trigger the provisioning of QoS by signalling network elements such as access routers. This approach removes the need for the application to signal to the network its explicit QoS requirements, making applications easier to develop and more portable. It also enables QoS provision for legacy applications for which there is limited opportunity to include explicit end-host signalling protocols. The paper develops the architecture required to realize the approach and discusses the underlying techniques.
TENCON 2005 2005 IEEE Region 10; 12/2005
-
ABSTRACT: Many enterprise sites utilise 802.11b/g technology to create an untrusted access network sitting outside their protected institutional IP network, with internal access allowed only through an IP-layer virtual private network (VPN) gateway. Often such networks do not implement link layer security, because of the known weaknesses of the IEEE's wired equivalent privacy (WEP). This results in a wireless network on which arbitrary people can establish themselves as hosts with arbitrary IP addresses. Although the enterprise IP network is protected by the VPN gateway, users of the wireless network can become victims of unscrupulous (or accidental) interception of their IP communication. Common Windows laptop (mis-)configurations often try to establish communications through a default gateway on the 192.168/16 network. Anyone could configure another host as this default gateway on the enterprise 802.11b/g network and thus hijack a visitor's network connection without the visitor even realising. In this paper we test and confirm the plausibility of this attack in a university wireless LAN and present results from real world data, confirming the existence of users failing to reconfigure their visiting host and attempting to connect via possibly malicious gateways. We then suggest possible mitigation techniques.
TENCON 2005 2005 IEEE Region 10; 12/2005
-
ABSTRACT: The random waypoint model (RWP) is a simple mobility model based on random destinations, speeds and pause times. The RWP is one of many mobility models used in simulations of mobile communications networks to model human movement. The RWP is often criticised as not being representative of how humans actually move. Paradoxically, validation of the RWP against real mobility data is seen as being difficult due to the impracticalities of obtaining real mobility data. In this paper we consider the RWP as a model of user mobility in networks that cater for large geographical areas, such as a city. We present results from a real world user movement trace and use these to validate some of the key characteristics of the RWP. The data presented was obtained from one individual's movement around the city of Melbourne, Australia, for a period of two months and included recording the individual's destinations, speed, rest times, and routes of travel.
TENCON 2005 2005 IEEE Region 10; 12/2005
-
ABSTRACT: The dynamic classification and identification of network applications responsible for network traffic flows offers substantial benefits to a number of key areas in IP network engineering, management and surveillance. Currently such classifications rely on selected packet header fields (e.g. port numbers) or application layer protocol decoding. These methods have a number of shortfalls: for example, many applications can use unpredictable port numbers, and protocol decoding requires a large amount of computing resources or is simply infeasible when protocols are unknown or encrypted. We propose a novel method for traffic classification and application identification using an unsupervised machine learning technique. Flows are automatically classified based on statistical flow characteristics. We evaluate the efficiency of our approach using data from several traffic traces collected at different locations of the Internet. We use feature selection to find an optimal feature set and determine the influence of different features.
Local Computer Networks, 2005. 30th Anniversary. The IEEE Conference on; 12/2005
-
ABSTRACT: Darknets are increasingly being proposed as a means by which network administrators can monitor for anomalous, externally sourced traffic. Current darknet designs require large, contiguous blocks of unused IP addresses - not always feasible for enterprise network operators. In this paper we introduce, define and evaluate the concept of a Greynet - a region of IP address space that is sparsely populated with 'darknet' addresses interspersed with active (or 'lit') IP addresses. We use raw traffic traces collected within a university network to evaluate how sparseness affects a greynet's effectiveness and hence show that enterprise operators can achieve useful levels of network scan detection, with only small numbers of 'dark' IP addresses making up their greynets.
Local Computer Networks, 2005. 30th Anniversary. The IEEE Conference on; 12/2005
-
ABSTRACT: There exist many tools to passively monitor a link for traffic flows. They are typically used near the edge of the network, but not necessarily at the termination point of data flows - usually within a few hops of end-points. Round trip time (RTT) values for individual flows are of interest for network management purposes: they can be used to indicate user-experienced network delay and to inform network design decisions. Determining the RTT when not at an end-point of a data flow is complicated by the fact that packets may be seen out of order and that witnessed packets may not reach their destination. In this paper we present an algorithm to estimate running RTT and jitter characteristics of TCP streams monitored at the midpoint of a TCP flow.
Local Computer Networks, 2005. 30th Anniversary. The IEEE Conference on; 12/2005
-
ABSTRACT: The emergence of widespread broadband home Internet connectivity is leading to a change in patterns of home user online behavior. Innovative networked applications (e.g., online multimedia and gaming) are making their mark. Will the next killer Internet applications be new forms of online digital home entertainment? Can the Internet support a widespread explosion in the use of such applications? In this article we explore potential problems in running interactive multimedia and game applications over existing Internet and home access network infrastructures. We also discuss the issues both network and application developers should consider when designing new Internet entertainment applications such that widespread usage becomes a possibility.
IEEE Communications Magazine 06/2005; · 3.79 Impact Factor