ArticlePDF Available

Pattern-Based Survey and Categorization of Network Covert Channel Techniques

April 2015
ACM Computing Surveys 47(3):50:1-26

DOI:10.1145/2684195

Source
arXiv

Authors:

Steffen Wendzel

Hochschule Worms

Sebastian Zander

Murdoch University

Bernhard Fechner

FernUniversität in Hagen

Christian Herdin

University of Applied Sciences Augsburg

Network covert channels are used to hide communication inside network protocols. Various techniques for covert channels have arisen in the past few decades. We surveyed and analyzed 109 techniques developed between 1987 and 2013 and show that these techniques can be reduced to only 11 different patterns. Moreover, the majority (69.7%) of techniques can be categorized into only four different patterns (i.e., most techniques we surveyed are similar). We represent the patterns in a hierarchical catalog using a pattern language. Our pattern catalog will serve as a base for future covert channel novelty evaluation. Furthermore, we apply the concept of pattern variations to network covert channels. With pattern variations, the context of a pattern can change. For example, a channel developed for IPv4 can automatically be adapted to other network protocols. We also propose the pattern-based covert channel optimizations pattern hopping and pattern combination. Finally, we lay the foundation for pattern-based countermeasures: whereas many current countermeasures were developed for specific channels, a pattern-oriented approach allows application of one countermeasure to multiple channels. Hence, future countermeasure development can focus on patterns, and the development of real-world protection against covert channels is greatly simplified.

The concept of patterns

…

Network covert channel pattern hierarchy, excluding hiding techniques utilizing payload

…

Number of associated covert channel techniques per covert channel pattern. Shaded bars represent child patterns.

…

Concept of Covert Channel Pattern Variation

…

Figures - uploaded by Steffen Wendzel

Content may be subject to copyright.

Content uploaded by Steffen Wendzel

Content may be subject to copyright.

A preview of the PDF is not available

A Generic Taxonomy for Steganography Methods

Preprint

Jul 2022

A unified understanding of terms and their applicability is essential for every scientific discipline: steganography is no exception. Being divided into several domains (for instance, text steganography, digital media steganography, and network steganography), it is crucial to provide a unified terminology as well as a taxonomy that is not limited to some specific applications or areas. A prime attempt towards a unified understanding of terms was conducted in 2015 with the introduction of a pattern-based taxonomy for network steganography. Six years later, in 2021, the first work towards a pattern-based taxonomy for steganography was proposed. However, this initial attempt still faced several shortcomings, e.g., the lack of patterns for several steganography domains (the work mainly focused on network steganography and covert channels), various terminology issues, and the need of providing a tutorial on how the taxonomy can be used during engineering and scientific tasks, including the paper-writing process. As the consortium who published this initial 2021-study on steganography patterns, in this paper we present the first comprehensive pattern-based taxonomy tailored to fit all known domains of steganography, including smaller and emerging areas, such as filesystem steganography and cyber-physical systems steganography. Besides, to make our contribution more effective and promote the use of the taxonomy to advance research on steganography, we also provide a thorough tutorial on its utilization. Our pattern collection is available at https://patterns.ztt.hs-worms.de.

A Generic Taxonomy for Steganography Methods

Preprint

Full-text available

Jul 2022

Weaknesses of popular and recent covert channel detection methods and a remedy

Article

Full-text available

Feb 2023
IEEE T DEPEND SECURE

Network covert channels are applied for the secret exfiltration of confidential data, the stealthy operation of malware, and legitimate purposes, such as censorship circumvention. In recent decades, some major detection methods for network covert channels have been developed. In this paper, we investigate two highly cited detection methods for covert timing channels, namely $\epsilon$ -similarity and compressibility score from Cabuk et al. (jointly cited by 930 papers and applied by thousands of researchers). We additionally analyze two recent ML-based detection methods: GAS (2022) and SnapCatch (2021). While all these detection methods must be considered valuable for the analysis of typical covert timing channels, we show that these methods are not reliable when a covert channel's behavior is slightly modified. In particular, we demonstrate that when confronted with a simple covert channel that we call $\epsilon$ - $\kappa$ libur, all detection methods can be circumvented or their performance can be significantly reduced although the covert channel still provides a high bitrate. In comparison to previous timing channels that circumvent these methods, $\epsilon$ - $\kappa$ libur is much simpler and eliminates the need of altering previously recorded traffic. Moreover, we propose an enhanced $\epsilon$ -similarity that can detect the classical covert timing channel as well as $\epsilon$ - $\kappa$ libur.

Covert Channel Communication as an Emerging Security Threat in 2.5D/3D Integrated Systems

Article

Full-text available

Feb 2023
SENSORS-BASEL

In this paper, first, a broad overview of existing covert channel communication-based security attacks is provided. Such covert channels establish a communication link between two entities that are not authorized to share data. The secret data is encoded into different forms of signals, such as delay, temperature, or hard drive location. These signals and information are then decoded by the receiver to retrieve the secret data, thereby mitigating some of the existing security measures. The important steps of covert channel attacks are described, such as data encoding, communication protocol, data decoding, and models to estimate communication bandwidth and bit error rate. Countermeasures against covert channels and existing covert channel detection techniques are also summarized. In the second part of the paper, the implications of such attacks for emerging packaging technologies, such as 2.5D/3D integration are discussed. Several covert channel threat models for 2.5D/3D ICs are also proposed.

A Comprehensive Review of Tunnel Detection on Multilayer Protocols: From Traditional to Machine Learning Approaches

Article

Full-text available

Feb 2023

Tunnels, a key technology of traffic obfuscation, are increasingly being used to evade censorship. While providing convenience to users, tunnel technology poses a hidden danger to cybersecurity due to its concealment and camouflage capabilities. In contrast to previous studies of encrypted traffic detection, we perform the first measurement study of tunnel traffic and its unique characteristics and focus on the challenges and solutions in detecting tunnel traffic among traditional and machine learning techniques. This study covers an almost twenty-year research period from 2003 to 2022. First, we present the concepts of two types of tunnels, broad and narrow tunnels, respectively, as well as a framework for major tunnel applications, such as Tor (the second-generation onion router), proxy, VPN, and their relationships. Second, we analyze state-of-the-art methods from traditional to machine learning applications to systematize tunnel traffic detection, including HTTP, HTTPS, DNS, SSH, TCP, ICMP and IPSec. A quantitative evaluation is presented with five crucial indicators applied to the detection methods and reviews. We further discuss the research work based on datasets, feature engineering, and challenges that have are solved, partly solved and unsolved. Finally, by providing open questions and the potential directions, we hope to inspire future work in this area.

Did You See That? A Covert Channel Exploiting Recent Legitimate Traffic

Preprint

Full-text available

Dec 2022

Covert channels are unforeseen and stealthy communication channels that enable manifold adversary scenarios, such as the covert exfiltration of confidential data or the stealthy orchestration of botnets. However, they can also allow the exchange of confidential information by journalists. All covert channels described until now therefore need to craft seemingly legitimate information flows for their information exchange, mimicking unsuspicious behavior. In this paper, we present DYST (Did You See That?), which represents a new class of covert channels we call history covert channels. History covert channels can communicate almost exclusively based on unaltered legitimate traffic created by regular nodes participating in a network. Only a negligible fraction of the covert communication process requires the transfer of actual covert channel information. We extend the current taxonomy for covert channels to show how history channels can be categorized. We theoretically analyze the characteristics of history channels and show how their configuration can be optimized for two channel implementations, called DYST-Basic and DYST-Ext. We further implement a proof-of-concept code for both DYST variants and evaluate the performance (robustness, detectability, and optimization) with both, simulated and real traffic. Finally, we discuss application scenarios and potential countermeasures against DYST.

Covert Channels in Network Time Security

Conference Paper

Full-text available

Jun 2022

Avoiding Research Tribal Wars Using Taxonomies

Article

Jan 2023
COMPUTER

Every scientific domain benefits from a unified understanding and categorization of terms. This article highlights lessons learned from several years of taxonomy and terminology research in a cybersecurity domain.

Network-Based Machine Learning Detection of Covert Channel Attacks on Cyber-Physical Systems

Conference Paper

Jul 2022

Generic and Sensitive Anomaly Detection of Network Covert Timing Channels

Article

Full-text available

Jan 2022
IEEE T DEPEND SECURE

Network covert timing channels can be maliciously used to exfiltrate secrets, coordinate attacks and propagate malwares, posing serious threats to cybersecurity. Current covert timing channels normally conduct small-volume transmission under the covers of various disguising techniques, making them hard to detect especially when a detector has little priori knowledge of their traffic features. In this paper, we propose a generic and sensitive detection approach, which can simultaneously (i) identify various types of channels without their traffic knowledge and (ii) maintain reasonable performance on small traffic samples. The basis of our approach is the finding that the short-term timing behavior of covert and legitimate traffic is significantly different from the perspective of inter-packet delays' variation. This phenomenon can be a generic reference to detect various channels because it is resistant to major channel disguising techniques which only mimic long-term traffic features, while it is also a sensitive reference to spot small-volume covert transmission since it can capture traffic anomalies in a fine-grained manner. To obtain the inner patterns of inter-packet delays' variation, we design a context-sensitive feature-extraction technique. This technique transforms each raw inter-packet delay into a discrete counterpart based on its contextual properties, thus extracting its variation features and reducing traffic data complexity. Then we learn legitimate variation patterns using a neural network model, and identify samples showing anomalous variation as covert. The experimental results show that our approach effectively detects all currently representative channels in the absence of their knowledge, presenting once to twice higher sensitivity than the state-of-the-art solutions.

Covert File Transfer Protocol Based on the IP Record Route Option

Article

Full-text available

Jan 2010

Covert channels are used for secret transfer of information. Encryption only protects communication from being decoded by unauthorized parties, whereas covert channels aim to hide the very existence of communication. This paper discusses a novel covert file transfer protocol (CFTP) based on the IP record route option. The CFTP protocol is used to secretly transfer text files and short messages between hosts. Firewalls that limit the outgoing traffic to a few allowed application protocols (e.g. FTP) can be circumvented by the CFTP protocol. To demonstrate the practical efficiency of the proposed covert protocol, a user friendly tool based on the client/server technology is implemented. Compared to related research, the main contribution in this work is that it introduces a new generation of covert channels. The proposed protocol is based on a novel session-oriented mechanism that offers TCP-like features embedded inside the IP option field. It provides more sophisticated communication tools that can be used for hiding information as well as synchronizing sessions and controlling the flow of exchanged data between hosts.

The silence of the LANs: Efficient leakage resilience for IPsec VPNs

Article

Full-text available

Feb 2014
IEEE T INF FOREN SEC

Virtual Private Networks (VPNs) are increasingly used to build logically isolated networks. However, existing VPN designs and deployments neglect the problem of traffic analysis and covert channels. Hence, there are many ways to infer information from VPN traffic without decrypting it. Many proposals were made to mitigate network covert channels, but previous works remained largely theoretical or resulted in prohibitively high padding overhead and performance penalties. In this work, we (1) analyse the impact of covert channels in IPsec, (2) present several improved and novel approaches for covert channel mitigation in IPsec, (3) propose and implement a system for dynamic performance trade-offs, and (4) implement our design in the Linux IPsec stack and evaluate its performance for different types of traffic and mitigation policies. At only 24% overhead, our prototype enforces tight information-theoretic bounds on all information leakage.

Covert Communications through Network Configuration Messages

Article

Full-text available

Nov 2013
COMPUT SECUR

Covert channels are a form of hidden communication that may violate the integrity of systems. Since their birth in Multi-Level Security systems in the early 70's they have evolved considerably, such that new solutions have appeared for computer networks mainly due to vague protocols specifications. In this paper we concentrate on short-range covert channels and analyze the opportunities of concealing data in various extensively used protocols today. From this analysis we observe several features that can be effectively exploited for subliminal data transmission in the Dynamic Host Configuration Protocol (DHCP). The result is a proof-of-concept implementation, HIDE_DHCP, which integrates three different covert channels each of which accommodate to different stealthiness and capacity requirements. Finally, we provide a theoretical and experimental analysis of this tool in terms of its reliability, capacity, and detectability.

Steganography using the Extensible Messaging and Presence Protocol (XMPP)

Article

Full-text available

Sep 2013

We present here the first work to propose different mechanisms for hiding data in the Extensible Messaging and Presence Protocol (XMPP). This is a very popular instant messaging protocol used by many messaging platforms such as Google Talk, Cisco, LiveJournal and many others. Our paper describes how to send a secret message from one XMPP client to another, without raising the suspicion of any intermediaries. The methods described primarily focus on using the underlying protocol as a means for steganography, unlike other related works that try to hide data in the content of instant messages. In doing so, we provide a more robust means of data hiding and additionally offer some preliminary analysis of its general security, in particular against entropic-based steganalysis.

Limiting MitM to MitE covert-channels

Conference Paper

Full-text available

Sep 2013

We study covert channels between a MitM attacker, and her MitE 'malware', running within the protected network of a victim organisation, and how to prevent or limit such channels. Our focus is on advanced timing channels, that allow communication between the MitM and MitE, even when hosts inside the protected network are restricted to only communicate to other (local and remote) hosts in the protected network. Furthermore, we assume communication is encrypted with fixed packet size (padding). We show that these do not suffice to prevent covert channels between MitM and MitE; furthermore, we show that even if we restrict communication to a constant rate, e.g., one packet everysecond, communication from MitE to MitM is still possible.We present efficient traffic shapers against covert channels between MitM and MitE. Our solutions preserve efficiency and bounded delay (QoS), while limiting covert traffic leakage, in both directions.

Detecting covert timing channels

Conference Paper

Oct 2007

The detection of covert timing channels is of increasing interest in light of recent practice on the exploitation of covert timing channels over the Internet. However, due to the high variation in legitimate network traffic, detecting covert timing channels is a challenging task. The existing detection schemes are ineffective to detect most of the covert timing channels known to the security community. In this paper, we introduce a new entropy-based approach to detecting various covert timing channels. Our new approach is based on the observation that the creation of a covert timing channel has certain effects on the entropy of the original process, and hence, a change in the entropy of a process provides a critical clue for covert timing channel detection. Exploiting this observation, we investigate the use of entropy and conditional entropy in detecting covert timing channels. Our experimental results show that our entropy-based approach is sensitive to the current covert timing channels, and is capable of detecting them in an accurate manner.

The Implementation of Passive Covert Channels in the Linux Kernel

Article

Jan 2004

Joanna Rutkowska

Formal Pattern Specifications to Facilitate Semi-automated User Interface Generation

Conference Paper

Jul 2013

This paper depicts potentialities of formal HCI pattern specifications with regard to facilitate the semi-automated generation of user interfaces for interactive applications. In a first step existing proven and well accepted techniques in the field of model-based user interface development are highlighted and briefly reviewed. Subsequently it is discussed how we combine model-based and pattern-oriented methods within our user interface modeling and development framework in order to partly enable automated user interface generation. In this context a concrete pattern definition approach is introduced and illustrated with tangible examples from the domain of interactive knowledge sharing applications.

Reporting Insider Threats via Covert Channels

Conference Paper

May 2013

Trusted insiders that betray an organization can inflict substantial harm. In addition to having privileged access to organization resources and information, these users may be familiar with the defenses surrounding valuable assets. Computers systems at the organization need a mechanism for communicating suspicious activity that is difficult for a malicious insider (or even an outsider) to detect or block. In this work, we propose a covert channel in the Ethernet frame that allows a computer system to report activity inside other, unrelated network communication. The covert channel leverages the differences in the framing approaches used by Ethernet and IP packets to append hidden information to IP packet and transmit it to an organization's administrator. This stealthy communication is difficult for even advanced attackers and is challenging to block since it opportunistically uses unrelated communication. Further, since the transmission is tied to the Ethernet frame, the communication cannot traverse network routers, preventing security information from leaving the organization. We introduce the covert channel, incorporate it into a working prototype, and combine it with an intrusion detection system to show its promise for security event reporting.

Entropy based taxonomy of network convert channels

Article

Dec 2009

In this paper, we examine general mechanisms that a network covert channel may exploit, and we characterize the essence of network covert channels, which are decided by overt sources. So we present a taxonomy of network covert channels based on entropy of overt sources. We classify overt sources into three categories, as variety entropy, constrant entropy and fixed entropy sources, and name the network covert channels correspondingly. For each category we give the definition, meaning, and countermeasure method. Then we group classical network covert channels emerged in 30 years and representational network covert channels proposed in recent 3 years into our taxonomy framework.