Article (PDF available)

# Pattern-Based Survey and Categorization of Network Covert Channel Techniques


## Abstract and Figures

Network covert channels are used to hide communication inside network protocols. Various techniques for covert channels have arisen in the past few decades. We surveyed and analyzed 109 techniques developed between 1987 and 2013 and show that these techniques can be reduced to only 11 different patterns. Moreover, the majority (69.7%) of techniques can be categorized into only four different patterns (i.e., most techniques we surveyed are similar). We represent the patterns in a hierarchical catalog using a pattern language. Our pattern catalog will serve as a base for future covert channel novelty evaluation. Furthermore, we apply the concept of pattern variations to network covert channels. With pattern variations, the context of a pattern can change. For example, a channel developed for IPv4 can automatically be adapted to other network protocols. We also propose the pattern-based covert channel optimizations pattern hopping and pattern combination. Finally, we lay the foundation for pattern-based countermeasures: whereas many current countermeasures were developed for specific channels, a pattern-oriented approach allows application of one countermeasure to multiple channels. Hence, future countermeasure development can focus on patterns, and the development of real-world protection against covert channels is greatly simplified.
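The abstract proposes two pattern-based optimizations, pattern hopping (each bit is carried by one of several patterns, chosen by a secret schedule) and pattern combination (several patterns carry bits in the same packet). The following simulation is an added example and not code from the paper; it assumes two concrete patterns that the abstract does not name: a storage pattern that modulates the least-significant bit of a 16-bit header field (think of the IP Identification value) and a timing pattern that encodes a bit in the gap to the previous packet. Packets are in-memory tuples, the gap values are illustrative, and nothing is sent on the wire.

```python
"""Added example (not from the paper): pattern hopping and pattern combination
between two assumed hiding patterns, simulated in memory.

Assumed patterns:
  - storage: the least-significant bit of a 16-bit header field (`field`)
  - timing:  the gap to the previous packet (SHORT_GAP = 0, LONG_GAP = 1)
Packets are tuples (timestamp, field); the gap values are illustrative.
"""
import random

SHORT_GAP = 0.010   # seconds, encodes 0 (assumed value)
LONG_GAP = 0.050    # seconds, encodes 1 (assumed value)
IAT_THRESHOLD = (SHORT_GAP + LONG_GAP) / 2
PATTERNS = ("storage", "timing")
DEMO_MESSAGE = b"pattern hopping and pattern combination"  # constructed input


def to_bits(data: bytes):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def hopping_schedule(n_bits: int, key: int):
    """Pattern that carries bit i; derived from a secret shared by both ends."""
    rng = random.Random(key)
    return [rng.choice(PATTERNS) for _ in range(n_bits)]


def send_hopping(data: bytes, key: int, noise_seed: int = 1):
    """Each bit is carried by exactly one pattern; in that packet the other
    pattern's carrier keeps an overt (random) value."""
    rng = random.Random(noise_seed)
    packets, t = [], 0.0
    for bit, pattern in zip(to_bits(data), hopping_schedule(len(data) * 8, key)):
        field = rng.randrange(1 << 16)           # overt header value
        gap = rng.choice((SHORT_GAP, LONG_GAP))  # overt timing
        if pattern == "storage":
            field = (field & ~1) | bit
        else:
            gap = LONG_GAP if bit else SHORT_GAP
        t += gap
        packets.append((t, field))
    return packets


def observe(packets, pattern: str):
    """Bits an observer who decodes only one pattern reads from every packet."""
    bits, prev_t = [], 0.0
    for t, field in packets:
        bits.append((field & 1) if pattern == "storage"
                    else int(t - prev_t > IAT_THRESHOLD))
        prev_t = t
    return bits


def receive_hopping(packets, key: int):
    storage, timing = observe(packets, "storage"), observe(packets, "timing")
    schedule = hopping_schedule(len(packets), key)
    return from_bits([storage[i] if p == "storage" else timing[i]
                      for i, p in enumerate(schedule)])


def bit_error_rate(packets, data: bytes, pattern: str):
    """Error rate of a single-pattern observer against the true message:
    roughly half the bits it reads are the other pattern's overt noise."""
    truth, got = to_bits(data), observe(packets, pattern)
    return sum(a != b for a, b in zip(truth, got)) / len(truth)


def send_combined(data: bytes, noise_seed: int = 1):
    """Pattern combination: every packet carries two bits, one per pattern."""
    rng = random.Random(noise_seed)
    bits = to_bits(data)
    packets, t = [], 0.0
    for i in range(0, len(bits), 2):
        field = (rng.randrange(1 << 16) & ~1) | bits[i]
        t += LONG_GAP if bits[i + 1] else SHORT_GAP
        packets.append((t, field))
    return packets


def receive_combined(packets):
    storage, timing = observe(packets, "storage"), observe(packets, "timing")
    return from_bits([b for pair in zip(storage, timing) for b in pair])


if __name__ == "__main__":
    pk = send_hopping(DEMO_MESSAGE, key=42)
    print(receive_hopping(pk, key=42))
    for p in PATTERNS:
        print(p, "only observer BER:", round(bit_error_rate(pk, DEMO_MESSAGE, p), 3))
    print(receive_combined(send_combined(DEMO_MESSAGE)))
```

The hopping variant shows why a pattern-specific countermeasure is weak against it: a detector or decoder that handles only one pattern sees a bit error rate around 25 percent, because half of the bits it reads are overt noise, while the receiver with the schedule recovers the message exactly. The combination variant doubles the bitrate per packet at the cost of exposing both carriers in every packet, which is the trade-off a pattern-based countermeasure (one that normalizes several carriers at once) can exploit.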
... Several attempts have been made to define the fundamental terminology and its domains, such as text steganography, digital media steganography, or network steganography [9,24,27,28]. One of these attempts to unify and refine the terminology led to the systematization of steganographic techniques in precise, general, and abstract templates, defined as hiding patterns [37]. Each hiding pattern is described via the Pattern Language Markup Language (PLML), which allows all the various templates to be outlined in a unified manner. ...
... We then present a methodology to unify the description of hiding patterns in a domain-overlapping manner. Compared to previous works (see [22,37]), emphasis will be put on providing a less ambiguous distinction between the embedding process and the representation of hidden information within the cover object. We especially focus on the embedding patterns, for which a novel taxonomy is provided, while existing patterns are integrated into a list of representation patterns. ...
... Given the success and the functionality of hiding patterns, we decided to keep the concept of patterns for the new taxonomy. It was further agreed that the consortium will stick to the PLML-based pattern specification that was already applied by [37]. PLML provides a comparable and unified system for the description and management of patterns [8] that is also applied in other areas, such as software engineering. ...
Preprint
A unified understanding of terms and their applicability is essential for every scientific discipline: steganography is no exception. Being divided into several domains (for instance, text steganography, digital media steganography, and network steganography), it is crucial to provide a unified terminology as well as a taxonomy that is not limited to some specific applications or areas. A prime attempt towards a unified understanding of terms was conducted in 2015 with the introduction of a pattern-based taxonomy for network steganography. Six years later, in 2021, the first work towards a pattern-based taxonomy for steganography was proposed. However, this initial attempt still faced several shortcomings, e.g., the lack of patterns for several steganography domains (the work mainly focused on network steganography and covert channels), various terminology issues, and the need to provide a tutorial on how the taxonomy can be used during engineering and scientific tasks, including the paper-writing process. As the consortium who published this initial 2021 study on steganography patterns, in this paper we present the first comprehensive pattern-based taxonomy tailored to fit all known domains of steganography, including smaller and emerging areas, such as filesystem steganography and cyber-physical systems steganography. Besides, to make our contribution more effective and promote the use of the taxonomy to advance research on steganography, we also provide a thorough tutorial on its utilization. Our pattern collection is available at https://patterns.ztt.hs-worms.de.
... This led to inconsistent descriptions of hiding methods, even within steganography domains [2]. For this reason, the concept of a pattern-based taxonomy was introduced by Wendzel et al. in 2015 for the domain of network steganography (mainly for the case of network covert channels) [5]. Patterns subsume hiding methods that share the same core idea. ...
... The authors proposed to describe patterns using the pattern language markup language (PLML), which provides a structured set of pattern attributes that are usually described in XML (see [6] for details). A key advantage of applying PLML is the fact that it allows links and derivations of patterns to be built, which can then be used to form a taxonomy and to handle aliases, since hiding methods appear under different names in the related literature [5]. ...
... Network covert channel terminology, hiding methods and countermeasures have been surveyed by Zander et al. [12], Zhiyong et al. (based on entropy) [13], Mileva et al. [14] and Wendzel et al. [5]. The overlapping domain of network steganography was surveyed by Lubacz et al. [15], where some fundamental methods were categorized. ...
Preprint
Full-text available
(Same preprint and abstract as listed above.)
... The considered timing covert channel of Cabuk et al. [10] modulates the IATs between consecutive network packets of a connection by intentionally delaying packets. The channel is a form of the so-called inter-packet times (or: inter-arrival times) hiding pattern [15] in network steganography, or, more generally, the element positioning pattern in steganography [16], as packets are "positioned" in time. ...
... Moreover, the timing (as well as other metadata) of network traffic is actively manipulated for network flow watermarking [20], [21]. Further, there are timing-based covert channel patterns in addition to the inter-packet times or element positioning patterns [15], [16] analyzed in this paper, such as covert channels exploiting the timing of retransmissions [22], [23], covert channels influencing the throughput of a connection over time [24], and covert timing channels that drop selected network packets [25]. ...
Article
Full-text available
Network covert channels are applied for the secret exfiltration of confidential data, the stealthy operation of malware, and legitimate purposes, such as censorship circumvention. In recent decades, some major detection methods for network covert channels have been developed. In this paper, we investigate two highly cited detection methods for covert timing channels, namely ε-similarity and compressibility score from Cabuk et al. (jointly cited by 930 papers and applied by thousands of researchers). We additionally analyze two recent ML-based detection methods: GAS (2022) and SnapCatch (2021). While all these detection methods must be considered valuable for the analysis of typical covert timing channels, we show that these methods are not reliable when a covert channel's behavior is slightly modified. In particular, we demonstrate that when confronted with a simple covert channel that we call ε-κlibur, all detection methods can be circumvented or their performance can be significantly reduced although the covert channel still provides a high bitrate. In comparison to previous timing channels that circumvent these methods, ε-κlibur is much simpler and eliminates the need to alter previously recorded traffic. Moreover, we propose an enhanced ε-similarity that can detect the classical covert timing channel as well as ε-κlibur.
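The snippets above describe the Cabuk et al. inter-packet-time channel and name the two classic detection scores for it, compressibility score and ε-similarity. The block below is an added example, not code from any of the cited papers: it implements a sender and receiver for a two-delay timing channel and both scores, and runs them on constructed samples. It assumes that the channel encodes 0 and 1 as two fixed delays (SHORT_IAT, LONG_IAT), that legitimate traffic can be modelled as exponentially distributed gaps with the same mean, and that the ε value, rounding precision and the `factor` threshold are illustrative choices rather than the cited papers' parameters.

```python
"""Added example (not from the cited papers): a Cabuk-style inter-packet-time
covert channel plus the compressibility score and epsilon-similarity scores,
computed on constructed samples.

Assumptions: two fixed delays encode the bits; legitimate traffic is
exponential with the same mean; eps, precision and factor are illustrative.
"""
import random
import zlib

SHORT_IAT = 0.05   # seconds, bit 0 (assumed)
LONG_IAT = 0.10    # seconds, bit 1 (assumed)


def random_bits(n, seed=3):
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n)]


def covert_iats(bits, jitter_sd=0.0, seed=7):
    """Sender side: delay every packet by a bit-dependent interval
    (optionally with Gaussian jitter, which blurs the two clusters)."""
    rng = random.Random(seed)
    return [max(1e-6, (LONG_IAT if b else SHORT_IAT) + rng.gauss(0.0, jitter_sd))
            for b in bits]


def decode_iats(iats):
    """Receiver side: threshold halfway between the two delays."""
    threshold = (SHORT_IAT + LONG_IAT) / 2
    return [int(x > threshold) for x in iats]


def legitimate_iats(n, mean=(SHORT_IAT + LONG_IAT) / 2, seed=11):
    """Constructed 'legitimate' traffic: memoryless gaps with the same mean."""
    rng = random.Random(seed)
    return [rng.expovariate(1.0 / mean) for _ in range(n)]


def compressibility_score(iats, precision=3):
    """Round each IAT, concatenate the strings and compress them.
    Score = original size / compressed size: regular timings compress well."""
    text = "".join(f"{x:.{precision}f}" for x in iats).encode()
    return len(text) / len(zlib.compress(text, 9))


def epsilon_similarity(iats, eps=0.005):
    """Sort the IATs and take the relative change between neighbours,
    |P[i] - P[i+1]| / P[i]; report the fraction below eps. A channel that
    reuses a few fixed delays yields long runs of near-zero changes."""
    p = sorted(iats)
    rel = [abs(p[i] - p[i + 1]) / p[i] for i in range(len(p) - 1)]
    return sum(1 for r in rel if r < eps) / len(rel)


def scores(iats):
    return {"compressibility": compressibility_score(iats),
            "epsilon_similarity": epsilon_similarity(iats)}


def flag_covert(iats, baseline, factor=1.5):
    """Naive detector: flag a flow whose scores exceed those of a legitimate
    baseline of the same length by `factor`. Both scores depend on the
    sample size, so the baseline must be measured on equally long windows."""
    s, b = scores(iats), scores(baseline)
    return any(s[k] > factor * b[k] for k in s)


if __name__ == "__main__":
    bits = random_bits(500)
    for name, flow in (("covert", covert_iats(bits)),
                       ("covert+jitter", covert_iats(bits, jitter_sd=0.005)),
                       ("legitimate", legitimate_iats(500, seed=13))):
        print(name, {k: round(v, 3) for k, v in scores(flow).items()})
```

Two caveats a practitioner should keep in mind, both visible when running the block: both scores grow or shrink with the number of packets in the window, so a fixed cut-off taken from one trace does not transfer to another window length; and a small amount of jitter (`jitter_sd=0.005`) already lowers the compressibility score sharply while the receiver still decodes the bits, which is the kind of "slightly modified" channel behaviour the abstract above warns about.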
... This work shows that manipulating the power governors, which scale the CPU frequency dynamically, can create a communication channel because the CPU core frequency is generally available to user processes (through sysfs or /proc/cpuinfo) [26]. Network-based covert channels rely on manipulating some part of network traffic to establish communication between networked devices [10,27]. Various fields in the Open Systems Information (OSI) model are altered in order to transmit information; one example being modulating the least significant bit of the Transmission Control Protocol (TCP) timestamp field [28]. ...
Article
Full-text available
In this paper, first, a broad overview of existing covert channel communication-based security attacks is provided. Such covert channels establish a communication link between two entities that are not authorized to share data. The secret data is encoded into different forms of signals, such as delay, temperature, or hard drive location. These signals and information are then decoded by the receiver to retrieve the secret data, thereby mitigating some of the existing security measures. The important steps of covert channel attacks are described, such as data encoding, communication protocol, data decoding, and models to estimate communication bandwidth and bit error rate. Countermeasures against covert channels and existing covert channel detection techniques are also summarized. In the second part of the paper, the implications of such attacks for emerging packaging technologies, such as 2.5D/3D integration are discussed. Several covert channel threat models for 2.5D/3D ICs are also proposed.
... TCP tunnel traffic detection methods in A • B S and A • B T were summarized by Goher [72], who briefly classified the applications in tunnel traffic. By using statistics and machine learning, Wendzel [73] identified tunnel traffic using 109 technologies that hide protocol information through tunnels, simplified them into 11 patterns, and used statistics to identify tunnel traffic. Although they gave a variety of patterns, they failed to give a formal representation or give a specific detection method for each or fixed patterns. ...
Article
Full-text available
Tunnels, a key technology of traffic obfuscation, are increasingly being used to evade censorship. While providing convenience to users, tunnel technology poses a hidden danger to cybersecurity due to its concealment and camouflage capabilities. In contrast to previous studies of encrypted traffic detection, we perform the first measurement study of tunnel traffic and its unique characteristics and focus on the challenges and solutions in detecting tunnel traffic among traditional and machine learning techniques. This study covers an almost twenty-year research period from 2003 to 2022. First, we present the concepts of two types of tunnels, broad and narrow tunnels, respectively, as well as a framework for major tunnel applications, such as Tor (the second-generation onion router), proxy, VPN, and their relationships. Second, we analyze state-of-the-art methods from traditional to machine learning applications to systematize tunnel traffic detection, including HTTP, HTTPS, DNS, SSH, TCP, ICMP and IPSec. A quantitative evaluation is presented with five crucial indicators applied to the detection methods and reviews. We further discuss the research work based on datasets, feature engineering, and challenges that are solved, partly solved and unsolved. Finally, by providing open questions and the potential directions, we hope to inspire future work in this area.
... Network Covert Channel Detection: Several detection methods for covert channels have been proposed throughout the years. Popular ones are, e.g., compressibility score [24], ε-similarity [25], regularity metric [25], a method from Berk et al. [26], as well as classical methods, such as the Kullback-Leibler divergence test [27], Kolmogorov-Smirnov [27] or entropy-based analyses [7]. All of these methods require at least a few hundred covert channel packets to provide somewhat reliable detection of covert channel flows. ...
Preprint
Full-text available
Covert channels are unforeseen and stealthy communication channels that enable manifold adversary scenarios, such as the covert exfiltration of confidential data or the stealthy orchestration of botnets. However, they can also allow the exchange of confidential information by journalists. All covert channels described until now therefore need to craft seemingly legitimate information flows for their information exchange, mimicking unsuspicious behavior. In this paper, we present DYST (Did You See That?), which represents a new class of covert channels we call history covert channels. History covert channels can communicate almost exclusively based on unaltered legitimate traffic created by regular nodes participating in a network. Only a negligible fraction of the covert communication process requires the transfer of actual covert channel information. We extend the current taxonomy for covert channels to show how history channels can be categorized. We theoretically analyze the characteristics of history channels and show how their configuration can be optimized for two channel implementations, called DYST-Basic and DYST-Ext. We further implement a proof-of-concept code for both DYST variants and evaluate the performance (robustness, detectability, and optimization) with both, simulated and real traffic. Finally, we discuss application scenarios and potential countermeasures against DYST.
... Direction describes whether the covert channel is suitable for infiltration (server-to-client), exfiltration (client-to-server) or Command-and-Control (bi-directional). Pattern describes the correlating network covert channel pattern from the Pattern-based Network Covert Channel Taxonomy [32]. For this analysis, we use the revised pattern taxonomy [31] published in 2021. ...
Conference Paper
Full-text available
Article
Every scientific domain benefits from a unified understanding and categorization of terms. This article highlights lessons learned from several years of taxonomy and terminology research in a cybersecurity domain.
Article
Full-text available
Network covert timing channels can be maliciously used to exfiltrate secrets, coordinate attacks and propagate malware, posing serious threats to cybersecurity. Current covert timing channels normally conduct small-volume transmission under the cover of various disguising techniques, making them hard to detect, especially when a detector has little prior knowledge of their traffic features. In this paper, we propose a generic and sensitive detection approach, which can simultaneously (i) identify various types of channels without their traffic knowledge and (ii) maintain reasonable performance on small traffic samples. The basis of our approach is the finding that the short-term timing behavior of covert and legitimate traffic is significantly different from the perspective of inter-packet delays' variation. This phenomenon can be a generic reference to detect various channels because it is resistant to major channel disguising techniques, which only mimic long-term traffic features, while it is also a sensitive reference to spot small-volume covert transmission since it can capture traffic anomalies in a fine-grained manner. To obtain the inner patterns of inter-packet delays' variation, we design a context-sensitive feature-extraction technique. This technique transforms each raw inter-packet delay into a discrete counterpart based on its contextual properties, thus extracting its variation features and reducing traffic data complexity. Then we learn legitimate variation patterns using a neural network model, and identify samples showing anomalous variation as covert. The experimental results show that our approach effectively detects all currently representative channels in the absence of their knowledge, with one to two times higher sensitivity than the state-of-the-art solutions.
Article
Full-text available
Covert channels are used for secret transfer of information. Encryption only protects communication from being decoded by unauthorized parties, whereas covert channels aim to hide the very existence of communication. This paper discusses a novel covert file transfer protocol (CFTP) based on the IP record route option. The CFTP protocol is used to secretly transfer text files and short messages between hosts. Firewalls that limit the outgoing traffic to a few allowed application protocols (e.g. FTP) can be circumvented by the CFTP protocol. To demonstrate the practical efficiency of the proposed covert protocol, a user friendly tool based on the client/server technology is implemented. Compared to related research, the main contribution in this work is that it introduces a new generation of covert channels. The proposed protocol is based on a novel session-oriented mechanism that offers TCP-like features embedded inside the IP option field. It provides more sophisticated communication tools that can be used for hiding information as well as synchronizing sessions and controlling the flow of exchanged data between hosts.
Article
Full-text available
Virtual Private Networks (VPNs) are increasingly used to build logically isolated networks. However, existing VPN designs and deployments neglect the problem of traffic analysis and covert channels. Hence, there are many ways to infer information from VPN traffic without decrypting it. Many proposals were made to mitigate network covert channels, but previous works remained largely theoretical or resulted in prohibitively high padding overhead and performance penalties. In this work, we (1) analyse the impact of covert channels in IPsec, (2) present several improved and novel approaches for covert channel mitigation in IPsec, (3) propose and implement a system for dynamic performance trade-offs, and (4) implement our design in the Linux IPsec stack and evaluate its performance for different types of traffic and mitigation policies. At only 24% overhead, our prototype enforces tight information-theoretic bounds on all information leakage.
Article
Full-text available
Covert channels are a form of hidden communication that may violate the integrity of systems. Since their birth in Multi-Level Security systems in the early 1970s they have evolved considerably, such that new solutions have appeared for computer networks, mainly due to vague protocol specifications. In this paper we concentrate on short-range covert channels and analyze the opportunities of concealing data in various extensively used protocols today. From this analysis we observe several features that can be effectively exploited for subliminal data transmission in the Dynamic Host Configuration Protocol (DHCP). The result is a proof-of-concept implementation, HIDE_DHCP, which integrates three different covert channels, each of which accommodates different stealthiness and capacity requirements. Finally, we provide a theoretical and experimental analysis of this tool in terms of its reliability, capacity, and detectability.
Article
Full-text available
We present here the first work to propose different mechanisms for hiding data in the Extensible Messaging and Presence Protocol (XMPP). This is a very popular instant messaging protocol used by many messaging platforms such as Google Talk, Cisco, LiveJournal and many others. Our paper describes how to send a secret message from one XMPP client to another, without raising the suspicion of any intermediaries. The methods described primarily focus on using the underlying protocol as a means for steganography, unlike other related works that try to hide data in the content of instant messages. In doing so, we provide a more robust means of data hiding and additionally offer some preliminary analysis of its general security, in particular against entropic-based steganalysis.
Conference Paper
Full-text available
We study covert channels between a MitM attacker and her MitE 'malware', running within the protected network of a victim organisation, and how to prevent or limit such channels. Our focus is on advanced timing channels that allow communication between the MitM and MitE, even when hosts inside the protected network are restricted to only communicate to other (local and remote) hosts in the protected network. Furthermore, we assume communication is encrypted with fixed packet size (padding). We show that these do not suffice to prevent covert channels between MitM and MitE; furthermore, we show that even if we restrict communication to a constant rate, e.g., one packet every second, communication from MitE to MitM is still possible. We present efficient traffic shapers against covert channels between MitM and MitE. Our solutions preserve efficiency and bounded delay (QoS), while limiting covert traffic leakage, in both directions.
Conference Paper
The detection of covert timing channels is of increasing interest in light of recent practice on the exploitation of covert timing channels over the Internet. However, due to the high variation in legitimate network traffic, detecting covert timing channels is a challenging task. The existing detection schemes are ineffective to detect most of the covert timing channels known to the security community. In this paper, we introduce a new entropy-based approach to detecting various covert timing channels. Our new approach is based on the observation that the creation of a covert timing channel has certain effects on the entropy of the original process, and hence, a change in the entropy of a process provides a critical clue for covert timing channel detection. Exploiting this observation, we investigate the use of entropy and conditional entropy in detecting covert timing channels. Our experimental results show that our entropy-based approach is sensitive to the current covert timing channels, and is capable of detecting them in an accurate manner.
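The abstract above describes detection through the entropy and conditional entropy of the inter-packet delay process. The block below is an added example, not the paper's own code: it bins delays into symbols using equiprobable bins learned from legitimate training traffic, computes the entropy of single symbols and a corrected conditional entropy (CCE) over symbol patterns, and flags flows whose values fall well below the legitimate reference. Assumptions not taken from the page: legitimate delays are modelled as exponential, the covert channel uses two fixed delays, and the bin count, maximum pattern length and the 0.8 threshold factor are illustrative.

```python
"""Added example (not from the paper): entropy and corrected conditional
entropy (CCE) tests over inter-packet delays, run on constructed samples.

Assumptions: legitimate delays are exponential; the covert channel uses two
fixed delays; q bins, max_m and the 0.8 threshold factor are illustrative.
"""
import math
import random
from collections import Counter


def legitimate_iats(n, mean=0.075, seed=11):
    rng = random.Random(seed)
    return [rng.expovariate(1.0 / mean) for _ in range(n)]


def covert_iats(n, delays=(0.05, 0.10), seed=7):
    """Two-delay timing channel carrying random bits (constructed sample)."""
    rng = random.Random(seed)
    return [rng.choice(delays) for _ in range(n)]


def bin_edges(training, q):
    """Equiprobable bin boundaries (quantiles) taken from legitimate training data."""
    s = sorted(training)
    return [s[int(len(s) * k / q)] for k in range(1, q)]


def symbolize(iats, edges):
    """Map each delay to the index of the bin it falls into."""
    return [sum(x > e for e in edges) for x in iats]


def entropy_bits(counter):
    n = sum(counter.values())
    return -sum(c / n * math.log2(c / n) for c in counter.values())


def pattern_counts(symbols, m):
    return Counter(tuple(symbols[i:i + m]) for i in range(len(symbols) - m + 1))


def pattern_entropy(symbols, m):
    """EN(m): entropy of the distribution of length-m symbol patterns; EN(0) = 0."""
    return 0.0 if m == 0 else entropy_bits(pattern_counts(symbols, m))


def corrected_conditional_entropy(symbols, max_m=10):
    """CCE(m) = EN(m) - EN(m-1) + perc(m) * EN(1), where perc(m) is the share
    of length-m patterns that occur only once; the estimate is min over m.
    The correction keeps the plain conditional entropy from collapsing to
    zero as m grows on a finite sample (every long pattern becomes unique)."""
    en1 = pattern_entropy(symbols, 1)
    best = float("inf")
    for m in range(1, max_m + 1):
        counts = pattern_counts(symbols, m)
        perc = sum(1 for c in counts.values() if c == 1) / sum(counts.values())
        ce = pattern_entropy(symbols, m) - pattern_entropy(symbols, m - 1)
        best = min(best, ce + perc * en1)
    return best


def detect(iats, training, q=5, factor=0.8):
    """Flag a flow whose symbol entropy or CCE is below `factor` times the
    value measured on the legitimate training flow with the same bins.
    Low entropy catches channels that reuse few delay values; low CCE
    catches regular (predictable) delay sequences."""
    edges = bin_edges(training, q)
    ref, sym = symbolize(training, edges), symbolize(iats, edges)
    en, cce = pattern_entropy(sym, 1), corrected_conditional_entropy(sym)
    en_ref, cce_ref = pattern_entropy(ref, 1), corrected_conditional_entropy(ref)
    return {"entropy": en, "cce": cce,
            "covert": en < factor * en_ref or cce < factor * cce_ref}


if __name__ == "__main__":
    train = legitimate_iats(2000)
    print("legit ", detect(legitimate_iats(500, seed=5), train))
    print("covert", detect(covert_iats(500), train))
```

With five equiprobable bins the legitimate flow scores close to log2(5) ≈ 2.32 bits on both measures, while the two-delay channel occupies only two bins and scores at most 1 bit. The bins must be learned from traffic of the same application and link, since a distribution shift in legitimate traffic (not a covert channel) also lowers the measured entropy and produces false positives.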
Conference Paper
This paper depicts the potential of formal HCI pattern specifications with regard to facilitating the semi-automated generation of user interfaces for interactive applications. In a first step, existing proven and well accepted techniques in the field of model-based user interface development are highlighted and briefly reviewed. Subsequently it is discussed how we combine model-based and pattern-oriented methods within our user interface modeling and development framework in order to partly enable automated user interface generation. In this context a concrete pattern definition approach is introduced and illustrated with tangible examples from the domain of interactive knowledge sharing applications.
Conference Paper
Trusted insiders that betray an organization can inflict substantial harm. In addition to having privileged access to organization resources and information, these users may be familiar with the defenses surrounding valuable assets. Computer systems at the organization need a mechanism for communicating suspicious activity that is difficult for a malicious insider (or even an outsider) to detect or block. In this work, we propose a covert channel in the Ethernet frame that allows a computer system to report activity inside other, unrelated network communication. The covert channel leverages the differences in the framing approaches used by Ethernet and IP packets to append hidden information to IP packets and transmit it to an organization's administrator. This stealthy communication is difficult for even advanced attackers and is challenging to block since it opportunistically uses unrelated communication. Further, since the transmission is tied to the Ethernet frame, the communication cannot traverse network routers, preventing security information from leaving the organization. We introduce the covert channel, incorporate it into a working prototype, and combine it with an intrusion detection system to show its promise for security event reporting.
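The abstract above relies on the gap between Ethernet framing and IP framing: the link layer delivers the whole frame, but the IP stack only consumes as many bytes as the IP total-length field announces, so bytes appended after the IP packet ride along on the local segment and are discarded (and never forwarded) by any router that re-frames the packet. The block below is an added example and not the paper's prototype: it builds such a frame, extracts the trailer as a receiving host would, and includes the check a defender could run on captured frames. MAC addresses, IP addresses and payload are constructed test values; the layout follows the standard Ethernet II and IPv4 header formats.

```python
"""Added example (not the paper's prototype): hiding data behind the IP packet
inside an Ethernet frame, extracting it, and spotting it on the receiving side.

MAC/IP addresses and payload below are constructed test values.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")        # dst MAC, src MAC, ethertype
IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # minimal IPv4 header, no options
ETHERTYPE_IPV4 = 0x0800
MIN_FRAME_PAYLOAD = 46                   # 64-byte minimum frame minus 14 header, 4 FCS

TEST_SRC_MAC = bytes.fromhex("020000000001")
TEST_DST_MAC = bytes.fromhex("020000000002")
TEST_SRC_IP, TEST_DST_IP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement sum over 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ip_packet(src: bytes, dst: bytes, payload: bytes, proto: int = 17) -> bytes:
    """IPv4 header + payload; total_length describes exactly this packet."""
    total_len = IP_HDR.size + len(payload)
    hdr = IP_HDR.pack(0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_frame(dst_mac: bytes, src_mac: bytes, ip_packet: bytes, trailer: bytes = b"") -> bytes:
    """Ethernet frame with the covert `trailer` placed after the IP packet.
    Short frames are padded to the minimum length with zeros, so a trailer
    up to that size occupies space the link layer has to fill anyway."""
    body = ip_packet + trailer
    body += b"\x00" * max(0, MIN_FRAME_PAYLOAD - len(body))
    return ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_IPV4) + body


def split_frame(frame: bytes):
    """Return (ip_packet, trailer): what the IP stack consumes and what it ignores."""
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR.size:]
    total_len = struct.unpack_from("!H", ip, 2)[0]
    ihl = (ip[0] & 0x0F) * 4
    if (ip[0] >> 4) != 4 or ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("malformed IPv4 header")
    return ip[:total_len], ip[total_len:]


def extract_hidden(frame: bytes, length: int) -> bytes:
    """Covert receiver: the first `length` trailer bytes are the message."""
    return split_frame(frame)[1][:length]


def trailer_is_suspicious(frame: bytes) -> bool:
    """Defender's check: padding after a short IP packet must be all zeros,
    and a packet that already fills the minimum frame needs no trailer at all."""
    ip, trailer = split_frame(frame)
    return any(trailer) or (len(trailer) > 0 and len(ip) >= MIN_FRAME_PAYLOAD)


if __name__ == "__main__":
    pkt = build_ip_packet(TEST_SRC_IP, TEST_DST_IP, b"ping")
    frame = build_frame(TEST_DST_MAC, TEST_SRC_MAC, pkt, b"alert:uid=0")
    print(extract_hidden(frame, 11), trailer_is_suspicious(frame))
```

Two practical caveats apply: the receiving NIC and driver must hand the full frame to the capturing process (some drivers strip padding or expose only `total_length` bytes), and because hidden bytes sit where zero padding is expected, a defender's sensor can flag non-zero padding cheaply, which cuts both ways for the reporting use case in the abstract.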
Article
In this paper, we examine general mechanisms that a network covert channel may exploit, and we characterize the essence of network covert channels, which is decided by overt sources. So we present a taxonomy of network covert channels based on the entropy of overt sources. We classify overt sources into three categories, namely variety entropy, constant entropy and fixed entropy sources, and name the network covert channels correspondingly. For each category we give the definition, meaning, and countermeasure method. Then we group classical network covert channels that emerged over 30 years and representative network covert channels proposed in the recent 3 years into our taxonomy framework.