Tuesday, 11 September 2018

`Countermeasure Variation' to Detect Network Covert Channels

In four new papers we introduce and show the concept of `countermeasure variation'. In covert channel/steganography research, the goal of a countermeasure is typically to detect, limit, or prevent a covert channel. However, there is a problem: there are just too many possible ways to create covert channels to detect them all, i.e. one needs numerous countermeasures to detect all the potential covert channels. As shown in the table, countermeasures target only one type of covert channel. For instance, the compressibility can be used to detect timing channels that signal hidden information using inter-arrival times.



However, there are new covert channels arising every now and then for which no countermeasures are known. For this reason, it would be beneficial to find some way to apply the ideas of existing countermeasures to such a new covert channel technique, i.e. to determine whether the blue question marks in the following table can be addressed.



We present the concept of countermeasure variation (CV). Without going into details, we can say that countermeasure variation is the idea of `transforming' a given countermeasure that was designed to detect one specific covert channel of a given pattern so that it can also detect covert channels of another pattern. The core idea is to take a given countermeasure, change the parameters that are inserted into it (e.g. packet sizes instead of inter-arrival times) and adjust some threshold of its output value, and then be able to detect an entirely different covert channel with the transformed countermeasure. This would reduce the amount of required code (per covert channel that has to be detected) and the number of fundamentally different countermeasures to be applied in parallel. It would also allow existing countermeasures to be transformed for upcoming covert channels.

The first paper to propose countermeasure variation and exemplify its feasibility was presented at CECC'18:

S. Wendzel, D. Eller, W. Mazurczyk: One Countermeasure, Multiple Patterns: Countermeasure Variation for Covert Channels, in Proc. Central European Security Conference (CECC'18), ACM, 2018.

In the CECC paper, we exemplify countermeasure variation using the so-called compressibility score originally presented by Cabuk et al. The compressibility score is used to detect covert channels of the ‘Inter-packet Times’ hiding pattern* and we show that countermeasure variation allows the application of the compressibility score to detect covert channels of the ‘Size Modulation’ pattern.
In other words, we use a countermeasure designed to detect a type of covert timing channel and apply it to a type of storage channel.
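
An illustration of this variation step (an added example, not code from the papers or from the original post): one compressibility routine is first fed inter-arrival times and then, unchanged, packet sizes, with a separate threshold fitted for each input. The textual encoding (fixed decimals, `;` separator), the use of zlib, the window size, the threshold heuristic and all traffic values are assumptions; the flows are constructed synthetic data.

```python
import random
import zlib

def compressibility(values, digits):
    """kappa = |S| / |compress(S)| for S = concatenated textual values."""
    text = "".join(f"{v:.{digits}f};" for v in values).encode()
    return len(text) / len(zlib.compress(text, 9))

def window_scores(values, digits, window=500):
    """Score consecutive, non-overlapping windows of one flow."""
    return [compressibility(values[i:i + window], digits)
            for i in range(0, len(values) - window + 1, window)]

def fit_threshold(baseline, digits, margin=1.25):
    """Assumed heuristic: highest benign window score plus a safety margin."""
    return margin * max(window_scores(baseline, digits))

def detect(values, digits, threshold):
    """One verdict per window: True means 'suspiciously regular'."""
    return [k > threshold for k in window_scores(values, digits)]

# --- constructed sample flows (synthetic, seeded; not measurements) ---
rng = random.Random(2018)
def benign_iat(n):   # seconds, exponential inter-arrival times
    return [rng.expovariate(10) for _ in range(n)]
def covert_iat(n):   # two delays encode one bit each, small jitter
    return [rng.choice((0.10, 0.20)) + rng.gauss(0, 0.002) for _ in range(n)]
def benign_size(n):  # bytes, uniformly spread packet sizes
    return [rng.randint(40, 1500) for _ in range(n)]
def covert_size(n):  # four sizes encode two bits each
    return [rng.choice((1000, 1001, 1002, 1003)) for _ in range(n)]

def run(benign, covert, digits):
    """Fit on benign traffic, then judge held-out benign and covert flows."""
    thr = fit_threshold(benign(2000), digits)
    return detect(benign(1000), digits, thr), detect(covert(1000), digits, thr)

# Original countermeasure: inter-arrival times, two decimals.
IAT_RESULT = run(benign_iat, covert_iat, digits=2)
# Varied countermeasure: same code, packet sizes as input, own threshold.
SIZE_RESULT = run(benign_size, covert_size, digits=0)

if __name__ == "__main__":
    print("inter-arrival times:", IAT_RESULT)
    print("packet sizes:       ", SIZE_RESULT)
```

Each result is a pair of per-window verdicts (held-out benign flow, covert flow); on real traffic the threshold has to be fitted on a baseline captured from the monitored network.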

However, a much more precise definition of the term `countermeasure variation' can be found in the follow-up journal paper:

S. Wendzel, F. Link, D. Eller, W. Mazurczyk: Detection of Size Modulation Covert Channels Using Countermeasure Variation, Journal of Universal Computer Science (J.UCS), 2019/in press.

In two other papers we show that countermeasure variation also works for other hiding patterns:

1. Artificial Retransmission Pattern:

S. Zillien, S. Wendzel: Detection of covert channels in TCP retransmissions, in Proc. 23rd Nordic Conference on Secure IT Systems (NordSec), Springer, 2018.

In the NordSec paper, we describe the implementation and detection of a novel approach for a TCP retransmission-based covert channel. We implemented and evaluated two statistical detection measures that were originally designed for inter-arrival time-based network channels, namely the ε-similarity and the compressibility score (the compressibility score is the same as above for the first paper). The ε-similarity originally measures the similarity of two timing distributions. The compressibility indicates the presence of a covert channel by measuring the compression ratio of a textual representation of concatenated inter-arrival times. We modified both approaches so that they can also be applied to the detection of retransmission-based covert channels. Our initial results indicate that the ε-similarity can be considered a promising detection method for retransmission-based covert channels while the compressibility itself provides insufficient results but could potentially be used as a classification feature. In other words, there are limits to countermeasure variation. Some approaches might work well for multiple hiding patterns while they do not work well for other patterns.

2. Message Ordering Pattern:

There is one new paper (probably several other papers will follow in the coming years) where we show the feasibility of countermeasure variation for the Message Ordering (formerly PDU Ordering) pattern.

S. Wendzel: Protocol-independent Detection of `Messaging Ordering' Network Covert Channels, in Proc. Third International Workshop on Criminal Use of Information Hiding (CUING 2019), ACM, 2019 (in press).

A message ordering covert channel changes the order of PDUs (protocol data units, i.e. packets) transferred over the network to encode hidden information. The advantage of these channels is that they cannot be blocked easily as they do not modify header content but instead mimic typical network behavior such as TCP segments that arrive in a different order than they were sent.

Contribution: In this paper, we show a protocol-independent approach to detect message ordering channels. Our approach is based on a modified compressibility score. We analyze the detectability of message ordering channels and whether several types of message ordering channels differ in their detectability.

Results: Our results show that the detection of message ordering channels depends on their number of utilized PDUs. First, we performed a rough threshold selection by hand, which we later optimized using the C4.5 decision tree classifier. We were able to detect message ordering covert channels with an accuracy and F1 score of ≥ 99.5% and a false-positive rate < 1% and < 0.1% if they use sequences of 3 or 4 PDUs, respectively. Simpler channels that only manipulate a sequence of two PDUs were detectable with an accuracy and F1 score of 94.5% and were linked to a false-positive rate of 5.19%. We thus consider our approach suitable for real-world detection scenarios with channels utilizing 3 or 4 PDUs while the detection of channels utilizing 2 PDUs should be improved further.

___
* A summary of all known hiding patterns can be found here.
