Dienstag, 11. September 2018

`Countermeasure Variation' to Detect Network Covert Channels

In two upcoming papers, we introduce the concept of `countermeasure variation'. In covert channel/steganography research, the goal of a countermeasure is typically to detect, limit, or prevent a covert channel. However, there is a problem: there are just too many possible ways to create covert channels to detect them all, i.e. one needs numerous countermeasures to detect all the potential covert channels. This is impractical and results in tons of code if one would create a separate countermeasure for all of them. I personally believe that it would be better to have as few lines of code as possible that could somehow be parametrized and work for multiple covert channels.

Moreover, there are new covert channels arising every now and then for which no countermeasures are known. For this reason, it would be beneficial to find some way to apply the ideas of existing countermeasures to such a new covert channel technique.

In 2015, we initially proposed an early form of the idea of countermeasure variation in a journal paper (appeared in ACM Comp. Surv.). Countermeasure variation is the idea of `transforming' a countermeasure that was designed to detect one specific covert channel so that it can also detect other covert channels. The core idea is to take one countermeasure, change the parameters that are inserted into it (e.g. packet sizes instead of inter-arrival times) and adjust some threshold of its output value, and then be able to detect an entirely different covert channel with the countermeasure. This would reduce the amount of required code (per covert channel that has to be detected) and the number of fundamentally different countermeasures to be applied in parallel. Also would it allow to transform existing countermeasures to upcoming covert channels. However, up to now, nobody has shown the feasibility of countermeasure variation.

The first paper to show the feasibility of countermeasure variation will be presented in November 2018 at CECC:

S. Wendzel, D. Eller, W. Mazurczyk: One Countermeasure, Multiple Patterns: Countermeasure Variation for Covert Channels, in Proc. Central European Security Conference (CECC'18), ACM, 2018/in press.

In this paper, we exemplify countermeasure variation using the so-called compressibility score originally presented by Cabuk et al. The compressibility score is used to detect covert channels of the ‘inter-packet times’ hiding pattern* and we show that countermeasure variation allows the application of the compressibility score to detect covert channels of the ‘size modulation’ pattern.
In other words, we use a countermeasure designed to detect a type of covert timing channel and apply it to a type storage channel.

In the same month (two weeks later), we show that countermeasure variation also works for other countermeasures and hiding patterns. Our second paper will be presented at NordSec:

S. Zillien, S. Wendzel: Detection of covert channels in TCP retransmissions, in Proc. 23rd Nordic Conference on Secure IT Systems (NordSec), Springer, 2018 (accepted). [just contact me if you want the PDF file]

In the NordSec paper, we describe the implementation and detection of a novel approach for a TCP retransmission-based covert channel. We implemented and evaluated two statistical detection measures that were originally designed for inter-arrival time-based network channels, namely the ε-similarity and the compressibility score (the compressibility score is the same as above for the first paper). The ε-similarity originally measures the similarity of two timing distributions. The compressibility indicates the presence of a covert channel by measuring the compression ratio of a textual representation of concatenated inter-arrival times. We modified both approachs so that they can also be applied to the detection of retransmission-based covert channels. Our initial results indicate that the ε-similarity can be considered a promising detection method for retansmission-based covert channels while the compressibility itself provides insufficient results but could potentially be used as a classification feature.

In other words, there are limits to countermeasure variation. Some approaches might work well for multiple hiding patterns while they do not work well for other patterns.

* A summary of all known hiding patterns can be found here.

Keine Kommentare:

Kommentar veröffentlichen