Mittwoch, 12. Dezember 2018

Covert Channels with Quality of Service (QoS) Functionality

Classically, with the IP Type of Service (ToS) field, and nowadays with the Differentiated Services (DiffServ) field, IP can be used request route configurations, such as a route with a low delay or minimized packet loss. This allows to "configure" a transfer for different purposes. For instance, a video stream can deal with loss of a few packets but for a download, all lost packets would be required to be sent again. The umbrella term for ToS/DiffServ features is Quality of Service (QoS). Such QoS features could potentially also be used for botnet communications and their C&C channels (probably using stealthy network covert channels).

While preparing a lecture for one of the classes that I teach, I remembered something that I almost forgot: We already worked on QoS for network covert channels back in 2011. In this paper, we have shown that we can especially optimize for minimal overhead and minimized packet count for a given data transfer. This allows the optimization of a covert channel for different purposes, e.g. a password leaking program that only transfers one cracked password per hour can deal with a low throughput but requires maximum stealthiness and thus could select a method that requires to the transfer a minimum of packets. On the other hand, a program that needs a better bitrate, e.g. a covert video stream, could optimize its covert channel configuration in a different manner. The paper also mentions the fact that different protocols (or covert channel techniques) are linked to a different detectability. For instance, one could optimize the stealthiness of a multi-protocol covert channel if each protocol i (or better: each covert channel technique) is assigned a covertness level e.g., ci ∈ {1, 2, 3} (where a higher value indicates a higher covertness). To achieve this, one could then maximize some function f using linear optimization:

f = ∑ pi ci.

We consider the inclusion of all protocols using some small threshold as described in the paper. Including more protocols renders a forensic analysis more difficult. We presented also other approaches for optimization. Of course, one could also combine multiple factors for optimization, if desired.

We worked on some follow-up papers, especially in 2012, cf. [here] and [here]. But the paper mentioned above introduces the foundation for both of the 2012-papers.

Keine Kommentare:

Kommentar posten