Dienstag, 11. September 2018

`Countermeasure Variation' to Detect Network Covert Channels

In two three new papers we introduce the concept of `countermeasure variation'. In covert channel/steganography research, the goal of a countermeasure is typically to detect, limit, or prevent a covert channel. However, there is a problem: there are just too many possible ways to create covert channels to detect them all, i.e. one needs numerous countermeasures to detect all the potential covert channels. As shown in the table, countermeasures target only one type of covert channel. For instance, the compressibility can be used to detect timing channel that signal hidden information using inter-arrival times.

However, there are new covert channels arising every now and then for which no countermeasures are known. For this reason, it would be beneficial to find some way to apply the ideas of existing countermeasures to such a new covert channel technique, i.e. to determine whether the blue question marks in the following table can be addressed.

We present the concept of Countermeasure variation (CV). Without going into details, we can say that countermeasure variation is the idea of `transforming' a given countermeasure that was designed to detect one specific covert channel of a given pattern so that it can also detect other covert channels (of another pattern). The core idea is to take a given countermeasure, change the parameters that are inserted into it (e.g. packet sizes instead of inter-arrival times) and adjust some threshold of its output value, and then be able to detect an entirely different covert channel with the transformed countermeasure. This would reduce the amount of required code (per covert channel that has to be detected) and the number of fundamentally different countermeasures to be applied in parallel. Also would it allow to transform existing countermeasures to upcoming covert channels.

The first paper to propose countermeasure variation and that exemplifies its feasibility was presented at CECC'18:

S. Wendzel, D. Eller, W. Mazurczyk: One Countermeasure, Multiple Patterns: Countermeasure Variation for Covert Channels, in Proc. Central European Security Conference (CECC'18), ACM, 2018.

In the CECC paper, we exemplify countermeasure variation using the so-called compressibility score originally presented by Cabuk et al. The compressibility score is used to detect covert channels of the ‘inter-packet times’ hiding pattern* and we show that countermeasure variation allows the application of the compressibility score to detect covert channels of the ‘size modulation’ pattern.
In other words, we use a countermeasure designed to detect a type of covert timing channel and apply it to a type storage channel.

However, a much more precise definition of the term `countermeasure variation' can be found in the follow-up journal paper:

S. Wendzel, F. Link, D. Eller, W. Mazurczyk: Detection of Size Modulation Covert Channels Using Countermeasure Variation, Journal of Universal Computer Science (J.UCS), accepted.

In another paper, we show that countermeasure variation also works for other countermeasures and hiding patterns:

S. Zillien, S. Wendzel: Detection of covert channels in TCP retransmissions, in Proc. 23rd Nordic Conference on Secure IT Systems (NordSec), Springer, 2018.

In the NordSec paper, we describe the implementation and detection of a novel approach for a TCP retransmission-based covert channel. We implemented and evaluated two statistical detection measures that were originally designed for inter-arrival time-based network channels, namely the ε-similarity and the compressibility score (the compressibility score is the same as above for the first paper). The ε-similarity originally measures the similarity of two timing distributions. The compressibility indicates the presence of a covert channel by measuring the compression ratio of a textual representation of concatenated inter-arrival times. We modified both approaches so that they can also be applied to the detection of retransmission-based covert channels. Our initial results indicate that the ε-similarity can be considered a promising detection method for retansmission-based covert channels while the compressibility itself provides insufficient results but could potentially be used as a classification feature.

In other words, there are limits to countermeasure variation. Some approaches might work well for multiple hiding patterns while they do not work well for other patterns.

* A summary of all known hiding patterns can be found here.

Keine Kommentare:

Kommentar veröffentlichen