legitimate connections in the network intact or undisturbed. In other words, in order to have

Transcription

1 Volume 5, Issue 4, April 2015 ISSN: X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: Special Issue on Impact of Technology on Skill Development Conference Held at IETE Amravati Center, Maharashtra, India DMRF based Active warden for Storage Covert Channel Defense D. M. Dakhane, Dr. P. R. Deshmukh Abstract Minimal Requisite Fidelity (MRF) is a measure of information or data alteration that results in the destruction of covert communication specifically for the storage covert channels, and it is acceptable to the receiver end points. Network protocols have been design with well-defined syntax and semantics and MRF factor can be precisely define for various protocol fields and an appropriate measure of modification can be introduced for preserving the functionality overt communication, but at the same time disrupting covert communication. In this context our proposed model is Definite Minimal Requisite Fidelity (DRMF). It can be measured in conjunction with the protocol normalization. In this model an active warden is design for eliminating all possible potential storage based covert channels by normalizing the packets when they arrives at the gateway system. Index Terms Covert channels, Minimal Requisite Fidelity Network Protocols, Storage Covert Channels. I. INTRODUCTION The concept of Minimal Requisite Fidelity (MRF), which we define as the degree of signal fidelity that is both acceptable to end users and destructive to covert communications [6]. MRF determines the limit of distortion we can introduce to a carrier channel in an attempt to foil any covert or subliminal channels. For the defender, it defines an upper-bound in the amount of modifications to the channel. This gives an advantage to the defender, because potentially this can greatly decrease or eliminate the capacity of the covert channel. For unstructured carriers that lack well- defined syntax or semantics, MRF is defined by human perception, but for structured carriers, well-defined semantics give us high assurance that a warden can completely eliminate certain subliminal or covert channels. Further, the MRF paradigm, as applied to network packets, includes an emerging area of research into exploiting and correcting ambiguities that create opportunities for intrusion detection evasion. Minimal Requisite Fidelity (MRF) [1] which is introduced by Fisk et al. in the context of active wardens. MRF is a measure of distortion which can be introduced to a potential steganography or covert carrier's in order to counter a covert communication while still providing legitimate end-user acceptance of the communication. This means that the MRF is an measure which gives us potential overview about up to what extend the covert communication is blocked or eliminated by keeping the legitimate connections in the network intact or undisturbed. In other words, in order to have a better and reliable system the parameter of Minimal Requisite Fidelity must be satisfied by the active warden system respectively. er the rate of Minimal Requisite Fidelity lower is the covert communication and as the consequences of these the legitimate connection or overt communication would not be disturbed. This parameter in the context of active warden is extremely important. With this concern, we are propose the Definite Minimal Requite Fidelity parameter in the context with the design of our Active warden. In context of our proposed model the Definite Minimal Requisite Fidelity (DRMF) can be measured in conjunction with the protocol normalization. In our proposed model, the active warden which we designed, is filtering or eliminating all possible potential storage based covert channels by normalizing the packets when they arrives at the gateway. Wardens have frequently been discussed as actors in a security system, but in our model, an active warden is a network service that is architecturally similar to a firewall, but functionally quite different. Like a firewall, warden is implements a site s security policy. To prevent attacks from the outside, inside, or both, the warden modifies all traffic to remove many, if not all, of the carriers that can be used for covert channels, subliminal channels, intrusion detection evasion, and even some forms of attacks. Because this warden is a network service, it must be concerned not only with the application data that it handles, but also with the network protocols used to exchange data. One way to prevent the use of covert channels and subliminal channels across a network is to drastically alter all data that passes across that network and that may be used as a carrier. An alternate technique for preventing the successful use of covert channels is, to distort potential carriers just enough that any types of covert and subliminal channels become unusable. If done carefully, the overt users of the carriers remain unaware of these modifications. We describe this modification of traffic as imposing Definite Minimal Requisite Fidelity (DRMF). This term captures the essence of both the opportunity for data embedding and a warden s defence. The basic premise is that for any communication there is some fidelity at which the data is interpreted by the recipient. II. RELATED WORK The overall effective defence mechanisms for network 2015, IJARCSSE All Rights Reserved Page 286

2 storage channels for IPv4 are protocol scrubbers[2], traffic normalization [3] and an active wardens [1,4,5,6]. The objective for protocol scrubbers and traffic normalisers is to removing the ambiguities in network traffic. Depending upon implementing the protocol stack, ambiguous network packets have different interpretation at the receiver side. When attacker are used any kind of storage base covert channels, it certainly generate ambiguous traffic. Handley and Paxson[3], describe IP, UDP, TCP, and ICMP normalizations based on protocol specification. This work on preserving the end-to-end protocol semantics so that overt communication wills not disturb. An active warden was introduced by Simmons [7] as part of the Prisoners Problem and this same approach has been subsequently used in [1, 4, 5, 6]. Active wardens, as presented by Fisk et al. [1], are network services resembling a firewall that modify all traffic under the assumption that it is carrying steganography or covert content. This approach is for modification of all the contents those are actually forge the header field which may change the semantics of TCP, UDP IP etc. III. PROPOSE MODAL A. DMRF for Proposed System Unlike the unstructured carriers where the carrier semantics are not standardized. i.e. When payloads contains audio,video or plaintext,in such cases the structural semantics of the carriers are completely implementation specific to that application domain. However when it comes to structured carriers like TCP/IP protocol stack, the entire packets follows the strict structural semantics. Which is ultimately follows the common standard specification of TCP/IP, defined in the standard RFC's {RFC Numbers, TCP, IP, ICMP} respectively. Any network packet that are not following these semantic rules or standard or somehow lost or tampered there structural semantics are treated as a suspicious or malicious. These types of network packet are analysed by the statistical based active warden system and can be identify as a malicious packets. But in some cases the potential users of covert communications follows these structured semantics in order to look like legitimate users, but intentionally making covert communication by making slight changes into the TCP/IP semantics of the network packets in such a cases it is difficult for the active warden in order to distinguish these channels from the legitimate one's respectively. Here in this proof of concept as we discussed previously we have normalized the TCP traffic at following layers Transport, Internet, Network, as a consequences of this the normal legitimate connections that carries the transport layer payload will not going to be disturbed anymore when the traffic goes through our proposed active warden system. It means that when the traffic reaches to our active warden system we are reforming the structural semantic of the TCP/IP packet in order to eliminate any possible covert channels that are exploited by the potential covert users through it. As our proof of concept suggests that we are making the on behalf connection with the intended destination of the sender in the given network so as a result of this the sender supposed that he is directly communicating with the destination system but in practice the active warden make the TCP connection with the destination system that the sender is willing to establish a connection. So as per this rule of active warden the active warden will intercept the entire transport layer payload exchanged between the sender and receiver without disturbing or modifying the semantics or data in the transport layer payload respectively. As in the case of stenographic channels the covert or steno information can be send to the user at other side by simply embedding the covert information in TCP payloads like in the image pixels or in some other multimedia contents like audio or video, etc. So in such a cases the active warden system has to apply some strict rules over such a unstructured carriers in order to filter out or detect the covert information in transport layer payloads, etc. As a consequences of this there is a possibility that some of the legitimate or overt data in the payload may be get distorted; as a result of these rules or filtration by the active warden system. So because of this the MRF factor is gets affected making the indication that the normal connection is being distorted up to some extent. But in our case we are not normalizing the protocol semantics of application layer, as a consequences of these the MRF factor is not affected and the normal communication is also not disturbed. It is not modifying any semantics in the TCP/IP packet in order to eliminate the covert information from them, so the MRF factor or the standard semantics of the TCP/IP packets are get disturbed. In other words, the MRF or other structural semantics of the transport layer payload remains untouched when the traffic passes through our active warden system. This approaches shown in following figure 1. Fig 1. Definite Minimal Requisite Fidelity An alternate technique for preventing the successful use of covert channels is to distort potential carriers just enough that any covert and subliminal channels in those carriers become unusable. If done carefully, the overt users of the carriers remain un- aware of these modifications [1]. As we have already covered in previous discussion. The basic premise is that for any communication there is some fidelity at which the data is interpreted by the recipient. The possible intended carriers for transmission of covert information can be of two types these are, unstructured carriers and structured carriers. 2015, IJARCSSE All Rights Reserved Page 287

3 carrier forms. The term unstructured carriers are generally TABLE I used in the context of steganography, or similar king of TCP/IP FIDELITY SPECTRUM TABLE Protocol Field Purpose Fidelity covert channels. But our proposed model of active Spectrum warden is not intended for IP Type of Low removing unstructured anomalies from the network Service traffic. There are several other ways of removing the covert anomalies from the unstructured based stego channels. IP IP identificat ion This field is rarely used, thus the use of this field would be suspicious when it is set to a non null value. We should also mention that the bits 6 and 7 in this field are specified to be set to 0. The values of this field are generated randomly, by the TCP/IP stack. But for packets belonging to the same connection and the same flow, the IP identification field is incremented by 1. This field contains the IP address of the source system. This field contains the IP address of the Destination system. IP Source IP Address IP Destinatio n IP Address IP Timestam The values of the timestamps p IP should increase from a jump to option another hop. IP Protocol This field contains the type of protocol present in the Internet layer payload of the TCP/IP packet. IP Padding Bits These bits are used to align the packet length to fit the requirement. IP Checksum Used to maintain the integrity of the IP datagram. TCP ISN(initia Used for three way handshake, l sequence during the initiation of TCP number) Connection. TCP Urgent Pointer The Urgent Pointer field is interpreted only if the URG bit is set. Used in some special case when the packet needs urgent delivery. Used as flags to indicate various cases at the transport layer. Used to link to application level processes over network. TCP Reserved bits TCP Source and Destinatio n Port TCP Checksum Used to maintain the integrity of the TCP datagram. Moderate Low Moderate Low 1. Unstructured Carriers: The attacker of the covert channel can intentionally obfuscate the semantics of the TCP/IP packet in kind of several steno based covert channels, the covert channels exploiting the semantics of the transport layer payload can be considered as to be unstructured carriers, which is used to transmit covert information using these unstructured carriers; the unstructured carriers are those kind of carriers which doesn't have standard specification for the semantics of such a carriers. A simple example of such unstructured carriers can be plain text that can be transmitted as transport layer payload directly. The premises of using covert channel exploiting unstructured carriers are difficult to detect covert anomalies from these carriers. As we can see from above discussion the unstructured carriers doesn't have specification for their semantics, so it is easy for covert attacker in order to exploit covert data using these 2. Structured Carriers: The structured carriers are those which follow some strict structural semantics as per the standard specifications. Unlike the unstructured carriers like plain text which doesn't follow some fixed structural semantics, the structured carriers are agreed upon some predefined standards, which is called as to be protocol. The intended attacker of the covert channels exploit these structural semantics of the carriers in such a way that they seems to be legitimate one, but contains potential covert information which is get hidden inside the structural semantics of the TCP/IP packet such a carriers are said to be structured carriers for transmitting covert information. Many techniques has been derived in order to exploit the potential covert information using such a structured carriers respectively. The covert algorithm exploiting such a carriers target the structural semantics of the carriers in such a way that they, embed covert data in these carriers without harming the other semantics of the carrier. The term structured carriers are usually used in standard protocols like TCP/IP; the TCP/IP is an standard protocol for exchanging the data over internet today, and as it is an standard it follows some structured semantics. The covert channels can be exploited in order to use these carriers in order to transfer there covert information to the other end without awareness to the rest of the network entities respectively. The structured carriers can be exploited by the various covert algorithm techniques like nushu,lathra,rowland,etc. All of these algorithms are the storage covert channels, these channels exploits the structural semantics of the TCP/IP packet respectively. In order to eliminate the anomalies of these kinds can be done by using technique like protocol normalization, which is used by the active warden design proposed in this paper respectively. This is the reason why we are imposing our focus in order to eliminate potential covert channels through such carriers; the proposed model of active warden system eliminates the covert information that can be exploited using the various fields of the TCP/IP packet headers respectively. This examination leads to a formal expression of Minimal Requisite Fidelity. Network protocols such as the TCP/IP family of Internet protocols define both syntax for network packets as well as the semantics used by systems exchanging packets. The syntax is the data format for packets that traverse the network. This syntax is not unlike the image encoding format of some unstructured carriers. What makes structured carriers different is the additional specification of semantics that describe how a packet is interpreted and what actions the end host will make based upon that packet. In order to understand the possible feudalities that can be produced by the covert anomalies in the structured carriers can be depicted in the following table, the table 2015, IJARCSSE All Rights Reserved Page 288

4 shown below depicts the potential header fields in the function is f(pnorm[itx - Tp]) which is function which TCP/IP fields through which the covert data can be does the actual working of protocol normalization on input embedded. traffic but excluding the transport layer payload therefore itx - Tp shows the input traffic excluding transport layer The above table describes the various header fields that payload Tp respectively. From above expression it is can be exploited by the potential attacker in order to clear that the active warden does it's processing but transfer the covert information over network. In above without affecting the transport layer payload respectively. table as we can see we have listed various fields and the Therefore it is clear that if the transport layer payload is possible fidelity spectrum that can be affected as a kept untouched then the MRF factor in the context of consequences of exploiting the covert channels using these legitimate user is preserved and the MRF factor is fields. The fidelity spectrum in above table is a parameter preserved as well. which describes the potential fidelity that can affect to the But there might be another case where the MRF factor legitimate user as while the covert attacker uses above can be affected. This can be happened when the packet fields as covert channels. From this we can see that the fidelity is affected during the process of protocol degree or amount of fidelity for every TCP/IP header normalization by the active warden system, this situation fields are different and affects the legitimate data of the is important, because in case where the packet headers is overt user respectively. tampered during the process of active warden The potential cause of overt data of legitimate user can normalization this case should be depicted in terms of be categorized as low, moderate and high respectively. MRF, here we are not promising any standard formulation The degree of these categories depends on the header for the term MRF, instead just trying to elaborate the term fields used by the potential attacker to transmit the covert in the context of our proposed model of active warden. data respectively. Maximized the degree of fidelity Here as stated there can be such a situation where the spectrum increases the potential probability for distorting packet header is being tampered during the process of the legitimate data of the overt user respectively. It is normalization this case can be affected by formulating it in important to minimize such distortion of legitimate data of the following way; but here ultimately we are just the overt user. But this is covered in the context of covert guessing the probability of in what case it can be channels, here we need to assume the same situation but in happened. the context of active warden which should always persist the Minimal requisite fidelity, while eliminating the potential covert channels from the TCP/IP packet by f(1) f(itx)->f(atx)->f(otx) normalizing the TCP/IP packets respectively. f(3) f(atx) = f(pnorm[itx - Tp]) B. Formulating DMRF Fill the text from your manuscript in different sections. Here as we already described we are doing the protocol normalization at Transport, Internet and Network layers respectively. We are not manipulating the transport layer payload, so as consequences of these the MRF factor in the context of legitimate user is preserved, because no processing is done on application level data respectively. This can be expressed mathematically as below; here: f(1) f(itx)->f(atx)->f(otx) f(itx) = function generating input traffic f(atx)=function reflecting active warden system f(otx)=function reflecting output traffic from active warden system therefore, f(2) f(otx) = f(a(f(pnorm[itx - Tp]))) As we can see in above expression, it represents the functioning of active warden system. Here f(otx) is the function representing output traffic generated after the active warden does the protocol level normalization in order to eliminate the possible covert channels from the input traffic. As we stated earlier the function above f(ax) represents the active warden system, the input to this f(4) f(pnorm[itx - Tp]) = [f(pnorm[th]) + f(pnorm[ih]) + f(pnorm[nh])] Tp f(5) f(oth) = f(pnorm[th]) = f(kgen[th]) f(6) f(oih) = f(pnorm[ih]) = f(kgen[ih]) f(7) f(onh) = f(pnorm[nh]) = f(kgen[nh]) As we can see above the first line f(1) is same as stated in the last section. The second line f(3) represents function of active warden is depicted as function normalizing the TCP/IP traffic excluding the transport layer payload. Next statement f(4) shows that the function of protocol normalization by the active warden is the combination of normalizing the transport layer header f(pnorm[th]) and internet layer header f(pnorm[ih]) and network layer header f(pnorm[nh]) respectively. In the next statements f(5),f(6) and f(7) shows that what these protocol normalization functions at each layers does; as we can see above the function f(kgen[th]) depicts that the kernel at active warden system regenerates the transport layer header as consequences of simple protocol normalization and then these newly generated headers are formed in TCP/IP packet and transmitted to the intended destination as per the protocol specified by the active warden system; similarly f(kgen[ih]) and f(kgen[nh]) does the same as in the case of f(5) respectively. So from the above expressions it is clear that the function of protocol normalization f(3) is entirely kernel dependent at active warden system respectively; therefore the function of active warden system always preserve MRF factor, 2015, IJARCSSE All Rights Reserved Page 289

5 because generating the transport, internet and network From above result it is clear that the function of blocking layer headers are the part of kernel level functionality or eliminating the covert information from the TCP/IP therefore the active warden system only uses the traffic doesn't affect or harm the DMRF factor predefined conventions in order to normalize the input respectively. Because as formulated in section we traffic; also the kernel generated headers follows strict seen that the DMRF factor corresponds to the amount of structural semantics as a result of this the MRF factor is fidelity the legitimate data with respect to the percentage preserved because the normalization is does by following of covert data eliminated or blocked is negligible in the standard semantics as per the W3c community. context of legitimate data for the overt users. C. DMRF Result Analysis In this section we can describe how the MRF factor can be depicted in terms of result as shown in the following figure the flowing figure depicts how the active warden system eliminates the covert data transmitted through TCP SQN reference model and IP ID reference model respectively. On the X-axis it shows percentage of blocking the covert information respectively. In the following chart it actually shows that even though the active warden system eliminates the covert data but it also preserves the factor of DMRF respectively. IV. CONCLUSION DMRF for the proposed active warden is the measure of efficiency of the active warden against different kinds of the storage covert channels. As our experimental results that the proposed an active warden is proved most efficient against the NUSHU and covert_tcp (rowlands code). Where it blocks 100% of the covert data. And against the reference model the DMRF of active warden varies depending upon the tcp / IPv4, 8/16/32 bit reference model. For NUSHU and covert_tcp the DMRF of active warden is highest. for reference model it is quite high though it is slightly lower than that of NUSHU. Fig 2. Comparison of TCP SQN and IPID Reference Model From these results we can say that as we embed more number of bits per packet for the covert communication the chances of the data getting blocked by the active warden increases. This is because the probability of occurrence of same bit on a particular position decreases with increase in the number of bits we are embedding in a packet. For example if we embed only one bit in the packet the chances of this bit remain the same even after passing through active warden is 50%. As one bit can either be 0 or 1 so after passing through active warden the bit can be 0 or 1 only. That means the probability of data bit remains the same will be 1/2 = 0.5 = 50%. Similarly if we increase the number of bits and now we are embedding two data bits the chances of both the bits remaining same will be 25 % for 8 bit data per packet it will become 1 / 256. Where 256 is the number to total combinations that can be formed out of 8 bits. In other 255 combinations at least 1 bit will be different so the actual data we want to communicate will be disturbed. For 16 bit data per packet it becomes 1 / and for 32 bit data per packet it becomes 1 / REFERENCES [1] Gina Fisk, Mike Fisk, Christos Papadopoulos, and Joshua Neil. Eliminating steganography in Internet traffic with active wardens. In Job Oostveen, editor, Information Hiding: Preproceedings of the Fifth International Workshop, pages 29 46, Noordwijkerhout, The Netherlands,October 7-9, Springer. [2] G. Robert Malan, David Watson, Farnam Jahanian, and Paul Howell. Transport and application protocol scrubbing. In Proceedings of the IEEE INFOCOM 2002 Conference, pages , Tel-Aviv, Israel, March 26-30, [3] Mark Handley and Vern Paxson. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. In Proceeding of the 10th USENIX Security Symposium, Washington, DC, USA, August 13-17, USENIX Association [4] Ross Anderson. Stretching the limits of steganography. In Ross Anderson, editor, Information Hiding: Proceedings of the First International Workshop, pages 39 48, Cambridge, U.K., May 30-June 01, Springer. [5] Ross J. Anderson and Fabien A.P. Petitcolas. On the limits of steganography. In IEEE Journal of Selected Areas in Communications: Special Issue on Copyright and Privacy Protection, pages , May [6] Scott Craver. On public-key steganography in the presence of an active warden. In David Aucsmith, editor, Information Hiding: Proceedings of the Second International Workshop, pages , Portland, Oregon, U.S.A., April 14-17, Springer. [7] Gustavus J. Simmons. The prisoners problem and the subliminal channel. In David Chaum, editor, Advances in Cryptology, Proceedings of CRYPTO 83, pages Plenum Press, , IJARCSSE All Rights Reserved Page 290

6 AUTHOR D M Dakhane. Associate Professor, Computer Science & Engineering Department Sipna College of Engineering & Technology, Amravati. Dr. P R. Deshmukh. Professor Electronics & Tele-communication Department P D Polytechnic, Amravati. 2015, IJARCSSE All Rights Reserved Page 291