Detecting Covert Timing Channels Using Normalizing Weights


Edna Milgo, TSYS Department of Computer Science, Columbus State University, Georgia, USA. milgo edna@colstate.edu. Submitted on 06/04/2009.

Abstract

Covert timing channels use unused space in packets to breach the security of network traffic. Information is sent according to whether or not a synchronizing event occurs within a given time slot. The resulting on/off pattern can later be interpreted by the attacker as a series of 1s and 0s and may even be used to send large amounts of information in a short time. Attackers evade detection by mimicking legitimate traffic and by varying the delays. We propose a method that captures both the regularities and the irregularities in network traffic in order to determine whether it is legitimate or a covert timing channel. We use weighted values to normalize the irregular patterns, and based on the normalized distribution graph the system can determine whether a covert timing channel is present.

1 Introduction

Covert channels are illegitimate network channels that an attacker can use to breach security policies by sending information without the knowledge of the sender [1, 4]. Covert timing channels use synchronized timing to communicate information, either by delaying synchronization for a given interval or by skipping the interval altogether. They cause a security breach by channeling sensitive private information when exploited by malicious software [5, 4]. Covert timing channels are classified by their relationship to the legitimate channel. An active covert timing channel creates a new connection alongside a legitimate one and uses it to communicate, whereas a passive covert timing channel finds unused packet space in the legitimate traffic without creating a new connection. Passive covert channels are hard to detect because they depend on legitimate traffic and are therefore hard to distinguish from it.

Another classification is based on the resource affected, namely storage and timing [1]. Storage covert channels are used to directly or indirectly write to or read from a memory location. Timing covert channels use CPU synchronization to convey a message each time a clock is triggered. The attacker's system first has to negotiate the mode of communication with the attacked system [1]: the two sides identify the start signal and the time interval of each communication, and they also agree on the definition of the silent period. The receiver then analyzes the information based on when the trigger was made, where a connection represents 1 and silence 0, and reconstructs meaningful information from the binary bits.

The regularity of the traffic pattern of a covert channel could be used to distinguish it from legitimate traffic, but attackers have devised ways to evade this by varying the delay time at a given interval. Much research has been done on ways of disrupting or stopping covert timing channels [3], most of it using statistical methods of detection. Statistical tools alone are suitable only if the attacker follows a strict statistical pattern, i.e. the channel communication is regular. Attackers have hardened their channels against detection by varying the pattern, introducing delays into the connection that make the pattern irregular. Another challenge for the statistical approach is the need to collect a sufficient amount of data from a covert channel before one can analyze it and prove that the communication has been compromised. This raises two major concerns for the system: 1) the attacker is identified only after he has already gathered information from the system, because the attacker's communication continues undisrupted during the analysis session; and 2) resources, including bandwidth, memory and system time, are consumed during the data analysis, and in some cases a very detailed analysis may show the traffic to be legitimate after all. There is therefore a need for a fast, approximate detector of covert channels whose processing does not consume many resources. In [2], the authors proposed an entropy approach for detecting covert timing channels that follow an irregular pattern by using distribution bins. This method is suitable when the data range is small but may give varying results when the data is large.

We present an approach based on the entropy approach and introduce a weight w, a measure of the rate of delay, which is used to normalize the distribution graph. The main contributions of this scheme are:

- Design of a covert timing channel detection method that is robust to high jitter and irregular patterns. We normalize our distribution graphs based on the weighted value of the delay intervals.
- Design of a real-time detection that conserves bandwidth and is fast, so as to avoid causing unnecessary traffic. The data is sampled randomly, and the weight calculation and analysis are done offline.

Our approach is based on both statistical evaluation and fuzzy logic. The rest of the paper is organized as follows: related work is described in Section 2 and the proposed scheme in Section 3. In Section 4 we present conclusions and directions for future work.

2 Related work

Various covert channels have been developed and used to test a system's vulnerability to covert timing channels. Most of the research has focused on the detection of active covert timing channels. Cabuk [1] describes a scheme that can be used to detect and block covert timing channels in the TCP/IP section of the network layer. He first describes how an attacker could exploit the data section of the packet, owing to its inconsistent pattern and size, and then demonstrates how the irregularity of the traffic can be used to distinguish it from legitimate traffic. In [2], the authors proposed an entropy approach to detecting covert timing channels. Their approach tests the irregularity of the traffic pattern, rather than the distribution of the traffic, to identify a covert channel. They use a binning strategy to compute the conditional entropy of the given traffic. This method is, however, limited when the dataset is big: the bins then tend to become so large that the usefulness of the function is reduced. The approach uses estimates based on the corrected conditional entropy to determine the entropy rate. Gianvecchio et al. [3] designed a model of the covert channel and used filters to characterize the features of legitimate traffic, while an analyzer fits the observed traffic to the model. In their scheme the model is assumed to imitate the features of ordinary traffic. This approach may have limitations where the training data does not represent the varying characteristics of the current network, and where the attacker tries to evade detection by borrowing some of the features of normal traffic.

3 Proposed Solution

Distribution function

A distribution graph is generated based on the idea proposed in [2]. The number of bins and their area are then computed such that each bin has the same area under the curve but a different width. This approach is used because of its resistance to randomness in small data sets and because it gives a uniform representation of the data, since the data is selected randomly.

Time interval and weight

The weight w is a measure between 0 and 1 whose value represents how irregular the pattern in the network traffic is. The time interval between any two delays is measured and assigned a weight based on the difference between the current delay period and the preceding delay. If all the delays have the same interval, i.e. the delay is uniform, the weight is 0 and there is no normalization of the distribution function. The zero-weight scenario is a regular covert timing channel. Where the delay varies at every clock trigger, the weight is close to 1 and the distribution graph is skewed upwards.
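As an added illustration (not code from the paper), the following Python script implements the two building blocks described above on constructed inter-packet delay (IPD) samples: equal-area binning with the corrected conditional entropy of [2], and an irregularity weight w derived from consecutive delay differences. The weight formula, the five-bin count and the 0.5-bit verdict threshold are assumptions, since the paper does not specify them; the regular, jittered and exponential delay sequences are constructed for the example.

```python
import math
import random
from collections import Counter
from typing import List, Sequence

def equal_area_edges(ipds: Sequence[float], q: int = 5) -> List[float]:
    """Interior edges of q bins that hold equal shares of the samples (q=5 assumed)."""
    s = sorted(ipds)
    return [s[len(s) * k // q] for k in range(1, q)]

def symbolize(ipds: Sequence[float], edges: Sequence[float]) -> List[int]:
    """Replace each delay by the index (0..q-1) of the bin it falls in."""
    return [sum(1 for e in edges if x >= e) for x in ipds]

def pattern_entropy(symbols: Sequence[int], m: int) -> float:
    """Shannon entropy, in bits, of the length-m symbol patterns (0 for m == 0)."""
    if m == 0:
        return 0.0
    pats = Counter(tuple(symbols[i:i + m]) for i in range(len(symbols) - m + 1))
    n = sum(pats.values())
    return -sum(c / n * math.log2(c / n) for c in pats.values())

def corrected_conditional_entropy(symbols: Sequence[int], m: int = 2) -> float:
    """CCE(m) = H(m) - H(m-1) + perc(m) * H(1) as in [2]; perc(m) is the share of
    length-m patterns seen exactly once.  Values near 0 mean a highly regular sequence."""
    pats = Counter(tuple(symbols[i:i + m]) for i in range(len(symbols) - m + 1))
    perc_unique = sum(1 for c in pats.values() if c == 1) / sum(pats.values())
    cond = pattern_entropy(symbols, m) - pattern_entropy(symbols, m - 1)
    return cond + perc_unique * pattern_entropy(symbols, 1)

def irregularity_weight(ipds: Sequence[float]) -> float:
    """w in [0, 1]: mean |delay_i - delay_(i-1)| over the mean delay, clipped to 1.
    Assumed formula; the paper only fixes w = 0 for uniform delays, near 1 for jittery ones."""
    mean_delay = sum(ipds) / len(ipds)
    if mean_delay == 0:
        return 0.0
    jumps = [abs(b - a) for a, b in zip(ipds, ipds[1:])]
    return min(1.0, sum(jumps) / len(jumps) / mean_delay)

def analyse(ipds: Sequence[float]) -> dict:
    """Return w, CCE and a verdict; the 0.5-bit CCE threshold is an assumed tuning value."""
    symbols = symbolize(ipds, equal_area_edges(ipds))
    cce = corrected_conditional_entropy(symbols)
    return {"w": irregularity_weight(ipds), "cce": cce,
            "verdict": "covert-like" if cce < 0.5 else "legitimate-like"}

# Constructed IPD samples (seconds): a regular two-delay encoding, the same
# encoding with jitter added, and exponential delays standing in for ordinary traffic.
random.seed(7)
REGULAR = [0.01, 0.03] * 100
JITTERED = [d + random.uniform(-0.002, 0.002) for d in REGULAR]
LEGITIMATE = [random.expovariate(1 / 0.02) for _ in range(200)]
```

Running analyse() on the three samples shows the regular encoding collapsing to a CCE near 0 with w near 1, while the exponential delays keep a CCE of roughly two bits; the jittered encoding sits in between, which is the case the weight is meant to expose.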

Normalization

Once the weight has been determined, the original graph is normalized: every bin is adjusted based on the weighted value of the delay. For high weights, the bins are altered in such a way that the variance and the mean increase but the distribution remains unchanged.

Results

The normalized graph tends to follow a distribution function which, when compared with the known distributions of normal network traffic, lets the system determine whether the traffic is legitimate or not: legitimate traffic follows a normal or a Poisson distribution, while a covert channel follows a Kolmogorov chain distribution.

4 Conclusion

The proposed approach is suitable for both regular and irregular timing patterns. It uses a weighted value to normalize the distribution of an irregular pattern. The algorithm proposed in [2] is used in the second part of the processing, where the weight is applied to the graph to adjust the binning scheme. The scheme uses fuzzy error detection and weighted error correction to achieve a constant and well-distributed graph. Its limitation is the extra time needed to compute the weights and normalize the graph; this overhead is, however, negligible for small data sets. Our future work will include more inputs to the detection, such as error detection, in order to achieve a higher normalizing value. The weights will also be extended to capture the weighted mean in the analysis stage.

References

[1] S. Cabuk, C. E. Brodley, and C. Shields. IP covert timing channels: design and detection. In CCS '04: Proceedings of the 11th ACM Conference on Computer and Communications Security, pages 178-187, 2004.
[2] S. Gianvecchio and H. Wang. Detecting covert timing channels: an entropy-based approach. In 2nd International Conference on i-Warfare and Security, pages 307-316, 2007.
[3] S. Gianvecchio, H. Wang, D. Wijesekera, and S. Jajodia. Model-based covert timing channels: automated modeling and evasion. Lecture Notes in Computer Science, pages 211-230, 2008.
[4] R. C. Newman. Covert computer and network communications. In Proceedings of the 4th Annual Conference on Information Security Curriculum Development, pages 1-8, 2007.
[5] A. B. Shaffer, M. Auguston, C. E. Irvine, and T. E. Levin. A security domain model to assess software for exploitable covert channels. In Proceedings of the Third ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pages 45-56, 2008.