2013 IEEE Security and Privacy Workshops
Reporting Insider Threats via Covert Channels
San Francisco, CA, USA
May 23-May 24
ISBN: 978-1-4799-0458-7
Trusted insiders that betray an organization can inflict substantial harm. In addition to having privileged access to organization resources and information, these users may be familiar with the defenses surrounding valuable assets. Computer systems at the organization need a mechanism for communicating suspicious activity that is difficult for a malicious insider (or even an outsider) to detect or block.

In this work, we propose a covert channel in the Ethernet frame that allows a computer system to report activity inside other, unrelated network communication. The covert channel leverages the differences in the framing approaches used by Ethernet and IP packets to append hidden information to an IP packet and transmit it to an organization's administrator. This stealthy communication is difficult for even advanced attackers and is challenging to block since it opportunistically uses unrelated communication. Further, since the transmission is tied to the Ethernet frame, the communication cannot traverse network routers, preventing security information from leaving the organization.

We introduce the covert channel, incorporate it into a working prototype, and combine it with an intrusion detection system to show its promise for security event reporting.
Index Terms:
Network Security,Insider Threats,Covert Channels
Citation:
David N. Muchene, Klevis Luli, Craig A. Shue, "Reporting Insider Threats via Covert Channels," spw, pp.68-71, 2013 IEEE Security and Privacy Workshops, 2013
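
The framing difference the abstract relies on can be seen from the receiving monitor's side: an Ethernet frame may carry bytes after the end of the IP datagram it encapsulates. The following Python sketch is an added example, not code from the paper or its prototype; it assumes the extra bytes sit between the IP length and the end of the frame, and `split_frame`, `classify` and `build_frame` are hypothetical names with constructed sample frames.

```python
import struct

MIN_FRAME = 60  # minimum Ethernet frame without FCS; shorter frames are zero-padded

def split_frame(frame: bytes):
    """Return (ip_len, trailer) for an Ethernet II frame; FCS assumed stripped."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    while ethertype in (0x8100, 0x88A8):  # skip 802.1Q / 802.1ad VLAN tags
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    payload = frame[offset:]
    if ethertype == 0x0800 and len(payload) >= 20:    # IPv4: total length field
        (ip_len,) = struct.unpack_from("!H", payload, 2)
    elif ethertype == 0x86DD and len(payload) >= 40:  # IPv6: 40 + payload length
        ip_len = 40 + struct.unpack_from("!H", payload, 4)[0]
    else:
        return None, b""  # not IP (or too short to tell)
    if ip_len > len(payload):
        raise ValueError("IP length exceeds captured frame")
    return ip_len, payload[ip_len:]

def classify(frame: bytes) -> str:
    """'none', 'padding' (zeros filling a minimum-size frame) or 'suspect'."""
    _, trailer = split_frame(frame)
    if not trailer:
        return "none"
    if len(frame) <= MIN_FRAME and not any(trailer):
        return "padding"
    return "suspect"

def build_frame(ip_payload_len: int, trailer: bytes = b"") -> bytes:
    """Constructed sample: Ethernet II + IPv4 header (checksum left 0) + trailer."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ip_payload_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + bytes(ip_payload_len) + trailer

if __name__ == "__main__":
    for f in (build_frame(8, bytes(18)), build_frame(8, b"ALERT:42"), build_frame(40)):
        print(len(f), classify(f), split_frame(f)[1])
```

Ordinary zero padding on minimum-size frames is the main source of benign trailers, which is why the classifier separates it from non-zero or oversized trailers.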