Issue No.06 - Nov.-Dec. (2012 vol.9)
pp: 890-902
Xiapu Luo, The Hong Kong Polytechnic University, Hong Kong
Edmond W.W. Chan, The Hong Kong Polytechnic University, Hong Kong
Peng Zhou, The Hong Kong Polytechnic University, Hong Kong
Rocky K.C. Chang, The Hong Kong Polytechnic University, Hong Kong
The problem of communicating covertly over the Internet has recently received considerable attention from both industry and academic communities. However, the previously proposed network covert channels are plagued by their unreliability and very low data rate. In this paper, we show, through a new class of timing channels called Cloak, that it is possible to devise a 100 percent reliable covert channel that nevertheless offers a much higher data rate (up to an order of magnitude) than the existing timing channels. Cloak is novel in several aspects. First, Cloak uses the different combinations of N packets sent over X flows in each round to represent a message. Because of the combinatorial nature of the encoding methods, the channel capacity increases substantially with (N,X). Second, based on the well-known 12-fold Way, Cloak offers 10 different encoding and decoding methods, each of which has a unique tradeoff among several important considerations, such as channel capacity and camouflage capability. Third, the packet transmissions modulated by Cloak can be carefully crafted to mimic normal TCP flows for evading detection. We have implemented Cloak and evaluated it on PlanetLab and in a controlled testbed. The results show that it is not uncommon for Cloak to achieve an order-of-magnitude improvement in channel goodput over the IP Timing channel and JitterBug. Moreover, Cloak does not suffer from any message loss under various loss and reordering scenarios.
Timing, Decoding, Encoding, Watermarking, Channel capacity, Internet, covert channel detection, Network covert channel, timing channel, Enumerative Combinatorics, TCP
Xiapu Luo, Edmond W.W. Chan, Peng Zhou, Rocky K.C. Chang, "Robust Network Covert Communications Based on TCP and Enumerative Combinatorics", IEEE Transactions on Dependable and Secure Computing, vol.9, no. 6, pp. 890-902, Nov.-Dec. 2012, doi:10.1109/TDSC.2012.64