Anjan K,Srinath N K,Jibi Abraham

DOI: https://doi.org/10.48550/arXiv.1506.04931

2015-06-16

Cryptography and Security

Abstract:Covert channels is a vital setup in the analysing the strength of security in a network.Covert Channel is illegitimate channelling over the secured channel and establishes a malicious conversation.The trapdoor set in such channels proliferates making covert channel sophisticated to detect their presence in network firewall.This is due to the intricate covert scheme that enables to build robust covert channel over the network.From an attacker's perspective this will ameliorate by placing multiple such trapdoors in different protocols in the rudimentary protocol stack. This leads to a unique scenario of Hybrid Covert Channel, where different covert channel trapdoors exist at the same instance of time in same layer of protocol stack. For detection agents to detect such event is complicated due to lack of knowledge over the different covert schemes. To improve the knowledge of the detection engine to detect the hybrid covert channel scenario it is required to explore all possible clandestine mediums used in the formation of such channels. This can be explored by different schemes available and their entropy impact on hybrid covert channel. The environment can be composed of resources and subject under at-tack and subject which have initiated the attack (attacker). The paper sets itself an objective to understand the different covert schemes and the attack scenario (modelling) and possibilities of covert mediums along with metric for detection.

Yogesh Heda,Rinku Shah

DOI: https://doi.org/10.1109/conecct.2015.7383926

2015-07-01

Abstract:Secret communication via network has always been an area of interest for attackers. Secrete communication provide a way to discovers and leak information such that system security policies are violated. Covert channel concept for passing data secretly over a communication network existed from many years. Covert channel designer are continuously improving design techniques which create difficult to detect such channels. These channels are different from encryption and steganography. Use of covert attack may be a serious security threat as they can be used for malicious activities. Covert channels exist in most of communication system and allow individual to communicate secretly. It has not only attracted the trusted parties to communicate with each other secretly but has also attracted the hackers/attackers. Existing literature suggests that it is difficult to detect and prevent covert channel communication using traditional accuracy systems. This paper presents detailed survey of existing covert channel design, detection and prevention techniques. The author also presents the classification and comparison of the covert channel design and detection techniques.

Serdar Cabuk,Carla E. Brodley,Clay Shields

DOI: https://doi.org/10.1145/1513601.1513604

2009-04-01

ACM Transactions on Information and System Security

Abstract:A covert channel can occur when an attacker finds and exploits a shared resource that is not designed to be a communication mechanism. A network covert channel operates by altering the timing of otherwise legitimate network traffic so that the arrival times of packets encode confidential data that an attacker wants to exfiltrate from a secure area from which she has no other means of communication. In this article, we present the first public implementation of an IP covert channel, discuss the subtle issues that arose in its design, and present a discussion on its efficacy. We then show that an IP covert channel can be differentiated from legitimate channels and present new detection measures that provide detection rates over 95%. We next take the simple step an attacker would of adding noise to the channel to attempt to conceal the covert communication. For these noisy IP covert timing channels, we show that our online detection measures can fail to identify the covert channel for noise levels higher than 10%. We then provide effective offline search mechanisms that identify the noisy channels.

Ammar T. Zahary,Nesmah A. Al-Khulaidi,Muneer A. S Hazaa,Adel A. Nasser

DOI: https://doi.org/10.1109/eSmarTA59349.2023.10293582

2023-10-10

Abstract:The use of covert communications has become more widespread recently as a solution to the information security issue. Information security can be partially solved by the discovery and creation of covert routes. Covert channel use is still in its early phases, even though information security concerns are growing as a result of quick technology advancements. As a result, several problems and concerns need to be resolved, and the future plan is foggy. This paper seeks to give a thorough comparison of earlier and more recent attempts in this field. It offers a survey of the literature on the drawbacks and gaps in conventional detection techniques, emphasizing the most recent techniques for discovering and creating these covert channels while carefully considering machine learning and deep learning-based detection techniques. Additionally, it broadens the topic to cover the crucial function that these channels play in technology. Timing channels, storage channels, and hybrid channels are just a few of the ways covert channels may be utilized to transfer data. They can be used to get around security measures like intrusion detection systems and firewalls. Additionally, they may be used to steal confidential data from a system, including passwords, credit card numbers, and intellectual property. System security is seriously threatened by covert channels, and more study on covert channel production and detection is required to stay up with the changing threat environment.

Engineering,Computer Science

Muawia A. Elsadig,Yahia A. Fadlalla

DOI: https://doi.org/10.1109/ieeegcc.2017.8447997

2017-05-01

Abstract:advanced developments in intrusion detection systems (IDS) and computer network technology encourage hackers to find new ways to leak confidential information without being detected. When the interpretation of a security model adopted by a system is violated by a communication between two users, or processes operating on their behalf, it is said that the two users are communicating indirectly or covertly. A network covert channel refers to any communication channel that can be exploited by a process to transfer information in a manner that violates a system's security policy. Loopholes in network protocols attract covert channel exploitation. This paper sheds light on network covert channel countermeasures and the most recent detection and prevention methods of such channels. The achievements and limitations of these countermeasures are discussed. The paper further introduces the concept of network covert channel triangle (DSM - Development, Switching, and Micro-protocol); three elements that have the most direct positive impact in a network covert channel environment. In addition, the paper reflects on the challenges such covert channels impose.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Mrinal Ashish Khadse,Dhananjay Manohar Dakhane

DOI: https://doi.org/10.1002/cpe.8316

2024-10-28

Concurrency and Computation Practice and Experience

Abstract:A covert network channel is a communication channel in which the message is secretly transmitted to the recipient. Sometimes, covert network channels are vulnerable to multiple attacks. Therefore, the message must be properly secure. In most cases, the covert channel is used to ensure data protection and allow users to freely access the Internet. In this paper, several recent studies are reviewed on covert network channels and examine the existing works from 2015 to 2024. This review article also discusses the undetectability and reliability of different types of covert network channels. Furthermore, a detailed description of the covert network channel's ability to hide in containers is provided. Existing research on covert network channels explains a few techniques for detecting attacks in secret data communication. However, several machine learning and deep learning techniques have been discussed in this article. Additionally, this article describes the accuracy of detection through an overview of current technologies. In addition, various countermeasures to prevent attacks in covert channels are also discussed in detail. However, in this case, the bandwidth limitations, data set limitations, and covert channel capacity are clearly defined, which will help future researchers build covert network channels and detect attacks. Finally, this work considers the challenges faced by covert network channels and the future scope of application.

computer science, theory & methods, software engineering

Muawia A. Elsadig,Ahmed Gafar

DOI: https://doi.org/10.1109/access.2022.3164392

IF: 3.9

2022-01-01

IEEE Access

Abstract:The advanced development of computer networks and communication technologies has made covert communications easier to construct, faster, undetectable and more secure than ever. A covert channel is a path through which secret messages can be leaked by violating a system security policy. The detection of such dangerous, unwatchable, and hidden threats is still one of the most challenging aspects. This threat exploits methods that are not dedicated to communication purposes, meaning that traditional security measures fail to detect its existence. This review has introduced a brief introduction of covert channel definitions, types and developments, with a particular focus on detection techniques using machine learning (ML) approaches. It provides a thorough review of the most common covert channels and ML techniques that are used to counter them, as well as addressing their achievements and limitations. In addition, this paper introduces a comparative experimental study for some common ML approaches that are commonly used in this field. Accordingly, the performance of these classifiers was evaluated and reported. The paper concludes that our information is still at risk, nothing is said to be secured and more work on the detection of covert channels is required.

computer science, information systems,telecommunications,engineering, electrical & electronic

Haozhi Li,Tian Song,Yating Yang

DOI: https://doi.org/10.1109/tdsc.2022.3207573

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Network covert timing channels can be maliciously used to exfiltrate secrets, coordinate attacks and propagate malwares, posing serious threats to cybersecurity. Current covert timing channels normally conduct small-volume transmission under the covers of various disguising techniques, making them hard to detect especially when a detector has little priori knowledge of their traffic features. In this paper, we propose a generic and sensitive detection approach, which can simultaneously (i) identify various types of channels without their traffic knowledge and (ii) maintain reasonable performance on small traffic samples. The basis of our approach is the finding that the short-term timing behavior of covert and legitimate traffic is significantly different from the perspective of inter-packet delays' variation. This phenomenon can be a generic reference to detect various channels because it is resistant to major channel disguising techniques which only mimic long-term traffic features, while it is also a sensitive reference to spot small-volume covert transmission since it can capture traffic anomalies in a fine-grained manner. To obtain the inner patterns of inter-packet delays' variation, we design a context-sensitive feature-extraction technique. This technique transforms each raw inter-packet delay into a discrete counterpart based on its contextual properties, thus extracting its variation features and reducing traffic data complexity. Then we learn legitimate variation patterns using a neural network model, and identify samples showing anomalous variation as covert. The experimental results show that our approach effectively detects all currently representative channels in the absence of their knowledge, presenting once to twice higher sensitivity than the state-of-the-art solutions.

computer science, information systems, software engineering, hardware & architecture

Hanaa Nafea,Kashif Kifayat,Qi Shi,Kashif Naseer Qureshi,Bob Askwith

DOI: https://doi.org/10.1109/access.2019.2961609

IF: 3.9

2020-01-01

IEEE Access

Abstract:Cyber-attacks are causing losses amounted to billions of dollars every year due to data breaches and Vulnerabilities. The existing tools for data leakage prevention and detection are often bypassed by using various different types of sophisticated techniques such as network steganography for stealing the data. This is due to several weaknesses which can be exploited by a threat actor in of existing detection systems. The weaknesses are high time and memory training complexities as well as large training datasets. These challenges become worse when the amount of generated data increasing in every second in many realms. In addition, the number of false positives is high which make them inaccurate. Finally, there is a lack of a framework catering the needs such as raising alerts as well as data monitoring and updating/adapting of a threshold value used for checking the data packets for covert data. In order to overcome these weaknesses, this paper proposes a novel framework that includes elements such as continuous data monitoring, threshold maintenance, and alert notification. This paper also proposes a model based on statistical measures to detects covert data leakages, especially for non-linear chaotic data. The main advantage of proposed model is its capability to provide results with tolerance/threshold values much more efficiently. Experiment are indicated that the proposed framework has low false positives and outperforms over various existing techniques in terms of accuracy and efficiency.

computer science, information systems,telecommunications,engineering, electrical & electronic

Sebastian Zander,Grenville Armitage,Philip Branch

DOI: https://doi.org/10.1109/comst.2007.4317620

2007-01-01

Abstract:Covert channels are used for the secret transfer of information. Encryption only protects communication from being decoded by unauthorised parties, whereas covert channels aim to hide the very existence of the communication. Initially, covert channels were identified as a security threat on monolithic systems i.e. mainframes. More recently focus has shifted towards covert channels in computer network protocols. The huge amount of data and vast number of different protocols in the Internet seems ideal as a high-bandwidth vehicle for covert communication. This article is a survey of the existing techniques for creating covert channels in widely deployed network and application protocols. We also give an overview of common methods for their detection, elimination, and capacity limitation, required to improve security in future computer networks.

computer science, information systems,telecommunications

Luca Caviglione

DOI: https://doi.org/10.3390/app11041641

2021-02-11

Applied Sciences

Abstract:Network covert channels are increasingly used to endow malware with stealthy behaviors, for instance to exfiltrate data or to orchestrate nodes of a botnet in a cloaked manner. Unfortunately, the detection of such attacks is difficult as network covert channels are often characterized by low data rates and defenders do not know in advance where the secret information has been hidden. Moreover, neutralization or mitigation are hard tasks, as they require to not disrupt legitimate flows or degrade the quality perceived by users. As a consequence, countermeasures are tightly coupled to specific channel architectures, leading to poorly generalizable and often scarcely scalable approaches. In this perspective, this paper investigates trends and challenges in the development of countermeasures against the most popular network covert channels. To this aim, we reviewed the relevant literature by considering approaches that can be effectively deployed to detect general injection mechanisms or threats observed in the wild. Emphasis has been put on enlightening trajectories that should be considered when engineering mitigation techniques or planning the research to face the increasing wave of information-hiding-capable malware. Results indicate that many works are extremely specialized and an effective strategy for taming security risks caused by network covert channels may benefit from high-level and general approaches. Moreover, mechanisms to prevent the exploitation of ambiguities should be already considered in early design phases of both protocols and services.

Ivan Miketic,Krithika Dhananjay,Emre Salman

DOI: https://doi.org/10.3390/s23042081

IF: 3.9

2023-02-13

Sensors

Abstract:In this paper, first, a broad overview of existing covert channel communication-based security attacks is provided. Such covert channels establish a communication link between two entities that are not authorized to share data. The secret data is encoded into different forms of signals, such as delay, temperature, or hard drive location. These signals and information are then decoded by the receiver to retrieve the secret data, thereby mitigating some of the existing security measures. The important steps of covert channel attacks are described, such as data encoding, communication protocol, data decoding, and models to estimate communication bandwidth and bit error rate. Countermeasures against covert channels and existing covert channel detection techniques are also summarized. In the second part of the paper, the implications of such attacks for emerging packaging technologies, such as 2.5D/3D integration are discussed. Several covert channel threat models for 2.5D/3D ICs are also proposed.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Robert J. Walls,Kush Kothari,Matthew Wright

DOI: https://doi.org/10.1016/j.comnet.2010.11.007

IF: 5.493

2011-04-01

Computer Networks

Abstract:Covert timing channels provide a way to surreptitiously leak information from an entity in a higher-security level to an entity in a lower level. The difficulty of detecting or eliminating such channels makes them a desirable choice for adversaries that value stealth over throughput. When one considers the possibility of such channels transmitting information across network boundaries, the threat becomes even more acute. A promising technique for detecting covert timing channels focuses on using entropy-based tests. This method is able to reliably detect known covert timing channels by using a combination of entropy and conditional entropy to detect anomalies in shape and regularity, respectively. This dual approach is intended to make entropy-based detection robust against both current and future channels. In this work, we show that entropy-based detection can be defeated by a channel that intelligently and adaptively manipulates the metrics used for detection. Specifically, we propose a new passive covert channel that uses a portion of the inter-packet delays in a compromised stream to smooth out the shape distortions detected by the entropy test. As a passive channel, it is not as prone to regularity-based detection as previously proposed active channels. We introduce a model for analyzing the effect of our techniques on the entropy of the channel and empirically investigate the accuracy of the model. In network experiments and simulation, we validate this model and demonstrate that the proposed channel successfully evades entropy-based detection and other known tests while maintaining reasonable throughput.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

JingZheng Wu,Liping Ding,Yongji Wang,Wei Han

DOI: https://doi.org/10.1109/ssiri.2011.17

2011-01-01

Abstract:Covert channel analysis is an important requirement when building secure information systems, and identification is the most difficult task. Although some approaches were presented, they are either experimental or constrained to some particular systems. This paper presents a practical approach based on directed information flow graph taking advantage of the source code analysis. The approach divides the whole system into serval independent modules and analyzes them respectively. All the shared variables and their caller functions are found out from the source codes and modeled into directed information flow graphs. When the information flow branches are visible and modifiable to the external interface, a potential covert channel exists. Contributions made in this paper are as follows: a modularized analysis scheme is proved and reduces the workloads of identifying, a directed information flow graph algorithm is presented and used to model the covert channels, more than 30 covert channels have been identified in Linux kernel source code using this scheme, and a typical channel scenario is constructed.

Yi Wang,Ping Chen,Yi Ge,Bing Mao,Li Xie

DOI: https://doi.org/10.1109/ares.2009.141

2009-01-01

Abstract:This paper discusses the network covert timing channel. This channel modulates network packet's time properties to transfer information secretly. Much work has been done in inventing and utilizing network covert timing channels, however, there is not so much work in other areas such as detecting and handling covert channels. Covert channel detection is difficult, what's more, it often needs human analysis to confirm whether a suspect is a real covert channel. However we figured out that we can try to control covert channels without knowing whether there are covert channels in using, which means our approach does not rely on the detection of covert channels at all. A network traffic controller is proposed to undermine the network covert timing channel communication mechanism. We will show how our method works and why our traffic control strategy is especially efficient to handle network covert timing channels.

Jing Tian,Gang Xiong,Zhen Li,Gaopeng Gou

DOI: https://doi.org/10.1155/2020/8892896

IF: 1.968

2020-08-05

Security and Communication Networks

Abstract:In order to protect user privacy or guarantee free access to the Internet, the network covert channel has become a hot research topic. It refers to an information channel in which the messages are covertly transmitted under the network environment. In recent years, many new construction schemes of network covert channels are proposed. But at the same time, network covert channel has also received the attention of censors, leading to many attacks. The network covert channel refers to an information channel in which the messages are covertly transmitted under the network environment. Many users exploit the network covert channel to protect privacy or guarantee free access to the Internet. Previous construction schemes of the network covert channel are based on information steganography, which can be divided into CTCs and CSCs. In recent years, there are some covert channels constructed by changing the transmission network architecture. On the other side, some research work promises that the characteristics of emerging network may better fit the construction of the network covert channel. In addition, the covert channel can also be constructed by changing the transmission network architecture. The proxy and anonymity communication technology implement this construction scheme. In this paper, we divide the key technologies for constructing network covert channels into two aspects: communication content level (based on information steganography) and transmission network level (based on proxy and anonymity communication technology). We give an comprehensively summary about covert channels at each level. We also introduce work for the three new types of network covert channels (covert channels based on streaming media, covert channels based on blockchain, and covert channels based on IPv6). In addition, we present the attacks against the network covert channel, including elimination, limitation, and detection. Finally, the challenge and future research trend in this field are discussed.

computer science, information systems,telecommunications