Zukui Wang,Liusheng Huang,Wei Yang,Zhiqiang He

DOI: https://doi.org/10.1109/CSCWD.2018.8465339

2018-01-01

Abstract:With the rapid development of mobile technologies, LTE is turning to be a wonderful carrier for covert channels. Existing detection for covert storage channel (CSC) are almost packet analysis based methods. In this paper, we present an entropy-based method for detecting CSC in Sequence Number (SN) fields of PDCP and RLC layer, which is seen as the most difficult to be detected. We simulate the LTE network in NS3 platform, and propose a Protocol Data Unit (PDU) based blind method to calculate the distance between the SN of PDU and its first left neighbor, instead of analyzing the packets or extracting the value of SN from the PDU. Our experimental results have demonstrated that the proposed detection method is sensitive to the hidden information in the SN fields of PDCP and RLC layer. It can detect them in an accurate manner, and can be conducted in both real-time online and offline storage detection.

Guangliang Xu,Wei Yang,Liusheng Huang

DOI: https://doi.org/10.1049/iet-ifs.2017.0394

2018-01-01

IET Information Security

Abstract:Covert channels transmit secret information by using the existing resources which were not designed for communication. As a major approach to information leakage, covert channels are rapidly gaining popularity with the exponentially growth of cloud and network resources. Long Term Evolution Advance (LTE-A) has dominated the mobile telecommunication networks, which brings an elevation of the risk of covert channels. In this study, the authors propose a supervised learning scheme based on support vector machine (SVM) for the covert channel detection in LTE-A. Based on the fact that the covert channel using the header fields of LTE-A protocol would change the regularity, goodness of fit or correlation of the data traffic, they present behaviour characteristics statistics index (CSI) in the LTE-A protocol to evaluate the changes. According to CSI, they extract the classification feature vectors from the data traffic stream, based on which an SVM classifier used for classifying the channel as covert or overt is trained for testing on the channel under investigation. Experiment results show that the authors' proposed detection scheme is high-efficiency in terms of detection accuracy, sensitivity and specificity, which has great potential to serve as a new idea for the detection of covert channel in LTE-A.

Zukui Wang,Liusheng Huang,Wei Yang,Zhiqiang He

DOI: https://doi.org/10.2991/icwcsn-16.2017.80

2017-01-01

Abstract:In this paper, we have analyzed the sub-protocol stack of Long Term Evolution Advanced (LTE-A) System, and proposed a hybrid covert channel, called HyLTEsteg, designed for LTE-A System. The HyLTEsteg uses covert timing channels (CTC), which is fitted the legitimate data stream of network, as a trigger for covert storage channels (CSC). And the CSC utilizes the sequence number (SN) fields of Radio Link Control (RLC) layer and Packet Data Convergence Protocol (PDCP) layer to transmit hidden information. The performance of the HyLTEsteg's anti-detection and hidden information transmission are evaluated and analyzed.

LU Lianhao,PING Lingdi,PAN Xuezeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.21.054

2006-01-01

Abstract:The research of covert channel analysis on Tuling SecOS2.0/4 is reported.A new covert channel identification method--modified semantic information flow method is proposed.It has less workload,can directly analyze the source code and exclude the false result,also helps the covert channel handling.It uses this method to identify the cover channels of the Tuling SecOS,computes the bandwidths accurately,and handles the covert channels according to different security policies.The result shows conform to the requirement of Level 4 security operating system in relevant national standards.

Jiaxuan Han,Cheng Huang,Fan Shi,Jiayong Liu

DOI: https://doi.org/10.1016/j.cose.2020.101952

2020-10-01

Abstract:<p>Information leakage is becoming increasingly serious in today' s network environment. Faced with increasingly forceful network defence strategies, attackers are also constantly trying to steal important information from systems. As for security researchers, the most troublesome way of information stealing is the covert channel. Generally, the covert channel is divided into the covert storage channel (CSC) and the covert timing channel (CTC). For the covert storage channel, there are already many effective methods to detect it. However, the detection of the covert timing channel is still in the research stage. The basis for implementing the covert timing channel is to control the sending time of packets, so most researches about the covert timing channel detection are based on the time interval between packets. Based on this idea, we refer to the method adopted in the researches of the malicious traffic detection and propose a covert timing channel detection method based on the k-NearestNeighbor (kNN) algorithm. This method uses a series of statistics related to the time interval and payload length as features to train a machine learning model and using 10-fold cross-validation to improve model performance. The experiment result proves that the model has a great detection effect, the detection accuracy is 0.96, and the Area Under Curve (AUC) value the model is 0.9737.</p>

computer science, information systems

Baoquan Ren,Ji He,Xiaodan Zhang,Xudong Zhong,Hongjun Li,Xiangwu Gong,Tianzhu Hu

DOI: https://doi.org/10.1109/NaNA60121.2023.00083

2023-08-01

Abstract:This work explores the efficacy of multidimensional (Multi-D) signal features in detecting covert communication, specifically considering time-domain features, frequency-time features, frequency offset, and SNR. To this end, we propose two novel machine learning (ML)-based detection schemes utilizing these signal features: a supervised learning approach employing k-nearest neighbors (KNN) and an unsupervised learning approach leveraging density-based spatial clustering of applications with noise (DBSCAN). To assess the performance of these schemes, we construct a covert communication testbed that enables the extraction of signal features in diverse electro-magnetic environments. Our experimental results show that both the KNN-based and DBSCAN-based schemes outperform traditional energy-based detection methods, and that our proposed schemes are more effective in identifying covert communication in complex electromagnetic environments.

Engineering,Computer Science

Xiaosong Zhang,Ling Pang,Linhong Guo,Yuanzhang Li

DOI: https://doi.org/10.1007/978-3-030-62223-7_28

2020-01-01

Abstract:Covert channel is an important way to transmit covert message and implement covert communication through the network. However, the existing research on covert channel cannot meet the security requirements of covert communication in the complex mobile networks. There are problems such as low transmission capacity, insufficient adaptability to network complexity, and difficulty in countering the detection of covert channels by adversaries. In this paper, we preprocess video traffics over mobile network, and extract traffic features to build a target model. We analysis traffic data by machine learning method to improve the undetectability of the covert channel. Based on the characteristics of real-time interactive communication, gray code and interval block are employed to improve the robustness of covert communication in the complex network environment. A cover channel over VoLTE video traffic, which is based on video packet reordering supported by machine learning algorithms, is proposed to realize the awareness and confrontation of detection attacks on the network side. The covert channel is built over mobile network to ensure end-to-end reliable covert communication under complex network conditions.

Guangliang Xu,Wei Yang,Liusheng Huang

DOI: https://doi.org/10.1016/j.jnca.2018.02.001

IF: 7.574

2018-01-01

Journal of Network and Computer Applications

Abstract:As a major approach to information leakage, covert channels are rapidly gaining popularity with the exponentially growing of cloud computing and network resources. Long Term Evolution Advance (LTE-A) has dominated the 4th generation (4G) of mobile telecommunication networks, however, this brings an elevation of the risk of covert channels. This paper constructs a Covert Channel in LTE-A circumstance which can ensure the accuracy and effectiveness of the covert communication. Delayed Packet One Indicator (DPOI) is a Covert Timing Channel (CTC) model evolved from classic network CTC. Firstly, we use High-level Petri Nets (HLPN) to model the structure and behavior of the DPOI, especially the process of encoding/decoding and synchronization, according to which, we perform formal verification of the model's major shortcomings. Secondly, we propose HYBRID DPOI, an improved hybrid covert channel model which introduced Covert Storage Channel (CSC) in MAC layer for synchronizing. Moreover, we model the structure and behavior of the HYBRID DPOI using the HLPN to demonstrate the accuracy and effectiveness of our proposed model. At last, we analyze and evaluate the HYBRID DPOI. The results show that the proposed model in LTE-A circumstance is reliable and effective, which provides a new idea for covert channel construction.

Xiaohang Wang,Hengli Huang,Ruolin Chen,Yingtao Jiang,Amit Kumar Singh,Mei Yang,Letian Huang

DOI: https://doi.org/10.1109/tc.2022.3189578

IF: 3.183

2023-03-15

IEEE Transactions on Computers

Abstract:In response to growing security challenges facing many-core systems imposed by thermal covert channel (TCC) attacks, a number of threshold-based detection methods have been proposed. In this paper, we show that these threshold-based detection methods are inadequate to detect TCCs that harness advanced signaling and specific modulation techniques. Since the frequency representation of a TCC signal is found to have multiple side lobes, this important feature shall be explored to enhance the TCC detection capability. To this end, we present a pattern-classification-based TCC detection method using an artificial neural network that is trained with a large volume of spectrum traces of TCC signals. After proper training, this classifier is applied at runtime to infer TCCs, should they exist. The proposed detection method is able to achieve a detection accuracy of 99%, even in the presence of the stealthiest TCCs ever discovered. Because of its low runtime overhead ( <0.187%) and low energy overhead ( <0.072%), this proposed detection method can be indispensable in fighting against TCC attacks in many-core systems. With such a high accuracy in detecting TCCs, powerful countermeasures, like the ones based on dynamic voltage and frequency scaling (DVFS), can be rightfully applied to neutralize any malicious core participating in - TCC attack.

engineering, electrical & electronic,computer science, hardware & architecture

Haozhi Li,Tian Song,Yating Yang

DOI: https://doi.org/10.1109/tdsc.2022.3207573

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Network covert timing channels can be maliciously used to exfiltrate secrets, coordinate attacks and propagate malwares, posing serious threats to cybersecurity. Current covert timing channels normally conduct small-volume transmission under the covers of various disguising techniques, making them hard to detect especially when a detector has little priori knowledge of their traffic features. In this paper, we propose a generic and sensitive detection approach, which can simultaneously (i) identify various types of channels without their traffic knowledge and (ii) maintain reasonable performance on small traffic samples. The basis of our approach is the finding that the short-term timing behavior of covert and legitimate traffic is significantly different from the perspective of inter-packet delays&#x27; variation. This phenomenon can be a generic reference to detect various channels because it is resistant to major channel disguising techniques which only mimic long-term traffic features, while it is also a sensitive reference to spot small-volume covert transmission since it can capture traffic anomalies in a fine-grained manner. To obtain the inner patterns of inter-packet delays&#x27; variation, we design a context-sensitive feature-extraction technique. This technique transforms each raw inter-packet delay into a discrete counterpart based on its contextual properties, thus extracting its variation features and reducing traffic data complexity. Then we learn legitimate variation patterns using a neural network model, and identify samples showing anomalous variation as covert. The experimental results show that our approach effectively detects all currently representative channels in the absence of their knowledge, presenting once to twice higher sensitivity than the state-of-the-art solutions.

computer science, information systems, software engineering, hardware & architecture

Xiaosong Zhang,Chen Liang,Quan-Xin Zhang,Yuanzhang Li,Jun Zheng,Yu-an Tan

DOI: https://doi.org/10.1016/j.ins.2018.03.007

IF: 8.1

2018-01-01

Information Sciences

Abstract:Covert timing channels (CTCs) can transmit covert messages by modulating the timing behavior of an entity in overt network communication. In majority of existing solutions, the covert messages are hidden in inter-packet delays (IPDs) of legitimate traffic. These proposals are not suitable for voice over LTE (VoLTE) as IPDs of VoLTE traffic are sensitive to modulation and easy to be detected if changed. In order to build CTCs in such scenario, we propose a robust and undetectable CTC by packet rearrangement which can modulate covert message into number of packets between RTCP packets of VoLTE traffic. To improve the robustness, we employ Gray code to encode the covert message for mitigating the packet loss and reordering. To remain undetectable, we design the variable code length scheme to modulate the number of packets for fitting the distribution of overt traffic. Moreover, the design ensures tunability of different parameters, so that optimum trade-off between robustness and undetectability can be achieved at run-time. To the best of our knowledge, this work is the first to build a CTC using RTCP packet rearrangement suitable for VoLTE traffic. The experimental evaluation proves that the proposed CTC is statistically undetectable and outperforms the IPD-based CTCs in terms of robustness.

Zhiqiang He,Liusheng Huang,Wei Yang,Zukui Wang

DOI: https://doi.org/10.1109/iccsnt.2016.8070240

2016-01-01

Abstract:Long Term Evolution Advanced (LTE-A) is the fourth generation (4G) wireless cellular communication standard. A covert channel is a noticeable threat to network security because it is able to transfer data under the overt channel. In this paper, a new class of covert channel coined as SNsteg is proposed, designed for LTE-A system. The SNsteg peculiarly utilizes the feature of Sequence Number (SN) fields in the headers of protocol stacks such as RLC (Radio Link Control) and PDCP (Packet Data Convergence Protocol). Subsequently, there are some analyses and evaluations of this covert channel.

Shuhua Huang,Weiwei Liu,Guangjie Liu,Yuewei Dai,Huiwen Bai

DOI: https://doi.org/10.1155/2021/5569745

IF: 1.968

2021-06-05

Security and Communication Networks

Abstract:With the development of wireless communication technology, more and more information leakage is realized through a wireless covert channel, which brings great challenges to the security of wireless communication. Compared with the wireless covert channel on the upper layer, the wireless covert channel based on the physical layer (WCC-P) has better concealment and greater capacity. As the most widely used scheme of WCC-P, the wireless covert channel with the modulation of the constellation point (WCC-MC) has attracted more and more attention. In this paper, a deep learning scheme based on amplitude-phase characteristics is proposed to detect and classify the WCC-MC scheme. We first extract the amplitude and phase characteristic of error vector magnitude (EVM) and constellation points and then map the amplitude and phase characteristic to the grayscale image, respectively. Finally, the generated feature images are trained, detected, and classified with the adjusted convolution neural network. The experimental results show that the detection accuracy of our proposed scheme can reach 98.5%, and the classification accuracy can reach 81.7%.

computer science, information systems,telecommunications

Xiaosong Zhang,Linhong Guo,Yuan Xue,Hongwei Jiang,Lu Liu,Quanxin Zhang

DOI: https://doi.org/10.1007/978-981-15-0758-8_7

2019-01-01

Abstract:In the existing network covert channel research, the transmission of secret messages is one-way, lacking confirmation feedback on whether the secret message is successfully accepted. However, VoLTE has real-time interactive features, and the data packets between the sender and the receiver are transmitted in both directions, which facilitates the construction of a two-way covert channel with feedback. Therefore, we propose a hybrid covert channel over mobile networks, which includes a sender-to-receiver covert timing channel that modulates covert message through actively dropping packets during the silence periods and a reverse covert storage channel that hides the acceptance of the covert message as feedback information into the feedback control information field of the RTCP packet. The sender evaluates the current attack severity according to the feedback and adjusts the real-time parameters of the covert timing channel to weigh the robustness and other performance. Experimental results show that this solution can effectively feedback the transmission of the covert message while keeping undetectable and robust.

Linhong Guo,Xiaosong Zhang

DOI: https://doi.org/10.1088/1742-6596/1325/1/012108

2019-01-01

Journal of Physics Conference Series

Abstract:VoLTE (voice over LTE) is widely popular and the potential target for covert communications. The transmission of continuous and large amounts of data over VoLTE enables the construction of a covert channel. The existing covert channel construction scheme based on IPD (inter-packet delay) cannot be applied to VoLTE due to the particularity of the IPD of VoLTE traffics. In this paper, we propose a covert channel with intelligent confrontation for VoLTE traffic. It modulates messages in the relative relationship of voice and video packets based on learning of the characteristics of active attack traffic. The experimental results indicate that the proposed covert channel is undetectable and robust.

Shen Weiguo,Chen Jiepeng,Zheng Shilian,Zhang Luxin,Pei Zhangbin,Lu Weidang,Yang Xiaoniu

DOI: https://doi.org/10.23919/jcc.fa.2023-0710.202409

2024-10-01

China Communications

Abstract:In recent years, deep learning has been gradually used in communication physical layer receivers and has achieved excellent performance. In this paper, we employ deep learning to establish covert communication systems, enabling the transmission of signals through high-power signals present in the prevailing environment while maintaining covertness, and propose a convolutional neural network (CNN) based model for covert communication receivers, namely DeepCCR. This model leverages CNN to execute the signal separation and recovery tasks commonly performed by traditional receivers. It enables the direct recovery of covert information from the received signal. The simulation results show that the proposed DeepCCR exhibits significant advantages in bit error rate (BER) compared to traditional receivers in the face of noise and multipath fading. We verify the covert performance of the covert method proposed in this paper using the maximum-minimum eigenvalue ratio-based method and the frequency domain entropy-based method. The results indicate that this method has excellent covert performance. We also evaluate the mutual influence between covert signals and opportunity signals, indicating that using opportunity signals as cover can cause certain performance losses to covert signals. When the interference-to-signal power ratio (ISR) is large, the impact of covert signals on opportunity signals is minimal.

telecommunications

Santu Sardar,Amit K. Mishra,Mohammed Zafar Ali Khan

DOI: https://doi.org/10.1049/iet-rsn.2018.5231

2019-04-16

Abstract:We demonstrated a vehicle detection and classification method based on Long Term Evolution (LTE) communication infrastructure based environment sensing instrument, termed as LTE-CommSense by the authors. This technology is a novel passive sensing system which focuses on the reference signals embedded in the sub-frames of LTE resource grid. It compares the received signal with the expected reference signal, extracts the evaluated channel state information (CSI) and analyzes it to estimate the change in the environment. For vehicle detection and subsequent classification, our setup is similar to a passive radar in forward scattering radar (FSR) mode. Instead of performing the radio frequency (RF) signals directly, we take advantage of the processing that happens in a LTE receiver user equipment (UE). We tap into the channel estimation and equalization block and extract the CSI value. CSI value reflects the property of the communication channel between communication base station (eNodeB) and UE. We use CSI values for with and vehicle and without vehicle case in outdoor open road environment. Being a receiver only system, there is no need for any transmission and related regulations. Therefore, this system is low cost, power efficient and difficult to detect. Also, most of its processing will be done by the existing LTE communication receiver (UE). In this paper, we establish our claim by analyzing field-collected data. Live LTE downlink (DL) signal is captured using modeled LTE UE using software defined radio (SDR). The detection analysis and classification performance shows promising results and ascertains that, LTE-CommSense is capable of detection and classification of different types of vehicles in outdoor road environment.

Networking and Internet Architecture

Sridhar Patthi,Sugandha Singh,Ila Chandana Kumari P

DOI: https://doi.org/10.1007/s11042-023-17781-w

IF: 2.577

2024-01-07

Multimedia Tools and Applications

Abstract:The proliferation of wireless networks as a primary data transmission channel has brought about a surge in data volume but also raised security threats and privacy concerns. Intrusion Detection Systems (IDS) have proven effective in safeguarding data transmission, yet they struggle to detect minor or rare attacks that mimic normal traffic. To address this challenge, we propose a novel two-layer classification model integrating K-nearest neighbor (KNN) and support vector machines (SVMs). In the first layer, KNN classifies data into Normal, Major, and Minor Attack categories, while the second layer further distinguishes Major Attacks into DoS or Probe and Minor Attacks into U2R or R2. Our framework incorporates Common Correlated Feature Selection (CCFS) to optimize feature discrimination, partitioning training data into three groups. Furthermore, we explore data preprocessing techniques to enhance data interpretation and maintain statistical normalcy in traffic connection features. Our experimental analysis utilizes the NSL-KDD dataset, demonstrating that our approach significantly improves detection rates, particularly for Minor Attacks, achieving a remarkable 92.33% detection rate for U2R and 91.33% for R2L attacks. This represents a substantial 10% enhancement over existing methods, outperforming Multi-Layer Perceptron (MLP) by 13.23%, Random Forest (RF) by 10.11%, J48- Decision Tree (DT) by 9.23%, and Naïve Bayes (NB) by 9.42% and 8.17% in terms of detection rates. These results underscore the effectiveness of our approach in enhancing intrusion detection performance.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Yuanchi FANG,Die HU

DOI: https://doi.org/10.11805/TKYDA201603.0350

2016-01-01

Abstract:To improve the spectral efficiency, 3rd Generation Partnership Project(3GPP) Long Term Evolution(LTE) usually adopts frequency reuse-1 system,which leads to co-channel interference among neighbor cells. Co-channel interference increases the difficulty of cell detection, especially when two neighbor cells use the same Primary Synchronization Signal(PSS). In such cases, since it is difficult to obtain the channel frequency response(CFR) for the Secondary Synchronization Signal(SSS) by directly using the PSS,the detection rate for the cell with weak signal will significantly degrade. To address the above issue, this paper proposes a cell detection algorithm for the LTE system with co-channel interference. The proposed method first presents a reasonable model for the received signals,and then estimates the CFR of the cell with strong signal by solving the equations. After that,the interference is cancelled and the cell with weak signal is detected. Simulation results show that the proposed algorithm can significantly improve the detection rate of the cell with weak signal. Even when Signal-Noise Ratio(SNR)is 10 dB, the detection rate of the proposed algorithm can achieve 70%. When SNR is 20dB, the detection rate can be above 90%,which significantly outperforms the typical cell detection algorithm whose detection rate is only 50%.