Zukui Wang,Liusheng Huang,Wei Yang,Zhiqiang He

DOI: https://doi.org/10.1109/cyberc.2017.30

2017-01-01

Abstract:With the rapid development of cellular network systems, LTE is turning to be a wonderful carrier for covert channels. In this paper, we present a method based on the k-nearest neighbor (KNN) classification for detecting hidden information in Sequence Number (SN) fields of PDCP and RLC layer, which is known as the most difficult covert storage channel (CSC) to be detected. Our classifier is trained by the fingerprints extracted from overt traffic packets, and obtains the distribution zone of the distance between the SNs and their neighbors. The width of the distribution zone is seen as a confidence metric to the traffic data for detection. We simulate our proposed approach in NS3 platform, and the results have demonstrated that our proposed detection method is sensitive to the hidden information in the SN fields of the PDCP and RLC layer. It can detect them in an accurate manner, and can be used for both online and offline detection.

Guangliang Xu,Wei Yang,Liusheng Huang

DOI: https://doi.org/10.1049/iet-ifs.2017.0394

2018-01-01

IET Information Security

Abstract:Covert channels transmit secret information by using the existing resources which were not designed for communication. As a major approach to information leakage, covert channels are rapidly gaining popularity with the exponentially growth of cloud and network resources. Long Term Evolution Advance (LTE-A) has dominated the mobile telecommunication networks, which brings an elevation of the risk of covert channels. In this study, the authors propose a supervised learning scheme based on support vector machine (SVM) for the covert channel detection in LTE-A. Based on the fact that the covert channel using the header fields of LTE-A protocol would change the regularity, goodness of fit or correlation of the data traffic, they present behaviour characteristics statistics index (CSI) in the LTE-A protocol to evaluate the changes. According to CSI, they extract the classification feature vectors from the data traffic stream, based on which an SVM classifier used for classifying the channel as covert or overt is trained for testing on the channel under investigation. Experiment results show that the authors' proposed detection scheme is high-efficiency in terms of detection accuracy, sensitivity and specificity, which has great potential to serve as a new idea for the detection of covert channel in LTE-A.

Zukui Wang,Liusheng Huang,Wei Yang,Zhiqiang He

DOI: https://doi.org/10.2991/icwcsn-16.2017.80

2017-01-01

Abstract:In this paper, we have analyzed the sub-protocol stack of Long Term Evolution Advanced (LTE-A) System, and proposed a hybrid covert channel, called HyLTEsteg, designed for LTE-A System. The HyLTEsteg uses covert timing channels (CTC), which is fitted the legitimate data stream of network, as a trigger for covert storage channels (CSC). And the CSC utilizes the sequence number (SN) fields of Radio Link Control (RLC) layer and Packet Data Convergence Protocol (PDCP) layer to transmit hidden information. The performance of the HyLTEsteg's anti-detection and hidden information transmission are evaluated and analyzed.

LU Lianhao,PING Lingdi,PAN Xuezeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.21.054

2006-01-01

Abstract:The research of covert channel analysis on Tuling SecOS2.0/4 is reported.A new covert channel identification method--modified semantic information flow method is proposed.It has less workload,can directly analyze the source code and exclude the false result,also helps the covert channel handling.It uses this method to identify the cover channels of the Tuling SecOS,computes the bandwidths accurately,and handles the covert channels according to different security policies.The result shows conform to the requirement of Level 4 security operating system in relevant national standards.

Guangliang Xu,Wei Yang,Liusheng Huang

DOI: https://doi.org/10.1016/j.jnca.2018.02.001

IF: 7.574

2018-01-01

Journal of Network and Computer Applications

Abstract:As a major approach to information leakage, covert channels are rapidly gaining popularity with the exponentially growing of cloud computing and network resources. Long Term Evolution Advance (LTE-A) has dominated the 4th generation (4G) of mobile telecommunication networks, however, this brings an elevation of the risk of covert channels. This paper constructs a Covert Channel in LTE-A circumstance which can ensure the accuracy and effectiveness of the covert communication. Delayed Packet One Indicator (DPOI) is a Covert Timing Channel (CTC) model evolved from classic network CTC. Firstly, we use High-level Petri Nets (HLPN) to model the structure and behavior of the DPOI, especially the process of encoding/decoding and synchronization, according to which, we perform formal verification of the model's major shortcomings. Secondly, we propose HYBRID DPOI, an improved hybrid covert channel model which introduced Covert Storage Channel (CSC) in MAC layer for synchronizing. Moreover, we model the structure and behavior of the HYBRID DPOI using the HLPN to demonstrate the accuracy and effectiveness of our proposed model. At last, we analyze and evaluate the HYBRID DPOI. The results show that the proposed model in LTE-A circumstance is reliable and effective, which provides a new idea for covert channel construction.

Zhou, Guangxia,Xu, Wen,Bauch, Gerhard

2015-01-01

Abstract:Advanced interference-aware detectors are being studied for 3GPP LTE-A to mitigate interference in multi-cell networks. In practical applications, imperfect channel estimates over noisy channels are inevitable. Ignoring them leads to severe performance degradation. The aim of this paper is to investigate a method for an interference-aware maximum likelihood detector to mitigate the impact of channel estimation errors. Simulation results for typical 3GPP LTE/LTE-A show the new method can provide flexibility and ability to deal with the channel estimation errors and to achieve a better trade-off between complexity (e.g., in terms of operations) and performance (e.g., in terms of error rate) in interference-limited scenarios. The proposed lowcomplexity CEN-ML sphere detector can have a gain of more than 5dB than the other investigated detectors for 16-QAM at a target coded block error rate of 0.01.

Zhiqiang He,Liusheng Huang,Wei Yang,Zukui Wang

DOI: https://doi.org/10.1109/iccsnt.2016.8070240

2016-01-01

Abstract:Long Term Evolution Advanced (LTE-A) is the fourth generation (4G) wireless cellular communication standard. A covert channel is a noticeable threat to network security because it is able to transfer data under the overt channel. In this paper, a new class of covert channel coined as SNsteg is proposed, designed for LTE-A system. The SNsteg peculiarly utilizes the feature of Sequence Number (SN) fields in the headers of protocol stacks such as RLC (Radio Link Control) and PDCP (Packet Data Convergence Protocol). Subsequently, there are some analyses and evaluations of this covert channel.

S. Gianvecchio,Haining Wang

DOI: https://doi.org/10.1109/tdsc.2010.46

2011-11-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The detection of covert timing channels is of increasing interest in light of recent exploits of covert timing channels over the Internet. However, due to the high variation in legitimate network traffic, detecting covert timing channels is a challenging task. Existing detection schemes are ineffective at detecting most of the covert timing channels known to the security community. In this paper, we introduce a new entropy-based approach to detecting various covert timing channels. Our new approach is based on the observation that the creation of a covert timing channel has certain effects on the entropy of the original process, and hence, a change in the entropy of a process provides a critical clue for covert timing channel detection. Exploiting this observation, we investigate the use of entropy and conditional entropy in detecting covert timing channels. Our experimental results show that our entropy-based approach is sensitive to the current covert timing channels and is capable of detecting them in an accurate manner.

computer science, information systems, software engineering, hardware & architecture

Xiaosong Zhang,Chen Liang,Quan-Xin Zhang,Yuanzhang Li,Jun Zheng,Yu-an Tan

DOI: https://doi.org/10.1016/j.ins.2018.03.007

IF: 8.1

2018-01-01

Information Sciences

Abstract:Covert timing channels (CTCs) can transmit covert messages by modulating the timing behavior of an entity in overt network communication. In majority of existing solutions, the covert messages are hidden in inter-packet delays (IPDs) of legitimate traffic. These proposals are not suitable for voice over LTE (VoLTE) as IPDs of VoLTE traffic are sensitive to modulation and easy to be detected if changed. In order to build CTCs in such scenario, we propose a robust and undetectable CTC by packet rearrangement which can modulate covert message into number of packets between RTCP packets of VoLTE traffic. To improve the robustness, we employ Gray code to encode the covert message for mitigating the packet loss and reordering. To remain undetectable, we design the variable code length scheme to modulate the number of packets for fitting the distribution of overt traffic. Moreover, the design ensures tunability of different parameters, so that optimum trade-off between robustness and undetectability can be achieved at run-time. To the best of our knowledge, this work is the first to build a CTC using RTCP packet rearrangement suitable for VoLTE traffic. The experimental evaluation proves that the proposed CTC is statistically undetectable and outperforms the IPD-based CTCs in terms of robustness.

Haozhi Li,Tian Song,Yating Yang

DOI: https://doi.org/10.1109/tdsc.2022.3207573

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Network covert timing channels can be maliciously used to exfiltrate secrets, coordinate attacks and propagate malwares, posing serious threats to cybersecurity. Current covert timing channels normally conduct small-volume transmission under the covers of various disguising techniques, making them hard to detect especially when a detector has little priori knowledge of their traffic features. In this paper, we propose a generic and sensitive detection approach, which can simultaneously (i) identify various types of channels without their traffic knowledge and (ii) maintain reasonable performance on small traffic samples. The basis of our approach is the finding that the short-term timing behavior of covert and legitimate traffic is significantly different from the perspective of inter-packet delays' variation. This phenomenon can be a generic reference to detect various channels because it is resistant to major channel disguising techniques which only mimic long-term traffic features, while it is also a sensitive reference to spot small-volume covert transmission since it can capture traffic anomalies in a fine-grained manner. To obtain the inner patterns of inter-packet delays' variation, we design a context-sensitive feature-extraction technique. This technique transforms each raw inter-packet delay into a discrete counterpart based on its contextual properties, thus extracting its variation features and reducing traffic data complexity. Then we learn legitimate variation patterns using a neural network model, and identify samples showing anomalous variation as covert. The experimental results show that our approach effectively detects all currently representative channels in the absence of their knowledge, presenting once to twice higher sensitivity than the state-of-the-art solutions.

computer science, information systems, software engineering, hardware & architecture

Zhiqiang He,Liusheng Huang,Wei Yang,Zukui Wang

DOI: https://doi.org/10.1007/978-3-319-70139-4_89

2017-01-01

Abstract:Worldwide, the Long Term Evolution Advanced technology has an unprecedented development and popularization in recent years. With the advantages of mobile communication technology, more and more researchers are focused on the security of mobile communication. Until then, some researches about covert channels over the 4th generation mobile communication technology had been proposed. Cantor Expansion is a permutation to a bijection of natural number, so it can be used as a coding scheme for a covert channel. In this paper, a novel class of covert channel based on Cantor Expansion (for decoding) and its inverse operation (for encoding) is proposed and designed for this mobile network. The description, analyses and evaluation of this covert channel will be present in the main part of this paper. Moreover, the peak value of camouflage capability can reach 1470 kbps. Nevertheless it doesnt affect the bandwidth of overt channel and it is difficult to be detected.

Jiaxuan Han,Cheng Huang,Fan Shi,Jiayong Liu

DOI: https://doi.org/10.1016/j.cose.2020.101952

2020-10-01

Abstract:<p>Information leakage is becoming increasingly serious in today' s network environment. Faced with increasingly forceful network defence strategies, attackers are also constantly trying to steal important information from systems. As for security researchers, the most troublesome way of information stealing is the covert channel. Generally, the covert channel is divided into the covert storage channel (CSC) and the covert timing channel (CTC). For the covert storage channel, there are already many effective methods to detect it. However, the detection of the covert timing channel is still in the research stage. The basis for implementing the covert timing channel is to control the sending time of packets, so most researches about the covert timing channel detection are based on the time interval between packets. Based on this idea, we refer to the method adopted in the researches of the malicious traffic detection and propose a covert timing channel detection method based on the k-NearestNeighbor (kNN) algorithm. This method uses a series of statistics related to the time interval and payload length as features to train a machine learning model and using 10-fold cross-validation to improve model performance. The experiment result proves that the model has a great detection effect, the detection accuracy is 0.96, and the Area Under Curve (AUC) value the model is 0.9737.</p>

computer science, information systems

Xiaosong Zhang,Ling Pang,Linhong Guo,Yuanzhang Li

DOI: https://doi.org/10.1007/978-3-030-62223-7_28

2020-01-01

Abstract:Covert channel is an important way to transmit covert message and implement covert communication through the network. However, the existing research on covert channel cannot meet the security requirements of covert communication in the complex mobile networks. There are problems such as low transmission capacity, insufficient adaptability to network complexity, and difficulty in countering the detection of covert channels by adversaries. In this paper, we preprocess video traffics over mobile network, and extract traffic features to build a target model. We analysis traffic data by machine learning method to improve the undetectability of the covert channel. Based on the characteristics of real-time interactive communication, gray code and interval block are employed to improve the robustness of covert communication in the complex network environment. A cover channel over VoLTE video traffic, which is based on video packet reordering supported by machine learning algorithms, is proposed to realize the awareness and confrontation of detection attacks on the network side. The covert channel is built over mobile network to ensure end-to-end reliable covert communication under complex network conditions.

Xiaosong Zhang,Linhong Guo,Yuan Xue,Hongwei Jiang,Lu Liu,Quanxin Zhang

DOI: https://doi.org/10.1007/978-981-15-0758-8_7

2019-01-01

Abstract:In the existing network covert channel research, the transmission of secret messages is one-way, lacking confirmation feedback on whether the secret message is successfully accepted. However, VoLTE has real-time interactive features, and the data packets between the sender and the receiver are transmitted in both directions, which facilitates the construction of a two-way covert channel with feedback. Therefore, we propose a hybrid covert channel over mobile networks, which includes a sender-to-receiver covert timing channel that modulates covert message through actively dropping packets during the silence periods and a reverse covert storage channel that hides the acceptance of the covert message as feedback information into the feedback control information field of the RTCP packet. The sender evaluates the current attack severity according to the feedback and adjusts the real-time parameters of the covert timing channel to weigh the robustness and other performance. Experimental results show that this solution can effectively feedback the transmission of the covert message while keeping undetectable and robust.

Yang HUANG,Jian-hua LIU,Chun-ping OUYANG,Wei YANG

DOI: https://doi.org/10.3969/j.issn.1000-1220.2019.12.015

2019-01-01

Abstract:LTE-A(Long Term Evolution-Advanced)is a mobile communication standard based on the enhancement of Long Term E-volution(LTE). The rapid development of LTE-A,with a growing base of users,makes it a potential and promising target for covert channels. In this paper,we propose a novel and robust timing covert channel,called TCCBL,designed for LTE-A systems. This method leverages both the SN(Sequence Number)field in the header of PDU(Packet Data Unit)and Padding bits in the payload of PDU. Spe-cifically,we utilize a pre-shared hash function and an independent variable parameter to achieve varying embedding rules thus ensure the security and flexibility of our proposed covert channel.

Anjan K,Srinath N K,Jibi Abraham

DOI: https://doi.org/10.48550/arXiv.1506.04931

2015-06-16

Cryptography and Security

Abstract:Covert channels is a vital setup in the analysing the strength of security in a network.Covert Channel is illegitimate channelling over the secured channel and establishes a malicious conversation.The trapdoor set in such channels proliferates making covert channel sophisticated to detect their presence in network firewall.This is due to the intricate covert scheme that enables to build robust covert channel over the network.From an attacker's perspective this will ameliorate by placing multiple such trapdoors in different protocols in the rudimentary protocol stack. This leads to a unique scenario of Hybrid Covert Channel, where different covert channel trapdoors exist at the same instance of time in same layer of protocol stack. For detection agents to detect such event is complicated due to lack of knowledge over the different covert schemes. To improve the knowledge of the detection engine to detect the hybrid covert channel scenario it is required to explore all possible clandestine mediums used in the formation of such channels. This can be explored by different schemes available and their entropy impact on hybrid covert channel. The environment can be composed of resources and subject under at-tack and subject which have initiated the attack (attacker). The paper sets itself an objective to understand the different covert schemes and the attack scenario (modelling) and possibilities of covert mediums along with metric for detection.

Linhong Guo,Xiaosong Zhang

DOI: https://doi.org/10.1088/1742-6596/1325/1/012108

2019-01-01

Journal of Physics Conference Series

Abstract:VoLTE (voice over LTE) is widely popular and the potential target for covert communications. The transmission of continuous and large amounts of data over VoLTE enables the construction of a covert channel. The existing covert channel construction scheme based on IPD (inter-packet delay) cannot be applied to VoLTE due to the particularity of the IPD of VoLTE traffics. In this paper, we propose a covert channel with intelligent confrontation for VoLTE traffic. It modulates messages in the relative relationship of voice and video packets based on learning of the characteristics of active attack traffic. The experimental results indicate that the proposed covert channel is undetectable and robust.

Xiaosong Zhang,Liehuang Zhu,Xianmin Wang,Changyou Zhang,Hongfei Zhu,Yu-an Tan

DOI: https://doi.org/10.1016/j.jnca.2018.11.001

IF: 7.574

2018-01-01

Journal of Network and Computer Applications

Abstract:Covert timing channels hide covert message in some timing behavior of an entity. The most common entity is the inter-packet delays (IPDs) which are modulated to represent the covert message. However, since the IPDs of voice over LTE (VoLTE) traffic are limited within a small range have obvious regularity, modifications to IPDs during modulation are easily detected. Therefore, in this paper, we propose a method for building a VoLTE covert channel, which is based on interleaving reordering of voice packets and video packets over VoLTE mixed traffics. Since the number of video packets in the voice packet interval is random, the covert message can be modulated into the numbers of video packets. Moreover, this method helps to increase the capacity of the covert channel. The approach employs Gray code to improve robustness against network jitter. To achieve the undetectability of the covert channel, the method adopts modular operation and the block composed of voice packet intervals to reduce the distribution difference between the covert traffic and the overt traffic. To deal with different adversary models, two different schemes are designed including the one based on video frames and another based on video packets. The difference between the two schemes is whether the rearranged video packets belong to the same video frame. The experimental results show that this solution can achieve high capacity while keeping undetectable and robust.

Lintao Li,Jiayi Lv,Xin Ma,Yue Han,Jiaqi Feng

DOI: https://doi.org/10.3390/electronics12051075

IF: 2.9

2023-02-22

Electronics

Abstract:In this work, we mainly focus on low probability detection (LPD) and low probability interception (LPI) wireless communication in cyber-physical systems. An LPD signal waveform based on multi-carrier modulation and an under-sampling method for signal detection is introduced. The application of the proposed LPD signal for physical layer security is discussed in a typical wireless-tap channel model, which consists of a transmitter (Alice), an intended receiver (Bob), and an eavesdropper (Eve). Since the under-sampling method at Bob's end depends very sensitively on accurate sampling clock and channel state information (CSI), which can hardly be obtained by Eve, the security transmission is initialized as Bob transmits a pilot for Alice to perform channel sounding and clock synchronization by invoking the channel reciprocal principle. Then, Alice sends a multi-carrier information-bearing signal constructed according to Bob's actual sampling clock and the CSI between the two. Consequently, Bob can coherently combine the sub-band signals after sampling, while Eve can only obtain a destructive combination. Finally, we derived the closed-form expressions of detection probability at Bob's and Eve's ends when the energy detector is employed. Simulation results show that the bit error rate (BER) at Alice's end is gradually decreased with the increase in the signal-to-noise ratio (SNR) in both the AWGN and fading channels. Meanwhile, the BER at Eve's end is always unacceptably high no matter how the SNR changes.

engineering, electrical & electronic,computer science, information systems,physics, applied