Haozhi Li,Tian Song,Yating Yang

DOI: https://doi.org/10.1109/tdsc.2022.3207573

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Network covert timing channels can be maliciously used to exfiltrate secrets, coordinate attacks and propagate malwares, posing serious threats to cybersecurity. Current covert timing channels normally conduct small-volume transmission under the covers of various disguising techniques, making them hard to detect especially when a detector has little priori knowledge of their traffic features. In this paper, we propose a generic and sensitive detection approach, which can simultaneously (i) identify various types of channels without their traffic knowledge and (ii) maintain reasonable performance on small traffic samples. The basis of our approach is the finding that the short-term timing behavior of covert and legitimate traffic is significantly different from the perspective of inter-packet delays' variation. This phenomenon can be a generic reference to detect various channels because it is resistant to major channel disguising techniques which only mimic long-term traffic features, while it is also a sensitive reference to spot small-volume covert transmission since it can capture traffic anomalies in a fine-grained manner. To obtain the inner patterns of inter-packet delays' variation, we design a context-sensitive feature-extraction technique. This technique transforms each raw inter-packet delay into a discrete counterpart based on its contextual properties, thus extracting its variation features and reducing traffic data complexity. Then we learn legitimate variation patterns using a neural network model, and identify samples showing anomalous variation as covert. The experimental results show that our approach effectively detects all currently representative channels in the absence of their knowledge, presenting once to twice higher sensitivity than the state-of-the-art solutions.

computer science, information systems, software engineering, hardware & architecture

Jiaxuan Han,Cheng Huang,Fan Shi,Jiayong Liu

DOI: https://doi.org/10.1016/j.cose.2020.101952

2020-10-01

Abstract:<p>Information leakage is becoming increasingly serious in today' s network environment. Faced with increasingly forceful network defence strategies, attackers are also constantly trying to steal important information from systems. As for security researchers, the most troublesome way of information stealing is the covert channel. Generally, the covert channel is divided into the covert storage channel (CSC) and the covert timing channel (CTC). For the covert storage channel, there are already many effective methods to detect it. However, the detection of the covert timing channel is still in the research stage. The basis for implementing the covert timing channel is to control the sending time of packets, so most researches about the covert timing channel detection are based on the time interval between packets. Based on this idea, we refer to the method adopted in the researches of the malicious traffic detection and propose a covert timing channel detection method based on the k-NearestNeighbor (kNN) algorithm. This method uses a series of statistics related to the time interval and payload length as features to train a machine learning model and using 10-fold cross-validation to improve model performance. The experiment result proves that the model has a great detection effect, the detection accuracy is 0.96, and the Area Under Curve (AUC) value the model is 0.9737.</p>

computer science, information systems

Xiaolong Zhuang,Yonghong Chen,Hui Tian

DOI: https://doi.org/10.1002/ett.4978

IF: 3.6

2024-05-10

Transactions on Emerging Telecommunications Technologies

Abstract:Abstract Network covert channels use network resources to transmit data covertly, and their existence will seriously threaten network security. Therefore, an effective method is needed to prevent and detect them. Current network covert timing channel detection methods often incorporate machine learning methods in order to achieve generalized detection, but they consume a large amount of computational resources. In this paper, we propose a generalized detection framework for covert channels based on perceptual hashing without relying on machine learning methods. And we propose a one‐dimensional data feature descriptor for feature extraction of perceptual hash for the data characteristics of covert timing channels. We first generate the hash sequence of the corresponding channel to get the average hash, which is used for comparison in the test phase. The experimental results show that the feature descriptor can capture the feature differences of one‐dimensional data well. When compared to machine learning methods, this perceptual hashing algorithms enable faster traffic detection. Meanwhile, our method is able to detect the effectiveness with the smallest coverage window compared with the latest solutions. Moreover, it exhibits robustness in jitter network environment.

telecommunications

Yao Shen,Liusheng Huang,Xiaorong Lu,Wei Yang

DOI: https://doi.org/10.1002/sec.1081

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:Covert channels are malicious conversations disguised in legitimate network communications, allowing information leak to the unauthorized or unknown receiver. Various network steganographic schemes that modify the header fields of transmission control protocol/Internet protocol (TCP/IP) have been proposed in recent years. People before conducted detection research based on the surface content of the header field and did not take into account the differences between the behavior characters of covert channels and the inherent behavior regularities of the header fields. Up to date, there is little comprehensive research on the steganalysis against the storage covert channels. In this paper, we focus on the detection of storage covert channels and introduce a novel comprehensive detection method based on the protocol behaviors. The protocol behavior characters are utilized to evaluate the regularities or correlations of header fields between adjacent packets according to the conventional use. First, the behavior features of the header fields in TCP/IP are extracted; a support vector machine is then applied to the behavior feature sets for discovering the existence of covert channels. Some recognized covert channel tools are detected in our detection experiment. Experimental results and discussion show that our detection method is of effectiveness. Copyright (c) 2014 John Wiley & Sons, Ltd.

Yao Shen,Wei Yang,Liusheng Huang

DOI: https://doi.org/10.1016/j.jnca.2017.10.019

IF: 7.574

2017-01-01

Journal of Network and Computer Applications

Abstract:Application-layer covert channels have been extensively studied in recent years. Ubiquitous application packets serving as covert carriers contain a considerable potential channel capacity. However, undetectability is still a challenging task to be resolved for practicability, as almost all existing covert channels are frustrated by specific detection methods. In this paper, we focus on the problem of undetectable application-layer covert channels. We found a natural HTTP behavior that distribution relationships between HTTP requests and flows are dynamic when opening a webpage. Motivated by this finding, we present a behavior-based covert channel, Lost in HTTP Behaviors (LiHB). LiHB embeds secret messages into request-flow distributions using combinatorics without changing any packet contents. Furthermore, LiHB achieves automatic coding with no need for a codebook. In particular, LiHB is able to penetrate web proxy to transmit information stealthily. To overcome limitations of LiHB, we propose an enhanced secure HTTP behavior-based covert channel (HBCC), which is statistically undetectable by shape and regularity tests. HBCC employs an independent and identically distributed (i.i.d.) inter-request delay (IRD) generator to maintain the request distribution of legitimate traffic, and mimics normal browsing patterns based on the frequent traversal sequences. Experimental results show LiHB and HBCC have a good performance and reliability, and HBCC outperforms LiHB in terms of channel capacity and undetectability.

章思宇,邹福泰,王鲁华,陈铭

DOI: https://doi.org/10.3969/j.issn.1000-436x.2013.05.017

2013-01-01

Journal of Communications

Abstract:To propose an effective detection method for DNS-based covert channel,traffic characteristics were thor-oughly studied.12 features were extracted from DNS packets to distinguish covert channels from legitimate DNS queries.Statistical characteristics of these features are used as input of the machine learning classifier.Experimental results show that the decision tree model detects all 22 covert channels used in training,and is capable of detecting untrained covert channels.Several DNS tunnels were detected during the evaluation on campus network's live DNS traffic.

Serdar Cabuk,Carla E. Brodley,Clay Shields

DOI: https://doi.org/10.1145/1513601.1513604

2009-04-01

ACM Transactions on Information and System Security

Abstract:A covert channel can occur when an attacker finds and exploits a shared resource that is not designed to be a communication mechanism. A network covert channel operates by altering the timing of otherwise legitimate network traffic so that the arrival times of packets encode confidential data that an attacker wants to exfiltrate from a secure area from which she has no other means of communication. In this article, we present the first public implementation of an IP covert channel, discuss the subtle issues that arose in its design, and present a discussion on its efficacy. We then show that an IP covert channel can be differentiated from legitimate channels and present new detection measures that provide detection rates over 95%. We next take the simple step an attacker would of adding noise to the channel to attempt to conceal the covert communication. For these noisy IP covert timing channels, we show that our online detection measures can fail to identify the covert channel for noise levels higher than 10%. We then provide effective offline search mechanisms that identify the noisy channels.

YAO WANG,MINGZENG HU,BIN LI

2004-01-01

Abstract:Covert channels and tunneling approaches are becoming a severe threat to information security. Penetration tools are employed to transit sensitive information through authorized streams. Since many current solutions are based on expert's experiences or latter-wit, a self-learning detection and analysis system is starved for. A data mining framework for Covert Channel Detection and Analysis System (CCDAS) is presented in this paper. It utilizes protocol analysis method to reassemble each network connections according to all kinds of protocol specifications, and apply data mining programs to construct features that can accurately distinguish the abnormal behaviors of covert channels from the normal activities. The main components of CCDAS (namely Protocol Analyzer, Feature Constructor and Class Identifier) work together and detect various emerging covert channels automatically.

Anjan K,Jibi Abraham,Mamatha Jadhav,Mamatha Jadhav V

DOI: https://doi.org/10.48550/arXiv.1101.0104

2010-12-30

Cryptography and Security

Abstract:Computer network is unpredictable due to information warfare and is prone to various attacks. Such attacks on network compromise the most important attribute, the privacy. Most of such attacks are devised using special communication channel called "Covert Channel". The word "Covert" stands for hidden or non-transparent. Network Covert Channel is a concealed communication path within legitimate network communication that clearly violates security policies laid down. The non-transparency in covert channel is also referred to as trapdoor. A trapdoor is unintended design within legitimate communication whose motto is to leak information. Subliminal channel, a variant of covert channel works similarly except that the trapdoor is set in a cryptographic algorithm. A composition of covert channel with subliminal channel is the "Hybrid Covert Channel". Hybrid covert channel is homogenous or heterogeneous mixture of two or more variants of covert channels either active at same instance or at different instances of time. Detecting such malicious channel activity plays a vital role in removing threat to the legitimate network. In this paper, we present a study of multi-trapdoor covert channels and introduce design of a new detection engine for hybrid covert channel in transport layer visualized in TCP and SSL.

Xiaochun Yun,Jiang Xie,Shuhao Li,Yongzheng Zhang,Peishuai Sun

DOI: https://doi.org/10.1016/j.cose.2022.102834

2023-09-07

Abstract:Malicious communication behavior is the network communication behavior generated by malware (bot-net, spyware, etc.) after victim devices are infected. Experienced adversaries often hide malicious information in HTTP traffic to evade detection. However, related detection methods have inadequate generalization ability because they are usually based on artificial feature engineering and outmoded datasets. In this paper, we propose an HTTP-based Malicious Communication traffic Detection Model (HMCD-Model) based on generated adversarial flows and hierarchical traffic features. HMCD-Model consists of two parts. The first is a generation algorithm based on WGAN-GP to generate HTTP-based malicious communication traffic for data enhancement. The second is a hybrid neural network based on CNN and LSTM to extract hierarchical spatial-temporal features of traffic. In addition, we collect and publish a dataset, HMCT-2020, which consists of large-scale malicious and benign traffic during three years (2018-2020). Taking the data in HMCT-2020(18) as the training set and the data in other datasets as the test set, the experimental results show that the HMCD-Model can effectively detect unknown HTTP-based malicious communication traffic. It can reach F1 = 98.66% in the dataset HMCT-2020(19-20), F1 = 90.69% in the public dataset CIC-IDS-2017, and F1 = 83.66% in the real traffic, which is 20+% higher than other representative methods on average. This validates that HMCD-Model has the ability to discover unknown HTTP-based malicious communication behavior.

Cryptography and Security,Networking and Internet Architecture

Fei Wang,Liusheng Huang,Haibo Miao,Miaomiao Tian

DOI: https://doi.org/10.1002/sec.822

IF: 1.968

2013-01-01

Security and Communication Networks

Abstract:In this paper, we propose a novel distributed covert channel in HTTP. Different from traditional covert channels in HTTP, the channel deploys multiple HTTP clients to dilute steganographic features. In a proper multiple-to-multiple transmission model based on the modulation of URLs, the channel is efficient and reliable. With a Poisson request generator, simulating behaviors of normal HTTP visitors, the covert traffic has a legitimate HTTP appearance that helps it be undetectable. The transmission experiments prove that the channel is error free and has a high transmission rate. The results of the undetectability experiment show that the channel is adjustable. By adjusting a certain parameter, the channel can trade off two different features, the transmission rate and the undetectability, which can meet different demands in practical applications. Copyright © 2013 John Wiley & Sons, Ltd.

Hanaa Nafea,Kashif Kifayat,Qi Shi,Kashif Naseer Qureshi,Bob Askwith

DOI: https://doi.org/10.1109/access.2019.2961609

IF: 3.9

2020-01-01

IEEE Access

Abstract:Cyber-attacks are causing losses amounted to billions of dollars every year due to data breaches and Vulnerabilities. The existing tools for data leakage prevention and detection are often bypassed by using various different types of sophisticated techniques such as network steganography for stealing the data. This is due to several weaknesses which can be exploited by a threat actor in of existing detection systems. The weaknesses are high time and memory training complexities as well as large training datasets. These challenges become worse when the amount of generated data increasing in every second in many realms. In addition, the number of false positives is high which make them inaccurate. Finally, there is a lack of a framework catering the needs such as raising alerts as well as data monitoring and updating/adapting of a threshold value used for checking the data packets for covert data. In order to overcome these weaknesses, this paper proposes a novel framework that includes elements such as continuous data monitoring, threshold maintenance, and alert notification. This paper also proposes a model based on statistical measures to detects covert data leakages, especially for non-linear chaotic data. The main advantage of proposed model is its capability to provide results with tolerance/threshold values much more efficiently. Experiment are indicated that the proposed framework has low false positives and outperforms over various existing techniques in terms of accuracy and efficiency.

computer science, information systems,telecommunications,engineering, electrical & electronic

Liang QIANG,Bin LI,Mingzeng Hu

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.15.084

2005-01-01

Abstract:Illegal communications by covert channel in network become an important way to threaten the network security. The paper gives thegeneral way for constructing a covert channel and brings a channel based on HTTP protocol to get better secrecy, anti-shielding property, as theopinion of attacker.

Wei Wei,Jinjiu Li,Longbing Cao,Yuming Ou,Jiahang Chen

DOI: https://doi.org/10.1007/s11280-012-0178-0

2012-07-19

World Wide Web

Abstract:Sophisticated online banking fraud reflects the integrative abuse of resources in social, cyber and physical worlds. Its detection is a typical use case of the broad-based Wisdom Web of Things (W2T) methodology. However, there is very limited information available to distinguish dynamic fraud from genuine customer behavior in such an extremely sparse and imbalanced data environment, which makes the instant and effective detection become more and more important and challenging. In this paper, we propose an effective online banking fraud detection framework that synthesizes relevant resources and incorporates several advanced data mining techniques. By building a contrast vector for each transaction based on its customer’s historical behavior sequence, we profile the differentiating rate of each current transaction against the customer’s behavior preference. A novel algorithm, ContrastMiner, is introduced to efficiently mine contrast patterns and distinguish fraudulent from genuine behavior, followed by an effective pattern selection and risk scoring that combines predictions from different models. Results from experiments on large-scale real online banking data demonstrate that our system can achieve substantially higher accuracy and lower alert volume than the latest benchmarking fraud detection system incorporating domain knowledge and traditional fraud detection methods.

Fei Wang,Liusheng Huang,Zhili Chen,Haibo Miao,Wei Yang

DOI: https://doi.org/10.1007/978-3-319-04283-1_15

2014-01-01

Abstract:The web tunnel is a common attack technique in the Internet and it is very easy to be implemented but extremely difficult to be detected. In this paper, we propose a novel web tunnel detection method which focuses on protocol behaviors. By analyzing the interaction processes in web communications, we give a scientific definition to web sessions that are our detection objects. Under the help of the definition, we extract four first-order statistical features which are widely used in previous research of web sessions. Utilizing the packet lengths and inter-arrival times in the transport layer, we divide TCP packets into different classes and discover some statistical correlations of them in order to extract another three second-order statistical features of web sessions. Further, the seven features are regarded as a 7-dimentional feature vector. Exploiting the vector, we adopt a support vector machine classifier to distinguish tunnel sessions from legitimate web sessions. In the experiment, our method performs very well and the detection accuracies of HTTP tunnels and HTTPS tunnels are 82.5% and 91.8% respectively when the communication traffic is above 500 TCP packets.

Chi-Kuan Chiu,Hsiao-Hsien Chang,Ching-Hao Mao,Te-En Wei

DOI: https://doi.org/10.1109/desec.2018.8625111

2018-12-01

Abstract:Malware and backdoor usually hide their malicious activities to communicate with C&amp;C server through HTTP protocol. Various techniques for stealth are developed which directly leads security system&#x27;s failure to detect hacker&#x27;s activities. This paper focuses on profiling fingerprints of browsers running on different client-side host to detect anomaly among outbound HTTP traffics at behavioral and semantic level. Patterns describing fake header are also elaborately designed using graph structure and become significant features in the proposed method for the subsequent detection. Performance of proposed approach are evaluated with data from realistic environment and compare to state-of-the-art. Results show that the proposed method delivers accuracy up to 99%, also for the counterfeit fingerprint&#x27;s detection it even achieve 100% recall, while the alternative approach totally failed under this scenario.

Muawia A. Elsadig,Ahmed Gafar

DOI: https://doi.org/10.1109/access.2022.3164392

IF: 3.9

2022-01-01

IEEE Access

Abstract:The advanced development of computer networks and communication technologies has made covert communications easier to construct, faster, undetectable and more secure than ever. A covert channel is a path through which secret messages can be leaked by violating a system security policy. The detection of such dangerous, unwatchable, and hidden threats is still one of the most challenging aspects. This threat exploits methods that are not dedicated to communication purposes, meaning that traditional security measures fail to detect its existence. This review has introduced a brief introduction of covert channel definitions, types and developments, with a particular focus on detection techniques using machine learning (ML) approaches. It provides a thorough review of the most common covert channels and ML techniques that are used to counter them, as well as addressing their achievements and limitations. In addition, this paper introduces a comparative experimental study for some common ML approaches that are commonly used in this field. Accordingly, the performance of these classifiers was evaluated and reported. The paper concludes that our information is still at risk, nothing is said to be secured and more work on the detection of covert channels is required.

computer science, information systems,telecommunications,engineering, electrical & electronic