Anjan K,Jibi Abraham,Mamatha Jadhav,Mamatha Jadhav V

DOI: https://doi.org/10.48550/arXiv.1101.0104

2010-12-30

Cryptography and Security

Abstract:Computer network is unpredictable due to information warfare and is prone to various attacks. Such attacks on network compromise the most important attribute, the privacy. Most of such attacks are devised using special communication channel called "Covert Channel". The word "Covert" stands for hidden or non-transparent. Network Covert Channel is a concealed communication path within legitimate network communication that clearly violates security policies laid down. The non-transparency in covert channel is also referred to as trapdoor. A trapdoor is unintended design within legitimate communication whose motto is to leak information. Subliminal channel, a variant of covert channel works similarly except that the trapdoor is set in a cryptographic algorithm. A composition of covert channel with subliminal channel is the "Hybrid Covert Channel". Hybrid covert channel is homogenous or heterogeneous mixture of two or more variants of covert channels either active at same instance or at different instances of time. Detecting such malicious channel activity plays a vital role in removing threat to the legitimate network. In this paper, we present a study of multi-trapdoor covert channels and introduce design of a new detection engine for hybrid covert channel in transport layer visualized in TCP and SSL.

Ammar T. Zahary,Nesmah A. Al-Khulaidi,Muneer A. S Hazaa,Adel A. Nasser

DOI: https://doi.org/10.1109/eSmarTA59349.2023.10293582

2023-10-10

Abstract:The use of covert communications has become more widespread recently as a solution to the information security issue. Information security can be partially solved by the discovery and creation of covert routes. Covert channel use is still in its early phases, even though information security concerns are growing as a result of quick technology advancements. As a result, several problems and concerns need to be resolved, and the future plan is foggy. This paper seeks to give a thorough comparison of earlier and more recent attempts in this field. It offers a survey of the literature on the drawbacks and gaps in conventional detection techniques, emphasizing the most recent techniques for discovering and creating these covert channels while carefully considering machine learning and deep learning-based detection techniques. Additionally, it broadens the topic to cover the crucial function that these channels play in technology. Timing channels, storage channels, and hybrid channels are just a few of the ways covert channels may be utilized to transfer data. They can be used to get around security measures like intrusion detection systems and firewalls. Additionally, they may be used to steal confidential data from a system, including passwords, credit card numbers, and intellectual property. System security is seriously threatened by covert channels, and more study on covert channel production and detection is required to stay up with the changing threat environment.

Engineering,Computer Science

Yogesh Heda,Rinku Shah

DOI: https://doi.org/10.1109/conecct.2015.7383926

2015-07-01

Abstract:Secret communication via network has always been an area of interest for attackers. Secrete communication provide a way to discovers and leak information such that system security policies are violated. Covert channel concept for passing data secretly over a communication network existed from many years. Covert channel designer are continuously improving design techniques which create difficult to detect such channels. These channels are different from encryption and steganography. Use of covert attack may be a serious security threat as they can be used for malicious activities. Covert channels exist in most of communication system and allow individual to communicate secretly. It has not only attracted the trusted parties to communicate with each other secretly but has also attracted the hackers/attackers. Existing literature suggests that it is difficult to detect and prevent covert channel communication using traditional accuracy systems. This paper presents detailed survey of existing covert channel design, detection and prevention techniques. The author also presents the classification and comparison of the covert channel design and detection techniques.

S. Gianvecchio,Haining Wang

DOI: https://doi.org/10.1109/tdsc.2010.46

2011-11-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The detection of covert timing channels is of increasing interest in light of recent exploits of covert timing channels over the Internet. However, due to the high variation in legitimate network traffic, detecting covert timing channels is a challenging task. Existing detection schemes are ineffective at detecting most of the covert timing channels known to the security community. In this paper, we introduce a new entropy-based approach to detecting various covert timing channels. Our new approach is based on the observation that the creation of a covert timing channel has certain effects on the entropy of the original process, and hence, a change in the entropy of a process provides a critical clue for covert timing channel detection. Exploiting this observation, we investigate the use of entropy and conditional entropy in detecting covert timing channels. Our experimental results show that our entropy-based approach is sensitive to the current covert timing channels and is capable of detecting them in an accurate manner.

computer science, information systems, software engineering, hardware & architecture

Muawia A. Elsadig,Yahia A. Fadlalla

DOI: https://doi.org/10.1109/ieeegcc.2017.8447997

2017-05-01

Abstract:advanced developments in intrusion detection systems (IDS) and computer network technology encourage hackers to find new ways to leak confidential information without being detected. When the interpretation of a security model adopted by a system is violated by a communication between two users, or processes operating on their behalf, it is said that the two users are communicating indirectly or covertly. A network covert channel refers to any communication channel that can be exploited by a process to transfer information in a manner that violates a system's security policy. Loopholes in network protocols attract covert channel exploitation. This paper sheds light on network covert channel countermeasures and the most recent detection and prevention methods of such channels. The achievements and limitations of these countermeasures are discussed. The paper further introduces the concept of network covert channel triangle (DSM - Development, Switching, and Micro-protocol); three elements that have the most direct positive impact in a network covert channel environment. In addition, the paper reflects on the challenges such covert channels impose.

Serdar Cabuk,Carla E. Brodley,Clay Shields

DOI: https://doi.org/10.1145/1513601.1513604

2009-04-01

ACM Transactions on Information and System Security

Abstract:A covert channel can occur when an attacker finds and exploits a shared resource that is not designed to be a communication mechanism. A network covert channel operates by altering the timing of otherwise legitimate network traffic so that the arrival times of packets encode confidential data that an attacker wants to exfiltrate from a secure area from which she has no other means of communication. In this article, we present the first public implementation of an IP covert channel, discuss the subtle issues that arose in its design, and present a discussion on its efficacy. We then show that an IP covert channel can be differentiated from legitimate channels and present new detection measures that provide detection rates over 95%. We next take the simple step an attacker would of adding noise to the channel to attempt to conceal the covert communication. For these noisy IP covert timing channels, we show that our online detection measures can fail to identify the covert channel for noise levels higher than 10%. We then provide effective offline search mechanisms that identify the noisy channels.

Muawia A. Elsadig,Ahmed Gafar

DOI: https://doi.org/10.1109/access.2022.3164392

IF: 3.9

2022-01-01

IEEE Access

Abstract:The advanced development of computer networks and communication technologies has made covert communications easier to construct, faster, undetectable and more secure than ever. A covert channel is a path through which secret messages can be leaked by violating a system security policy. The detection of such dangerous, unwatchable, and hidden threats is still one of the most challenging aspects. This threat exploits methods that are not dedicated to communication purposes, meaning that traditional security measures fail to detect its existence. This review has introduced a brief introduction of covert channel definitions, types and developments, with a particular focus on detection techniques using machine learning (ML) approaches. It provides a thorough review of the most common covert channels and ML techniques that are used to counter them, as well as addressing their achievements and limitations. In addition, this paper introduces a comparative experimental study for some common ML approaches that are commonly used in this field. Accordingly, the performance of these classifiers was evaluated and reported. The paper concludes that our information is still at risk, nothing is said to be secured and more work on the detection of covert channels is required.

computer science, information systems,telecommunications,engineering, electrical & electronic

Haozhi Li,Tian Song,Yating Yang

DOI: https://doi.org/10.1109/tdsc.2022.3207573

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Network covert timing channels can be maliciously used to exfiltrate secrets, coordinate attacks and propagate malwares, posing serious threats to cybersecurity. Current covert timing channels normally conduct small-volume transmission under the covers of various disguising techniques, making them hard to detect especially when a detector has little priori knowledge of their traffic features. In this paper, we propose a generic and sensitive detection approach, which can simultaneously (i) identify various types of channels without their traffic knowledge and (ii) maintain reasonable performance on small traffic samples. The basis of our approach is the finding that the short-term timing behavior of covert and legitimate traffic is significantly different from the perspective of inter-packet delays' variation. This phenomenon can be a generic reference to detect various channels because it is resistant to major channel disguising techniques which only mimic long-term traffic features, while it is also a sensitive reference to spot small-volume covert transmission since it can capture traffic anomalies in a fine-grained manner. To obtain the inner patterns of inter-packet delays' variation, we design a context-sensitive feature-extraction technique. This technique transforms each raw inter-packet delay into a discrete counterpart based on its contextual properties, thus extracting its variation features and reducing traffic data complexity. Then we learn legitimate variation patterns using a neural network model, and identify samples showing anomalous variation as covert. The experimental results show that our approach effectively detects all currently representative channels in the absence of their knowledge, presenting once to twice higher sensitivity than the state-of-the-art solutions.

computer science, information systems, software engineering, hardware & architecture

Mrinal Ashish Khadse,Dhananjay Manohar Dakhane

DOI: https://doi.org/10.1002/cpe.8316

2024-10-28

Concurrency and Computation Practice and Experience

Abstract:A covert network channel is a communication channel in which the message is secretly transmitted to the recipient. Sometimes, covert network channels are vulnerable to multiple attacks. Therefore, the message must be properly secure. In most cases, the covert channel is used to ensure data protection and allow users to freely access the Internet. In this paper, several recent studies are reviewed on covert network channels and examine the existing works from 2015 to 2024. This review article also discusses the undetectability and reliability of different types of covert network channels. Furthermore, a detailed description of the covert network channel's ability to hide in containers is provided. Existing research on covert network channels explains a few techniques for detecting attacks in secret data communication. However, several machine learning and deep learning techniques have been discussed in this article. Additionally, this article describes the accuracy of detection through an overview of current technologies. In addition, various countermeasures to prevent attacks in covert channels are also discussed in detail. However, in this case, the bandwidth limitations, data set limitations, and covert channel capacity are clearly defined, which will help future researchers build covert network channels and detect attacks. Finally, this work considers the challenges faced by covert network channels and the future scope of application.

computer science, theory & methods, software engineering

Sebastian Zander,Grenville Armitage,Philip Branch

DOI: https://doi.org/10.1109/comst.2007.4317620

2007-01-01

Abstract:Covert channels are used for the secret transfer of information. Encryption only protects communication from being decoded by unauthorised parties, whereas covert channels aim to hide the very existence of the communication. Initially, covert channels were identified as a security threat on monolithic systems i.e. mainframes. More recently focus has shifted towards covert channels in computer network protocols. The huge amount of data and vast number of different protocols in the Internet seems ideal as a high-bandwidth vehicle for covert communication. This article is a survey of the existing techniques for creating covert channels in widely deployed network and application protocols. We also give an overview of common methods for their detection, elimination, and capacity limitation, required to improve security in future computer networks.

computer science, information systems,telecommunications

Hanaa Nafea,Kashif Kifayat,Qi Shi,Kashif Naseer Qureshi,Bob Askwith

DOI: https://doi.org/10.1109/access.2019.2961609

IF: 3.9

2020-01-01

IEEE Access

Abstract:Cyber-attacks are causing losses amounted to billions of dollars every year due to data breaches and Vulnerabilities. The existing tools for data leakage prevention and detection are often bypassed by using various different types of sophisticated techniques such as network steganography for stealing the data. This is due to several weaknesses which can be exploited by a threat actor in of existing detection systems. The weaknesses are high time and memory training complexities as well as large training datasets. These challenges become worse when the amount of generated data increasing in every second in many realms. In addition, the number of false positives is high which make them inaccurate. Finally, there is a lack of a framework catering the needs such as raising alerts as well as data monitoring and updating/adapting of a threshold value used for checking the data packets for covert data. In order to overcome these weaknesses, this paper proposes a novel framework that includes elements such as continuous data monitoring, threshold maintenance, and alert notification. This paper also proposes a model based on statistical measures to detects covert data leakages, especially for non-linear chaotic data. The main advantage of proposed model is its capability to provide results with tolerance/threshold values much more efficiently. Experiment are indicated that the proposed framework has low false positives and outperforms over various existing techniques in terms of accuracy and efficiency.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ivan Miketic,Krithika Dhananjay,Emre Salman

DOI: https://doi.org/10.3390/s23042081

IF: 3.9

2023-02-13

Sensors

Abstract:In this paper, first, a broad overview of existing covert channel communication-based security attacks is provided. Such covert channels establish a communication link between two entities that are not authorized to share data. The secret data is encoded into different forms of signals, such as delay, temperature, or hard drive location. These signals and information are then decoded by the receiver to retrieve the secret data, thereby mitigating some of the existing security measures. The important steps of covert channel attacks are described, such as data encoding, communication protocol, data decoding, and models to estimate communication bandwidth and bit error rate. Countermeasures against covert channels and existing covert channel detection techniques are also summarized. In the second part of the paper, the implications of such attacks for emerging packaging technologies, such as 2.5D/3D integration are discussed. Several covert channel threat models for 2.5D/3D ICs are also proposed.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Luca Caviglione

DOI: https://doi.org/10.3390/app11041641

2021-02-11

Applied Sciences

Abstract:Network covert channels are increasingly used to endow malware with stealthy behaviors, for instance to exfiltrate data or to orchestrate nodes of a botnet in a cloaked manner. Unfortunately, the detection of such attacks is difficult as network covert channels are often characterized by low data rates and defenders do not know in advance where the secret information has been hidden. Moreover, neutralization or mitigation are hard tasks, as they require to not disrupt legitimate flows or degrade the quality perceived by users. As a consequence, countermeasures are tightly coupled to specific channel architectures, leading to poorly generalizable and often scarcely scalable approaches. In this perspective, this paper investigates trends and challenges in the development of countermeasures against the most popular network covert channels. To this aim, we reviewed the relevant literature by considering approaches that can be effectively deployed to detect general injection mechanisms or threats observed in the wild. Emphasis has been put on enlightening trajectories that should be considered when engineering mitigation techniques or planning the research to face the increasing wave of information-hiding-capable malware. Results indicate that many works are extremely specialized and an effective strategy for taming security risks caused by network covert channels may benefit from high-level and general approaches. Moreover, mechanisms to prevent the exploitation of ambiguities should be already considered in early design phases of both protocols and services.

Robert J. Walls,Kush Kothari,Matthew Wright

DOI: https://doi.org/10.1016/j.comnet.2010.11.007

IF: 5.493

2011-04-01

Computer Networks

Abstract:Covert timing channels provide a way to surreptitiously leak information from an entity in a higher-security level to an entity in a lower level. The difficulty of detecting or eliminating such channels makes them a desirable choice for adversaries that value stealth over throughput. When one considers the possibility of such channels transmitting information across network boundaries, the threat becomes even more acute. A promising technique for detecting covert timing channels focuses on using entropy-based tests. This method is able to reliably detect known covert timing channels by using a combination of entropy and conditional entropy to detect anomalies in shape and regularity, respectively. This dual approach is intended to make entropy-based detection robust against both current and future channels. In this work, we show that entropy-based detection can be defeated by a channel that intelligently and adaptively manipulates the metrics used for detection. Specifically, we propose a new passive covert channel that uses a portion of the inter-packet delays in a compromised stream to smooth out the shape distortions detected by the entropy test. As a passive channel, it is not as prone to regularity-based detection as previously proposed active channels. We introduce a model for analyzing the effect of our techniques on the entropy of the channel and empirically investigate the accuracy of the model. In network experiments and simulation, we validate this model and demonstrate that the proposed channel successfully evades entropy-based detection and other known tests while maintaining reasonable throughput.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Steffen Wendzel,Sebastian Zander,Bernhard Fechner,Christian Herdin

DOI: https://doi.org/10.1145/2684195

IF: 16.6

2015-04-16

ACM Computing Surveys

Abstract:Network covert channels are used to hide communication inside network protocols. Various techniques for covert channels have arisen in the past few decades. We surveyed and analyzed 109 techniques developed between 1987 and 2013 and show that these techniques can be reduced to only 11 different patterns. Moreover, the majority (69.7%) of techniques can be categorized into only four different patterns (i.e., most techniques we surveyed are similar). We represent the patterns in a hierarchical catalog using a pattern language. Our pattern catalog will serve as a base for future covert channel novelty evaluation. Furthermore, we apply the concept of pattern variations to network covert channels. With pattern variations, the context of a pattern can change. For example, a channel developed for IPv4 can automatically be adapted to other network protocols. We also propose the pattern-based covert channel optimizations pattern hopping and pattern combination. Finally, we lay the foundation for pattern-based countermeasures: whereas many current countermeasures were developed for specific channels, a pattern-oriented approach allows application of one countermeasure to multiple channels. Hence, future countermeasure development can focus on patterns, and the development of real-world protection against covert channels is greatly simplified.

computer science, theory & methods

Jiaxuan Han,Cheng Huang,Fan Shi,Jiayong Liu

DOI: https://doi.org/10.1016/j.cose.2020.101952

2020-10-01

Abstract:<p>Information leakage is becoming increasingly serious in today' s network environment. Faced with increasingly forceful network defence strategies, attackers are also constantly trying to steal important information from systems. As for security researchers, the most troublesome way of information stealing is the covert channel. Generally, the covert channel is divided into the covert storage channel (CSC) and the covert timing channel (CTC). For the covert storage channel, there are already many effective methods to detect it. However, the detection of the covert timing channel is still in the research stage. The basis for implementing the covert timing channel is to control the sending time of packets, so most researches about the covert timing channel detection are based on the time interval between packets. Based on this idea, we refer to the method adopted in the researches of the malicious traffic detection and propose a covert timing channel detection method based on the k-NearestNeighbor (kNN) algorithm. This method uses a series of statistics related to the time interval and payload length as features to train a machine learning model and using 10-fold cross-validation to improve model performance. The experiment result proves that the model has a great detection effect, the detection accuracy is 0.96, and the Area Under Curve (AUC) value the model is 0.9737.</p>

computer science, information systems

JingZheng Wu,Liping Ding,Yongji Wang,Wei Han

DOI: https://doi.org/10.1109/ssiri.2011.17

2011-01-01

Abstract:Covert channel analysis is an important requirement when building secure information systems, and identification is the most difficult task. Although some approaches were presented, they are either experimental or constrained to some particular systems. This paper presents a practical approach based on directed information flow graph taking advantage of the source code analysis. The approach divides the whole system into serval independent modules and analyzes them respectively. All the shared variables and their caller functions are found out from the source codes and modeled into directed information flow graphs. When the information flow branches are visible and modifiable to the external interface, a potential covert channel exists. Contributions made in this paper are as follows: a modularized analysis scheme is proved and reduces the workloads of identifying, a directed information flow graph algorithm is presented and used to model the covert channels, more than 30 covert channels have been identified in Linux kernel source code using this scheme, and a typical channel scenario is constructed.