Performance of Selected Noisy Covert Channels and Their Countermeasures in IP Networks
Encryption alone secures communication by preventing adversaries from
easily decoding one’s transmissions. Covert channels go one step
further by attempting to hide the very existence of communication. They hide inside legitimate overt
network traffic. Huge amounts of traffic make the Internet an ideal
vehicle for covert communications.
Most existing covert channels are simple and in principle easy to
detect or eliminate. The more complex channels are usually harder to
detect and eliminate, but typically suffer from channel noise. Previous work has only partly analysed the
performance of noisy channels and their countermeasures and has not
compared different types of channels.
We characterise the trade-offs between channel simplicity, capacity and
ease of detection and elimination by investigating the performance of
selected noisy covert channels and their countermeasures. Not all chosen channels are entirely new,
but we propose novel improved encoding schemes. We also develop
techniques for reliable data transmission. We analyse the theoretical
channel capacities as well as empirically measure achievable
throughputs. We show that the Internet’s potential to support
more sophisticated covert channels is considerably greater than
suggested by most existing simple channels.
First, we analyse a channel in the IP Time-to-live (TTL) header field.
We develop new stealthier encoding schemes that also provide a slightly
increased capacity. The channel
has a comparatively high capacity of up to a few hundred bits per
second depending on the overt traffic, but is easy to detect and
eliminate. Next, we analyse an inter-packet gap timing channel. We
develop novel stealthy encoding schemes because previous schemes are
easy to detect. The channel only has up to 70–80% of the TTL
channel’s capacity, but is harder to detect. However, it can
still be eliminated.
Then we propose and analyse a novel indirect channel in multiplayer
game traffic. The channel is impractical to eliminate, but is still
detectable. The capacity is up to 10–20
bits per second – lower than that of direct channels. Next, we
analyse an indirect timing channel that transmits bits via temperature
changes. We develop an improved version of the channel that has
increased capacity. Still the capacity is only 10–20 bits per
hour, but the channel is potentially hard to detect and eliminate.
Finally, we develop techniques to detect and eliminate the covert
channels and evaluate their effectiveness. While the proposed
elimination methods are effective but channel-specific, we demonstrate
that machine-learning techniques detect different covert channels with
over 95% accuracy.
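As an added illustration of why the abstract calls the TTL channel "easy to detect and eliminate" (example code written for this page, not part of the thesis or its software framework), the following detector flags flows whose TTL field varies, and a normaliser shows the elimination side. It assumes packets are already reduced to (src, dst, ttl) tuples; the sample data and the entropy threshold are constructed here.

```python
import math
from collections import Counter, defaultdict

def ttl_entropy(ttls):
    """Shannon entropy (bits) of the TTL values observed in one flow."""
    n = len(ttls)
    counts = Counter(ttls)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def flag_ttl_flows(packets, threshold=0.5):
    """Detection: return {flow: entropy} for flows whose TTL entropy exceeds threshold.

    A host sets one fixed initial TTL and the path length to a given peer
    rarely changes, so per-flow TTL entropy is normally close to zero. A
    covert channel that modulates the TTL field raises it. The threshold
    (0.5 bits) is an assumed value; a rare route change shifts the TTL once
    and stays well below it, whereas rapid alternation does not.
    """
    flows = defaultdict(list)
    for src, dst, ttl in packets:
        flows[(src, dst)].append(ttl)
    return {flow: round(ttl_entropy(t), 3)
            for flow, t in flows.items() if ttl_entropy(t) > threshold}

def normalise_ttl(packets, fixed_ttl=64):
    """Elimination: rewrite every TTL to one fixed value, as a normalising
    middlebox would, so no information survives in the field."""
    return [(src, dst, fixed_ttl) for src, dst, _ in packets]

# Constructed sample: a legitimate flow with a constant TTL of 57 and a
# second flow whose TTL alternates between 57 and 56 (constructed values).
SAMPLE = [("10.0.0.5", "192.0.2.10", 57)] * 8 + [
    ("10.0.0.7", "192.0.2.10", t) for t in (57, 56, 56, 57, 56, 57, 57, 56)]

if __name__ == "__main__":
    print("suspicious flows:", flag_ttl_flows(SAMPLE))
    print("after normalisation:", flag_ttl_flows(normalise_ttl(SAMPLE)))
```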
Intro [pdf]
Chapter 1: Introduction [pdf]
Chapter 2: Covert Channels [pdf]
Chapter 3: Time-to-Live Covert Channels [pdf]
Chapter 4: Packet-Timing Covert Channels [pdf]
Chapter 5: Covert Channels in Multiplayer Games [pdf]
Chapter 6: Temperature-based Covert Channels [pdf]
Chapter 7: Countermeasures [pdf]
Chapter 8: Conclusions and Future Work [pdf]
References [pdf]
Appendix A: Covert Channels Software Framework [pdf]
Appendix B: Time-to-Live Covert Channels [pdf]
Appendix C: Packet Timing Covert Channels [pdf]
Appendix D: Covert Channels in Multiplayer Games [pdf]
Appendix E: Temperature-based Covert Channels [pdf]
Appendix F: Netem Accuracy [pdf]