asUDP-basedgameandVoIPtracandTCPtrac,oftenarenotiidbecausethereisaut - PDF document

asUDP-basedgameandVoIPtracandTCPtrac,oftenarenotiidbecausethereisauto-correlation.Thechannelproposedin[2,3]iseasytodetectwithsuchapplications.Thechannelin[2,3]requiresaccessiblesequencenumbersintheoverttrac.Oth-erwiseanylostpacketsdesynchronisecovertsenderandreceiver.TCPprovidesse-quencenumbers,butnotallUDP-basedtrachassequencenumbers,ortheymaynotbeaccessibleiftheprotocolisencrypted.Weproposeanimprovedchannel,basedontechniquesforinformationhidinginimages(steganography),whichishardertodetectwhenIPGsarenotiid.Ournewtech-niquegeneratestherandomnumbersneededforencodingfromthepacketsthemselves,whichmakesthechannelrobustenoughforusewithallUDP-basedprotocols.First,wemotivateourworkbydemonstratingthatseveralapplicationshaveauto-correlatedIPGs.Wethenpresenttheimprovedcovertchannel.Weshowthatfortracwithauto-correlatedIPGstheexistingtimingchanneliseasytodetectwith~80%accu-racyandafalsepositiverateof0.5%1.Ournewchannelismuchhardertodetect.Thedetectionaccuracyreducestoonly~9%withafalsepositiverateof0.5%.Adrawbackofournewchannelisareducedrobustnessagainstnetworkjitter.However,basedonaproof-of-conceptimplementationweshowthatthechannelcapacityisstillhighenoughforpracticaluse,evenacrossuncongestedInternetpathswithmorethan10hops.Thecapacityrangesfromafewbitspersecondtooverhundredbitspersecond,dependingontheoverttrac'spacketrateandnetworkjitter.Thepaperisorganisedasfollows.Section2outlinesrelatedwork.InSection3weshowthatseveralapplicationsoftenhaveauto-correlatedIPGs.InSection4weproposeournewchannel.InSection5weanalysethedetectionaccuracyforthechannelin[2,3]andourimprovedchannelusingmachinelearning.InSection6weanalysethecapacityofourimprovedchannel.Section7concludesandoutlinesfuturework.2RelatedWorkThepossibilityofencodingcovertchannelsinthetimingofpackets(orframes)wasidentiedearlybyPadlipskyetal.[5].However,allthetimingchannelsproposedpriortoBerk'swork[6]werebasedonencodinginvaryingpacketratesovertimeasopposedtoencodinginIPGvaluesdirectly.Forspacereasonswedonotdiscussthemhereandinsteadreferthereaderto[1].Berketal.introducedpacket-timingchannelswherethecovertinformationisen-codedintheIPGsofconsecutivepackets[6].TheycomparedchannelswithtwoIPGsandmultipleIPGs,anddevelopedamechanismbywhichthesendercanpicktheoptimalsymboldistributioninmulti-symbolchannels.Shaetal.developeda“bug”thathooksintotheconnectionbetweenkeyboardandcomputerandex-ltratesallkeystrokesbymodulatingtheIPGsofnetworktracsendbythevictim[7].Gian-vecchioetal.latershowedthatbothofthesechannelsareeasytodetect[8].Gianvecchioetal.[2]developedastealthierIPGtimingchannelandevaluateditsperformance.TheyproposedtotamodeltotheIPGdistributionofrealtracandthenusethemodeltogenerateacovertchannelwithidenticaldistribution.IftheIPGs 1Inrealitymostowsarenormalows,soadetector'sfalsepositiveratemustbeloworcovertchannelsareeectivelymasked(seeSection5). Fig.1.Averageauto-correlationforQ3client-to-server(left),Skype(middle)andTCP(right)trac(zoomedy-axis)Weanalysetheauto-correlationofIPGsandleastsignicantpartsofIPGs.Wedenetheleastsignicantpartas:dlsp=dmodl=d�$d l%l;(3)wheredistheIPGandlisthesizeoftheleastsignicantpart.Forexample,iftheIPGis21.75msandl=1msthendlsp=0:75ms(sub-millisecondpart).3.2ResultsFigure1showstheaverageACFsofQ3client-to-server,SkypeandTCPtracforthefullIPGsanddecreasingleastsignicantparts(100).TheaverageACFofthefullIPGsdecaysmorerapidlythanindividualACFs(e.g.theoneshowninFigure2(left)),asindividualACFshavelowsandhighsatdierentplaces.StillitissignicantlylargerthantheaverageACFforsmallleastsignicantparts.FortheUDP-basedapplicationsIPGsareoftenatleastmoderatelycorrelated.How-ever,smallerleastsignicantpartsofIPGsarelargelyuncorrelated.Thesizeoftheleastsignicantpartwherecorrelationdiminishesdependsontheapplication.TheTCPowsshowlesscorrelation,butmanyowsstillhavelowtomoderatecorrelation.IPGsofapplicationswherepacketsendtimesarehuman-drivenandeectivelyrandomwereshowntobeiid(e.g.Telnet[4]).However,forotherapplicationsauto-correlationofIPGstendstoexistbecauseoflarge-time-scalebehaviours,suchasthecongestionwindowgrowth/collapseforTCPortheapplication'sencodingforgamesorVoIPoverUDP.Networkjitterreducesexistingcorrelations,butevenaftermanyhopsoftenthereissomecorrelation.Furthermore,ifthewardenisclosetothecovertsender,theIPGsobservedarelargelyunaectedbynetworkjitter.Thesmalltime-scalebehaviour(exposedbylookingonlyattheleastsignicantpartofIPGs)isjitteredbylargelyuncorrelatednoise,forexamplequeuingdelaysateachhop.Ournewencodingtechniqueexploitsthiseect. Fig.2.Auto-correlationofIPGsofnormalQ3trac(left),covertchannelin[2,3](middle)andsub-bandencodingwithl=5ms(right)4.2ImprovedsynchronisationThebasicencodingworksonlyiftheoverttrachasaccessiblesequencenumbers.OtherwiseanypacketlosspermanentlydesynchronisesAliceandBob.Furthermore,ifBobisunabletoobserveatransmission'sstarthecanneversynchronisewithAlice.SynchronisationcanbeimprovedbycomputingRfromthepacketsthemselves.LetHbeagoodhashfunctionthatmapstheinputsasevenlyaspossibleovertheoutputrange(uniformdistribution).LetBdenotesomepartofanovertpacketthatisimmutableonthepathfromAlicetoBob,andletbibethevalueofBforthei-thpacket.Randomnumbersaregeneratedasfollows:ri=H(bi):(8)WeassumethattheinputsbivarysucientlysothattheoutputofHisapprox-imatelyuniformlydistributed.Previousworkonpacketsamplingandone-waydelaymeasurementshowedthatgenerallythisisthecaseifBischosenproperly,andsug-gestedseveralsuitablechoicesforHandB[14].TCPretransmissionsmaycausethesameinputsbirepeatedly,butusingTCPheaderinformationAliceandBobcan`ignore'them.AliceandBobneedtoagreeonHandB.ItispossibleforawardentoguessHandBandthereforetodetectthecovertchannel,sincethechoicesforHandBarelimited.AliceandBobcanusekeyedhashfunctionsusedforMessageAuthenticationCodes(MACs)forhighersecurity.Withourimprovedsynchronisationtechniquelostpacketscanstillcauselostbits,butneverapermanentdesynchronisation.4.3Sub-bandencodingNowwepresentournewencodingschemethatismuchstealthierifIPGsarenotiid.TheschemeencodescovertbitsonlyintotheleastsignicantpartofIPGsasdenedinEquation3.LetlbethesizeoftheleastsignicantpartoftheIPGs.Theparameterldeterminesthetrade-obetweenstealthandrobustness.LetDbetherangeofIPGs(maximumminustheminimum).ThenanIPGdistributiontypicallyspansm=dD=lesub-bandsof 5DetectionWeuseclassiersconstructedbyasupervisedMachineLearning(ML)algorithm.Dur-ingtrainingsupervisedMLtechniquesbuildclassiersbasedondatainstanceswithclasslabelsattached,sothatthedatainstancesare`optimally'separatedintothedier-entclassesbasedoncharacteristics(features)oftheinstancesotherthantheclasslabel.Theclassiersarethenusedtoclassifydatainstancesofunknownclass.5.1DatasetsandFeaturesAsnormaltracweusedthedatasetsfromSection3.Thecoverttracwascreatedbasedonthesedatasetsusingsub-bandencoding.ForeachnormalowwegeneratedonecorrespondingcovertchannelbasedonthesameIPGdistribution.Weusedtherst5000IPGsofeachow.Thecovertdatawasuniformlyrandomdistributed,asifAliceandBobusedencryption.Eachdatasethadthesamenumberofcovertandnormalowstoavoidbiasoftheclassiertowardsalargerclass.LetX=[X1;:::;Xn]beaseriesofIPGsofaowwithvaluesx1;:::;xn.ForeachXwecomputedtherstorderentropy(Entropy)andanestimateoftheentropyrate(En-tropyRate)usingthecorrectedconditionalentropy(CCE)[8].Therstorderentropyisusefulforcomparingtheshapeofdistributionsofrandomvariables,andtheentropyrateisusefulforcomparingtheregularityoftimeseries.ForcomputingtheCCEweusedequiprobablebinningofthedataasin[8].TodeterminethenumberofbinsQweperformedinitialtestsandfoundQ=5maximisedtheclassicationaccuracy.Wealsocomputedafeaturebasedonthetwo-sampleKolmogorov-Smirnov(KS)test,whichteststhehypothesisthattwosamplesweredrawnfromthesamedistribution.AlowKSteststatisticmeansthatthedistributionsaresimilarwhereasahighKSteststatisticmeansthedistributionsaredierent.TheKStestisapplicabletoavarietyofdatawithdierentdistributions.Sinceweneedafeaturethatreectshowdierentadistributionisfromthesetofdistributionscharacterisingnormaltrac,wecomputedthesetofKSteststatisticsbetweenadatainstance(covertornormal)andallinstancesofnormaltrac(excludingtestsofanormalinstancewithitself)andusethemeanofallKSstatistics(MeanKS).5.2MachineLearningPreviousresearchshowedthatforclassicationofnetworktracthebetterMLtech-niquesprovidesimilaraccuracy,butdiergreatlyregardingtrainingtimeandclassi-cationspeed[15].WeusedtheC4.5decisiontreeclassier[16]–morepreciselyitsimplementationintheWaikatoEnvironmentforKnowledgeAnalysis(WEKA)[17],becauseithadperformedwellpreviously[15].Usingadecisiontreealgorithmalsohastheadvantagethatahumancaninterprettheresultingclassier,althoughwithincreas-ingsizeofthetreethisbecomesdicult.C4.5selectsfeaturesinorderofmaximisinganentropy-basedgainratio.Themostusefulfeaturesarealwaysusedatthetopofthetreeandirrelevantfeaturesarelargelyignored.Hence,C4.5isnotadverselyaectedbyirrelevantfeatureslikesomeothertechniquesandfeaturepre-selectionisnotnecessary.C4.5attemptstoavoidover-tting Fig.3.Precisionandrecallofcoverttracclassforbasicencodingandsub-bandencod-ingdependingonleastsignicantpartl Fig.4.ROCcurvesofcoverttracclassforthebasiccovertchannelproposedin[2,3]andsub-bandencodingwithl=5ms6ChannelCapacityWeproposeamodeltocomputethechannelcapacity,describeourexperimentalsetup,andpresentthemeasuredchannelcapacitiesbasedondierentnetworkjitter.6.1ChannelModelWeassumethechannel'soutputonlydependsontheinputandtheerrorsbutnotonpre-viousinputs(memorylesschannel)andwefocusonabinarychannel(onebitencodedperIPG).Timingjittercausesbitsubstitutionerrors.Undertimingjitterwesubsumepackettiminginaccuraciesatthecovertsender,timestampinginaccuraciesatthecovertreceiverandnetworkjitter.Inourtestbedexperimentstheresultingerrorrateswereapproximatelysymmetric.HencewemodelthechannelasBinarySymmetricChannel(BSC)withacapacity[18]:C=1�H(p)=1+p
log2(p)+(1�p)
log2(1�p);(11)whereH(:)isthebinaryentropyandpistheprobabilityoftimingerrors.Thecapac-ityCisinbitsperIPG(bitspersymbol).GivenanaveragerateofIPGsfStheaveragetransmissionrateinbitspersecondis:R=C
fS:(12)6.2TestbedandMethodologyWeimplementedaprototypeofsub-bandencoding,usingtheCovertChannelsEval-uationFramework(CCHEF)[19],whichwascarefullydesignedtomaximiseAlice's packettimingaccuracy.However,sinceitisauserspaceprogramitcompeteswithotheruserspaceprogramsforCPUtime.OtherprogramsusingalotofCPUtimedecreasethetimingaccuracy.Toavoidthisweusedreal-timeLinux2.6.20andranAliceandBobasreal-timeprocesseswithhighpriority.Wealsosetthekernel'stickfrequencyto10kHztoreducethesizeoftimeslices.OurtestbedconsistedoftwocomputersconnectedviaaFastEthernetswitch.Weusedscptoperformletransferscappedat2Mbit/s,andSSHtoperformremoteinter-activeshellsessions.WegeneratedQ3withbotsasplayers.Eachexperimentlasting20minuteswasrepeatedthreetimesandwereporttheaveragestatistics.NetworkdelayandjitterwereemulatedusingLinuxNetem[20].Thenetworkdelaywasemulatedus-ingParetodistributionswithameanof25msandstandarddeviations()of0,0.1,0.2,0.3,0.5,1and2msineachdirection,sincepreviousresearchsuggestedthatnetworkjitterisheavy-tailed[21],andNetemonlysupportsUniform,GaussianandParetojitterdistributions.Settingthekernelticktimerfrequencyto10kHzensureddelayemulationwasaccurateto100µs.Figure5showsCDFsoftheabsoluteIPDelayVariation(IPDV[22]),bothinthetestbedwithParetodistributionswithdierentandmeasuredacrosstwoInternetpaths.The8-hopInternetpath'sRTTwasapproximately32ms,andthe13-hoppath'sRTTwasapproximately46ms.Weestimatedtheone-waydelaytohalfthemeasuredRTT.BothInternetpath'sIPDVCDFsliebetweenthetestbedCDFsfor=[0:3;0:5].TheIPGmodelswerebuiltasfollows.First,wemeasuredtheIPGdistributionofeachapplicationatthesource,unaectedbytimingjitter.Wethenaddedasmallamountofnoise.Withouttheaddednoisethecovertchannelwouldnotworkwellforapplica-tionswithverynarrowIPGdistribution,suchasQ3client-to-serverandscptrac.Thenoiserepresentstimingjittercausedbythenetwork,orahighCPUornetworkinterfaceloadofthesourcehost,whichthewardenwouldalsoencounterinreality.Ourmodelswerehistogramswithsmallbinsizesof100µs,asourtracsourcescannotbemodelledwellwithstandardstatisticaldistributions.ForQ3andSSHtraf-cthelocationofthesub-bandswaschosensuchthatpeaksinthedistributionsareapproximatelyinthemiddleofbands.6.3MaximumtransmissionratesWemeasuredtheerrorratesofthechannelbasedonthenetworkjitterandcomputedthemaximumtransmissionratesusingEquations11and12.Figure6showsthemaximumratesforsub-bandencodingforasub-bandsizeofl=5ms.Weselectedthissizebecauseitprovidesacceptablenoiselevelsfor0:5msatareasonablylowdetectionaccuracy(seeSection5).NotethatforTCPtracthechannelcanonlybeencodedinonedirectionduetothetimingdependenciesbetweenpacketsinbothdirections.MultipleTCPowscouldbeusedtoachievefull-duplexcommunication.Sub-bandencodinghassignicantlyhighererrorrateswithQ3client-to-servertraf-corscpcomparedtoQ3server-to-clienttracorSSH(notshown).However,thetransmissionratesarestillmuchhigherforQ3client-to-servertracandscpbecauseofthemuchhigherpacketrates.Sub-bandencodinghaslowerrorratesandreason-ablyhighcapacitiesatlowlevelsofjittertypicalofuncongestedpaths.Transmissionratesareuptooverhundredbitspersecond.Ifthenetworkjitterishighthecapacityis References1.S.Zander,G.Armitage,P.Branch.ASurveyofCovertChannelsandCountermeasuresinComputerNetworkProtocols.IEEECommunicationsSurveysandTutorials,9(3):44–57,October2007.2.S.Gianvecchio,H.Wang,D.Wijesekera,S.Jajodia.Model-BasedCovertTimingChan-nels:AutomatedModelingandEvasion.InRecentAdvancesinIntrusionDetection(RAID),September2008.3.S.H.Sellke,C.-C.Wang,S.Bagchi,N.B.Shro.CovertTCP/IPTimingChannels:TheorytoImplementation.InConferenceonComputerCommunications(INFOCOM),April2009.4.V.Paxson.End-to-endInternetPacketDynamics.IEEE/ACMTransactionsonNetworking,7(3):277–292,1999.5.M.A.Padlipsky,D.W.Snow,P.A.Karger.LimitationsofEnd-to-EndEncryptioninSecureComputerNetworks.TechnicalReportESD-TR-78-158,MitreCorporation,August1978.6.V.Berk,A.Giani,G.Cybenko.DetectionofCovertChannelEncodinginNetworkPacketDelays.TechnicalReportTR2005-536,DartmouthCollege,November2005.7.G.Shah,A.Molina,M.Blaze.KeyboardsandCovertChannels.InUSENIXSecurity,August2006.8.S.Gianvecchio,H.Wang.DetectingCovertTimingChannels:AnEntropy-BasedApproach.InACMConferenceonComputerandCommunicationSecurity(CCS),November2007.9.X.Luo,E.W.W.Chan,R.K.C.Chang.TCPCovertTimingChannels:DesignandDetec-tion.InIEEE/IFIPConferenceonDependableSystemsandNetworks(DSN),June2008.10.Y.Liu,D.Ghosal,F.Armknecht,A.-R.Sadeghi,S.Schulz,S.Katzenbeisser.HideandSeekinTime–RobustCovertTimingChannels.InEuropeanSymposiumonResearchinComputerSecurity,September2009.11.Quake3.http://www.idsoftware.com.12.P.Branch,A.Heyde,G.Armitage.RapidIdenticationofSkypeTrac.InACMNetworkandOperatingSystemSupportforDigitalAudioandVideo(NOSSDAV),June2009.13.M2CMeasurementDataRepository,December2003.http://traces.simpleweb.org/.14.C.Henke,C.Schmoll,T.Zseby.EmpiricalEvaluationofHashFunctionsforPacketIDGen-erationinSampledMultipointMeasurements.InPassiveandActiveMeasurement(PAM)Workshop,pages197–206,2009.15.N.Williams,S.Zander,G.Armitage.APreliminaryPerformanceComparisonofFiveMa-chineLearningAlgorithmsforPracticalIPTracFlowClassication.SIGCOMMCom-puterCommunicationReview,36(5),October2006.16.R.Kohavi,J.R.Quinlan.Decision-treeDiscovery,chapter16.1.3,pages267–276.OxfordUniversityPress,2002.17.I.H.Witten,EibeFrank."DataMining:PracticalMachineLearningToolsandTechniques–2ndEdition.MorganKaufmann,SanFrancisco,2005.18.T.M.Cover,J.A.Thomas.ElementsofInformationTheory.WileySeriesinTelecommuni-cations.JohnWiley&Sons,1991.19.S.Zander.CCHEF-CovertChannelsEvaluationFramework,2007.http://caia.swin.edu.au/cv/szander/cc/cchef/.20.LinuxFoundation.Netem,2008.http://www.linuxfoundation.org/en/Net:Netem.21.L.Rizo,D.Torres,J.Dehesa,D.Muñoz.CauchyDistributionforJitterinIPNetworks.InInternationalConferenceonElectronics,CommunicationsandComputers,pages35–40,2008.22.C.DemichelisandP.Chimento.IPPacketDelayVariationMetricforIPPerformanceMet-rics(IPPM).RFC3393,IETF,November2002.http://www.ietf.org/rfc/rfc3393.txt.