Using a Novel Blending Method Over Multiple Network Connections for Secure Communications Jaime C. Acosta and John Medrano U.S. Army Research Laboratory.


1 Using a Novel Blending Method Over Multiple Network Connections for Secure Communications Jaime C. Acosta and John Medrano U.S. Army Research Laboratory

2 Motivation
– Network attack steps
– Locate a network
– Analyze traffic
– Identify target
– Scan nodes for vulnerabilities
– Execute exploit
– Issue
– Node addresses and traffic flows

3 Motivation
– Covert Communication
– Traditionally seen as adversarial
– Data exfiltration
– From a defensive perspective
– Hide data in decoy traffic
– Hide node endpoints
– Avoid scanning
– Avoid suspicion for critical data

4 Covert Communication
– Timing channels
– Timing anomalies
– Generally low throughput
– Data channels
– Unused fields, invalid messages
– Once documented, identification is trivial

5 Objectives
– Scalable throughput
– Reliable
– Dynamic insertion point selection

6 Research Question Can we leverage characteristics of network flows for covert, secure communication?

7 Envisioned Approach
[Figure: network diagram with nodes A, B, C, D, E, F]

8
[Figure: nodes A, B, C, D, E, F linked by connections Conn1 to Conn8]
Connections:
1. Unidirectional
2. Fixed size messages sharing the same
   a. source and destination MAC, IP, and ports
   b. protocol type
3. Have an update rate
4. Have a complexity measure

9 Envisioned Approach
Connection Name   Communication Rate   Connection Complexity
Conn1             5 msg/sec            Low
Conn2             10 msg/sec           Med
Conn3             1 msg/sec            High
...
[Figure: nodes A, B, C, D, E, F linked by connections Conn1 to Conn8; labels: Promiscuous Traffic, Covert Communicators]

10 Envisioned Approach
Connection Name   Communication Rate   Connection Complexity
Conn1             5 msg/sec            Low
Conn2             10 msg/sec           Med
Conn3             1 msg/sec            High
...
[Figure: nodes A, B, C, D, E, F linked by connections Conn1 to Conn8; labels: Promiscuous Traffic, Covert Communicators]
Hide data within high-complexity payloads

11 Methodology
– Implement a system
– Parameters for determining insertion points
– Evaluate
– Vary parameter values
– Measure throughput and reliability

12 Network Blending Communication System (NBCS)
[Diagram labels: Network Analysis Subsystem, Display Subsystem, Communications Subsystem, Configuration]

13 NBCS Analysis Subsystem
[Figure: packets seen on the network during the window, grouped into Connection 1, Connection 2 and Connection 3; each packet drawn as bytes b0 b1 b2 b3 b4]

14 NBCS Analysis Subsystem
[Figure: packets seen on the network during the window, grouped into Connection 1, Connection 2 and Connection 3; each packet drawn as bytes b0 b1 b2 b3 b4]

15 NBCS Analysis Subsystem Min/Max = byteComplexities

16 NBCS Analysis Subsystem
[Figure: packets seen on the network during the window, grouped into Connection 1, Connection 2 and Connection 3; each packet drawn as bytes b0 b1 b2 b3 b4. Label: Freq. Distribution. The byteComplexities c0 c1 c2 c3 c4 are summed to give the Connection 1 complexity C]
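Added example, not the authors' code: a sketch of the per-window analysis that slides 13 to 16 outline, grouping fixed-size messages by connection, scoring each byte position, and summing the scores into the connection complexity C. The entropy-based score, the function names, the sample packets and the 1.5 threshold are assumptions; the slides name a frequency distribution and Min/Max but give no formula.

```python
import math
from collections import Counter, defaultdict

def byte_complexities(payloads):
    """Entropy (bits) of the value frequency distribution at each byte position.
    ASSUMPTION: the slides name a frequency distribution but give no formula."""
    n = len(payloads)
    result = []
    for pos in range(len(payloads[0])):
        freq = Counter(p[pos] for p in payloads)
        result.append(sum(c / n * math.log2(n / c) for c in freq.values()))
    return result

def analyze_window(packets, window_s=1.0):
    """packets: (conn_key, payload) pairs captured during one window.
    conn_key stands for the MAC/IP/port/protocol tuple from slide 8."""
    groups = defaultdict(list)
    for key, payload in packets:
        groups[(key, len(payload))].append(payload)   # fixed-size messages only
    report = {}
    for (key, size), payloads in groups.items():
        bc = byte_complexities(payloads)
        report[(key, size)] = {
            "rate": len(payloads) / window_s,         # update rate, msg/sec
            "byteComplexities": bc,
            "complexity": sum(bc),                    # connection complexity C
        }
    return report

def positions_at_or_above(entry, threshold):
    """Byte offsets whose complexity meets a byte complexity threshold."""
    return [i for i, c in enumerate(entry["byteComplexities"]) if c >= threshold]

# Constructed sample window (not captured traffic): two UDP-like connections.
SENSOR = ("02:00:00:00:00:01", "10.0.0.1", 5000, "10.0.0.2", 6000, "udp")
BEACON = ("02:00:00:00:00:03", "10.0.0.3", 5001, "10.0.0.2", 6001, "udp")
WINDOW = [
    (SENSOR, bytes.fromhex("010010a300")),
    (SENSOR, bytes.fromhex("0100115c00")),
    (SENSOR, bytes.fromhex("010012e701")),
    (SENSOR, bytes.fromhex("0100130901")),
] + [(BEACON, bytes.fromhex("aabbcc"))] * 4

REPORT = analyze_window(WINDOW, window_s=1.0)   # 1000 ms window, as on slide 26

if __name__ == "__main__":
    for (key, size), entry in REPORT.items():
        print(key[1], size, entry, positions_at_or_above(entry, 1.5))
```

The same per-position report tells a network monitor which payload offsets of a connection vary enough that altered bytes would not stand out, so those are the offsets worth baselining.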

17 NBCS system
[Diagram labels: Network Analysis Subsystem, Display Subsystem, Communications Subsystem, Configuration]

18 Communications Subsystem
[Figure labels: Covert data queue; Connection 1 with sufficient complexity … Connection 4 with sufficient complexity; Latest packets with sufficient byteComplexities]

19 Communications Subsystem
[Figure labels: Covert data queue; Connection 1 with sufficient complexity … Connection 4 with sufficient complexity; Latest packets with sufficient byteComplexities; Attach Sync and Checksum Bytes; check rateToUse]

20 Communications Subsystem
[Figure labels: Covert data queue; Connection 1 with sufficient complexity … Connection 4 with sufficient complexity; Latest packets with sufficient byteComplexities]

21 NBCS System
[Diagram labels: Network Analysis Subsystem, Display Subsystem, Communications Subsystem, Configuration]

22 Display Subsystem

23 Requirements – How it can be done
– Hub
– Promiscuous by default
– Switch
– Port mirroring
– Wireless
– Within distance
– Multicast
– Within group

24 Requirements – How it can be done
– Hub
– Promiscuous by default
– Switch
– Port mirroring
– Wireless
– Within distance
– Multicast
– Within group

25 Evaluation - Network Setup
                   Load A            Load B
Overt Nodes        6                 12
Packets/sec
Bytes/sec          95KB – 115KB      2.7MB – 3.5MB
# of Connections   15-20 (6 UDP)     40-50 (6 UDP)

26 Evaluation
– Controlled (favoring low detectability)
– Window Size = 1000ms
– Sync Bytes = 2
– Checksum Bytes = 2
– Protocol to Use = UDP
– Rate Threshold = 10
– Rate to Use = 0.1

27 Evaluation
– Independent
– Byte Complexity Threshold [ ]
– Dependent
– Throughput
– Packet loss
– Procedure
– Covert sender and receiver start simultaneously
– Covert data buffer is always full
– Run for 5 minutes

28 Results - Throughput

29 Results – Packet Loss

30 Future Work
– More beneficial to hide covert data based on byte similarity?
– Wireless and multicast traffic?
– Automatic parameter tuning in real time depending on network characteristics?

31 Questions

32 Preliminary Wireless Tests

33

34 NBCS Analysis Subsystem
[Figure: packets seen on the network during the window, grouped into Connection 1, Connection 2 and Connection 3; each packet drawn as bytes b0 b1 b2 b3 b4]

35 NBCS Analysis Subsystem Sample byte complexities

36 NBCS Analysis Subsystem
[Figure: packets seen on the network during the window, grouped into Connection 1, Connection 2 and Connection 3; each packet drawn as bytes b0 b1 b2 b3 b4. Labels: Min, Max. The byteComplexities c0 c1 c2 c3 c4 are summed to give the Connection 1 complexity C]

