
U.S. Army Research Laboratory



Presentation on theme: "U.S. Army Research Laboratory"— Presentation transcript:

1 U.S. Army Research Laboratory
Using a Novel Blending Method Over Multiple Network Connections for Secure Communications
Jaime C. Acosta and John Medrano, U.S. Army Research Laboratory

2 Motivation
Network attack steps:
  Locate a network
  Analyze traffic
  Identify target
  Scan nodes for vulnerabilities
  Execute exploit
Issue: node addresses and traffic flows.

Notes: Vis: can I run scans on the machines? Gen: does this look like proprietary? Insider attackers could analyze interesting [traffic], or in a war scenario someone could go look at traffic (if non-IP, unknown protocols, etc.). Even if on a different band it may be seen one day, but this will be hidden under their noses, so it won't look anomalous.

3 Motivation
Covert communication:
  Traditionally seen as adversarial
  Data exfiltration
From a defensive perspective:
  Hide data in decoy traffic
  Hide node endpoints
  Avoid scanning
  Avoid suspicion for critical data

4 Covert Communication
Timing channels:
  Timing anomalies
  Generally low throughput
Data channels:
  Unused fields, invalid messages
  Once documented, identification is trivial

5 Objectives
  Scalable throughput
  Reliable
  Dynamic insertion point selection

6 Research Question
Can we leverage characteristics of network flows for covert, secure communication?

7 Envisioned Approach
[Figure: nodes A, B, C, D, E, F]

Notes: This research is a first step (hub, then multicast, wireless, then drivers, etc.). Define connections: connections are fixed-size, unidirectional network flows between two nodes. State benefits here.

8 Envisioned Approach
[Figure: nodes A, B, C, D, E, F]
Connections:
  1. Unidirectional
  2. Fixed-size messages sharing the same
     a. source and destination MAC, IP, and ports
     b. protocol type
  3. Have an update rate
  4. Have a complexity measure

9 Envisioned Approach
[Figure: covert communicators A, B, C, D, E, F; promiscuous traffic on connections Conn1 ... Conn8]

Connection Name   Communication Rate   Connection Complexity
Conn1             5 msg/sec            Low
Conn2             10 msg/sec           Med
Conn3             1 msg/sec            High
...

10 Envisioned Approach
Hide data within high-complexity payloads
[Figure: the network and connection table from slide 9]

11 Methodology
Implement a system
  Parameters for determining insertion points
Evaluate
  Vary parameter values
  Measure throughput and reliability

12 Network Blending Communication System (NBCS)
Subsystems: Analysis Subsystem, Display Subsystem, Communications Subsystem, Configuration

Notes: Highlight one at a time and describe each.

13 NBCS Analysis Subsystem
[Figure: Network -> Connection 1, Connection 2, Connection 3; packets captured during a window, each with bytes b0 b1 b2 b3 b4]

Notes: Packets from the network are kept in connections. After each window, a complexity value is calculated for each byte position, and the connection's complexity is the sum of its byte complexities. (Slide-editing notes: separate onto multiple slides; give example values for b0-b4 and c0-c4; say that c0-c4 are histograms; insert a max/min step from connection 1 to the byte complexities.)


15 NBCS Analysis Subsystem
Min/Max = byteComplexities

Notes: Say we're assuming unknown covert data, so a minimum of 0 will give a complexity of 0.

16 NBCS Analysis Subsystem
[Figure: Network -> Connection 1, Connection 2, Connection 3; packets during a window with bytes b0 b1 b2 b3 b4; frequency distribution of each byte -> byteComplexities c0 c1 c2 c3 c4; sum -> C, the Connection 1 complexity]

17 Communications Subsystem
[Figure: NBCS system: Network -> Analysis Subsystem, Display Subsystem, Communications Subsystem, Configuration]

18 Communications Subsystem
[Figure: covert data queue; Connection 1 with sufficient complexity; Connection 4 with sufficient complexity; latest packets with sufficient byteComplexities]

Notes: After each window, the latest packets with sufficient complexity are selected (one per connection). The green areas show the series of bytes with sufficient complexity. (Slide-editing notes: change green to blue and blue to something else to match the previous slide; separate onto multiple slides.)

19 Communications Subsystem
[Figure: as slide 18, with two further steps: check rateToUse; attach sync and checksum bytes]



22 Display Subsystem

23 Requirements – How it can be done
  Hub: promiscuous by default
  Switch: port mirroring
  Wireless: within distance
  Multicast: within group

24 Requirements – How it can be done
  Hub: promiscuous by default
  Switch: port mirroring
  Wireless: within distance
  Multicast: within group
Started with the simplest case.

25 Evaluation - Network Setup

                    Load A            Load B
Overt Nodes         6                 12
Packets/sec         80-100 (listed once for both loads)
Bytes/sec           95KB - 115KB      2.7MB - 3.5MB
# of Connections    15-20 (6 UDP)     40-50 (6 UDP)

26 Evaluation
Controlled (favoring low detectability):
  Window Size = 1000ms
  Sync Bytes = 2
  Checksum Bytes = 2
  Protocol to Use = UDP
  Rate Threshold = 10
  Rate to Use = 0.1

Notes: Startup procedure: covert receiver started 5 seconds after covert sender; send buffer always full.

27 Evaluation
Independent: Byte Complexity Threshold [0.1-0.9]
Dependent: Throughput, Packet loss
Procedure:
  Covert sender and receiver start simultaneously
  Covert data buffer is always full
  Run for 5 minutes

28 Results - Throughput

29 Results – Packet Loss

30 Future Work
  More beneficial to hide covert data based on byte similarity?
  Wireless and multicast traffic?
  Automatic parameter tuning in real time depending on network characteristics?

31 Questions

32 Preliminary Wireless Tests

33 Preliminary Wireless Tests


35 NBCS Analysis Subsystem
Sample byte complexities: the value ranges for the bytes are stored in eight bins (x-axis). Each time a new packet is received, the bin corresponding to the byte value is incremented (y-axis). The leftmost histogram is for a byte that exhibits a predominant value with some occurrences of surrounding values. The middle histogram shows a byte value that is mostly evenly distributed (which is most favored for covert data placement), while the rightmost graph shows a byte value that has three discrete value ranges.

Notes: (Slide-editing notes: separate onto multiple slides; will include the better slide from the Q review.)

36 NBCS Analysis Subsystem
[Figure: Network -> Connection 1, Connection 2, Connection 3; packets during a window with bytes b0 b1 b2 b3 b4; min/max normalization -> byteComplexities c0 c1 c2 c3 c4; sum -> C, the Connection 1 complexity]
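Added example (this is not the NBCS code from the slides): a small Python sketch of the analysis subsystem as slides 8, 13-16 and 35 describe it. It groups constructed packets into connections keyed the way slide 8 defines them (direction, MAC, IP, ports, protocol, message size), builds one eight-bin histogram per byte position over a window, scores each position, and sums the scores into a connection complexity. The scoring function is an assumption: the slides show the histograms and the min/max step but never name a measure, so the example uses Shannon entropy of the eight bins scaled to [0, 1], which gives a constant byte 0 and an evenly spread byte 1.0. All addresses, ports and payloads are constructed, and every function name is hypothetical.

```python
# Added example, not the NBCS implementation: a sketch of the analysis
# subsystem from slides 8, 13-16 and 35. All packets below are constructed.
from collections import Counter, defaultdict, namedtuple
import math

BINS = 8                   # slide 35: byte value ranges are stored in eight bins
BIN_WIDTH = 256 // BINS    # 32 byte values per bin

# Constructed packet record with only the fields the connection key needs.
Packet = namedtuple("Packet", "src_mac dst_mac src_ip dst_ip sport dport proto payload")


def conn_key(p):
    """Slide 8: a connection is a unidirectional flow of fixed-size messages that
    share source/destination MAC, IP, ports and protocol. Direction and message
    size are part of the key, so A->B and B->A are different connections."""
    return (p.src_mac, p.dst_mac, p.src_ip, p.dst_ip, p.sport, p.dport,
            p.proto, len(p.payload))


def group_connections(packets):
    """Keep the packets seen during a window in their connections."""
    conns = defaultdict(list)
    for p in packets:
        conns[conn_key(p)].append(p)
    return dict(conns)


def byte_histograms(pkts):
    """One 8-bin histogram per byte position b0, b1, ...; each packet increments
    the bin its byte value falls into (slide 35)."""
    hists = [Counter() for _ in range(len(pkts[0].payload))]
    for p in pkts:
        for i, value in enumerate(p.payload):
            hists[i][value // BIN_WIDTH] += 1
    return hists


def byte_complexity(hist):
    """ASSUMED measure (the slides name none): Shannon entropy of the 8-bin
    distribution divided by its maximum, log2(8). A constant byte scores 0
    (slide 15: a minimum of 0 gives complexity 0); a byte spread evenly over
    all bins scores 1.0, the case slide 35 calls most favored."""
    n = sum(hist.values())
    if n == 0:
        return 0.0
    h = sum(-(c / n) * math.log2(c / n) for c in hist.values() if c)
    return h / math.log2(BINS)


def analyse_window(pkts, window_s=1.0):
    """One connection, one window: update rate, byte complexities c0..cn and
    the connection complexity C = sum of the byte complexities (slide 16)."""
    cs = [byte_complexity(h) for h in byte_histograms(pkts)]
    return {"rate": len(pkts) / window_s, "byte_complexities": cs,
            "connection_complexity": sum(cs)}


def positions_at_or_above(cs, threshold):
    """Byte positions whose complexity meets the threshold (slide 27 sweeps 0.1-0.9)."""
    return [i for i, c in enumerate(cs) if c >= threshold]


def sample_packets():
    """Constructed traffic for one 1000 ms window (slide 26's window size)."""
    a, b = "aa:00:00:00:00:01", "aa:00:00:00:00:02"
    c, d = "aa:00:00:00:00:03", "aa:00:00:00:00:04"
    pkts = []
    # A->B, eight 5-byte messages: b0 constant, b1 in two bins, b2 in every
    # bin once, b3 constant, b4 skewed over four bins.
    b1 = [0x05, 0x7f] * 4
    b2 = [k * BIN_WIDTH for k in range(8)]
    b4 = [0, 0, 0, 0, 32, 32, 64, 96]
    for k in range(8):
        pkts.append(Packet(a, b, "10.0.0.1", "10.0.0.2", 5000, 6000, "UDP",
                           bytes([0x10, b1[k], b2[k], 0xAA, b4[k]])))
    # B->A, same size: a separate connection, since connections are unidirectional.
    for _ in range(2):
        pkts.append(Packet(b, a, "10.0.0.2", "10.0.0.1", 6000, 5000, "UDP",
                           b"\x01\x02\x03\x04\x05"))
    # C->D, four identical 3-byte TCP messages: no byte has any complexity.
    for _ in range(4):
        pkts.append(Packet(c, d, "10.0.0.3", "10.0.0.4", 4444, 80, "TCP",
                           b"\x00\x01\x02"))
    return pkts


def run_demo(threshold=0.5):
    """Analyse every connection in the sample window; returns {conn_key: result}."""
    out = {}
    for key, pkts in group_connections(sample_packets()).items():
        res = analyse_window(pkts)
        res["candidates"] = positions_at_or_above(res["byte_complexities"], threshold)
        out[key] = res
    return out


if __name__ == "__main__":
    for key, res in run_demo().items():
        print("%s -> %s %s size %d: rate %.0f msg/s, C = %.3f, positions >= 0.5: %s"
              % (key[2], key[3], key[6], key[7], res["rate"],
                 res["connection_complexity"], res["candidates"]))
```

Running the script lists three connections: A->B (rate 8 msg/s, C about 1.917, positions 2 and 4 at or above 0.5), B->A as its own connection, and the constant TCP flow at C = 0. Raising the threshold to 0.9 leaves only position 2, the byte that spreads over every bin; this is the same threshold sweep slide 27 uses, and on the defender's side the same per-position entropy is what flags which fields of a flow could carry blended data and which flows change their byte distributions from one window to the next.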

