Model-Based Covert Timing Channels: Automated Modeling and Evasion
Steven Gianvecchio (1), Haining Wang (1), Duminda Wijesekera (2), and Sushil Jajodia (2)
(1) College of William and Mary; (2) George Mason University
RAID 2008

Outline
- Background
- Covert Timing Channels
- Model-Based Framework
- Experimental Evaluation
  - Capacity
  - Detection Resistance
- Conclusion
Background: Covert Channels
- manipulate a shared resource to transfer information
- hide communication (or extra communication) inside a channel that is allowed
- used to exfiltrate sensitive data (e.g., keys, passwords)
Background: Types of Covert Channels
- the shared resource determines the type
  - covert storage channels modulate stored values (e.g., packet header fields)
  - covert timing channels modulate timing (e.g., packet arrival times)
Covert Timing Channels: Main Goals
- high capacity
- strong detection resistance
- capacity is measured in bits per unit of time, not bits per symbol, so the packet rate matters as much as the bits carried per packet
Covert Timing Channels: Two Reference Designs
- X denotes the inter-packet delay (IPD); E(X) is its mean
- OPtimal Capacity (OPC)
  - sends information as fast as possible
  - E(X) is small (thousands of packets per second)
- Fixed-average Packet Rate (FPR)
  - sends information as fast as possible subject to a fixed average packet rate
  - E(X) is fixed (a few packets per second)
Model-Based Framework
- filters and analyzes legitimate traffic to build a model of its inter-packet delays
- encodes covert data into IPDs drawn from that model and transmits them
Components: Filter
- filters the input for the specified type of traffic (e.g., outgoing HTTP)
- outputs the legitimate inter-packet delays (IPDs)
Components: Analyzer
- fits the legitimate IPDs to several candidate models using maximum likelihood estimation (MLE), in blocks of 100 IPDs
- selects the model with the lowest root mean square error (RMSE)
Components: Encoder
- uses the inverse distribution function (IDF) of the selected model
- generates covert IPDs that mimic the legitimate traffic
Encoding / Decoding
1. Continuize: map each discrete symbol to a continuous value
2. Encode: map that value through the model's IDF to an IPD
3. Decode: map the received IPD back to a continuous value
4. Discretize: recover the symbol from that value
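The four steps above, worked through as an added example; this is not the authors' C/MATLAB code. It assumes the Weibull model the deck reports for MB-HTTP (scale 0.0371, shape 0.3010), the usual continuize rule of spreading symbol s over the slice [s/N, (s+1)/N) with a uniform offset so the encoded IPDs follow the model's distribution, and a Gaussian jitter model as a stand-in for network delay variation. Function names and the message are illustrative.

```python
import math
import random

# Weibull model reported in the deck for MB-HTTP: scale 0.0371, shape 0.3010
# (mean IPD 0.3385 s, about 3 packets/second). Using these fixed parameters
# is an assumption of this example; the real analyzer fits them to traffic.
SCALE, SHAPE = 0.0371, 0.3010


def weibull_cdf(x, scale=SCALE, shape=SHAPE):
    """Distribution function F(x) = 1 - exp(-(x/scale)^shape).
    expm1 keeps precision for the tiny IPDs that low symbols map to."""
    return -math.expm1(-((x / scale) ** shape))


def weibull_idf(r, scale=SCALE, shape=SHAPE):
    """Inverse distribution function F^-1(r) = scale * (-ln(1 - r))^(1/shape)."""
    return scale * (-math.log1p(-r)) ** (1.0 / shape)


def weibull_mean(scale=SCALE, shape=SHAPE):
    """E(X) = scale * Gamma(1 + 1/shape); reproduces the deck's 0.3385 s."""
    return scale * math.gamma(1.0 + 1.0 / shape)


def continuize(symbol, nsymbols, rng):
    """Step 1: spread symbol s over its slice [s/N, (s+1)/N) of [0, 1) with a
    uniform offset, so the continuous value r is itself uniform on [0, 1)."""
    return (symbol + rng.random()) / nsymbols


def encode(symbols, nsymbols, rng):
    """Steps 1-2: continuize each symbol and push it through the IDF. Because
    r is uniform, the IPDs are Weibull-distributed like the legitimate traffic."""
    return [weibull_idf(continuize(s, nsymbols, rng)) for s in symbols]


def decode(ipds, nsymbols):
    """Steps 3-4: map each observed IPD back through the CDF and discretize.
    IPDs are clamped at zero (jitter can make a measured delay negative) and
    r is kept below 1 so the symbol index stays in range."""
    symbols = []
    for x in ipds:
        r = min(weibull_cdf(max(x, 0.0)), 1.0 - 1e-12)
        symbols.append(int(r * nsymbols))
    return symbols


def roundtrip_ok(seed=7, n=500, bits=4):
    """Encode a random message and decode it over a noiseless channel."""
    rng = random.Random(seed)
    nsymbols = 1 << bits
    message = [rng.randrange(nsymbols) for _ in range(n)]
    return decode(encode(message, nsymbols, rng), nsymbols) == message


def bit_error_rate(jitter_std, seed=3, n=500, bits=4):
    """Encode, add Gaussian delay jitter (a constructed stand-in for network
    IPDV), decode, and return the fraction of message bits flipped. Low
    symbols map to IPDs of microseconds, so millisecond jitter corrupts them."""
    rng = random.Random(seed)
    nsymbols = 1 << bits
    message = [rng.randrange(nsymbols) for _ in range(n)]
    noisy = [x + rng.gauss(0.0, jitter_std) for x in encode(message, nsymbols, rng)]
    flipped = sum(bin(a ^ b).count("1") for a, b in zip(message, decode(noisy, nsymbols)))
    return flipped / (bits * n)


if __name__ == "__main__":
    print("model mean IPD:", round(weibull_mean(), 4))
    print("noiseless round trip:", roundtrip_ok())
    for ipdv in (2.5e-5, 2.41e-3, 2.1e-4):  # the deck's LAN, WAN-EE, WAN-EW IPDV
        print(f"jitter {ipdv:g} s -> bit error rate {bit_error_rate(ipdv):.3f}")
```

The jitter sweep shows why empirical capacity falls below the theoretical figures on the WAN paths: with four bits per packet the low symbols occupy IPD slices only microseconds wide, and any delay variation comparable to those widths lands them in a neighbouring slice.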
Components: Transmitter, Receiver, and Decoder
- Transmitter: sends packets spaced by the covert IPDs
- Receiver and Decoder: timestamp arriving packets and decode the message from the observed IPDs
Model-Based Framework: Implementation Details
- all components run in user space
- filter, encoder, and transmitter written in C, with inline assembly for RDTSC (cycle-counter timestamps)
- analyzer written in MATLAB
Experimental Evaluation: Test Scenarios
LAN, WAN East-to-East (WAN-EE), WAN East-to-West (WAN-EW)

Scenario   Distance   RTT       IPDV       Hops
LAN        0.3 mi     1.7 ms    2.5e-05    3
WAN-EE     525 mi     59.6 ms   2.41e-03   18
WAN-EW     2660 mi    87.2 ms   2.1e-04    13

IPDV: inter-packet delay variation
Test Setup
- MB-HTTP: Weibull model, avg. scale λ = 0.0371, avg. shape k = 0.3010
  - E(X) = 0.3385 s (~3 packets/second)
- OPC: E(X) ranges from 7.31e-3 to 7.87e-5 (stated as 1,515 to 12,777 packets/second; note that 1/7.31e-3 is about 137 packets/second, the WAN-EE rate implied by the capacity tables (68.80 / 0.50), so the printed rate range does not cover all three scenarios)
- FPR: Exponential model, rate λ = 2.954
  - E(X) = 1/λ = 0.3385 s (~3 packets/second), the same average rate as MB-HTTP
Theoretical Capacity
                LAN               WAN-EE            WAN-EW
Channel         CPP     CPS       CPP     CPS       CPP     CPS
MB-HTTP         9.39    27.76     4.12    12.19     6.84    20.21
OPC             0.50    6,395     0.50    68.80     0.50    758.54
FPR             12.63   37.32     6.15    18.17     9.59    28.35

CPP: capacity in bits per packet; CPS: capacity in bits per second
- OPC has the highest capacity per second (it sends thousands of packets per second at half a bit each)
- MB-HTTP and FPR are close
Empirical Capacity (figures): MB-HTTP versus FPR
- WAN East-East plot: capacity and bit error degrade quickly
- WAN East-West plot: capacity and bit error degrade slowly
Empirical Capacity
                LAN               WAN-EE            WAN-EW
Channel         CPP     CPS       CPP     CPS       CPP     CPS
MB-HTTP         6.74    19.93     2.15    6.35      5.18    15.31
OPC             0.85    10,899    0.66    91.28     0.98    1,512
FPR             10.95   32.35     4.63    13.67     9.37    27.69

CPP: capacity in bits per packet; CPS: capacity in bits per second
- OPC again has the highest capacity per second
- MB-HTTP and FPR are still close
Detection Resistance
- Tests of shape: Kolmogorov-Smirnov test, KSTEST = max over x of |s1(x) - s2(x)|, where s1 and s2 are the distribution functions being compared (a large score means the shapes differ)
- Tests of regularity: the regularity test (Cabuk 2004), which measures how much the IPD variance changes from one window of the trace to the next (a score near zero means machine-regular timing)
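Both tests run over constructed traffic, as an added example (not the authors' code; the deck's scores come from real HTTP traces, which this does not reproduce). The KS score is the two-sample statistic named above; the regularity score follows the definition of Cabuk et al. (CCS 2004), the standard deviation of |σi - σj| / σi over the per-window standard deviations σ. "Legitimate" traffic is stood in for by draws from the deck's Weibull model, MB-HTTP is that model's IDF applied to continuized random symbols, FPR uses the deck's exponential rate, and OPC is a constructed near-constant 100 µs IPD stream. The 1% false-positive cutoff, trial counts, and function names are this example's choices.

```python
import math
import random
from statistics import stdev

# Traffic models taken from the deck's test setup; sample sizes and the
# OPC stand-in below are this example's own constructions.
WEIBULL_SCALE, WEIBULL_SHAPE = 0.0371, 0.3010   # MB-HTTP / legitimate model
FPR_RATE = 2.954                                # exponential, E(X) = 0.3385 s


def ks_statistic(a, b):
    """Two-sample Kolmogorov-Smirnov statistic: max |S1(x) - S2(x)|, where S1
    and S2 are the empirical distribution functions of samples a and b.
    Values tied across the samples are consumed together so a tie does not
    produce a spurious step."""
    a, b = sorted(a), sorted(b)
    i = j = 0
    d = 0.0
    while i < len(a) and j < len(b):
        x = min(a[i], b[j])
        while i < len(a) and a[i] == x:
            i += 1
        while j < len(b) and b[j] == x:
            j += 1
        d = max(d, abs(i / len(a) - j / len(b)))
    return d


def regularity(ipds, w):
    """Regularity test (Cabuk et al. 2004): cut the trace into windows of w
    IPDs, take each window's standard deviation sigma_i, and return
    STDEV(|sigma_i - sigma_j| / sigma_i) over all pairs i < j. Machine-paced
    traffic keeps sigma nearly constant, so its score is near zero. Windows
    with zero variance are skipped; a trace with no usable pairs scores 0."""
    sigmas = [stdev(ipds[k:k + w]) for k in range(0, len(ipds) - w + 1, w)]
    ratios = [abs(si - sj) / si
              for i, si in enumerate(sigmas) if si > 0
              for sj in sigmas[i + 1:]]
    return stdev(ratios) if len(ratios) > 1 else 0.0


def legit_sample(rng, n):
    """Stand-in for legitimate HTTP IPDs: draws from the fitted Weibull model."""
    return [rng.weibullvariate(WEIBULL_SCALE, WEIBULL_SHAPE) for _ in range(n)]


def mb_http_sample(rng, n, bits=4):
    """Model-based channel: random symbols continuized to r in [0, 1) and
    mapped through the Weibull inverse distribution function."""
    ipds = []
    for _ in range(n):
        r = (rng.randrange(1 << bits) + rng.random()) / (1 << bits)
        ipds.append(WEIBULL_SCALE * (-math.log1p(-r)) ** (1.0 / WEIBULL_SHAPE))
    return ipds


def fpr_sample(rng, n):
    """FPR channel: exponential IPDs at the deck's fixed average rate."""
    return [rng.expovariate(FPR_RATE) for _ in range(n)]


def opc_sample(rng, n):
    """Constructed OPC stand-in: a packet every ~100 us with 1 us of jitter."""
    return [1e-4 + rng.random() * 1e-6 for _ in range(n)]


CHANNELS = {"LEGIT-HTTP": legit_sample, "MB-HTTP": mb_http_sample,
            "FPR": fpr_sample, "OPC": opc_sample}


def detection_rates(trials=40, n=2000, w=100, fp_rate=0.01, seed=1):
    """Score `trials` traces of each class with both tests, put the cutoff at
    the (1 - fp_rate) quantile of the legitimate scores, and return the
    fraction of traces flagged per class (FP for LEGIT-HTTP, TP otherwise).
    High KS scores and low regularity scores are the suspicious direction,
    so regularity is negated before thresholding."""
    rng = random.Random(seed)
    reference = legit_sample(rng, n)   # training trace the KS test compares against
    scores = {"ks": {}, "regularity": {}}
    for name, sample in CHANNELS.items():
        traces = [sample(rng, n) for _ in range(trials)]
        scores["ks"][name] = [ks_statistic(reference, t) for t in traces]
        scores["regularity"][name] = [-regularity(t, w) for t in traces]
    rates = {}
    for test, per_class in scores.items():
        legit = sorted(per_class["LEGIT-HTTP"])
        cutoff = legit[min(len(legit) - 1, int((1.0 - fp_rate) * len(legit)))]
        rates[test] = {name: sum(s > cutoff for s in vals) / trials
                       for name, vals in per_class.items()}
    return rates


if __name__ == "__main__":
    for test, per_class in detection_rates().items():
        print(test, {k: round(v, 2) for k, v in per_class.items()})
```

Because the model-based IPDs are drawn from the same distribution as the stand-in legitimate traffic, neither test separates them beyond the false-positive rate, while the exponential FPR stream fails the shape test and both FPR and OPC fail the regularity test; the deck's tables show the same pattern on real traces. Note the caveat this makes visible: the detector is only as good as its reference model, and a defender who fits a richer model of the real traffic (or tests higher-order structure the Weibull fit ignores) gets a different answer.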
KSTEST scores
              LEGIT-HTTP        MB-HTTP           FPR              OPC
Sample size   mean    s.d.      mean    s.d.      mean    s.d.     mean    s.d.
100 x 2,000   .193    .110      .196    .093      .92     .0       .99     .0
100 x 10,000  .141    .103      .157    .087      .92     .0       .99     .0
100 x 50,000  .096              .122    .073      .92     .0       .99     .0
100 x 250,000 .069    .066      .096    .036      .92     .0       .99     .0

Sample size is 100 samples of N packets each
- FPR and OPC score a high mean with zero s.d.
- LEGIT-HTTP and MB-HTTP have similar mean and s.d.
KSTEST score distributions (figure)
- LEGIT-HTTP and MB-HTTP scores have similar distributions
- the two distributions still overlap even with 250,000 packets per sample
KSTEST detection rates
Sample size    LEGIT-HTTP FP   MB-HTTP TP   FPR TP   OPC TP
100 x 2,000    .01             .01          1.00     1.00
100 x 10,000   .01             .01          1.00     1.00
100 x 50,000   .01             .01          1.00     1.00
100 x 250,000  .01             .02          1.00     1.00

FP: false-positive rate on legitimate traffic (held at 1% by the choice of cutoff); TP: true-positive rate
- FPR and OPC are detected easily
- for MB-HTTP the true-positive rate equals the false-positive rate, i.e., the test does no better than chance
Regularity scores (mean)
Sample size          LEGIT-HTTP   MB-HTTP   FPR    OPC
100 x 2,000, w=100   43.80        38.21     0.34   0.00
100 x 2,000, w=250   23.74        22.87     0.26   0.00

w: window size in packets
- LEGIT-HTTP and MB-HTTP have similar means; FPR and OPC score near zero (highly regular timing)
Regularity detection rates
Sample size          LEGIT-HTTP FP   MB-HTTP TP   FPR TP   OPC TP
100 x 2,000, w=100   .01             .00          1.00     1.00
100 x 2,000, w=250   .01             .00          1.00     1.00

- MB-HTTP is not detected at all
- FPR and OPC are again detected easily
Conclusion
- model-based covert timing channels can be built automatically from observed traffic
- effective even in the coast-to-coast (WAN East-West) scenario
- capacity is very close to FPR
- much stronger detection resistance than FPR and OPC against both the shape (KSTEST) and regularity tests
Conclusion (cont.): Future Work
- investigate detection methods for model-based covert timing channels
- explore other, more advanced covert timing channel designs (e.g., non-parametric models)
Questions? Thank You!