
1 Model-Based Covert Timing Channels: Automated Modeling and Evasion
Steven Gianvecchio (1), Haining Wang (1), Duminda Wijesekera (2), and Sushil Jajodia (2)
(1) College of William and Mary
(2) George Mason University

2 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion
Outline
- Background
- Covert Timing Channels
- Model-Based Framework
- Experimental Evaluation
  - Capacity
  - Detection Resistance
- Conclusion

3 Outline (same as slide 2; introduces the Background section)

4 Background
- Covert Channels
  - manipulate shared resources to transfer information
  - hide communication (or extra communication)
  - exfiltrate sensitive data (e.g., keys, passwords)

5 Background
- Types of Covert Channels
  - the shared resource that is manipulated determines the type
  - covert storage channels (e.g., packet header fields)
  - covert timing channels (e.g., packet arrival times)

6 Outline (same as slide 2; introduces the Covert Timing Channels section)

7 Covert Timing Channels
- Main Goals
  - high capacity
  - strong detection resistance
- Capacity
  - measured in bits per time unit, not bits per symbol

8 Covert Timing Channels
- OPtimal Capacity (OPC)
  - send information as fast as possible
  - E(X), the mean inter-packet delay, is small (1,000s of packets/second)
- Fixed-average Packet Rate (FPR)
  - send information as fast as possible with a fixed-average packet rate
  - E(X) is fixed (a few packets/second)

9 Outline (same as slide 2; introduces the Model-Based Framework section)

10 Model-Based Framework
- The Framework
  - filters and analyzes legitimate traffic
  - encodes and transmits covert traffic

11 Components
- Filter
  - filters input for the specified type of traffic (e.g., outgoing HTTP)
  - outputs legitimate IPDs (inter-packet delays)

12 Components
- Analyzer
  - fits the legitimate IPDs to several models using MLE (maximum likelihood estimation), in blocks of 100 IPDs
  - selects the model with the lowest RMSE (root mean square error)
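An added illustration of the analyzer step, not the paper's MATLAB analyzer (which is not on this page): it fits an exponential and a Weibull model to one block of 100 IPDs by maximum likelihood and keeps the model whose CDF has the lowest RMSE against the block's empirical CDF. The candidate model set, the RMSE definition (empirical CDF versus model CDF at the sorted sample points), the bisection solver for the Weibull shape, and the synthetic block (Weibull draws using the scale and shape the slides report for HTTP, not captured traffic) are all assumptions. A defender building a baseline of normal IPDs for a shape test would characterize traffic the same way.

```python
"""Fit candidate IPD models to a block of inter-packet delays and pick the
best one by RMSE. Added example; the model set, the RMSE definition and
the sample data are assumptions, not the paper's code."""
import math
import random


def ecdf_points(sample):
    """Return the sorted sample and the empirical CDF value (i+1)/n at each point."""
    xs = sorted(sample)
    n = len(xs)
    return xs, [(i + 1) / n for i in range(n)]


def fit_exponential(sample):
    """MLE for an exponential model: rate = 1 / mean(x)."""
    mean = sum(sample) / len(sample)
    return {"name": "exponential", "rate": 1.0 / mean}


def fit_weibull(sample, iters=100):
    """MLE for a Weibull(scale, shape) model.
    The shape k solves g(k) = sum(x^k ln x)/sum(x^k) - 1/k - mean(ln x) = 0,
    which is monotone in k, so bisection converges; scale = mean(x^k)^(1/k).
    Zero delays are clamped to a tiny positive value so ln(x) is defined."""
    xs = [max(x, 1e-9) for x in sample]
    logs = [math.log(x) for x in xs]
    mean_log = sum(logs) / len(xs)

    def g(k):
        pk = [x ** k for x in xs]
        total = sum(pk)
        if total == 0.0:  # all terms underflowed: treat as the positive side
            return 1.0
        return sum(p * l for p, l in zip(pk, logs)) / total - 1.0 / k - mean_log

    lo, hi = 0.01, 50.0
    for _ in range(iters):
        mid = (lo + hi) / 2
        if g(mid) < 0:
            lo = mid
        else:
            hi = mid
    k = (lo + hi) / 2
    scale = (sum(x ** k for x in xs) / len(xs)) ** (1.0 / k)
    return {"name": "weibull", "scale": scale, "shape": k}


def model_cdf(model, x):
    """CDF of a fitted model evaluated at x."""
    if model["name"] == "exponential":
        return 1.0 - math.exp(-model["rate"] * x)
    return 1.0 - math.exp(-((x / model["scale"]) ** model["shape"]))


def rmse(model, sample):
    """Root mean square error between the empirical CDF and the model CDF."""
    xs, emp = ecdf_points(sample)
    err = [(model_cdf(model, x) - e) ** 2 for x, e in zip(xs, emp)]
    return math.sqrt(sum(err) / len(err))


def select_model(block):
    """Fit every candidate to one block of IPDs; return (best model, RMSE per model)."""
    candidates = [fit_exponential(block), fit_weibull(block)]
    scores = {m["name"]: rmse(m, block) for m in candidates}
    best = min(candidates, key=lambda m: scores[m["name"]])
    return best, scores


def make_block(seed, n=100):
    """Constructed sample: heavy-tailed Weibull IPDs with the parameters the
    slides report for HTTP (scale 0.0371, shape 0.3010); not captured traffic."""
    rng = random.Random(seed)
    return [rng.weibullvariate(0.0371, 0.3010) for _ in range(n)]


if __name__ == "__main__":
    best, scores = select_model(make_block(1))
    print("selected:", best)
    print("rmse per model:", scores)
```

On the synthetic block the Weibull fit wins by a wide margin because the exponential CDF cannot follow a heavy-tailed sample; on a block of real HTTP IPDs the margins are smaller, which is why the analyzer compares several models per block rather than assuming one.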

13 Components
- Encoder
  - uses the IDF (inverse distribution function) of the selected model
  - generates covert IPDs that mimic the legitimate traffic

14 Encoding / Decoding
1. Continuize
2. Encode
3. Decode
4. Discretize

15 Components
- Transmitter
  - sends out packets with covert IPDs
- Receiver and Decoder
  - receive packets and decode the message

16 Model-Based Framework
- Implementation Details
  - components run in user space
  - filter, encoder, and transmitter written in C, plus inline assembly for RDTSC (the CPU cycle counter, used for fine-grained timing)
  - analyzer written in MATLAB

17 Outline (same as slide 2; introduces the Experimental Evaluation section)

18 Experimental Evaluation
- Test Scenarios
  - LAN, WAN East-to-East, WAN East-to-West

             LAN        WAN-EE     WAN-EW
distance     0.3 mi     525 mi     2660 mi
RTT          1.7 ms     59.6 ms    87.2 ms
IPDV         2.5e-05    2.41e-03   2.1e-04
hops         3          18         13

IPDV – inter-packet delay variation

19 Test Setup
- MB-HTTP
  - Weibull – avg. λ = 0.0371, avg. k = 0.3010
  - E(X) is 0.3385 (~3 packets/second)
- OPC
  - E(X) is 7.31e-3 to 7.87e-5 (1,515 to 12,777 packets/second)
- FPR
  - Exponential – λ = 2.954
  - E(X) is 0.3385 (~3 packets/second)

20-21 Theoretical Capacity

channel    LAN               WAN-EE            WAN-EW
           CPP     CPS       CPP     CPS       CPP     CPS
MB-HTTP    9.39    27.76     4.12    12.19     6.84    20.21
OPC        0.50    6,395     0.50    68.80     0.50    758.54
FPR        12.63   37.32     6.15    18.17     9.59    28.35

CPP – capacity/packet, CPS – capacity/second
- LAN, WAN East-East, WAN East-West
- OPC has the highest capacity
- MB-HTTP and FPR are close

22 Empirical Capacity
- WAN East-East
  - MB-HTTP versus FPR
  - capacity and bit error rate degrade quickly

23 Empirical Capacity
- WAN East-West
  - MB-HTTP versus FPR
  - capacity and bit error rate degrade slowly

24-25 Empirical Capacity

channel    LAN               WAN-EE            WAN-EW
           CPP     CPS       CPP     CPS       CPP     CPS
MB-HTTP    6.74    19.93     2.15    6.35      5.18    15.31
OPC        0.85    10,899    0.66    91.28     0.98    1,512
FPR        10.95   32.35     4.63    13.67     9.37    27.69

CPP – capacity/packet, CPS – capacity/second
- LAN, WAN East-East, WAN East-West
- OPC again has the highest capacity
- MB-HTTP and FPR are still close

26 Detection Resistance
- Tests of Shape:
  - Kolmogorov-Smirnov test, where s1 and s2 are distribution functions
- Tests of Regularity:
  - The regularity test (Cabuk 2004)
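The two detectors named on this slide, as an added example that is not the paper's test code: the two-sample Kolmogorov-Smirnov statistic is the standard max |s1(x) - s2(x)| over the two empirical distribution functions, and the regularity score follows Cabuk et al. (2004): split the IPDs into windows of size w, take each window's standard deviation sigma_i, and report the standard deviation of |sigma_i - sigma_j| / sigma_i over all pairs i < j. The handling of constant windows (pairs whose reference window has zero variance are skipped, so a constant-rate stream scores 0), the function names, and the three synthetic streams (a bursty stand-in for HTTP whose rate changes from window to window, an i.i.d. exponential stream at the FPR rate, and a constant-IPD stream at the fastest OPC rate) are assumptions; the streams are constructed, not captured traffic, so only the qualitative ordering matches the slides that follow, not their numbers.

```python
"""Shape and regularity tests for inter-packet delay streams. Added example;
the constructed streams and the zero-variance handling are assumptions."""
import random
import statistics


def ks_statistic(sample1, sample2):
    """Two-sample Kolmogorov-Smirnov statistic: max |S1(x) - S2(x)|.
    Walks both sorted samples, advancing past all ties at each distinct x."""
    s1, s2 = sorted(sample1), sorted(sample2)
    n1, n2 = len(s1), len(s2)
    i = j = 0
    d = 0.0
    while i < n1 and j < n2:
        x = min(s1[i], s2[j])
        while i < n1 and s1[i] == x:
            i += 1
        while j < n2 and s2[j] == x:
            j += 1
        d = max(d, abs(i / n1 - j / n2))
    return d


def regularity(ipds, w):
    """Cabuk-style regularity score over windows of w IPDs.
    Assumption: windows with (numerically) zero variance are skipped as the
    reference sigma_i, so a perfectly constant stream scores 0.0."""
    sigmas = [statistics.pstdev(ipds[k:k + w])
              for k in range(0, len(ipds) - w + 1, w)]
    ratios = []
    for i in range(len(sigmas)):
        if sigmas[i] < 1e-12:
            continue
        for j in range(i + 1, len(sigmas)):
            ratios.append(abs(sigmas[i] - sigmas[j]) / sigmas[i])
    return statistics.pstdev(ratios) if len(ratios) > 1 else 0.0


def legit_like(rng, n, w):
    """Constructed stand-in for HTTP: bursty, with the mean IPD alternating
    between 0.01 s and 1.0 s from window to window, so per-window variance
    is irregular the way real request/response traffic is."""
    out = []
    for k in range(n // w):
        mean = 0.01 if k % 2 == 0 else 1.0
        out.extend(rng.expovariate(1.0 / mean) for _ in range(w))
    return out


def fpr_like(rng, n, rate=2.954):
    """Constructed FPR-style stream: i.i.d. exponential IPDs at a fixed average rate."""
    return [rng.expovariate(rate) for _ in range(n)]


def opc_like(n, ipd=7.87e-5):
    """Constructed OPC-style stream: packets sent back to back at a constant IPD."""
    return [ipd] * n


def run_tests(seed=7, n=2000, w=100):
    """Score each stream against a legitimate reference: (KS statistic, regularity)."""
    rng = random.Random(seed)
    reference = legit_like(rng, n, w)
    streams = {
        "legit": legit_like(rng, n, w),
        "fpr": fpr_like(rng, n),
        "opc": opc_like(n),
    }
    return {name: (ks_statistic(reference, s), regularity(s, w))
            for name, s in streams.items()}


if __name__ == "__main__":
    for name, (ks, reg) in run_tests().items():
        print(f"{name:6s}  KS={ks:.3f}  regularity={reg:.2f}")
```

A second legitimate sample scores low on KS (its shape matches the reference) and high on regularity (its variance drifts between windows), while the fixed-rate and constant-rate streams score high on KS and low on regularity; a detector would threshold each score at the rate that gives the desired false-positive rate on legitimate traffic, which is how the 1% FP rows in the following slides were obtained.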

27-28 KSTEST

sample size    LEGIT-HTTP       MB-HTTP          FPR             OPC
               mean    s.d.     mean    s.d.     mean    s.d.    mean    s.d.
100x2,000      .193    .110     .196    .093     .92     .0      .99     .0
100x10,000     .141    .103     .157    .087     .92     .0      .99     .0
100x50,000     .096 .122 .073 (one of the four LEGIT/MB-HTTP values is missing from the transcript)   .92  .0   .99  .0
100x250,000    .069    .066     .096    .036     .92     .0      .99     .0

- KSTEST scores
  - high mean and low s.d. for FPR and OPC
  - similar mean and s.d. for LEGIT and MB-HTTP

29 KSTEST
- KSTEST distribution
  - similar distributions for LEGIT-HTTP and MB-HTTP scores

30 KSTEST
- KSTEST distribution
  - LEGIT-HTTP and MB-HTTP overlap even with 250,000 packets

31-32 KSTEST

sample size    LEGIT-HTTP FP   MB-HTTP TP   FPR, OPC TP (one value captured for both)
100x2,000      .01             (blank)      1.00
100x10,000     .01             (blank)      1.00
100x50,000     .01             (blank)      1.00
100x250,000    .01             .02          1.00

- KSTEST detection rates
  - FPR and OPC are detected easily
  - FP equals TP for LEGIT and MB-HTTP

33 regularity

sample size        LEGIT-HTTP   MB-HTTP   FPR    OPC
                   mean         mean      mean   mean
100x2,000 w=100    43.80        38.21     0.34   0.00
100x2,000 w=250    23.74        22.87     0.26   0.00

- regularity scores
  - similar mean for LEGIT and MB-HTTP

34-35 regularity

sample size        LEGIT-HTTP FP   MB-HTTP TP   FPR, OPC TP (one value captured for both)
100x2,000 w=100    .01             .00          1.00
100x2,000 w=250    .01             .00          1.00

- regularity detection rates
  - MB-HTTP is not detected at all
  - again FPR and OPC are detected easily

36 Outline (same as slide 2; introduces the Conclusion section)

37 Conclusion
- Model-Based Covert Timing Channels
  - can be built automatically
  - effective even in the coast-to-coast scenario
  - capacity is very close to FPR
  - much stronger detection resistance than FPR and OPC

38 Conclusion (cont.)
- Future Work
  - investigate detection methods for model-based covert timing channels
  - explore other, more advanced covert timing channel designs (e.g., non-parametric models)

39 Questions? Thank You!

