Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model-Based Covert Timing Channels: Automated Modeling and Evasion Steven Gianvecchio 1, Haining Wang 1, Duminda Wijesekera 2, and Sushil Jajodia 2 1 College.

Published byGary McGee Modified over 8 years ago

Similar presentations

Presentation on theme: "Model-Based Covert Timing Channels: Automated Modeling and Evasion Steven Gianvecchio 1, Haining Wang 1, Duminda Wijesekera 2, and Sushil Jajodia 2 1 College."— Presentation transcript:

1 Model-Based Covert Timing Channels: Automated Modeling and Evasion Steven Gianvecchio 1, Haining Wang 1, Duminda Wijesekera 2, and Sushil Jajodia 2 1 College of William and Mary 2 George Mason University

2 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 2 Outline  Background  Covert Timing Channels  Model-Based Framework  Experimental Evaluation  Capacity  Detection Resistance  Conclusion

3 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 3 Outline  Background  Covert Timing Channels  Model-Based Framework  Experimental Evaluation  Capacity  Detection Resistance  Conclusion

4 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 4 Background  Covert Channels  manipulate shared resources to transfer information  hide communication (or extra communication)  exfiltrate sensitive data (e.g., keys, passwords)

5 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 5 Background  Types of Covert Channels  shared resource is the type  covert storage channels (e.g., packet header fields)  covert timing channels (e.g., packet arrival times)

6 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 6 Outline  Background  Covert Timing Channels  Model-Based Framework  Experimental Evaluation  Capacity  Detection Resistance  Conclusion

7 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 7  Main Goals  high capacity  strong detection resistance  Capacity –  bits/time unit, not bits/symbol Covert Timing Channels

8 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 8 Covert Timing Channels  OPtimal Capacity (OPC)  send information as fast as possible  E(X) is small (1,000s of packets/second)  Fixed-average Packet Rate (FPR)  send information as fast as possible with a fixed-average packet rate  E(X) is fixed (a few packets/second)

9 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 9 Outline  Background  Covert Timing Channels  Model-Based Framework  Experimental Evaluation  Capacity  Detection Resistance  Conclusion

10 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 10 Model-Based Framework  The Framework  filters and analyzes legitimate traffic  encodes and transmits covert traffic

11 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 11 Components  Filter  filters input for the specified type of traffic (e.g., outgoing HTTP)  outputs legitimate IPDs

12 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 12 Components  Analyzer  fits the legitimate IPDs to several models using MLE (blocks of 100 IPDs)  selects the model with the lowest RMSE

13 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 13 Components  Encoder  uses the IDF of the model  generates covert IPDs that mimic the legitimate traffic

14 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 14 Encoding / Decoding  1. Continuize  2. Encode  3. Decode  4. Discretize

15 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 15 Components  Transmitter  sends out packets with covert IPDs  Receiver and Decoder  receive packets and decode message

16 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 16 Model-Based Framework  Implementation Details  components run in user space  filter, encoder, transmitter written in C; plus inline assembly for RDTSC  analyzer written in MATLAB

17 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 17 Outline  Background  Covert Timing Channels  Model-Based Framework  Experimental Evaluation  Capacity  Detection Resistance  Conclusion

18 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 18 Experimental Evaluation  Test Scenarios  LAN, WAN East-to-East, WAN East-to-West LANWAN-EEWAN-EW distance0.3 mi525 mi2660 mi RTT1.7ms59.6ms87.2ms IPDV2.5e-052.41e-032.1e-04 hops31813 IPDV – inter-packet delay variation

19 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 19 Test Setup  MB-HTTP  Weibull – avg. λ = 0.0371, avg. k = 0.3010  E(X) is 0.3385 (~3 packets/second)  OPC  E(X) is 7.31e-3 to 7.87e-5 (1,515 to 12,777 packets/second)  FPR  Exponential – λ = 2.954  E(X) is 0.3385 (~3 packets/second)

20 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 20 Theoretical Capacity channel LANWAN-EEWAN-EW CPPCPSCPPCPSCPPCPS MB-HTTP 9.3927.764.1212.196.8420.21 OPC 0.506,3950.5068.800.50758.54 FPR 12.6337.326.1518.179.5928.35 CPP – capacity/packet, CPS = capacity/second  LAN, WAN East-East, WAN East-West  OPC has highest capacity

21 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 21 Theoretical Capacity channel LANWAN-EEWAN-EW CPPCPSCPPCPSCPPCPS MB-HTTP 9.3927.764.1212.196.8420.21 OPC 0.506,3950.5068.800.50758.54 FPR 12.6337.326.1518.179.5928.35 CPP – capacity/packet, CPS = capacity/second  LAN, WAN East-East, WAN East-West  MB-HTTP and FPR are close

22 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 22 Empirical Capacity  WAN East-East  MB-HTTP versus FPR  capacity and bit error degrade quickly

23 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 23 Empirical Capacity  WAN East-West  MB-HTTP versus FPR  capacity and bit error degrade slowly

24 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 24 Empirical Capacity channel LANWAN-EEWAN-EW CPPCPSCPPCPSCPPCPS MB-HTTP 6.7419.932.156.355.1815.31 OPC 0.8510,8990.6691.280.981,512 FPR 10.9532.354.6313.679.3727.69 CPP – capacity/packet, CPS = capacity/second  LAN, WAN East-East, WAN East-West  OPC again has the highest capacity

25 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 25 Empirical Capacity channel LANWAN-EEWAN-EW CPPCPSCPPCPSCPPCPS MB-HTTP 6.7419.932.156.355.1815.31 OPC 0.8510,8990.6691.280.981,512 FPR 10.9532.354.6313.679.3727.69 CPP – capacity/packet, CPS = capacity/second  LAN, WAN East-East, WAN East-West  MB-HTTP and FPR are still close

26 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 26 Tests of Shape:  Kolmogorov-Smirnov test – where s 1 and s 2 are distribution functions Tests of Regularity:  The regularity test (Cabuk 2004) – 26 Detection Resistance

27 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 27 KSTEST LEGIT-HTTPMB-HTTP FPROPC sample size meanstddevm.s.d.m.s.dm.s.d 100x2,000.193.110.196.093.92.0.99.0 100x10,000.141.103.157.087.92.0.99.0 100x50,000.096.122.073.92.0.99.0 100x250,000.069.066.096.036.92.0.99.0  KSTEST scores  high mean and low s.d. for FPR and OPC

28 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 28 KSTEST LEGIT-HTTPMB-HTTP FPROPC sample size meanstddevm.s.d.m.s.dm.s.d 100x2,000.193.110.196.093.92.0.99.0 100x10,000.141.103.157.087.92.0.99.0 100x50,000.096.122.073.92.0.99.0 100x250,000.069.066.096.036.92.0.99.0  KSTEST scores  similar mean and s.d. for LEGIT and MB-HTTP

29 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 29 KSTEST  KSTEST distribution  similar distributions for LEGIT-HTTP and MB- HTTP scores

30 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 30 KSTEST  KSTEST distribution  LEGIT-HTTP and MB-HTTP overlap even with 250,000 packets

31 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 31 KSTEST LEGIT-HTTPMB-HTTP FPROPC sample sizeFPTP 100x2,000.01 1.00 100x10,000.01 1.00 100x50,000.01 1.00 100x250,000.01.021.00  KSTEST detection rates  FPR and OPC are detected easily

32 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 32 KSTEST LEGIT-HTTPMB-HTTP FPROPC sample sizeFPTP 100x2,000.01 1.00 100x10,000.01 1.00 100x50,000.01 1.00 100x250,000.01.021.00  KSTEST detection rates  FP equals TP for LEGIT and MB-HTTP

33 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 33 regularity LEGIT-HTTPMB-HTTP FPROPC sample sizemean 100x2,000 w=100 43.8038.210.340.00 100x2,000 w=250 23.7422.870.260.00  regularity scores  similar mean for LEGIT and MB-HTTP

34 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 34 regularity LEGIT-HTTPMB-HTTP FPROPC sample sizeFPTP 100x2,000 w=100.01.001.00 100x2,000 w=250.01.001.00  regularity detection rates  MB-HTTP is not detected at all

35 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 35 regularity LEGIT-HTTPMB-HTTP FPROPC sample sizeFPTP 100x2,000 w=100.01.001.00 100x2,000 w=250.01.001.00  regularity detection rates  again FPR and OPC are detected easily

36 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 36 Outline  Background  Covert Timing Channels  Model-Based Framework  Experimental Evaluation  Capacity  Detection Resistance  Conclusion

37 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 37 Conclusion  Model-Based Covert Timing Channels  can be built automatically  effective even in coast-to-coast scenario  capacity is very close to FPR  much stronger detection resistance than FPR and OPC

38 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 38 Conclusion (cont.)  Future Work  investigate detection methods for model- based covert timing channels  explore other more advanced covert timing channel designs (e.g., non-parametric models)

39 RAID 2008 Model-Based Covert Timing Channels: Automated Modeling and Evasion 39 Questions? Thank You!

Download ppt "Model-Based Covert Timing Channels: Automated Modeling and Evasion Steven Gianvecchio 1, Haining Wang 1, Duminda Wijesekera 2, and Sushil Jajodia 2 1 College."

Similar presentations

Network II.5 simulator ..

Network II.5 simulator ..
1 Routing Protocols I. 2 Routing Recall: There are two parts to routing IP packets: 1. How to pass a packet from an input interface to the output interface.

1 Routing Protocols I. 2 Routing Recall: There are two parts to routing IP packets: 1. How to pass a packet from an input interface to the output interface.
CENG 3331 Introduction to Telecommunications and Networks.

CENG 3331 Introduction to Telecommunications and Networks.
VSMC MIMO: A Spectral Efficient Scheme for Cooperative Relay in Cognitive Radio Networks 1.

VSMC MIMO: A Spectral Efficient Scheme for Cooperative Relay in Cognitive Radio Networks 1.
CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.
10/14/2005Caltech1 Reliable State Machines Dr. Gary R Burke California Institute of Technology Jet Propulsion Laboratory.

10/14/2005Caltech1 Reliable State Machines Dr. Gary R Burke California Institute of Technology Jet Propulsion Laboratory.
GWDAW 16/12/2004 Inspiral analysis of the Virgo commissioning run 4 Leone B. Bosi VIRGO coalescing binaries group on behalf of the VIRGO collaboration.

GWDAW 16/12/2004 Inspiral analysis of the Virgo commissioning run 4 Leone B. Bosi VIRGO coalescing binaries group on behalf of the VIRGO collaboration.
Battle of Botcraft: Fighting Bots in Online Games with Human Observational Proofs Steven Gianvecchio, Zhenyu Wu, Mengjun Xie, and Haining Wang.

Battle of Botcraft: Fighting Bots in Online Games with Human Observational Proofs Steven Gianvecchio, Zhenyu Wu, Mengjun Xie, and Haining Wang.
Queuing Network Models for Delay Analysis of Multihop Wireless Ad Hoc Networks Nabhendra Bisnik and Alhussein Abouzeid Rensselaer Polytechnic Institute.

Queuing Network Models for Delay Analysis of Multihop Wireless Ad Hoc Networks Nabhendra Bisnik and Alhussein Abouzeid Rensselaer Polytechnic Institute.
Tuning Skype Redundancy Control Algorithm for User Satisfaction Te-Yuan Huang, Kuan-Ta Chen, Polly Huang Proceedings of the IEEE Infocom Conference Rio.

Tuning Skype Redundancy Control Algorithm for User Satisfaction Te-Yuan Huang, Kuan-Ta Chen, Polly Huang Proceedings of the IEEE Infocom Conference Rio.
Comparison of different MIMO-OFDM signal detectors for LTE

Comparison of different MIMO-OFDM signal detectors for LTE
PHY Covert Channels: Can you see the Idles? Ki Suh Lee Cornell University Joint work with Han Wang, and Hakim Weatherspoon 1 첩자첩자 Chupja.

PHY Covert Channels: Can you see the Idles? Ki Suh Lee Cornell University Joint work with Han Wang, and Hakim Weatherspoon 1 첩자첩자 Chupja.
Western Michigan University Covert Timing Channels Omar Darwish Instructor: Professor Elise de Doncker.

Western Michigan University Covert Timing Channels Omar Darwish Instructor: Professor Elise de Doncker.
LBVC: Towards Low-bandwidth Video Chats on Smartphones Xin Qi, Qing Yang, David T. Nguyen, Gang Zhou, Ge Peng College of William and Mary 1.

LBVC: Towards Low-bandwidth Video Chats on Smartphones Xin Qi, Qing Yang, David T. Nguyen, Gang Zhou, Ge Peng College of William and Mary 1.
PROJECT PRESENTATION “ Analyzing Factors that affect VoIP Call Quality ” Presented By: Vamsi Krishna Karnati 11/24/2014.

PROJECT PRESENTATION “ Analyzing Factors that affect VoIP Call Quality ” Presented By: Vamsi Krishna Karnati 11/24/2014.
Emulatore di Protocolli di Routing per reti Ad-hoc Alessandra Giovanardi DI – Università di Ferrara Pattern Project Area 3: Problematiche di instradamento.

Emulatore di Protocolli di Routing per reti Ad-hoc Alessandra Giovanardi DI – Università di Ferrara Pattern Project Area 3: Problematiche di instradamento.
1 “Multiplexing Live Video Streams & Voice with Data over a High Capacity Packet Switched Wireless Network” Spyros Psychis, Polychronis Koutsakis and Michael.

1 “Multiplexing Live Video Streams & Voice with Data over a High Capacity Packet Switched Wireless Network” Spyros Psychis, Polychronis Koutsakis and Michael.
IP: The Internet Protocol

IP: The Internet Protocol
Digital Data Transmission ECE 457 Spring 2005. Information Representation Communication systems convert information into a form suitable for transmission.

Digital Data Transmission ECE 457 Spring Information Representation Communication systems convert information into a form suitable for transmission.
The Capacity of Wireless Ad Hoc Networks

The Capacity of Wireless Ad Hoc Networks

Similar presentations

Ads by Google