Recently, two new papers were accepted, one at J.UCS and one at the CUING workshop. The first presents a countermeasure for the Size Modulation hiding pattern, the second a countermeasure for the Message Ordering hiding pattern.
#1: Steffen Wendzel, Florian Link, Daniela Eller, Wojciech Mazurczyk:
Detection of Size Modulation Covert Channels Using Countermeasure
Variation, Journal of Universal Computer Science (J.UCS), accepted.
Abstract: Network covert channels enable stealthy communications for malware
and data exfiltration. For this reason, developing effective
countermeasures for these threats is important for the protection of
individuals and organizations. However, due to the large number of
available covert channel techniques, it is considered impractical to
develop countermeasures for all existing covert channels.
In recent years, researchers started to develop countermeasures that
(instead of only countering one particular hiding technique) can be
applied to a whole family of similar hiding techniques. These families
are referred to as hiding patterns.
Considering the above, the main contribution of this paper is to introduce
the concept of countermeasure variation: a slight modification of a
countermeasure that was designed to detect covert channels of one specific
hiding pattern, so that it can also detect covert channels that belong to
other hiding patterns.
We exemplify countermeasure variation using the compressibility score,
the epsilon-similarity and the regularity metric originally presented
by Cabuk et al. All three methods were designed to detect covert channels
that utilize the Inter-packet Times pattern; we show that countermeasure
variation allows these countermeasures to be applied to covert channels
of the Size Modulation pattern, too.
#2: Steffen Wendzel: Protocol-independent Detection of 'Messaging Ordering'
Network Covert Channels, in Proc. Third International Workshop on
Criminal Use of Information Hiding (CUING 2019), accepted.
Abstract: Detection methods are available for several known covert channels.
However, a type of covert channel that received little attention within
the last decade is the "message ordering" channel. Such a covert
channel changes the order of PDUs (protocol data units, i.e. packets)
transferred over the network to encode hidden information. The advantage
of these channels is that they cannot be blocked easily as they do not
modify header content but instead mimic typical network behavior such as
TCP segments that arrive in a different order than they were sent.
Contribution: In this paper, we show a protocol-independent approach to
detect message ordering channels. Our approach is based on a modified
compressibility score. We analyze the detectability of message ordering
channels and whether several types of message ordering channels differ
in their detectability.
Results: Our results show that the detection of message ordering
channels depends on their number of utilized PDUs. First, we performed a
rough threshold selection by hand, which we later optimized using the
C4.5 decision tree classifier. We were able to detect message ordering
covert channels with an accuracy and F1 score of ≥ 99.5% and a
false-positive rate of < 1% and < 0.1% if they use sequences of 3 or 4
PDUs, respectively. Simpler channels that only manipulate a sequence of
two PDUs were detectable with an accuracy and F1 score of 94.5% and
had a false-positive rate of 5.19%. We thus consider our
approach suitable for real-world detection scenarios with channels
utilizing 3 or 4 PDUs, while the detection of channels utilizing 2 PDUs
should be improved further.
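To make concrete what the metrics named in the two abstracts above compute, and how one implementation is reused across hiding patterns, here is an added example written for this post; it is not the code from either paper. It implements plain forms of the three Cabuk et al. metrics (compressibility score, epsilon-similarity, regularity) over a per-packet numeric sequence and runs them on constructed inter-packet times, constructed packet sizes (the Size Modulation case of paper #1) and, for paper #2, on PDU order encoded as the displacement between arrival position and sent position. The epsilon and window parameters, the traffic generators, the 3-PDU grouping and the displacement encoding are assumptions made here; the papers' specific countermeasure variation and the modified compressibility score are not reproduced.

```python
"""Added example (not code from either paper): plain versions of the three
Cabuk et al. (2004) metrics applied to the same kind of per-packet sequence
for three hiding patterns: inter-packet times, packet sizes and PDU ordering.
Parameters, sample traffic and the displacement encoding of PDU order are
assumptions made for this illustration."""
import random
import statistics
import zlib


def compressibility_score(values, digits=3):
    """Ratio of the text length of the sequence to its zlib-compressed length.
    A sequence that reuses few symbols (a covert channel alphabet) compresses
    better and gets a higher score."""
    text = ",".join(f"{v:.{digits}f}" if isinstance(v, float) else str(v)
                    for v in values)
    raw = text.encode()
    return len(raw) / len(zlib.compress(raw, 9))


def epsilon_similarity(values, eps=0.001):
    """Fraction of relative differences |s[i+1]-s[i]| / s[i] between neighbouring
    sorted values that fall below eps (meaningful for positive-valued series).
    Values drawn from a small alphabet give many near-identical neighbours."""
    s = sorted(values)
    rel = [abs(s[i + 1] - s[i]) / s[i] for i in range(len(s) - 1) if s[i] != 0]
    return sum(1 for r in rel if r < eps) / len(rel) if rel else 0.0


def regularity(values, window=10):
    """Standard deviation of the pairwise |sigma_i - sigma_j| / sigma_i over the
    standard deviations sigma_i of fixed-size windows. A channel whose
    variance barely changes over time scores low."""
    windows = [values[i:i + window]
               for i in range(0, len(values) - window + 1, window)]
    sigma = [statistics.pstdev(w) for w in windows]
    pairs = [abs(sigma[i] - sigma[j]) / sigma[i]
             for i in range(len(sigma)) for j in range(i + 1, len(sigma))
             if sigma[i] > 0]
    return statistics.pstdev(pairs) if len(pairs) > 1 else 0.0


def metrics(values):
    return {"compressibility": compressibility_score(values),
            "epsilon_similarity": epsilon_similarity(values),
            "regularity": regularity(values)}


# --- constructed sample traffic (synthetic, not captured data) ---------------

def legit_iats(n):            # long-tailed inter-arrival times, seconds
    return [random.expovariate(20.0) for _ in range(n)]

def covert_iats(n):           # 1 bit per gap: 0 -> 50 ms, 1 -> 100 ms, plus jitter
    return [random.choice([0.05, 0.10]) + random.uniform(-0.001, 0.001)
            for _ in range(n)]

def legit_sizes(n):           # payload sizes spread over the MTU range
    return [random.randint(40, 1500) for _ in range(n)]

def covert_sizes(n):          # size modulation: 2 bits per packet as 4 sizes
    return [random.choice([100, 300, 500, 700]) for _ in range(n)]

def legit_order(n, p_swap=0.03):   # in-order flow with rare adjacent swaps
    seq, i = list(range(n)), 0
    while i < n - 1:
        if random.random() < p_swap:
            seq[i], seq[i + 1] = seq[i + 1], seq[i]
            i += 1
        i += 1
    return seq

def covert_order(n, group=3):      # message ordering: permute each group of 3
    seq = []
    for start in range(0, n - group + 1, group):
        block = list(range(start, start + group))
        random.shuffle(block)      # one of 3! permutations per hidden symbol
        seq.extend(block)
    return seq

def displacements(arrival_order):
    """PDU order as a numeric sequence: arrival position minus sent position."""
    return [pos - sent for pos, sent in enumerate(arrival_order)]


def demo(n=300, seed=7):
    """Score legitimate vs. covert traces for all three patterns. For PDU
    order only the compressibility score is used, since the other two
    metrics assume a positive-valued series."""
    random.seed(seed)
    order_l = displacements(legit_order(n))
    order_c = displacements(covert_order(n))
    return {
        "iat":   {"legit": metrics(legit_iats(n)),  "covert": metrics(covert_iats(n))},
        "size":  {"legit": metrics(legit_sizes(n)), "covert": metrics(covert_sizes(n))},
        "order": {"legit": {"compressibility": compressibility_score(order_l)},
                  "covert": {"compressibility": compressibility_score(order_c)}},
    }


if __name__ == "__main__":
    for pattern, res in demo().items():
        for kind, m in res.items():
            print(f"{pattern:5} {kind:6} " + "  ".join(f"{k}={v:.3f}" for k, v in m.items()))
```

On these constructed traces the covert timing and size channels score higher on compressibility and epsilon-similarity than the legitimate traces, which is the reuse across patterns that countermeasure variation relies on. For PDU ordering the direction flips: a mostly in-order flow is the more compressible side and the permuted covert flow the less compressible one, so a threshold has to be chosen per pattern rather than copied over. Which thresholds hold on real traffic, and how the score has to be modified for ordering channels, is what the papers evaluate, not this snippet.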