Model-Based Covert Timing Channels: Automated Modeling and Evasion - PowerPoint PPT Presentation

1 / 39

About This Presentation

Title:

Model-Based Covert Timing Channels: Automated Modeling and Evasion

Description:

Title: Measurement and Classification of Humans and Bots in Internet Chat Author: Steven Gianvecchio Last modified by: Steven Gianvecchio Created Date – PowerPoint PPT presentation

Number of Views:121

Avg rating:3.0/5.0

Slides: 40

Provided by: StevenGia8

Category:

more less

Transcript and Presenter's Notes

Title: Model-Based Covert Timing Channels: Automated Modeling and Evasion

1
Model-Based Covert Timing ChannelsAutomated
Modeling and Evasion

Steven Gianvecchio1, Haining Wang1, Duminda
Wijesekera2, and Sushil Jajodia2
1College of William and Mary
2George Mason University

2
Outline

Background
Covert Timing Channels
Model-Based Framework
Experimental Evaluation
Capacity
Detection Resistance
Conclusion

3
Outline

Background
Covert Timing Channels
Model-Based Framework
Experimental Evaluation
Capacity
Detection Resistance
Conclusion

4
Background

Covert Channels
manipulate shared resources to transfer
information
hide communication (or extra communication)
exfiltrate sensitive data (e.g., keys, passwords)

5
Background

Types of Covert Channels
shared resource is the type
covert storage channels
(e.g., packet header fields)
covert timing channels
(e.g., packet arrival times)

6
Outline

Background
Covert Timing Channels
Model-Based Framework
Experimental Evaluation
Capacity
Detection Resistance
Conclusion

7
Covert Timing Channels

Main Goals
high capacity
strong detection resistance
Capacity
bits/time unit, not bits/symbol

8
Covert Timing Channels

OPtimal Capacity (OPC)
send information as fast as possible
E(X) is small (1,000s of packets/second)
Fixed-average Packet Rate (FPR)
send information as fast as possible with a
fixed-average packet rate
E(X) is fixed (a few packets/second)

9
Outline

Background
Covert Timing Channels
Model-Based Framework
Experimental Evaluation
Capacity
Detection Resistance
Conclusion

10
Model-Based Framework

The Framework
filters and analyzes legitimate traffic
encodes and transmits covert traffic

11
Components

Filter
filters input for the specified type of traffic
(e.g., outgoing HTTP)
outputs legitimate IPDs

12
Components

Analyzer
fits the legitimate IPDs to several models using
MLE (blocks of 100 IPDs)
selects the model with the lowest RMSE

13
Components

Encoder
uses the IDF of the model
generates covert IPDs that mimic the legitimate
traffic

14
Encoding / Decoding

1. Continuize
2. Encode
3. Decode
4. Discretize

15
Components

Transmitter
sends out packets with covert IPDs
Receiver and Decoder
receive packets and decode message

16
Model-Based Framework

Implementation Details
components run in user space
filter, encoder, transmitter written in C plus
inline assembly for RDTSC
analyzer written in MATLAB

17
Outline

Background
Covert Timing Channels
Model-Based Framework
Experimental Evaluation
Capacity
Detection Resistance
Conclusion

18
Experimental Evaluation

Test Scenarios
LAN, WAN East-to-East, WAN East-to-West

LAN WAN-EE WAN-EW
distance 0.3 mi 525 mi 2660 mi
RTT 1.7ms 59.6ms 87.2ms
IPDV 2.5e-05 2.41e-03 2.1e-04
hops 3 18 13
IPDV inter-packet delay variation IPDV inter-packet delay variation IPDV inter-packet delay variation IPDV inter-packet delay variation
19
Test Setup

MB-HTTP
Weibull avg. ? 0.0371, avg. k 0.3010
E(X) is 0.3385 (3 packets/second)
OPC
E(X) is 7.31e-3 to 7.87e-5
(1,515 to 12,777 packets/second)
FPR
Exponential ? 2.954
E(X) is 0.3385 (3 packets/second)

20
Theoretical Capacity

LAN, WAN East-East, WAN East-West
OPC has highest capacity

channel LAN LAN WAN-EE WAN-EE WAN-EW WAN-EW
channel CPP CPS CPP CPS CPP CPS
MB-HTTP 9.39 27.76 4.12 12.19 6.84 20.21
OPC 0.50 6,395 0.50 68.80 0.50 758.54
FPR 12.63 37.32 6.15 18.17 9.59 28.35
CPP capacity/packet, CPS capacity/second CPP capacity/packet, CPS capacity/second CPP capacity/packet, CPS capacity/second CPP capacity/packet, CPS capacity/second CPP capacity/packet, CPS capacity/second CPP capacity/packet, CPS capacity/second CPP capacity/packet, CPS capacity/second
21
Theoretical Capacity

LAN, WAN East-East, WAN East-West
MB-HTTP and FPR are close

WAN East-East
MB-HTTP versus FPR
capacity and bit error degrade quickly

23
Empirical Capacity

WAN East-West
MB-HTTP versus FPR
capacity and bit error degrade slowly

24
Empirical Capacity

LAN, WAN East-East, WAN East-West
OPC again has the highest capacity

channel LAN LAN WAN-EE WAN-EE WAN-EW WAN-EW
channel CPP CPS CPP CPS CPP CPS
MB-HTTP 6.74 19.93 2.15 6.35 5.18 15.31
OPC 0.85 10,899 0.66 91.28 0.98 1,512
FPR 10.95 32.35 4.63 13.67 9.37 27.69
CPP capacity/packet, CPS capacity/second CPP capacity/packet, CPS capacity/second CPP capacity/packet, CPS capacity/second CPP capacity/packet, CPS capacity/second CPP capacity/packet, CPS capacity/second CPP capacity/packet, CPS capacity/second CPP capacity/packet, CPS capacity/second
25
Empirical Capacity

LAN, WAN East-East, WAN East-West
MB-HTTP and FPR are still close

Tests of Shape
Kolmogorov-Smirnov test
where s1 and s2 are distribution functions
Tests of Regularity
The regularity test (Cabuk 2004)

26
27
KSTEST

KSTEST scores
high mean and low s.d. for FPR and OPC

LEGIT-HTTP LEGIT-HTTP MB-HTTP MB-HTTP FPR FPR OPC OPC
sample size mean stddev m. s.d. m. s.d m. s.d
100x2,000 .193 .110 .196 .093 .92 .0 .99 .0
100x10,000 .141 .103 .157 .087 .92 .0 .99 .0
100x50,000 .096 .096 .122 .073 .92 .0 .99 .0
100x250,000 .069 .066 .096 .036 .92 .0 .99 .0
28
KSTEST

KSTEST scores
similar mean and s.d. for LEGIT and MB-HTTP

KSTEST distribution
similar distributions for LEGIT-HTTP and MB-HTTP
scores

30
KSTEST

KSTEST distribution
LEGIT-HTTP and MB-HTTP overlap even with 250,000
packets

31
KSTEST

KSTEST detection rates
FPR and OPC are detected easily

LEGIT-HTTP MB-HTTP FPR OPC
sample size FP TP TP TP
100x2,000 .01 .01 1.00 1.00
100x10,000 .01 .01 1.00 1.00
100x50,000 .01 .01 1.00 1.00
100x250,000 .01 .02 1.00 1.00
32
KSTEST

KSTEST detection rates
FP equals TP for LEGIT and MB-HTTP

LEGIT-HTTP MB-HTTP FPR OPC
sample size FP TP TP TP
100x2,000 .01 .01 1.00 1.00
100x10,000 .01 .01 1.00 1.00
100x50,000 .01 .01 1.00 1.00
100x250,000 .01 .02 1.00 1.00
33
regularity

regularity scores
similar mean for LEGIT and MB-HTTP

LEGIT-HTTP MB-HTTP FPR OPC
sample size mean mean mean mean
100x2,000 w100 43.80 38.21 0.34 0.00
100x2,000 w250 23.74 22.87 0.26 0.00
34
regularity

regularity detection rates
MB-HTTP is not detected at all

LEGIT-HTTP MB-HTTP FPR OPC
sample size FP TP TP TP
100x2,000 w100 .01 .00 1.00 1.00
100x2,000 w250 .01 .00 1.00 1.00
35
regularity

regularity detection rates
again FPR and OPC are detected easily

LEGIT-HTTP MB-HTTP FPR OPC
sample size FP TP TP TP
100x2,000 w100 .01 .00 1.00 1.00
100x2,000 w250 .01 .00 1.00 1.00
36
Outline

Background
Covert Timing Channels
Model-Based Framework
Experimental Evaluation
Capacity
Detection Resistance
Conclusion

37
Conclusion

Model-Based Covert Timing Channels
can be built automatically
effective even in coast-to-coast scenario
capacity is very close to FPR
much stronger detection resistance than FPR and
OPC

38
Conclusion (cont.)

Future Work
investigate detection methods for model-based
covert timing channels
explore other more advanced covert timing channel
designs (e.g., non-parametric models)

39
Questions?
Thank You!

Write a Comment

User Comments (0)