TY - GEN
T1 - Victim-aware adaptive covert channels
AU - Bortolameotti, Riccardo
AU - van Ede, Thijs
AU - Continella, Andrea
AU - Everts, Maarten
AU - Jonker, Willem
AU - Hartel, Pieter
AU - Peter, Andreas
PY - 2019
Y1 - 2019
N2 - We investigate the problem of detecting advanced covert channel techniques, namely victim-aware adaptive covert channels. An adaptive covert channel is considered victim-aware when the attacker mimics the content of its victim’s legitimate communication, such as application-layer metadata, in order to evade detection from a security monitor. In this paper, we show that victim-aware adaptive covert channels break the underlying assumptions of existing covert channel detection solutions, thereby exposing a lack of detection mechanisms against this threat. We first propose a toolchain, Chameleon, to create synthetic datasets containing victim-aware adaptive covert channel traffic. Armed with Chameleon, we evaluate state-of-the-art detection solutions and we show that they fail to effectively detect stealthy attacks. The design of detection techniques against these stealthy attacks is challenging because their network characteristics are similar to those of benign traffic. We explore a deception-based detection technique that we call HoneyTraffic, which generates network messages containing honey tokens, while mimicking the victim’s communication. Our approach detects victim-aware adaptive covert channels by observing inconsistencies in such tokens, which are induced by the attacker attempting to mimic the victim’s traffic. Although HoneyTraffic has limitations in detecting victim-aware adaptive covert channels, it complements existing detection methods and, in combination with them, it can make evasion harder for an attacker.
AB - We investigate the problem of detecting advanced covert channel techniques, namely victim-aware adaptive covert channels. An adaptive covert channel is considered victim-aware when the attacker mimics the content of its victim’s legitimate communication, such as application-layer metadata, in order to evade detection from a security monitor. In this paper, we show that victim-aware adaptive covert channels break the underlying assumptions of existing covert channel detection solutions, thereby exposing a lack of detection mechanisms against this threat. We first propose a toolchain, Chameleon, to create synthetic datasets containing victim-aware adaptive covert channel traffic. Armed with Chameleon, we evaluate state-of-the-art detection solutions and we show that they fail to effectively detect stealthy attacks. The design of detection techniques against these stealthy attacks is challenging because their network characteristics are similar to those of benign traffic. We explore a deception-based detection technique that we call HoneyTraffic, which generates network messages containing honey tokens, while mimicking the victim’s communication. Our approach detects victim-aware adaptive covert channels by observing inconsistencies in such tokens, which are induced by the attacker attempting to mimic the victim’s traffic. Although HoneyTraffic has limitations in detecting victim-aware adaptive covert channels, it complements existing detection methods and, in combination with them, it can make evasion harder for an attacker.
KW - Covert channels
KW - Intrusion detection system
KW - Network security
UR - http://www.scopus.com/inward/record.url?scp=85077508499&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-37228-6_22
DO - 10.1007/978-3-030-37228-6_22
M3 - Conference contribution
AN - SCOPUS:85077508499
SN - 9783030372279
VL - 304
T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
SP - 450
EP - 471
BT - Security and Privacy in Communication Networks - 15th EAI International Conference, SecureComm 2019, Proceedings
A2 - Chen, Songqing
A2 - Choo, Kim-Kwang Raymond
A2 - Fu, Xinwen
A2 - Lou, Wenjing
A2 - Mohaisen, Aziz
PB - Springer
T2 - 15th International Conference on Security and Privacy in Communication Networks, SecureComm 2019
Y2 - 23 October 2019 through 25 October 2019
ER -