download vol 5, no 3&4, year 2012 - IARIA Journals

More documents

Recommendations

Info

International Journal on Advances in Telecommunications, vol 5 no 3 & 4, year 2012, http://www.iariajournals.org/telecommunications/ time of 11 seconds. The resulting throughput value is 127.4 bps, considerable improvement over the previous case. D. Covertness Analysis By evaluating the impact our proposed channel has in an operating wireless network, we can work to reduce its detectability by making use of traffic profile analysis. Figure 16 is a partial magnification of the traffic profile of a busy channel during a normal working day at campus, where the black (lower) line represents the normal network traffic, and the red (upper) line shows the normal traffic plus the traffic due to covert (forged) frames. As we can see in Figure 16, the difference between the red line and the black line corresponds to the amount of traffic added by the use of the covert channel. Since the network traffic is fairly heavy, the presence of the covert channel is not obvious; our traffic just blends in with the overall traffic. Selected portion of network traffic profile showing the additional traffic generated by the use of the proposed covert channel (red top line). Applying the same reasoning to a low traffic channel, in the same campus area, during a normal working day, we can notice a substantial difference. Figure 17 shows the traffic profile of an available but modestly used channel, and without any covert traffic. Figure 17. Traffic profile of a low usage WiFi channel on campus. Figure 16. Traffic profile of a low usage WiFi channel on campus Figure 18 clearly shows the impact our covert transmissions have in the traffic profile of such channel. The traffic peaks are the result of injecting forged frames. In this case, our covert message being transmitted was a random sequence of 3500 bits. Zooming in and splitting the two types of traffic, as seen in Figure18, reveals the presence of an abnormal amount of traffic. In this case, there is a significant difference between the two types of traffic, with or without covert transmissions. Figure 18. Selected portion of network traffic profile showing the additional traffic generated by the use of the proposed covert channel (red top line). Figure 19 displays the traffic profile when using different rates of transmission and their impact. The stealthiness of the channel can be improved by spacing the transmission of forged frames. How the covert traffic can be made less visible by introducing spacing between frames is illustrated below. One of the down sides of this manipulation is the obvious reduction of throughput. Segment (a) in Figure 19 corresponds to normal frame transmission with no additional 2012, © Copyright by authors, Published under agreement with IARIA - www.iaria.org 138
International Journal on Advances in Telecommunications, vol 5 no 3 & 4, year 2012, http://www.iariajournals.org/telecommunications/ (a) spacing between the frames, i.e., no delay was introduced between transmitted frames. For this segment, the total transmission time is approximately two minutes at a measured average of 30 frames per second. In segment (b), frames are sent once every two seconds, resulting in a total transmission time of 2 hours and 12 minutes. Finally, segment (c) is shown only partially; we sent one frame every four seconds for a total transmission time of 4.5 hours. The important aspect is that the difference between the legitimate and covert traffic becomes smaller and smaller as the spacing increases; at some point, it is possible to make it almost invisible as we extend the spacing. On the other hand, the throughput is degrading proportionally. Another technique to camouflage our use of the covert channel is to space the forged frames transmission in a nonuniform way instead of sending the frames at regular time intervals. Although considered, this variation was not tested. V. CONCLUSIONS This work presented, implemented, and tested a MAC layer 802.11 covert channel. We used the PV field in the MAC header to hide and transfer the covert information. Within the MAC header we used the PV field, as well as the flag bits, to hide our message. The proposed covert channel was implemented by developing the necessary code in Python. A GUI chat console is used for message transmission. In our approach, users only have to run a single Python script in order to access the chat console. The test bed used for experiments operated in a Linux environment. Robustness to errors in the covert channel is improved by the use of forward error correction and bit interleaving. Results indicate significant improvement in the error performance of the channel for low interference rates. Detectability of the use of the proposed covert channel was also investigated, demonstrating a method of minimizing our exposure to such type of analysis. Throughput is severely affected once we try to reduce our traffic profile footprint. The achieved throughput of the covert channel was measured under two different scenarios, in which we changed the size of the payload. The maximum channel data rate was also determined. The case of 6-bit payload along with convolutional coding and interleaving yielded the highest measured throughput. (b) Figure 19. Selected portion of network traffic profile showing the effect of different transmition rates. This proof of concept can benefit considerably from future work. This may include code optimization in order to increase the frame rate, testing other error correction algorithms, and embedding this covert channel into legitimate traffic, directly at a firmware level, instead of relying on the injection of forged frames. REFERENCES [1] R. Gonçalves, M. Tummala, and J. McEachen, "A MAC Layer Covert Channel in 802.11 Networks", The Third International Conference on Emerging Network Intelligence EMERGING 2011, November 20-25, 2011 - Lisbon, Portugal [2] Institute of Electrical and Electronics Engineers, 802.11, Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications (accessed January 17, 2011). http://ieeexplore.ieee.org [3] D. McGrath, "WLAN chip set shipments projected to double," in EE Times, 2/17/2011. (accessed March 17, 2011) http://www.eetimes.com/electronics-news/4213260/WLANchip-set-shipments-projected-to-double [4] H. Yang, F. Ricciato, S. Lu, and L. Zhang, "Securing a wireless world," in Proceedings of the IEEE, vo1.94, Issue 2, pp. 442-454, February 2006. [5] Y. Xiao, C. Bandela, and Y. Pan, "Vulnerabilities and security enhancements for the IEEE 802.11 WLANs," in Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM) 2005, pp. 1655-1659, 2005. [6] T.E. Calhoun, R. Newman, and R. Beyah, "Authentication in 802.11 LANs Using a Covert Side Channel," in Communications, 2009. ICC '09. IEEE International Conference, pp. 1-6, 14-18 June 2009. [7] E. Couture, "Covert Channels," SANS Institute InfoSec Reading Room (accessed January 17, 2011). http://www.sans.org/reading_room/whitepapers/detection/cov ert-channels_33413 [8] A. Giani, V. H. Berk, and G. V. Cybenko, "Data Exfiltration and Covert Channels," Process Query Systems, Thayer School of Engineering at Dartmouth (accessed February 02, 2011). http://www.pqsnet.net/~vince/papers/SPIE06_exfil.ps.gz [9] D.T. Ha, G. Yan, S. Eidenbenz, and H.Q. Ngo, "On the effectiveness of structural detection and defense against P2Pbased botnets," in Dependable Systems & Networks, 2009. DSN '09. IEEE/IFIP International Conference, pp. 297-306, June 29 2009-July 2 2009. [10] S. Hammouda, L. Maalej, and Z. Trabelsi, "Towards Optimized TCP/IP Covert Channels Detection, IDS and Firewall Integration," in New Technologies, Mobility and Security, 2008. NTMS '08., pp.1-5, 5-7 Nov. 2008. 2012, © Copyright by authors, Published under agreement with IARIA - www.iaria.org (c) 139
Page 2 and 3: The International Journal on Advanc
Page 4 and 5: Javier Barria, Imperial College Lon
Page 6 and 7: Adrian Matei, Orange Romania S.A, p
Page 8 and 9: International Journal on Advances i
Page 10 and 11: pages: 274 - 283 Maximal Rate of Mo
Page 88 and 89:
International Journal on Advances i
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
Page 114 and 115:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138 and 139:
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
show all

download vol 5, no 3&4, year 2012 - IARIA Journals

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?