Chapter 3 Time-to-live Covert Channels - CAIA

More documents

Recommendations

Info

CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS Section 3.1. For performance reasons we did not use the full traces, but selected repre- sentative pieces. We used 24 hours of the CAIA, Grangenet, Bell, Twente and Waikato traces, and six hours of the Leipzig trace (each containing between 20 and 261 million packets). We used traffic in both directions. In a first pass we computed the TTL error for each packet in each trace as described in Section 3.1.5. Then during the actual covert channel emulation the TTL field was modified according to the pre-computed TTL error after the covert channel modulation. Alice and Bob used all overt packets available for the covert channel. Alice sent uniform random covert data, as if the data had been encrypted. Because of the random input data we repeated each experiment three times and report the mean error rate. Since the standard deviations are very small we do not include errors bars in the graphs. Let A be the amplitude of the modulation schemes (difference between the signal level of logical zero and one). For direct schemes A = 1, for DUB A = 2∆ and for all other techniques A = ∆. From Section 3.1 it is clear that only one bit per packet (direct, mapped schemes) or packet pair (differential schemes) can be encoded and A must be minimal, as otherwise the channel would not look like normal TTL variation 4 . Hence in our experiments we used binary channels and the TTL amplitude was only varied within a narrow range (1 ≤ A ≤ 6) to investigate its influence on the error rate. For direct encoding schemes we assumed knowledge of the true hop count at the receiver. For mapped schemes we considered the cases where the receiver 1) knows the mapping and 2) learns the mapping from the extra zero bit (see Section 3.2). Alice can only modify the TTL field to values between a minimum value and the maximum value of 255. She must avoid setting small TTL values that could result in packets being discarded on the way to the receiver. This limitation inevitably causes bit errors for schemes that increase TTL and tend to wrap-around (MEI and DUB). For schemes that decrease TTL bit errors are unlikely for small A as initial TTL values are usually at least 64 (see Section 3.2.2). In our experiments we leveraged the fact that the trace files were captured on end hosts or access routers to select the minimum TTL value. If a packet traversed ≤ 4 hops the minimum TTL was set to 31 minus the hops already traversed (outgoing packet). If a packet traversed > 4 hops the minimum TTL value was set to 4 (incoming packet). In practice other strategies could be used, for example Alice could select the minimum TTL for each packet based on its destination address. 4 If used as side channel, encoding multiple bits with larger amplitudes is perfectly reasonable. 59
Error rate 1e−02 1e−04 1e−06 1e−08 MED0 MED AMI DED MEI0 MEI 1 2 3 4 5 6 7 Amplitude A DEI DUB CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS Error rate 1e−02 5e−03 1e−03 5e−04 1e−04 5e−05 1e−05 MED0 MED AMI DED MEI0 MEI 1 2 3 4 5 6 7 Amplitude A Figure 3.12: Error rate for different modulation schemes and amplitudes for the CAIA trace (left) and the Leipzig trace (right) (y-axis is logarithmic) 3.5.2 Error rate Figure 3.12 shows the error rate for the CAIA and Leipzig datasets depending on the different modulation schemes and A (results for other traces are in Appendix B.3). Overall the error rates for A ≤ 2 are similar to the average rate of TTL changes (see Section 3.1). A notable exception is DUB for the CAIA trace. Since this trace contains a large number of very long flows the probability for TTL wrap-arounds is much higher than for the other traces. The error rate for MEI and DUB actually increases for increasing A because the probability of wrap-arounds increases. MEI0 and MED0 have higher error rates than MEI and MED. This is because often the probability that the first special zero bit is wrong is higher than the average error rate, since TTL changes occur more frequently at the start of flows (see Section 3.1). Both direct schemes and mapped schemes perform equally well for A = 1 as predicted by the error probabilities (see Appendix B.2). In general the error rate does not decrease proportionally with increasing A because the empirical error distributions have long tails as shown in Section 3.1.5. Figure 3.13 compares the performance of the different modulation schemes averaged across all traces. For A = 1 the error rate varies between 0.1% and 1%, and MED performs best, followed by MEI, AMI and the direct schemes. For larger amplitudes MED and AMI outperform all other schemes. MEI and MED clearly outperform MEI0 and MED0. We investigated if the error rate for mapped and differential schemes can be reduced by using hop count differences instead of TTL differences. The receiver converts all TTL values to hop counts. This eliminates errors when the TTL was changed by middleboxes but the hop count is the same (see Section 3.1.3). For example, the TTLs 56 and 120 are different but the hop count is 8 in both cases assuming the usual initial TTL values. Our 60 DEI DUB
Page 1 and 2: Chapter 3 CHAPTER 3. TIME-TO-LIVE C
Page 3 and 4: CHAPTER 3. TIME-TO-LIVE COVERT CHAN
Page 5 and 6: Proportion ≤≤ x 1.0 0.8 0.6 0.4
Page 11 and 12: Capacity (bits/packet) 1.00 0.95 0.
Page 13 and 14: 0 1 1-p L 1-p L p L p L CHAPTER 3.
Page 21: Algorithm 3.3 Block decoding algori
Page 27 and 28: Proportion ≤ x 1.0 0.8 0.6 0.4 0.
Page 29 and 30: Block corruption rate Block corrupt
Page 31 and 32: Throughput (bits/s) 60 50 40 30 20
Page 33 and 34: Throughput (bits/s) 200 150 100 50

Chapter 3 Time-to-live Covert Channels - CAIA

Create successful ePaper yourself

Delete template?

Save as template?