Application Layer Covert Channel Analysis and ... - Bill Buchanan

More documents

Recommendations

Info

Z. Kwecka, BSc (Hons) Network Computing, 2006 28Figure 3-6 Protocol-based Detection (Kwecka, 2006)(c) Behaviour-based Detection employs methods of creating profiles of the entirenetwork user. Thus, if any user suddenly changes it usual habits, or behaviourof the user becomes suspicious, an alarm is raised.These various ways of detection of covert channels may be characterised based onthe sensitivity and cost (processing) required for their execution. Thus, protocolbaseddetection systems are usually very simple to implement, and they do notrequire high processing power, however they can detect only a badly writtenimplementations of covert channels. Signature-based detection is slightly moresensitive and will raise an alarm whenever signature of the specific protocolimplementation does not match an entry in a base of allowed message originators.Consequently, the level of processing is usually higher than this of protocol-baseddetection, but still moderate. The behaviour-based approach to the detection ofmalicious packets seems to the most sensitive and very efficient, however, still not100% precise and prone to false positives. Additionally it is characterised by ahigh processing requirements.3.6 ConclusionsThis chapter has identified three Application Layer protocols: DNS, HTTP and SMTPas the ones, which may be employed to carry a covert payload. Also methods ofcreating covert channels were noted. Thus, an important conclusion about therequirements for covert channel implementation may be drawn, since all form ofcovert channels need some optional fields, values or behaviours to operate. It can beassumed then, that by limiting a number of optional functions of a given protocol,possibility of implementing a covert channel in this protocol is also reduced.Finally, the chapter discussed ways of detecting covert channel implementation andidentified three different methods, each of different characteristic. Protocol, signatureand behaviour based detection is possible, however the first one will detect only thebadly constructed threats and the last one is capable of detection of virtually anycovert channel. The greater the sensitivity of the detection method, the greater is theprocessing requirement. Thus, the design of the Covert Channel Detection Systemprototype described in Chapter 4, focused on implementing all three detectionmethods, as various levels of protection in a configuration, which should not affectthe monitored network.
Z. Kwecka, BSc (Hons) Network Computing, 2006 294 Design4.1 IntroductionThis chapter describes how the findings of the Literature Review (Chapter 3) wereused to design the prototype of the Covert Channel Detection System. Thus, thetypical environment for operation of such a system was defined as well as ways toevaluate the prototype.4.2 Evaluation EnvironmentThe project aims and literature review have helped us to define the most likelyscenarios of usage for Application Layer Covert Channel Detections and Filteringsystem. We perceive covert channels together with protocol tunneling as a large threatto information security. Therefore, in this project we decided to focus on detectingand filtering possible covert channels traffic outgoing from secure perimeters (i.e.intranets of various organizations), as to protect against arbitrary information leakage.The literature review has identified that most networks are protected by state-full rulebased firewalls, with Proxy servers being implemented sporadically.FIREWALLINTERNETINTRANETFigure 4-1 Firewall Protected IntranetThe literature review has also shown that a state-full firewall is incapable of providinga reasonable level of protection from threats where connections originate inside thesecure perimeter. More precisely, most configurations of state-full firewalls permitany connections that originated from the protected intranet as long as the protocolsused are permitted by the Security Policy. Thus, there is no option to provide finegrain filtering. Certainly some organizations use Proxy servers, or even servicesprovided by specialist content filtering companies, such as Bloxx 4 . However theirfocus once again is concentrated on protection from outside threats. Thus, if theperpetrator was an “insider”, or a hacker, who managed to trick somebody insidesecure perimeter to run malicious software, the company would not be able to blockthe breach in security taking place, if it would exploit policy permitted Internetprotocols. Thus our test network will reassemble basic model of institutional network(intranet) connected to the Interned via state-full firewall (Figure 4.1 illustrates thissetup). Consequently the next sections of the design process will focus on the designof detection and filtering tools that if located in similar network could help to preventinformation leakage exploiting protocol tunnelling and covert channels.4.3 Covert Channels Detection SystemThe literature review has identified three different ways of covert channels detection:4 www.bloxx.com
Page 1 and 2: Application Layer Covert ChannelAna
Page 3 and 4: Z. Kwecka, BSc (Hons) Network Compu
Page 11: Z. Kwecka, BSc (Hons) Network Compu
Page 79 and 80:
Z. Kwecka, BSc (Hons) Network Compu
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138:
show all

Application Layer Covert Channel Analysis and ... - Bill Buchanan

Create successful ePaper yourself

Delete template?

Save as template?