13.07.2015 Views

Application Layer Covert Channel Analysis and ... - Bill Buchanan


Z. Kwecka, BSc (Hons) Network Computing, 2006

4.4.6 Experiment 6 – Analysing Prototype's Load on Test Network

Another important parameter of the proposed solution to covert channels' detection is its load on the system it is going to be implemented in. Thus, this experiment will measure the time difference in accessing a predefined set of websites when the prototype Proxy filtering agent is inline with the traffic and when the websites are accessed directly. For the purpose of this experiment there is a need to design an application which could measure the time taken for a full page download. Thus, ideally, this application would communicate with the HTTP client software, or incorporate HTTP client software itself.

The software required for this experiment:
- Inline Filtering Agent
- Browser Timer – An application capable of either generating HTTP requests itself or triggering requests using standard WWW browsers, which could measure the time taken for a full website download.

4.4.7 Experiment 7 – Code Mobility Check

C# .NET was chosen as the prototype's development language, and one of the reasons behind this choice was the mobility of the code. Thus, the applications developed should be capable of optimal operation on any Windows based platform with WinPCap installed. Hence, in this experiment, components of the prototype will be tested on a variety of hosts running different operating systems. This should help to evaluate the programming language chosen. Consequently, the experiment will require a heterogeneous test network.

4.5 Conclusion

This chapter gave a high level view of the components necessary for development of the Covert Channel Detection System prototype.
We have suggested that the system should consist of at least two different types of software agents:
- Inline Filtering Agent (IFA)
- Sniffer Detection Agent (SDA)

The reason behind the suggestion that different types of detection applications are necessary is the load on the system. We consider behaviour-based detection systems as very resource consuming and therefore as unsuitable to be employed in the same machine as a real time covert channel filtering agent. This chapter has also suggested how the prototype evaluation may be performed in practice, by designing an overview of various experiments. Thus, the following applications will be required to test the final system and produce results:
- Browser Caller
- HTTP Dumper
- OffLine HTTP Analyser
- Filtering Proxy
- Data Hiding Proxy
- Browser Timer

Looking at the list of the software development required for this project, we can distinguish 3 different families of applications, i.e. HTTP Analysers, HTTP Proxies and HTTP Traffic Generators. Thus, we hope that implementation of generic foundations for those applications will be possible, so that particular implementations
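The Browser Timer measurement from Experiment 6 (section 4.4.6), as an added example that is not code from the thesis or its C# prototype: it serves a constructed site on localhost, downloads every page object directly and then through a pass-through stand-in for the Inline Filtering Agent, and reports the median times and their difference. The names `fetch`, `serve` and `run_experiment`, the site contents and the forwarding-only agent are assumptions made for illustration.

```python
import statistics, threading, time
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Constructed test site: a page plus the objects a browser would also request.
SITE = {"/index.html": b"<html>" + b"x" * 4096 + b"</html>",
        "/style.css": b"body{}" * 200, "/logo.png": b"\x89PNG" + bytes(8192)}

def fetch(url, proxy=None):
    """GET url directly, or via proxy=(host, port) using an absolute-URI request."""
    u = urlsplit(url)
    conn = HTTPConnection(*(proxy or (u.hostname, u.port)), timeout=5)
    conn.request("GET", url if proxy else u.path)
    body = conn.getresponse().read()
    conn.close()
    return body

def serve(respond):
    """Start a local HTTP server whose GET body is respond(request_target)."""
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args): pass  # keep stderr quiet during timing
        def do_GET(self):
            body = respond(self.path)
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def run_experiment(runs=10):
    seen = []  # every request target that crossed the agent
    origin = serve(lambda path: SITE.get(path, b""))
    # Hypothetical stand-in for the Inline Filtering Agent: record, then forward.
    agent = serve(lambda url: seen.append(url) or fetch(url))
    base = "http://127.0.0.1:%d" % origin.server_port
    def page_time(proxy):  # seconds and bytes for one full page download
        start = time.perf_counter()
        size = sum(len(fetch(base + p, proxy)) for p in SITE)
        return time.perf_counter() - start, size
    direct = [page_time(None) for _ in range(runs)]
    inline = [page_time(("127.0.0.1", agent.server_port)) for _ in range(runs)]
    for srv in (origin, agent):
        srv.shutdown(); srv.server_close()
    d, i = (statistics.median(t for t, _ in rows) for rows in (direct, inline))
    return {"direct_s": d, "inline_s": i, "overhead_s": i - d,
            "agent_requests": len(seen), "sizes": {s for _, s in direct + inline}}
```

The `agent_requests` and `sizes` fields confirm that the inline runs really crossed the agent and that it returned the same bytes, so the overhead figure compares like with like.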
