Z. Kwecka, BSc (Hons) Network Computing, 2006 54

This was performed using different Proxy configurations, with Host 2 set as originator. These configurations were:
- no Proxy
- Proxy hosted on low processing power machine (Host 3) without load
- Proxy hosted on low processing power machine (Host 3) with load
- Proxy hosted on high processing power machine (Host 1) without load
- Proxy hosted on high processing power machine (Host 1) with load

Figure 6-4 illustrates the results, i.e. the median time between the request and response. We can see that the configuration where the Inline Filtering Agent was running on the heavily loaded machine with the lowest processing power in the test network (Host 3) slowed down a typical operation by 1.7 sec. A surprising result, however, is that of the Inline Filtering Agent being executed on Host 1 (high power PC) with no load. Here a typical download operation took less time than in the scenario with no Proxy used. Since the browser on Host 2 was not allowed to keep a cache, this fact could only be explained by slightly different network conditions. After a short investigation we identified that the data in the ‘no Proxy’ configuration were collected around 21:00 GMT, whereas the ‘Host 1 – No load’ setup was tested at 22:30 GMT, and by that time the load of our ISP link to the Internet as well as the load of the target websites was slightly smaller. Still, the test error introduced is small and we consider that the delay added by the Inline Filtering Agent is negligible and would not affect the operation of a production network, especially considering the fact that a 100% HTTP/1.1 compliant Proxy implementation would lower the number of internal and external TCP connections opened.
Thus, by means of persistent connections, such a Proxy would actually be able to speed up WWW transactions with the websites most popular among the users of the intranet.

6.2.7 Experiment 7 – Code Mobility Check

During this experiment we tried to execute the prototype on every host in the test network, to check how mobile the code produced is. As described earlier, each host in the test network runs a slightly different operating system. The tests showed that the Inline Filtering Agent executes on all the operating systems used and does not require any special libraries to be installed. The Sniffer Detection Agent, by contrast, was implemented on top of the WinPcap library, which was installed on each host prior to testing. Even though the installation was successful on all four machines, during the experiment the Sniffer Detection Agent would not run on the Starter Edition and Home Edition platforms. We expected this from the Home Edition software, which was not designed to perform any low level operations; however, bearing in mind that Microsoft Windows Starter Edition is actually based on Windows Professional, the fact that the software didn’t operate on this platform was surprising. Information found on the Microsoft website confirmed that the Starter Edition restrictions are not only hardware restrictions (this platform will run only on low level computers with less than 256MB of RAM and less than 80GB of disk space), but that some elements of the Professional version were also removed, to restrict the platform’s use in a professional environment. The core of the problem, however, was identified as ‘npptools.dll’ missing from both systems. After copying this library from Host 1, running Windows XP Professional, onto Hosts 3 and 4, the problem was fixed.
Therefore, we consider our prototype operational on all major releases of Windows operating systems, but the Sniffer Detection Agent prototype will require an installation process to make sure WinPcap and ‘npptools.dll’ are present.
6.3 Conclusions

The first set of experiments performed proved that recognition of the connection originator is possible, even if the user agent field of the HTTP protocol is obfuscated. Therefore signatures of four commonly used browsers were identified for use in the prototype. Then the set of information sent in a request for certain web pages was reduced, and from the response codes received the conclusion may be drawn that a percentage of the headers in the HTTP standard is sent in the request but never used by the receiving server in connection with typical requests. Thus, Accept, Accept-Encoding and Accept-Language have been identified as headers which, in an English-speaking environment, are redundant when using a typical multifunction web browser.

The evaluation of the prototype has been performed, and all the covert channel scenarios that the IFA was designed to detect have raised an alert when executed. Additionally, five agents of various MS Windows based software were detected. Thus, it has been established that some applications hijack the proxy setting of Internet Explorer.
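
The following sketch is an added example, not code from the thesis: it shows one way a filtering proxy can recognise the originator of a request when the User-Agent value is obfuscated, and report an agent that matches no known browser. It assumes a signature is the order of the request's header names, since this section does not give the signature format; the signature table, labels, threshold and sample requests are all constructed.

```python
# Added example: recognise the originating client from the order of its HTTP
# request header names, ignoring the User-Agent value. The signatures and the
# requests below are constructed samples, not those measured in the thesis.
SIGNATURES = {
    "browser-A": ("accept", "accept-language", "accept-encoding",
                  "user-agent", "host", "connection"),
    "browser-B": ("host", "user-agent", "accept", "accept-language",
                  "accept-encoding", "connection"),
}

def header_names(raw: bytes) -> list:
    """Return lower-cased header names in the order they were sent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    names = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, _ = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        names.append(name.strip().lower())
    return names

def lcs_len(a, b) -> int:
    """Longest common subsequence length, so a missing header only lowers the score."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]

def identify(raw: bytes, threshold: float = 0.8):
    """Return (label, score); label is None when no signature is close enough."""
    names = header_names(raw)
    best, score = None, 0.0
    for label, sig in SIGNATURES.items():
        s = 2 * lcs_len(names, sig) / (len(names) + len(sig))
        if s > score:
            best, score = label, s
    return (best if score >= threshold else None), round(score, 2)

# Constructed request: browser-B header order with an obfuscated User-Agent value.
OBFUSCATED = (b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: x\r\n"
              b"Accept: */*\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n"
              b"Connection: keep-alive\r\n\r\n")
# Constructed request from an agent with no matching signature (the alert case).
UNKNOWN = b"GET /u HTTP/1.1\r\nUser-Agent: x\r\nHost: example.test\r\nX-Data: 1\r\n\r\n"

if __name__ == "__main__":
    for req in (OBFUSCATED, UNKNOWN):
        print(identify(req))
```

A request that returns `None` as its label is the case a filter would log or alert on, since its header order matches none of the known browsers.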