SLIDE 1

Diogo Barradas - EuroSys Doctoral Workshop 2018

Assessing the Feasibility of Machine Learning to Detect Network Covert Channels

Name: Diogo Barradas
PhD Stage: Planner
Advisors: Prof. Luís Rodrigues & Prof. Nuno Santos
Research Area: Privacy-Enhancing Technologies

SLIDE 5

What’s All This About?

  • What’s the Problem?

○ Current unobservability assessments of covert channels are flawed

  • Why Should We Care?

○ Inaccurate unobservability assessments can place human lives in jeopardy

  • What Are You Going To Do About It?

○ Develop a robust framework for the unobservability assessment of covert channels

  • Then What?

○ Foster the design of new tools to circumvent repressive network control

SLIDE 6

Multiple Tools Generate Covert Channels in the Internet

  • Recent approaches tunnel data through encrypted protocols

○ e.g. Skype

SLIDE 7

Covert Channels through Multimedia Protocol Tunneling

  • Facet: Unidirectional (A/V), Video Transmission
  • DeltaShaper: Bidirectional (V), Arbitrary Data Transmission

SLIDE 8

Adversaries can Learn from Encrypted Traffic

  • Traffic analysis can detect unusual patterns in (encrypted) network flows
  • Covert data must be carefully modulated to evade detection

○ Security => Unobservability

[Figure: Encrypted Traffic Analysis]

SLIDE 9

Existing Unobservability Claims are Questionable

  • Ad hoc covert channel evaluation

○ Similarity-based classifiers only

○ Unobservability measured against independently built classifiers

  • Lack of theoretical reasoning in covert channel design

○ Covert data embedding is guided through black-box experimentation

SLIDE 10

Research Questions

  • Are state-of-the-art covert channels observable?
  • Can we better assess the unobservability of current tools?
  • Can we accurately characterize covert data carrier protocols?
  • Is it possible to provide theoretical bounds to unobservability?

SLIDE 12

Similarity-Based Detection

  • Unobservability claims are dependent on the classifier
  • Similarity-based classifiers cannot accurately detect covert traffic

○ ROC AUC:

System / Classifier   Chi-Square   Earth Mover’s Distance
Facet                 0.83         0.58
DeltaShaper           0.74         0.57
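
The following is an added example, not taken from the slides or from the Facet or DeltaShaper code. It scores flows by the chi-square and Earth Mover's distances between their packet-length histogram and a legitimate reference, then computes ROC AUC for each classifier. Packet lengths as the feature, the 100-byte bins, and all traces are assumptions constructed for illustration.

```python
from collections import Counter

BIN, NBINS = 100, 15  # assumed: 100-byte bins covering packet lengths 0..1499

def histogram(lengths):
    """Normalised packet-length histogram of one flow."""
    counts = Counter(min(n // BIN, NBINS - 1) for n in lengths)
    return [counts[b] / len(lengths) for b in range(NBINS)]

def chi_square(p, q):
    """Chi-square distance between two normalised histograms."""
    return 0.5 * sum((a - b) ** 2 / (a + b) for a, b in zip(p, q) if a + b > 0)

def emd(p, q):
    """1-D Earth Mover's Distance (in bins): sum of |CDF(p) - CDF(q)|."""
    total = carry = 0.0
    for a, b in zip(p, q):
        carry += a - b
        total += abs(carry)
    return total

def roc_auc(legit_scores, covert_scores):
    """P(covert flow scores higher than legitimate flow); ties count half."""
    wins = sum((c > l) + 0.5 * (c == l)
               for c in covert_scores for l in legit_scores)
    return wins / (len(covert_scores) * len(legit_scores))

def evaluate(distance, reference, legit_flows, covert_flows):
    """Score each flow by its distance to the reference, then compute AUC."""
    ref = histogram(reference)
    def score(flow):
        return distance(histogram(flow), ref)
    return roc_auc([score(f) for f in legit_flows],
                   [score(f) for f in covert_flows])

# Constructed packet-length traces (bytes), 10 packets per flow.
REFERENCE = [150] * 5 + [1250] * 5
LEGIT = [[150] * 5 + [1250] * 5,             # identical to the reference
         [150] * 4 + [1050] + [1250] * 5]    # one packet moved far away
COVERT = [[250] * 5 + [1250] * 5,            # small packets shifted one bin
          [150] * 5 + [1150] * 5]            # large packets shifted one bin

if __name__ == "__main__":
    for name, dist in (("chi-square", chi_square), ("EMD", emd)):
        print(name, evaluate(dist, REFERENCE, LEGIT, COVERT))
```

On these constructed traces the chi-square classifier separates the two classes perfectly while EMD performs at chance, because EMD weights how far mass moves and chi-square weights how much mass changes per bin.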

SLIDE 14

Decision Tree-Based Detection

  • Largely undermine previous unobservability claims

○ Facet: ROC AUC = 0.99 (vs 0.83)

○ DeltaShaper: ROC AUC = 0.95 (vs 0.74)

  • Provide us insight on useful features for identifying covert channels

SLIDE 15

Takeaways

  • Ensuring unobservability is desirable for covert channels
  • Past unobservability assessments are flawed
  • Goal: build a rigorous framework for the assessment of unobservability


https://web.ist.utl.pt/diogo.barradas

Thank You!