covert channel detection using flow data
play

Covert channel detection using flow-data Guido Pineda Reyes MSc. - PowerPoint PPT Presentation

Mar 27, 2023 •133 likes •594 views

Covert channel detection using flow-data Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 1 / 46 Outline

  1. Covert channel detection using flow-data Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 1 / 46

  2. Outline Introduction 1 Research questions 2 Approach 3 Data analysis 4 ICMP DNS HTTP Algorithms 5 Implementation 6 ICMP DNS HTTP Conclusions 7 Q&A 8 Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 2 / 46

  3. Covert Channels Definition Lampson, 1973 “... A communication channel that is used for information transmission, but that is not intended for communications...” National Computer Security Centre Maryland Meade, 1985 “Communication channel that can be exploited ... to transfer information in a manner that violates the system’s security policy” Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 3 / 46

  4. Malicious usage Data exfiltration Intrusion maintenance Botnet control Malware updates Gathering of sensitive information ... Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 4 / 46

  5. Chosen techniques ICMP tunnel ICMP reverse shell DNS tunnel HTTP reverse shell Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 5 / 46

  6. Flow-data Overview Netflow is a monitoring tool Describes the method for a collector to export statistics about IP packets passing an observation point. Netflow v10 aka IPFIX (RFC 5101) Payload is not included Flow Packets with a set of common properties: source address and port number ingress interface destination address and port number network layer protocol type of service (TOS) Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 6 / 46

  7. Research questions Is it possible to detect network-based covert channel malicious activity by using flow-data? How do the selected covert channel techniques work? What is the difference between normal traffic and covert channel traffic behaviour using the chosen techniques? What algorithms can be used to detect network-based covert channel traffic? How can this results be validated? Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 7 / 46

  8. Approach Data gathering Regular traffic Protocol Total bytes (MB) Total packets Total bidirectional flows ICMP 698.5 3445152 169 DNS 1638.6 3981600 53490 HTTP 1956.27 1818293 40107 Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 8 / 46

  9. Approach Data gathering Malicious traffic Technique Total bytes (MB) Total packets Total bidirectional flows ICMP tunneling 3957.08 4491868 30 ICMP reverse shell 196.2 3481308 75 DNS tunneling 2746.7 3376230 172 HTTP reverse shell 311.39 470985 166 Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 9 / 46

  10. Approach Experimental environment Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 10 / 46

  11. IPFIX templates Export template: ICMP Field Description IPV4 SRC ADDR IPv4 source address IPV4 DST ADDR IPv4 destination address PROTOCOL IP protocol byte IN BYTES Incoming flow bytes (src - > dst) IN PKTS Incoming flow packets (src - > dst) OUT BYTES Outgoing flow bytes (dst - > src) OUT PKTS Outgoing flow packets (dst - > src) MIN TTL Min flow TTL MAX TTL Max flow TTL ICMP TYPE ICMP Type * 256 + ICMP code Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 11 / 46

  12. IPFIX templates Export template: DNS Field Description IPV4 SRC ADDR IPv4 source address IPV4 DST ADDR IPv4 destination address PROTOCOL IP protocol byte IN BYTES Incoming flow bytes (src - > dst) IN PKTS Incoming flow packets (src - > dst) OUT BYTES Outgoing flow bytes (dst - > src) OUT PKTS Outgoing flow packets (dst - > src) MIN TTL Min flow TTL MAX TTL Max flow TTL DNS QUERY DNS query DNS QUERY ID DNS query transaction Id DNS QUERY TYPE DNS query type (e.g. 1=A, 2=NS..) DNS RET CODE DNS return code (e.g. 0=no error) Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 12 / 46

  13. IPFIX templates Export template: HTTP Field Description IPV4 SRC ADDR IPv4 source address IPV4 DST ADDR IPv4 destination address PROTOCOL IP protocol byte IN BYTES Incoming flow bytes (src- > dst) IN PKTS Incoming flow packets (src- > dst) OUT BYTES Outgoing flow bytes (dst- > src) OUT PKTS Outgoing flow packets (dst- > src) MIN TTL Min flow TTL MAX TTL Max flow TTL TCP FLAGS Cumulative of all flow TCP flags HTTP URL HTTP URL HTTP METHOD HTTP METHOD HTTP RET CODE HTTP return code (e.g. 200, 304...) Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 13 / 46

  14. Outline Introduction 1 Research questions 2 Approach 3 Data analysis 4 ICMP DNS HTTP Algorithms 5 Implementation 6 ICMP DNS HTTP Conclusions 7 Q&A 8 Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 14 / 46

  15. ICMP tunnel Packet ratio distribution Regular ICMP ICMP tunnel Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 15 / 46

  16. ICMP tunnel Bytes per packet distribution Regular ICMP ICMP tunnel Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 16 / 46

  17. ICMP reverse shell TTL distribution Regular ICMP ICMP reverse shell Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 17 / 46

  18. Outline Introduction 1 Research questions 2 Approach 3 Data analysis 4 ICMP DNS HTTP Algorithms 5 Implementation 6 ICMP DNS HTTP Conclusions 7 Q&A 8 Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 18 / 46

  19. DNS tunnel Packet ratio distribution Regular DNS DNS tunnel Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 19 / 46

  20. Regular DNS Packet distribution per unique destination IP Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 20 / 46

  21. DNS tunnel Packet distribution per unique destination IP Destination IP A Destination IP B Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 21 / 46

  22. DNS tunnel Packet distribution per unique destination IP Destination IP C (Tunnel server) Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 22 / 46

  23. Regular DNS DNS QUERY TYPE analysis DNS QUERY TYPE # of flows % Type 1 40395 75.5 A 2 1807 3.39 NS 6 4 0.007 SOA 12 438 0.08 PTR 16 1 0.002 TXT 28 2461 4.6 AAAA 33 18 0.03 SRV 43 723 1.35 DS 48 8083 15.03 DNSKEY Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 23 / 46

  24. DNS tunnel DNS QUERY TYPE analysis DNS QUERY TYPE # of flows % 12 60 34.88 10 57 33.14 1 26 15.12 0 13 7.56 16 5 2.92 5 3 1.74 15 3 1.74 33 3 1.74 255 1 0.58 28 1 0.58 Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 24 / 46

  25. Outline Introduction 1 Research questions 2 Approach 3 Data analysis 4 ICMP DNS HTTP Algorithms 5 Implementation 6 ICMP DNS HTTP Conclusions 7 Q&A 8 Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 25 / 46

  26. HTTP TCP FLAGS analysis Cumulative OR-ed of TCP FLAGS for all packets in one flow. For regular HTTP traffic, this value is well distributed. But, for malicious HTTP traffic, every flow has the TCP FLAGS value = 27 Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 26 / 46

  27. Regular HTTP TCP FLAGS analysis TCP FLAG # of flows Meaning % 24 22088 ACK+PUSH 55,0727 26 10284 ACK+PUSH+SYN 25,6414 27 5039 ACK+PUSH+SYN+FIN 12,5639 19 2223 ACK+FIN+SYN 5,5427 17 163 ACK+FIN 0,4064 31 162 ACK+PUSH+RST+SYN+FIN 0,4039 30 93 ACK+PUSH+RST+SYN 0,2319 23 38 ACK+RST+SYN+FIN 0,0947 25 15 ACK+PSH+FIN 0,0374 21 1 ACK+RST+FIN 0,0025 18 1 ACK+SYN 0,0025 Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 27 / 46

  28. HTTP HTTP METHOD analysis per unique destination IP # of Flows with method: Destination IP address GET POST HEAD EMPTY A 104 - 1722 105 B 114 - 1482 107 C 267 25 849 94 D - - - 979 E 18 - 729 3 F 700 - - 10 G 628 - - 33 H - - - 618 I - - 555 4 J 371 136 - 39 Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 28 / 46

  29. HTTP HTTP METHOD analysis per unique destination IP For HTTP reverse shell traffic, the amount of POST and GET methods per unique destination IP address is about 50% each. Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 29 / 46

  30. Algorithms Description Using a data-set provided by the sponsoring company. HTTP traffic generated by 150 different web crawlers (64095 flows) DNS traffic (35219 flows) ICMP traffic (12352 flows) Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 30 / 46

  31. Proposed alorithms ICMP Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 31 / 46

  32. Proposed alorithms DNS Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 32 / 46

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A covert channel A covert channel hiding data in in packet headers packet headers hiding data

A covert channel A covert channel hiding data in in packet headers packet headers hiding data

A covert channel A covert channel hiding data in in packet headers packet headers hiding data Craig Rowland s covert_tcp proof s covert_tcp proof- -of of- -concept program concept program Craig Rowland David Morgan Covert

251 views • 6 slides
Covert Channel Detection Using Process Query Systems Annarita Giani Vincent Berk George Cybenko

Covert Channel Detection Using Process Query Systems Annarita Giani Vincent Berk George Cybenko

Covert Channel Detection Using Process Query Systems Annarita Giani Vincent Berk George Cybenko Institute for Security Technology Studies Thayer School of Engineering Dartmouth College Hanover, NH FLoCon 2005 1 MOTIVATION CNN.COM

234 views • 19 slides
+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel Architectures WAMOS 2015 Advanced Opera3ng Systems Hochschule RheinMain Alexander Baumgrtner and

539 views • 25 slides
Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman

Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman

Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman 1 Outline Covert Channels Attack Vectors and Scenarios IEEE 802.11 Fundamentals Covert Channel Design Implementation

766 views • 38 slides
Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy US DoD 1985 Basically a

1.04k views • 67 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

1.12k views • 37 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

915 views • 36 slides
VMS SAN Technology Spring 2002 John Covert 3C01 Fibre Channel Fibre Channel Fibre Channel

VMS SAN Technology Spring 2002 John Covert 3C01 Fibre Channel Fibre Channel Fibre Channel

VMS SAN Technology Spring 2002 John Covert 3C01 Fibre Channel Fibre Channel Fibre Channel ANSI standard network and storage interconnect OpenVMS, and most others, use it for SCSI storage TCI/IP and VIA also possible 1.06

460 views • 19 slides
I DPID It My Way! A Covert Timing Channel in Software-Defined Networks Robert Kro sche,

I DPID It My Way! A Covert Timing Channel in Software-Defined Networks Robert Kro sche,

I DPID It My Way! A Covert Timing Channel in Software-Defined Networks Robert Kro sche, Kashyap Thimmaraju , Liron Schiff and Stefan Schmid IFIP Networking 2018 14-16 May, 2018, Zurich, Switzerland 1 Outline 1. Motivation 2. Covert

999 views • 95 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Considerations for Scan Detection Using Flow Data. 1 Ov Over erview iew Scans and scan

Considerations for Scan Detection Using Flow Data. 1 Ov Over erview iew Scans and scan

Considerations for Scan Detection Using Flow Data. 1 Ov Over erview iew Scans and scan detection goals and objectives A review of Threshold Random Walk Real time vs. Flow based approaches Bi-flows and Oracles Extensions

522 views • 18 slides
The Program Counter Security Model: Automatic Detection and Removal of Control-Flow Side Channel

The Program Counter Security Model: Automatic Detection and Removal of Control-Flow Side Channel

The Program Counter Security Model: Automatic Detection and Removal of Control-Flow Side Channel Attacks David Molnar , Matt Piotrowski, David Schultz, and David Wagner UC-Berkeley and MIT Regular Cryptographic Attacks Key k Idealized

423 views • 11 slides
Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder Lab assignment will be released 09/21 Monday Recommend to read Cache missing for fun and profit. (2005).

1.03k views • 66 slides
Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder Lab assignment will be released 09/21 Monday Recommend to read Cache missing for fun and profit. (2005).

562 views • 38 slides
IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay Shields. Outline Positive Traits Problems Questions Extensions Other Covert Channels Discussion Positive Traits What are the

496 views • 34 slides
Bankrupt Covert Channel: Turning Network Predictability into Vulnerability Dmitrii Ustiugov ,

Bankrupt Covert Channel: Turning Network Predictability into Vulnerability Dmitrii Ustiugov ,

Bankrupt Covert Channel: Turning Network Predictability into Vulnerability Dmitrii Ustiugov , Plamen Petrov, Siavash Katebzadeh, Boris Grot University of Edinburgh This work is supported by ARM Center of Excellence at University of Edinburgh

564 views • 30 slides
Ele lect ron ronic ic V Vis isit it Verif rific icat at ion ion February 19, 19, 2019

Ele lect ron ronic ic V Vis isit it Verif rific icat at ion ion February 19, 19, 2019

Ele lect ron ronic ic V Vis isit it Verif rific icat at ion ion February 19, 19, 2019 2019 W EL ELCOME E Restroom location HCPF Introductions 2 Agenda 1. Introductions 2. Brief Overview of EVV 3. Review State EVV

670 views • 51 slides
Jack Creek Park Capital Improvement Project Public Information Meeting October 2, 2017

Jack Creek Park Capital Improvement Project Public Information Meeting October 2, 2017

Jack Creek Park Capital Improvement Project Public Information Meeting October 2, 2017 Consultants & Designers, Inc. Integrating Engineering and Environment 7455 New Ridge Road, Suite T Phone: (410) 694-9401 Hanover, Maryland

374 views • 25 slides
What are the three questions my audience would ask me? Coding standards XDebug Customize: Color

What are the three questions my audience would ask me? Coding standards XDebug Customize: Color

What are the three questions my audience would ask me? Coding standards XDebug Customize: Color Schemes How to use: tabs Plugins: ctrlp leader-fef Adding things to your .vimrc.after http://drupal.org/node/29325

147 views • 3 slides
OMNeT++ Community Summit, 2016 An outline of the new IEEE 802.11 model in the INET framework

OMNeT++ Community Summit, 2016 An outline of the new IEEE 802.11 model in the INET framework

OMNeT++ Community Summit, 2016 An outline of the new IEEE 802.11 model in the INET framework Brno University of Technology Czech Republic September 15-16, 2016 Levente Mszros Quick Recap The old model was a dead end Design

520 views • 37 slides
Report on Back-to-School Planning Efforts School Committee Meeting July 22, 2020 Agenda

Report on Back-to-School Planning Efforts School Committee Meeting July 22, 2020 Agenda

Report on Back-to-School Planning Efforts School Committee Meeting July 22, 2020 Agenda Current School Reopening Guidance from DESE Survey Data Guiding Principles for Our Planning Efforts Draft Frameworks In-Person

693 views • 21 slides
Preparing)for)the)Future)of)Ar1ficial)Intelligence) Ed#Felten# #

Preparing)for)the)Future)of)Ar1ficial)Intelligence) Ed#Felten# #

Preparing)for)the)Future)of)Ar1ficial)Intelligence) Ed#Felten# # Center#for#Informa0on#Technology#Policy# Department#of#Computer#Science# Woodrow#Wilson#School#of#Public#and#Interna0onal#Affairs# Princeton#University# Anthony#Foxx#

822 views • 42 slides
SpaceWire RMAP Protocol SpaceWire Working Group Meeting Steve Parkes University of Dundee RMAP

SpaceWire RMAP Protocol SpaceWire Working Group Meeting Steve Parkes University of Dundee RMAP

SpaceWire RMAP Protocol SpaceWire Working Group Meeting Steve Parkes University of Dundee RMAP Review Final review before ECSS Changes since last meeting/draft C Go through book section by section Review suggestions for

1.42k views • 75 slides
TCP Tuning for the Web Jason Cook - @macros - jason@fastly.com Wednesday, June 19, 13 Me

TCP Tuning for the Web Jason Cook - @macros - jason@fastly.com Wednesday, June 19, 13 Me

TCP Tuning for the Web Jason Cook - @macros - jason@fastly.com Wednesday, June 19, 13 Me Co-founder and Operations at Fastly Former Operations Engineer at Wikia Lots of Sysadmin and Linux consulting Wednesday, June 19, 13 Wednesday,

685 views • 46 slides

More recommend