
Victim-Aware Adaptive Covert Channels

  • Conference paper
  • In: Security and Privacy in Communication Networks (SecureComm 2019)

Abstract

We investigate the problem of detecting advanced covert channel techniques, namely victim-aware adaptive covert channels. An adaptive covert channel is considered victim-aware when the attacker mimics the content of its victim’s legitimate communication, such as application-layer metadata, in order to evade detection by a security monitor. In this paper, we show that victim-aware adaptive covert channels break the underlying assumptions of existing covert channel detection solutions, thereby exposing a lack of detection mechanisms against this threat. We first propose a toolchain, Chameleon, to create synthetic datasets containing victim-aware adaptive covert channel traffic. Armed with Chameleon, we evaluate state-of-the-art detection solutions and show that they fail to effectively detect stealthy attacks. The design of detection techniques against these stealthy attacks is challenging because their network characteristics are similar to those of benign traffic. We explore a deception-based detection technique that we call HoneyTraffic, which generates network messages containing honey tokens while mimicking the victim’s communication. Our approach detects victim-aware adaptive covert channels by observing inconsistencies in such tokens, which are induced by the attacker attempting to mimic the victim’s traffic. Although HoneyTraffic has limitations in detecting victim-aware adaptive covert channels, it complements existing detection methods and, in combination with them, can make evasion harder for an attacker.
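The following Python sketch is an added illustration of the detection principle the abstract describes; it is not code from the paper or from the authors' HoneyTraffic implementation. It assumes a monitor that issues short-lived honey tokens to each protected host, bound to header values that host genuinely emits, and that then inspects outbound requests: a token that is unknown, outside its validity window, or paired with header values it was never bound to is the kind of inconsistency an attacker produces when copying previously observed traffic. The header name, token values, hosts and sample requests are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TokenIssue:
    """One honey token handed to a host, with its validity window and the
    header values it was bound to at issuance (assumed binding scheme)."""
    token: str
    valid_from: int          # constructed epoch-like timestamps
    valid_to: int
    bound_fields: Dict[str, str]


class HoneyTokenMonitor:
    """Defender-side monitor: records issued honey tokens per host and
    classifies outbound requests by the consistency of the token they carry."""

    def __init__(self, header_name: str = "X-Session-Hint") -> None:
        # Hypothetical header used to carry the honey token.
        self.header_name = header_name
        self.issued: Dict[str, List[TokenIssue]] = {}

    def issue(self, host: str, token: str, valid_from: int, valid_to: int,
              bound_fields: Dict[str, str]) -> None:
        """Record that `host` was given `token` for [valid_from, valid_to]."""
        self.issued.setdefault(host, []).append(
            TokenIssue(token, valid_from, valid_to, dict(bound_fields)))

    def _lookup(self, host: str, token: str) -> Optional[TokenIssue]:
        for issue in self.issued.get(host, []):
            if issue.token == token:
                return issue
        return None

    def check(self, host: str, ts: int, headers: Dict[str, str]) -> str:
        """Return a verdict string for one outbound request from `host`."""
        token = headers.get(self.header_name)
        if token is None:
            return "no-token"            # legitimate client always carries one
        issue = self._lookup(host, token)
        if issue is None:
            return "unknown-token"       # token never issued to this host
        if not (issue.valid_from <= ts <= issue.valid_to):
            return "stale-token"         # replay of a token observed earlier
        for field, expected in issue.bound_fields.items():
            if headers.get(field) != expected:
                return "inconsistent-token"  # token paired with foreign metadata
        return "consistent"


def classify_sample() -> List[str]:
    """Run the monitor over a constructed set of outbound requests."""
    monitor = HoneyTokenMonitor()
    host = "10.0.0.5"                                   # constructed host
    monitor.issue(host, "ht-0a1", 100, 200, {"Accept-Language": "en-US"})
    monitor.issue(host, "ht-0a2", 201, 300, {"Accept-Language": "en-US"})

    # Constructed requests: (timestamp, headers). Comments describe the
    # scenario each one stands for in the abstract's threat model.
    requests = [
        (150, {"X-Session-Hint": "ht-0a1", "Accept-Language": "en-US"}),  # victim, current token
        (250, {"X-Session-Hint": "ht-0a1", "Accept-Language": "en-US"}),  # copy of old traffic
        (250, {"X-Session-Hint": "ht-0a2", "Accept-Language": "de-DE"}),  # token with wrong binding
        (250, {"X-Session-Hint": "ht-0a2", "Accept-Language": "en-US"}),  # victim, current token
        (250, {"X-Session-Hint": "ht-zzz", "Accept-Language": "en-US"}),  # guessed token
        (250, {"Accept-Language": "en-US"}),                               # token dropped
    ]
    return [monitor.check(host, ts, hdrs) for ts, hdrs in requests]


if __name__ == "__main__":
    for verdict in classify_sample():
        print(verdict)
```

Only the two requests issued by the victim with the currently valid token and its bound metadata come back `consistent`; every other verdict is a signal a monitor can alert on or correlate with other detectors. The short validity window is what makes copying observed traffic unreliable for the attacker, which is the complementary role the abstract assigns to HoneyTraffic.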


Notes

  1. Please note that in the original work [14] there is no clear guidance about the quantities of data needed for the calibration step.

References

  1. Rossow, C., et al.: Sandnet: network traffic analysis of malicious software. In: BADGERS, pp. 78–88. ACM (2011)
  2. Stone-Gross, B., et al.: Your Botnet is my Botnet: analysis of a Botnet takeover. In: CCS, pp. 635–647. ACM (2009)
  3. Continella, A., et al.: ShieldFS: a self-healing, ransomware-aware filesystem. In: ACSAC. ACM (2016)
  4. Continella, A., Carminati, M., Polino, M., Lanzi, A., Zanero, S., Maggi, F.: Prometheus: analyzing webinject-based information stealers. J. Comput. Secur. 25, 117–137 (2017)
  5. Wendzel, S., Zander, S., Fechner, B., Herdin, C.: Pattern-based survey and categorization of network covert channel techniques. ACM CSUR 47(3), 50 (2015)
  6. Houmansadr, A., Brubaker, C., Shmatikov, V.: The parrot is dead: observing unobservable network communications. In: IEEE S&P, pp. 65–79 (2013)
  7. Dyer, K.P., Coull, S.E., Ristenpart, T., Shrimpton, T.: Protocol misidentification made easy with format-transforming encryption. In: CCS, pp. 61–72. ACM (2013)
  8. Wright, C.V., Coull, S.E., Monrose, F.: Traffic morphing: an efficient defense against statistical traffic analysis. In: NDSS (2009)
  9. Moghaddam, H.M., Li, B., Derakhshani, M., Goldberg, I.: SkypeMorph: protocol obfuscation for Tor bridges. In: ACM CCS 2012, pp. 97–108 (2012)
  10. Weinberg, Z., Wang, J., Yegneswaran, V., Briesemeister, L., Cheung, S., Wang, F., Boneh, D.: StegoTorus: a camouflage proxy for the Tor anonymity system. In: ACM CCS 2012, pp. 109–120 (2012)
  11. FAKEM RAT: Malware Disguised as Windows Messenger and Yahoo! Messenger. https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf
  12. Bortolameotti, R., et al.: DECANTeR: detection of anomalous outbound HTTP traffic by passive application fingerprinting. In: ACSAC, pp. 373–386. ACM (2017)
  13. Borders, K., Prakash, A.: Web tap: detecting covert web traffic. In: CCS, pp. 110–120. ACM (2004)
  14. Schwenk, G., Rieck, K.: Adaptive detection of covert communication in HTTP requests. In: EC2ND, pp. 25–32. IEEE (2011)
  15. Fogla, P., Sharif, M.I., Perdisci, R., Kolesnikov, O.M., Lee, W.: Polymorphic blending attacks. In: USENIX Security 2006 (2006)
  16. Fogla, P., Lee, W.: Evading network anomaly detection systems: formal reasoning and practical techniques. In: ACM CCS 2006, pp. 59–68 (2006)
  17. Davis, J.J., Foo, E.: Automated feature engineering for HTTP tunnel detection. Comput. Secur. 59, 166–185 (2016)
  18. Casenove, M.: Exfiltrations using polymorphic blending techniques: analysis and countermeasures. In: Cyber Conflict: Architectures in Cyberspace (CyCon), pp. 217–230. IEEE (2015)
  19. Yarochkin, F.V., Dai, S.-Y., Lin, C.-H., Huang, Y., Kuo, S.-Y.: Towards adaptive covert communication system. In: PRDC, pp. 153–159. IEEE (2008)
  20. EMOTET Returns, Starts Spreading via Spam Botnet. https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/
  21. VPNFilter Malware Now Exploiting Endpoints, Not Just Routers. https://duo.com/decipher/vpnfilter-malware-now-exploiting-endpoints-not-just-routers
  22. Zarras, A., Papadogiannakis, A., Gawlik, R., Holz, T.: Automated generation of models for fast and precise detection of HTTP-based malware. In: PST, pp. 249–256. IEEE (2014)
  23. Han, X., Kheir, N., Balzarotti, D.: Deception techniques in computer security: a research perspective. ACM Comput. Surv. 51(4), 80:1–80:36 (2018)
  24. Durumeric, Z., et al.: The security impact of HTTPS interception. In: NDSS (2017)
  25. Sharafaldin, I., Lashkari, A.H., Ghorbani, A.A.: Toward generating a new intrusion detection dataset and intrusion traffic characterization. In: ICISSP (2018)
  26. Sommer, R., Paxson, V.: Outside the closed world: on using machine learning for network intrusion detection. In: S&P, pp. 305–316. IEEE (2010)
  27. Borders, K., Prakash, A.: Quantifying information leaks in outbound web traffic. In: IEEE S&P 2009, pp. 129–140 (2009)

Author information

Corresponding author: Riccardo Bortolameotti.


Copyright information

© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Bortolameotti, R. et al. (2019). Victim-Aware Adaptive Covert Channels. In: Chen, S., Choo, KK., Fu, X., Lou, W., Mohaisen, A. (eds) Security and Privacy in Communication Networks. SecureComm 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 304. Springer, Cham. https://doi.org/10.1007/978-3-030-37228-6_22


  • DOI: https://doi.org/10.1007/978-3-030-37228-6_22


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-37227-9

  • Online ISBN: 978-3-030-37228-6

  • eBook Packages: Computer Science (R0)
