Victim-Aware Adaptive Covert Channels

Riccardo Bortolameotti*, Thijs Sebastiaan van Ede, Maarten Hinderik Everts, Willem Jonker, Pieter Hendrik Hartel, Andreas Peter, Andrea Continella

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review


Abstract

We investigate the problem of detecting advanced covert channel techniques, namely victim-aware adaptive covert channels. An adaptive covert channel is considered victim-aware when the attacker mimics the content of its victim’s legitimate communication, such as application-layer metadata, in order to evade detection from a security monitor. In this paper, we show that victim-aware adaptive covert channels break the underlying assumptions of existing covert channel detection solutions, thereby exposing a lack of detection mechanisms against this threat. We first propose a toolchain, Chameleon, to create synthetic datasets containing victim-aware adaptive covert channel traffic. Armed with Chameleon, we evaluate state-of-the-art detection solutions and we show that they fail to effectively detect stealthy attacks. The design of detection techniques against these stealthy attacks is challenging because their network characteristics are similar to those of benign traffic. We explore a deception-based detection technique that we call HoneyTraffic, which generates network messages containing honey tokens, while mimicking the victim’s communication. Our approach detects victim-aware adaptive covert channels by observing inconsistencies in such tokens, which are induced by the attacker attempting to mimic the victim’s traffic. Although HoneyTraffic has limitations in detecting victim-aware adaptive covert channels, it complements existing detection methods and, in combination with them, it can make evasion harder for an attacker.

Original language: English
Title of host publication: Security and Privacy in Communication Networks - 15th EAI International Conference, SecureComm 2019, Proceedings
Subtitle of host publication: 15th EAI International Conference, SecureComm 2019, Orlando, FL, USA, October 23-25, 2019, Proceedings, Part I
Editors: Songqing Chen, Kim-Kwang Raymond Choo, Xinwen Fu, Wenjing Lou, Aziz Mohaisen
Pages: 450-471
Number of pages: 22
ISBN (Electronic): 978-3-030-37228-6
Publication status: Published - 2019
Event: 15th EAI International Conference, SecureComm 2019 - Crowne Plaza Orlando-Downtown, Orlando, United States
Duration: 23 Oct 2019 to 25 Oct 2019
Conference number: 15

Publication series

Name: Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Volume: 304 LNICST
ISSN (Print): 1867-8211

Conference

Conference: 15th EAI International Conference, SecureComm 2019
Abbreviated title: SecureComm 2019
Country: United States
City: Orlando
Period: 23/10/19 to 25/10/19

Keywords

  • Covert channels
  • Intrusion detection system
  • Network security
