Raising flags: Detecting covert storage channels using relative entropy
Title | Raising flags: Detecting covert storage channels using relative entropy |
Publication Type | Conference Paper |
Year of Publication | 2017 |
Authors | Chow, J., Li, X., Mountrouidou, X. |
Conference Name | 2017 IEEE International Conference on Intelligence and Security Informatics (ISI) |
Date Published | July 2017 |
Publisher | IEEE |
ISBN Number | 978-1-5090-6727-5 |
Keywords | anomaly detection, coding schemes, compositionality, covert channels, covert storage channel, covert storage channels, CSC messages, encoding, Entropy, IP addresses, IP networks, IP pair, network traffic, normal traffic, Protocols, pubcrawl, raising flags, receiver operating characteristic, Receivers, regular traffic data sets, regular traffic packets, relative entropy, Resiliency, ROC curves, Scalability, secret messages, TCP flag frequency distribution, TCP flag header, TCP/IP network packets, telecommunication traffic, Testing, Timing, transport protocols, Unix systems |
Abstract | This paper focuses on one type of Covert Storage Channel (CSC) that uses the 6-bit TCP flag header in TCP/IP network packets to transmit secret messages between accomplices. We use relative entropy to characterize the irregularity of network flows in comparison to normal traffic. A normal profile is created by the frequency distribution of TCP flags in regular traffic packets. In detection, the TCP flag frequency distribution of network traffic is computed for each unique IP pair. In order to evaluate the accuracy and efficiency of the proposed method, this study uses real regular traffic data sets as well as CSC messages using coding schemes under assumptions of both clear text, composed by a list of keywords common in Unix systems, and encrypted text. Moreover, smart accomplices may use only those TCP flags that are ever appearing in normal traffic. Then, in detection, the relative entropy can reveal the dissimilarity of a different frequency distribution from this normal profile. We have also used different data processing methods in detection: one method summarizes all the packets for a pair of IP addresses into one flow and the other uses a sliding moving window over such a flow to generate multiple frames of packets. The experimentation results, displayed by Receiver Operating Characteristic (ROC) curves, have shown that the method is promising to differentiate normal and CSC traffic packet streams. Furthermore the delay of raising an alert is analyzed for CSC messages to show its efficiency. |
URL | http://ieeexplore.ieee.org/document/8004869/ |
DOI | 10.1109/ISI.2017.8004869 |
Citation Key | chow_raising_2017 |
- TCP flag frequency distribution
- Receivers
- regular traffic data sets
- regular traffic packets
- relative entropy
- Resiliency
- ROC curves
- Scalability
- secret messages
- receiver operating characteristic
- TCP flag header
- TCP/IP network packets
- telecommunication traffic
- testing
- timing
- transport protocols
- Unix systems
- IP addresses
- coding schemes
- Compositionality
- covert channels
- covert storage channel
- covert storage channels
- CSC messages
- encoding
- Entropy
- Anomaly Detection
- IP networks
- IP pair
- network traffic
- normal traffic
- Protocols
- pubcrawl
- raising flags