Entropy Based Detection and Behavioral Analysis of Hybrid Covert Channel in Secured ...

International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.3, May 2015
DOI: 10.5121/ijnsa.2015.7304

ENTROPY BASED DETECTION AND BEHAVIORAL ANALYSIS OF HYBRID COVERT CHANNEL IN SECURED COMMUNICATION

Anjan K (1), Srinath N K (1) and Jibi Abraham (2)
(1) Department of Computer Science and Engineering, R V College of Engineering, Bengaluru, India
(2) Department of Computer Engineering and Information Technology, College of Engineering, Pune, India

ABSTRACT

Covert channels are a vital setup in analysing the strength of security in a network. A covert channel is illegitimate channelling over the secured channel and establishes a malicious conversation. The trapdoor set in such channels proliferates, making it sophisticated to detect the presence of covert channels in a network firewall. This is due to the intricate covert scheme that enables building a robust covert channel over the network. From an attacker's perspective this will ameliorate by placing multiple such trapdoors in different protocols in the rudimentary protocol stack. This leads to a unique scenario of "Hybrid Covert Channel", where different covert channel trapdoors exist at the same instance of time in the same layer of the protocol stack. For detection agents, detecting such an event is complicated due to lack of knowledge of the different covert schemes. To improve the knowledge of the detection engine to detect the hybrid covert channel scenario, it is required to explore all possible clandestine mediums used in the formation of such channels. This can be explored through the different schemes available and their entropy impact on the hybrid covert channel. The environment can be composed of resources, the subject under attack and the subject which has initiated the attack (attacker). The paper sets itself an objective to understand the different covert schemes, the attack scenario (modelling) and the possibilities of covert mediums, along with a metric for detection.

KEYWORDS

Covert Channel, Subliminal Channel, Network Forensics, Kleptography, Trapdoors, Covert Schemes

1. INTRODUCTION

The global internet consists of massive numbers of devices connected to it with numerous applications running on it. There is a frequent inherent threat of intentional exposure of confidential and sensitive information over a secured channel. Such threats are implemented using a "Covert Channel", which compromises a very important attribute, "Privacy", of the secured channel. Covert channel is defined in different ways based on the scenario in which the covert channel is established, and is non-concrete.

"An enforced, illicit signaling channel that allows a user to surreptitiously contravene the multi-level separation policy and un-observability requirements of the [target of evaluation]."


This clearly states the policy violation constraint but does not consider whether the communication channel was envisaged as a communication channel by the system designer. A simple covert channel can be visualized in [3], where the channel comprises both covert and overt channels in the communication.

Fig. 1: Covert Channel Visualization

Covert channel information exchange is based on covert languages pre-negotiated by the covert users, and implementation of such languages uses intricate encoding schemes. These schemes may be proliferated into multiple protocols, where each such protocol will be a trapdoor. This makes it complex to detect such clandestine mediums. SETUP attack [18] makes use of a multi-trapdoor mechanism for ameliorated development of covert channel. A hybrid covert channel scenario may have such multiple trapdoors either in the same layer or in different layers.

Multiple trapdoors can be implemented in the same layer or in different layers. Implementation of the different covert channel variants at the same instance of time tends to behave as a single coherent covert channel. Such a channel is termed a "Hybrid Covert Channel". A Hybrid Covert Channel [3] is a homogeneous composition of two or more covert channel variants existing at the same instance of time. A hybrid covert channel may not have strict composition. It becomes complicated to assess the composition of the Hybrid Covert Channel. An instance of the hybrid covert channel is depicted in [3] and figure 2.

Fig. 2: Hybrid Covert Channel in Transport Layer

The covert channel was first introduced in the traditional confinement problem as described in [11]. Extensive work is carried out in devising the detection methods, which can be real-time or forensics [6] based. Scenario based analysis of the covert channel detections [3][7] is performed to understand the detection better. Monitoring the unusual traffic [14] in the network stream is a basis for detection. Modelling the covert timing channel process as Poisson's distribution is also a way to detect such activity. Illegitimate information flows can be tracked through Message Sequence Charts (MSC) [9]. This paper employs a statistical protocol based entropy detection [1] to detect hybrid covert channel based on analysis made on packet headers.

2. COVERT COMMUNICATION TYPES

In network communication, covert communication amongst a pair of users can take two forms:
(a) covert data exchange and
(b) covert indication

In covert data exchange, covert data is exchanged between the covert users by hiding covert data in rudimentary protocols. This form of covert communication can best be understood with the pipeline problem, where there exist two pipes p1 and p2 of diameters d1 and d2 respectively, one inside the other, such that d2 < d1. These pipes are set up between two geographical places for the transportation of crude oil. In Figure 3 the inner pipe p2 of diameter d2 is the covert pipe, not known or undocumented in the design and used for smuggling oil. The outer pipe p1 is the legitimate pipe. This type of covert communication will not have pre-defined encoding schemes; it will be simple placement of covert data (trapdoor creation) directly into the identified clandestine field in the traditional network protocol stack. This channel is called a simple network covert channel.

Fig. 3: Classical Pipeline Problem

The second form of covert communication is the covert indication. Covert users communicate in a language not known to others. In Figure 4, the covert sender and receiver share an information encoding scheme to leak information. This information encoding scheme as seen from the figure 1 is the language that covert users employ to communicate in a secured legitimate network environment. This sophisticated communication is visible to our detection engine; however, decoding the language might be quite difficult in many situations.

The best real time classical example of such communication is the Examination Problem. Student X leaks the answers to Student Y for an objective type examination paper in an examination hall in the presence of the invigilating officer. For each choice in a question, student X makes a gesture that triggers an event to student Y. For instance, to communicate choice A to student Y, student X coughs. The same schema holds good in case of network communication, where covert user X triggers continuous clock events that communicate some form of action to be performed by covert user Y. Some of the other forms of covert indication in network scenario include:

Fig. 4: Classical Examination Problem

• Encoding ASCII character set in Sequence number. Decoding the same by applying a mathematical operation on the sequence number. This can either be in TCP or IP ID fields.
• Repeated sending of acknowledge packet to an unknown server where the covert receiver is listening to. The receiver has to count the number of times the acknowledge packet was sent to this server. This value can later be mapped to the ASCII table for retrieving the suitable character.
• Retrieving the packet sorting order numbering in IPSec frames, which serves as information to the covert receiver.
• Using logical operators like the XOR with sequence number to get the covert data.

3. COVERT CHANNEL VARIANTS

Covert channels are categorized based on different aspects of the overall entities involved in the communication, like the shared resources, backdoor/trapdoor placement and parties involved in the communication. The general classification of covert channels is given below:

• Noisy Covert Channel [14] is a communication channel which has presence of both overt and covert users.
• Noiseless Covert Channel [14] is the communication channel used solely by covert parties.
• Storage Covert Channel [14] involves the sender and the receiver either directly or indirectly reading or writing in to a storage location. The implementation can be on file-lock, RW in hard disk.
• Timing Covert Channel [14] [13] involves the sender signalling the information by modulating the resources in such a way that real response time is observed by the receiver.
• Simple Network Covert Channel [14] (SNCC) exists by creating a trapdoor in rudimentary protocols used in the network protocol suite.
• Steganographic Channel [3] is a means of communication where sender and receiver collude to prevent an observer being able to reliably detect whether communication is happening.
• Subliminal Channel [15] is a covert channel in a cryptographic algorithm, typically proved undetectable.
• Supraliminal Channel [12] - A supraliminal channel encodes information in the semantic content of cover data, generating innocent communication in a manner similar to mimic functions.
• Hybrid Covert Channel [4] is the co-existence of two or more different variants of covert channels existing at the same instance of time. The composition of the Hybrid covert channel is difficult to assess for a third party which is trying to detect. A mixed composition of covert channel variants behaves as a single coherent covert channel and is the greatest threat to the legitimate network environment. For instance, noisy covert channel in transport layer with subliminal channel in network layer or application layer.

4. ATTACK MODELLING

The attack modelling [4] can be based on different scenarios and placement of covert users. Each of these scenarios is designed and built to fulfil certain objectives. Covert users can communicate in direct or encoded format; direct communication is merely placement of covert data over a clandestine medium in the network protocol. Alternatively, the covert user can communicate using an encoding scheme that is known only to the covert users.

The intricate design, choosing of clandestine mediums (trapdoors) and encoding scheme paves a way for successful undetectable establishment of covert channel. Detecting such strong covert mediums may be difficult and hence a detection metric called covertness index is used. The metric is given below and will be used for assessment in the attack scenarios.

The important formation scenarios of covert channels where an attack can be devised are given below.

4.1 Scenario - 1

The attack scenario has three entities - Alice, Bob and Eve. Alice and Bob are covert attackers and Eve is the legitimate entity/user. The scenario comprises the combination of covert and legitimate users, hence it is a scenario of noisy covert channel. The channel established between Bob and Eve is a legitimate channel comprising of covert channel, and between Alice and Eve is covert channel. Alice and Bob have a pre-established channel to communicate the attack information, which is shown in dotted lines in the figure 5.

While Eve is communicating with Bob over the legitimate channel, Alice would extract information over the covert channel. Once the communication between Bob and Eve is over, Alice would also stop communication with Bob. Further, Alice and Eve can share the information snatched from Bob's machine. The covert channel implemented between Alice and Bob can have a strong trapdoor so as to thwart the detection methods. Such trapdoors can be designed using a Hybrid covert channel. Such a possible composition can be Subliminal channel in the IPSec and Network Covert Channel in the IP, both at network layer.

Fig. 5: Noise Covert Channel

This combination will prove effective in hop-to-hop routing and can avoid any detections.

The covertness index for Network Covert Channel in Network Layer (IPv4) -

where
(T) = Probability of a trapdoor card
(Ut) = Universal set of all possible trapdoors

The covertness index for subliminal channel in IPSec - ESP format

IPSec makes use of the AES-XCBC-MAC cipher suite, and the ESP format allows two trapdoors implantation - Sequence Number field and padding. The maximum number of rounds in the AES random number generator algorithm is 16, out of which 5 rounds are used for generating the seed.

As per [7], the trapdoors can be detected under the assumption stated in the hybrid covert channel formation. However, this will not be the same if multiple trapdoors are set in each of the protocol headers.

4.2 Scenario-2

This scenario is built on the threat model of noiseless covert channel, where the resources and users in a sub-network are compromised. This sub-network is connected to other networks. The communication from the sub-network to all the other networks is built using a Hybrid Covert Channel. This sub-network can be similar to a bot-net as described in [8].

Fig. 6: Noiseless Covert Channel with Hybrid Covert Channel

The scenario can have a multi-trapdoor or protocol hopped hybrid covert channel [16]. The trapdoor can move from one protocol to another protocol during the hop-to-hop communication, or can be a combination of trapdoors in multiple levels in the protocol suite. Hence there can be no particular index.

5. COVERT SCHEMES AND THEIR EMBODIMENT

The covert schemes are crucial for conveying the covert data over the communication channel in an obscured way. A more sophisticated scheme is likely not to be retrieved by the detection entity. A few samples of covert schemes were discussed in section 2 of this paper and detailed schemes are presented here.

Scheme 1

The IP ID is a field used for identification of the packet and is used for the routing purpose. The covert scheme used for this field is based on the following strategy:

• Intentional use of only certain IP IDs while having conversation with the covert receiver.
• Scheme is designed by the covert sender for embedding covert characters into the IP ID field.
• The covert receiver applies the scheme used by the sender to retrieve the covert character.

For instance, a simple scheme that can be used for this field is extracting the IP ID by performing a modulus operation of the character set size. General notation for this scheme for encoding a character 'c' is

Here R is the IP ID value and n is the size of the character set used by the encoding function. For an ASCII character set n = 256.

Example: If IP ID = 26702 and if the character to be sent is 'M', then the encoding function gives $(26702 - 1) \bmod 256$ = 'M'.

To convey a covert message, the covert sender has to select the IP ID in such a way as to match with the encoding function.

Scheme 2

Another prominent scheme used is on the sequence number, where the maximum range is 4294967296 numbers as it is a 32 bit field. To communicate covertly under this scheme, the following strategy is employed:

• Sequence number is multiplied with the value of the character set and the bound is declared with the maximum limit.
• The receiver side retrieves the sequence number and then divides it by the character set size.

The encoding function is given below:

Where S is the initial sequence number and n is the size of the character set. The decoding function is given below:

Where the primed symbols denote the decoded character and the received sequence number.

For instance, to send a character 'I' covertly over the channel, the sender would have to choose 1235037038 as sequence number and the max value is derived as 65535 256 = 16777216. Therefore the decoded character is $1235037038 / 16777216 = 73$. The value 73 when mapped back to the ASCII table is the character 'I'.

Scheme 3

Another scheme which has tremendous effect on the bandwidth is the modulation of TCP timestamps or use of the timing element in the network protocol. The TCP timestamp is in the options field of the TCP header and indicates the round trip time of the packets. The TCP process accurately calculates the next retransmission of a TCP segment which failed to be acknowledged. If a character is to be covertly sent using this scheme, the following strategy is used:

• Get the binary representation of the character and extract bits from the least significant bit.
• Check if the timestamp least significant bit (LSB) is the same as the covert bit; if so, send the TCP segment.
• Covert receiver will extract the LSB of the timestamp and store the same until it is a byte.

Let Bc be the binary representation of the character 'c' and FLSB(Bc) be the encoding function for encoding the covert bits in the TCP timestamp.

6. ENTROPY BASED COVERT CHANNEL ANALYSIS

The entropy [2] in a communication network indicates the number of bits required to encode a character over the channel, as stated by Shannon entropy theory. This is based on the frequency of the characters in the given string and the size of the alphabet. The entropy measure also checks for uncertainty of the random variable.

Let A be a finite set of characters such that $|A| \ge 1$, and any character ∈ A is a sequence of symbols which is a string; each alphabet in the string ∈ A. For instance, let cbbacabbac be the sequence of symbols that needs to be transmitted over the network; then its sequence of bits represents the coded symbol sequence, which may be 101110011011100010. Then the entropy for such a scenario is defined as:

where the symbol ∈ |A| and $|A| > 1$, $p_i$ is the probability of the occurrence of symbol 'c' in the string and n gives the length of the string. To transmit a message "network" over the communication network, following are the calculated entropy for each alphabet:

The frequency of all the characters in a string with unique symbols will be the same; since the word "network" has unique symbols, the frequency is 0.143. Let X be the string for which the entropy is to be calculated (here X may be a word like network or a stream of numbers); then

$H(X) = [(0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143)]$

$H(X) = 2.803$

It requires 3 bits to represent each symbol in the given string and 21 bits are required to represent the entire string. Further, the appropriate line coding technique has to be chosen to represent them in the transmission line. So in general, entropy of X where each alphabet is a unique symbol is

In a covert channel scenario the covert user has to choose the message in such a way that the entropy of the string is always less than the number of bits available for that field in the protocol header,

i.e. $H(X) < |\text{Maximum number of bits in that field } (B_f)|$

The IP ID presented in scheme 1 of this paper has 16 bits in the IP header, so to send X the minimum of 21 bits are required. Hence capacity of the covert channel is

The covert channel occupies 25% of total IP header space. Multiple trapdoors (t) [5] [4] in the IP header or protocol header simply doubles the covert channel capacity. However, the entropy to channel capacity ratio will be low, thus making it robust, i.e.

This makes the detection of covert bits much more difficult, as the detection system needs to scan more fields for analysis.

In general

for robust covert channel construction, where [7] the covertness index for such a multi-trapdoor covert channel will be greater than 0.5. The multiple trapdoors through a protocol or set of protocols is actually setting up of multiple covert channels in the communication network. The entropy for such scenarios is dispersed across multiple, making it difficult to understand the scheme. Also, in the scenario of multi-trapdoors, the covert channel behaves like a single coherent hybrid covert channel where the effect of the entropy is doubled. The results shown in figure 7 and figure 8 show the accurate expected behaviour discussed in this paper -

Fig. 7: IP Entropy analysis

Fig. 8: TCP Entropy Analysis

The results indicate that the multiple trapdoors used in hybrid covert channel yield a higher entropy value and a low channel to entropy ratio (C/E). The constant C/E ratio also indicates the consistent usage of protocol header for constructing a multi-trapdoor based hybrid covert channel. This implies that the covert schemes used in a Hybrid covert channel are difficult to detect in secured communication.
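The calculations of Sections 5 and 6, as an added example that is not part of the original paper: it computes the Shannon entropy the paper works through for "network", applies the Scheme 1 and Scheme 2 arithmetic from the paper's worked examples to a window of observed header values, and scores the decoded bytes. The function names, the three thresholds and both sample windows are assumptions constructed for illustration.

```python
import math
from collections import Counter

CHARSET_SIZE = 256                         # n: ASCII character set size used in the paper
FIELD_BITS = {"ip_id": 16, "tcp_seq": 32}  # header field widths stated in the paper

# Assumed thresholds for this illustration, not values from the paper.
MIN_WINDOW = 32        # smallest window worth scoring
PRINTABLE_MIN = 0.9    # share of decoded bytes that must be printable ASCII
ENTROPY_GAP = 1.0      # bits below the ceiling a window must fall to be flagged


def shannon_entropy(symbols):
    """Shannon entropy H(X) of a sequence, in bits per symbol."""
    total = len(symbols)
    if total == 0:
        return 0.0
    counts = Counter(symbols)
    return -sum((k / total) * math.log2(k / total) for k in counts.values())


def bits_required(message):
    """(bits per symbol, bits for the whole string), rounding H(X) up as the
    paper does for "network": 3 bits per symbol, 21 bits in total."""
    per_symbol = math.ceil(shannon_entropy(message))
    return per_symbol, per_symbol * len(message)


def decode_ip_id(ip_id, n=CHARSET_SIZE):
    """Scheme 1 arithmetic from the worked example: (26702 - 1) mod 256 = 'M'."""
    return (ip_id - 1) % n


def decode_seq(seq, n=CHARSET_SIZE):
    """Scheme 2 arithmetic from the worked example: 1235037038 / 16777216 = 73."""
    return seq // (2 ** FIELD_BITS["tcp_seq"] // n)


def assess_window(values, decoder):
    """Decode a window of observed header values and score the result.

    Counter-like or random field values decode to bytes spread over 0..255,
    so their entropy sits near the ceiling for the window size. Text hidden
    with the decoder's scheme decodes to printable bytes with lower entropy.
    """
    decoded = [decoder(v) for v in values]
    if not decoded:
        return {"entropy": 0.0, "ceiling": 0.0,
                "printable_ratio": 0.0, "suspicious": False}
    entropy = shannon_entropy(decoded)
    ceiling = min(math.log2(len(decoded)), math.log2(CHARSET_SIZE))
    printable = sum(32 <= b <= 126 for b in decoded) / len(decoded)
    suspicious = (len(decoded) >= MIN_WINDOW
                  and printable >= PRINTABLE_MIN
                  and entropy <= ceiling - ENTROPY_GAP)
    return {"entropy": entropy, "ceiling": ceiling,
            "printable_ratio": printable, "suspicious": suspicious}


# Constructed sample windows (not captured traffic).
BENIGN_IP_IDS = list(range(1000, 1064))    # a host that increments IP ID per packet
HIDDEN_TEXT = "entropy based detection of hybrid covert channel in secured communication"
# IP IDs whose Scheme 1 decoding spells HIDDEN_TEXT; the high byte varies freely.
COVERT_IP_IDS = [256 * ((7 * i) % 255) + ord(ch) + 1
                 for i, ch in enumerate(HIDDEN_TEXT)]

if __name__ == "__main__":
    print("network:", round(shannon_entropy("network"), 3), bits_required("network"))
    for name, window in (("benign", BENIGN_IP_IDS), ("covert", COVERT_IP_IDS)):
        print(name, assess_window(window, decode_ip_id))
```

The exact entropy of "network" is log2 7, about 2.807; the paper's 2.803 comes from rounding each frequency to 0.143.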

7. RESULTS AND DISCUSSIONS

The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in that protocol, i.e.

where Tm is the max number of trapdoors possible in that protocol and Ts is the no. of trapdoors set.

The analysis of the trapdoor setting is performed on protocols like IPv4, TCP and IPSec, SSL/TLS. The trapdoor setting in the rudimentary network protocols like IPv4 and TCP is merely based on placing the covert data in any of their header fields. Table 1 shows the effect of varying the number of trapdoors in the IPv4 protocol.

Table 1: Multi-Trapdoor Analysis of IPv4

Sl.No | Trapdoor Name | No. of Trapdoors | No. of Trapdoor | Algorithm | Covertness Index | Entropy | C/E
1 | Network Covert Channel-IPv4-Single | 4 | 1 | NIL | 0.25 | 2.803 | 0.089
2 | Network Covert Channel-IPv4-dual | 4 | 2 | NIL | 0.5 | 5.606 | 0.17
3 | Network Covert Channel-IPv4-triple | 4 | 3 | NIL | 0.75 | 11.21 | 0.358

The graph of Trapdoors Vs the Covertness Index is shown in figure 9, where an increase in the number of trapdoors in IPv4 increases the difficulty in detecting the covert channel. The trapdoor setting in IPSec using subliminal channel is slightly complex to understand. However, the ESP format provides two fields to convey the covert bits in the protocol header. The remaining data is sent over the ESP algorithm during the time of the key generation for encryption using the AES algorithm. The residual bits are used in random number generation or used in the round box of the AES, and this is depicted on row 2 of table 2. Hence the covertness index is 0.15 equation 2 which is 0.47. This will not change any further, as there is limited scope for subliminal channel development in the IPSec-ESP format.

Fig. 9: Entropy Vs Covertness Index in IPv4

Table 2: Multi-Trapdoor Analysis of Subliminal Channel in IPSec

Sl.No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors u | Algorithm | Covertness Index | Entropy | C/E
1 | Subliminal Channel-IPSec ESP-1 | 2 | 1 | AES-XCBC-MAC | 0.15 | 2.803 | 0.14
2 | Subliminal Channel-IPSec ESP-2 | - | - | AES-XCBC-MAC | 0.47 | 4.78 | 0.35
3 | Subliminal Channel-IPSec ESP-3 | - | - | AES-XCBC-MAC | 0.47 | 5.21 | 0.35

The graph of Trapdoors Vs the Covertness Index is shown in figure 10, where an increase in the number of trapdoors in IPSec ESP makes the covertness index constant. The trapdoors in a TCP based protocol are simple, and it provides seven fields for placing the covert data. Table 3 depicts the changing trapdoor that has an effect on the covertness index. When more trapdoors are involved it is difficult to detect the composition of the covert channel. Figure 11 shows the change in the trapdoor count that has an effect in the detection. However, the changes in the covertness index can be minimal. The trapdoor setting in the subliminal channel in SSL/TLS is based on the algorithm used in its cipher suite. This is purely called a random oracle channel. However, to increase the complexity of the subliminal to thwart detection, the randomization of bits is feasible in a chosen prime number. This forms the Newton Subliminal Channel. The covertness index for such channels is discussed in table 4.

Fig. 10: Entropy Vs Covertness Index in IPSec based subliminal channel

Table 3: Multi-Trapdoor Analysis of Network covert channel in TCP

Sl.No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors u | Algorithm | Covertness Index | Entropy | C/E
1 | Network Covert Channel-TCP-1 | 7 | 1 | NIL | 0.142 | 2.803 | 0.14
2 | Network Covert Channel-TCP-2 | 7 | 2 | NIL | 0.28 | 5.606 | 0.28
3 | Network Covert Channel-TCP-3 | 7 | 3 | NIL | 0.42 | 11.21 | 0.14

The graph of covertness index vs the trapdoor in the subliminal channel is shown in figure 12. The higher entropy value for some of the formations indicates that the detection engine [10] is able to detect the activity, and this gives a clear indication of the higher detection rates. Hybrid Covert channel is not feasible for the combinations of the Network covert channel in TCP and IPv4, as this becomes an easily detectable combination.

Fig. 11: Entropy Vs Covertness Index in Covert Channel based on TCP

Table 4: Multi-Trapdoor Analysis of Subliminal Channel in SSL/TLS

Sl.No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors u | Algorithm | Covertness Index | Entropy | C/E
1 | Subliminal Channel (Oracle)-SSL/TLS-1 | - | - | SSL Cipher Suite | 0.25 | 2.803 | 0.14
2 | Subliminal Channel (Oracle)-SSL/TLS-2 | - | - | SSL Cipher Suite | 0.58 | 3.67 | 0.35
3 | Subliminal Channel (Oracle)-SSL/TLS-3 | - | - | SSL Cipher Suite | 0.58 | 3.67 | 0.35

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1415

Fig. 12: Covertness Index for Subliminal Channel based on SSL/TLS

8. CONCLUSION

Covert schemes are difficult to understand from a third party entity as they obscure the content taken in the protocol header. This provides an opportunity for embedding any data, which may even be malware code. Entropy based analysis gives the actual number of bits used to represent the covert symbol in a protocol. This gives a clear metric to understand the covert channel schemes in a better way. It is unacceptable to have malicious conversation of the network even in presence of the administrator. It is inferred from this experiment that the hybrid covert channel has a high degree of entropy, which makes it difficult to detect. It is required to concentrate on stronger detection principles to detect such events.

ACKNOWLEDGEMENT

Anjan Koundinya thanks Late Dr. V.K. Ananthashayana, Erstwhile Head, Department of Computer Science and Engineering, M.S. Ramaiah Institute of Technology, Bangalore, for igniting the passion for research.

REFERENCES

[1] Description of Detection Approaches at the URL http://gray-world.net/projects/papers/html/cctde.html, 2014. [Online; accessed 15-Feb-2015].
[2] Description of the Entropy calculation at the URL http://www.shannonentropy.netmark.pl. [Online; accessed 16-Feb-2015].
[3] Koundinya Anjan and Jibi Abraham. Behaviour analysis of transport layer based hybrid covert channel. In Third International Conference on Network Security and Applications, pages 83-92, Chennai, India, 2010. Springer-Verlag LNCS series.
[4] Jibi Abraham, Anjan K, Srinath N K. Attack modelling and behavioral analysis of hybrid covert channel in secured communication. ACEEE International Journal of Network Security, 05(2):67-77, 2014.
[5] Bo Yuan, Chaim Sanders, Jacob Valletta. Employing Entropy in the Detection and Monitoring of Network Covert Channels. 2012.
[6] Rajarathnam Chandramouli and Koduvayur P. Subbalakshmi. Covert channel forensics on the internet: Issues, approaches and experiences. 5(1):41-50, July 2007.

[7] Anjan K Koundinya et al. Covertness analysis of subliminal channels in legitimate communication. In ADCONS 2011, pages 582-591. Springer-Verlag LNCS series, 2012.
[8] Jaideep Chandrashekar et al. Exploiting temporal persistence to detect covert botnet channels. In Proceedings of 12th International Symposium, RAID 2009, pages 326-345, Saint-Malo, France, September 2009.
[9] Loic Helou, Claude Jard and Marc Zeitoun. Covert channels detection in protocols using scenarios. SPV03, Volume 3, April 2003.
[10] Anjan K Koundinya and Jibi Abraham. Design of Transport Layer Based Hybrid Covert Channel Detection Engine, volume 1 of 4. International Journal of Ad hoc, Sensor and Ubiquitous Computing, 2010.
[11] B W Lampson. A Note on the Confinement Problem. Communication of the ACM, 1973.
[12] Enping Li and Scott Craver. A supraliminal channel in a wireless phone application. In Proceedings of the 11th ACM workshop on Multimedia and security, pages 7-18, Princeton, New Jersey, USA, 2009.
[13] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert timing channels: Design and detection. CCS 04, 2004.
[14] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert channel detection. ACM Transaction on Information and System Security, Volume 12 (Article 22), 2009.
[15] Gustavus J Simmons. The Subliminal Channel and Digital Signatures. Springer-Verlag, 1998.
[16] Steffen Wendzel. Protocol Channels. HAKIN9, 2009.
[17] Andreas Willig. A short introduction to queuing theory. Lecture notes at Technical University Berlin, 1999.
[18] Adam Young and Moti Yung. Malicious Cryptography, First edition. Wiley Publishing, Feb, pages 220-240, 2004.

AUTHORS

Anjan K has received his B.E degree from Visveswariah Technological University, Belgaum, India in 2007 and his master degree from Department of Computer Science and Engineering, M.S. Ramaiah Institute of Technology, Bangalore, India. He has been awarded Best Performer PG 2010 for his academic excellence. His areas of research include Network Security and Cryptography, Agile Software Engineering. He is pursuing PhD in Computer Science and Engineering from VTU, Belgaum. He is currently working as Assistant Professor in Dept. of Computer Science and Engineering, R V College of Engineering, Bengaluru, India.

Srinath N K has his M.E degree in Systems Engineering and Operations Research from Roorkee University in 1986 and PhD degree from Avinash Lingum University, India in 2009. His areas of research interests include Operations Research, Parallel and Distributed Computing, DBMS, Microprocessor. He is working as Professor and Dean PG, Dept. of Computer Science and Engineering, R V College of Engineering.

Jibi Abraham has received her M.S degree in Software Systems from BITS, Rajasthan, India in 199 and PhD degree from Visveswariah Technological University, Belgaum, India in 2008 in the area of Network Security. Her areas of research interests include Network routing algorithms, Cryptography, Network Security of Wireless Sensor Networks and Algorithms Design. She is working as Professor and Head in Dept. of CEIT, College of Engineering, Pune.

This clearly states the policy violation constraint but does not consider whether the communication channel was envisaged as a communication channel by the system designer. A simple covert channel can be visualized in [3], where the channel comprises both covert and overt channel in the communication.

Fig. 1: Covert Channel Visualization

Covert channel information exchange is based on covert languages pre-negotiated by the covert users, and implementation of such languages uses intricate encoding schemes. These schemes may be proliferated into multiple protocols, where each such protocol will be a trapdoor. This makes it complex to detect such clandestine mediums. SETUP attack [18] makes use of a multi-trapdoor mechanism for ameliorated development of covert channel. A hybrid covert channel scenario may have such multiple trapdoors either in the same layer or in different layers.

Multiple trapdoors can be implemented in the same layer or in different layers. Implementation of the different covert channel variants at the same instance of time tends to behave as a single coherent covert channel. Such a channel is termed a "Hybrid Covert Channel". A Hybrid Covert Channel [3] is a homogeneous composition of two or more covert channel variants existing at the same instance of time. A hybrid covert channel may not have a strict composition. It becomes complicated to assess the composition of the Hybrid Covert Channel. An instance of the hybrid covert channel is depicted in [3] and figure 2.

Fig. 2: Hybrid Covert Channel in Transport Layer

The covert channel was first introduced in the traditional confinement problem as described in [11]. Extensive work is carried out in devising the detection methods, which can be real-time or forensics [6] based. Scenario based analysis of the covert channel detections [3][7] is performed to understand the detection better. Monitoring the unusual traffic [14] in the network stream is a basis for detection. Modelling the covert timing channel process as Poisson's distribution is also a way to detect such activity. Illegitimate information flows can be tracked through Message Sequence Charts (MSC) [9]. This paper employs a statistical protocol based entropy detection [1] to detect hybrid covert channel based on analysis made on packet headers.

2. COVERT COMMUNICATION TYPES

In network communication, covert communication amongst a pair of users can take two forms:
(a) covert data exchange and
(b) covert indication

In covert data exchange, covert data is exchanged between the covert users by hiding covert data in rudimentary protocols. This form of covert communication can best be understood with the pipeline problem, where there exist two pipes p1 and p2 of diameters d1 and d2 respectively, one inside the other such that d2 < d1. These pipes are set up between two geographical places for the transportation of crude oil. In Figure 3, the inner pipe p2 of diameter d2 is the covert pipe, not known or undocumented in the design and used for smuggling oil. The outer pipe p1 is the legitimate pipe. This type of covert communication will not have pre-defined encoding schemes; it will be a simple placement of covert data (trapdoor creation) directly in the identified clandestine field in the traditional network protocol stack. This channel is called a simple network covert channel.

Fig. 3: Classical Pipeline Problem

The second form of covert communication is the covert indication. Covert users communicate in a language not known to others. In Figure 4, the covert sender and receiver share an information encoding scheme to leak information. This information encoding scheme, as seen from the figure 1, is the language that covert users employ to communicate in a secured legitimate network environment. This sophisticated communication is visible to our detection engine; however, decoding the language might be quite difficult in many situations.

The best real time classical example of such communication is the Examination Problem. Student X leaks the answers to Student Y for an objective type examination paper in an examination hall in presence of an invigilating officer. For each choice in a question, student X makes a gesture that triggers an event to student Y. For instance, to communicate choice A to student Y, student X coughs. The same schema holds good in the case of network communication, where covert user X triggers continuous clock events that communicate some form of action to be performed by covert user Y. Some of the other forms of covert indication in network scenario include:

Fig. 4: Classical Examination Problem

• Encoding ASCII character set in Sequence number. Decoding the same by applying mathematical operation on sequence number. This can either be in TCP or IP ID fields.
• Repeated sending of acknowledge packet to an unknown server where the covert receiver is listening. Receiver has to count the number of times the acknowledge packet was sent to this server. This value can later on be mapped to the ASCII table for retrieving the suitable character.
• Retrieving the packet sorting order numbering in IPSec frames, which serves as information to the covert receiver.
• Using logical operators like the XOR with sequence number to get the covert data.

3. COVERT CHANNEL VARIANTS

Covert channels are categorized based on different aspects of the overall entities involved in the communication, like the shared resources, backdoor/trapdoor placement and parties involved in the communication. The covert channel general classification is given below –

• Noisy Covert Channel [14] is a communication channel which has presence of both overt and covert users.
• Noiseless Covert Channel [14] is the communication channel used solely by covert parties.
• Storage Covert Channel [14] involves the sender and the receiver either directly or indirectly reading or writing in to a storage location. The implementation can be on file-lock, R/W in hard disk.
• Timing Covert Channel [14] [13] involves the sender signalling the information by modulating the resources in such a way that real response time is observed by the receiver.
• Simple Network Covert Channel [14] (SNCC) exists by creating a trapdoor in rudimentary protocols used in the network protocol suite.
• Steganographic Channel [3] is a means of communication where sender and receiver collude to prevent an observer being able to reliably detect whether communication is happening.
• Subliminal Channel [15] is a covert channel in a cryptographic algorithm, typically proved undetectable.
• Supraliminal Channel [12] - A supraliminal channel encodes information in the semantic content of cover data, generating innocent communication in a manner similar to mimic functions.

• Hybrid Covert Channel [4] is co-existence of two or more different variants of covert channels existing at the same instance of time. The composition of the Hybrid covert channel is difficult to assess from a third party which is trying to detect. Mixed composition of covert channel variants behaves as a single coherent covert channel and is of greatest threat to the legitimate network environment. For instance, noisy covert channel in transport layer with subliminal channel in network layer or application layer.

4. ATTACK MODELLING

The attack modelling [4] can be based on different scenarios and placement of covert users. Each of these scenarios is designed and built to fulfil certain objectives. Covert users can communicate in direct or encoded format; direct communication is merely placement of covert data over a clandestine medium in the network protocol. Alternatively, the covert user can communicate using an encoding scheme that is known only to the covert users.

The intricate design, choosing of clandestine mediums (trapdoors) and encoding scheme paves a way for successful undetectable establishment of covert channel. Detecting such strong covert mediums may be difficult, and hence a detection metric called covertness index is used. The metric is given below and will be used for assessment in the attack scenarios.

The important formation scenarios of covert channels where attack can be devised are given below.

4.1 Scenario - 1

The attack scenario has three entities - Alice, Bob and Eve. Alice and Bob are covert attackers and Eve is a legitimate entity/user. The scenario comprises the combination of covert and legitimate users, hence it is a scenario of noisy covert channel. The channel established between Bob and Eve is a legitimate channel comprising of covert channel, and between Alice and Eve is a covert channel. Alice and Bob have a pre-established channel to communicate the attack information, and it is mentioned in dotted lines in the figure 5.

While Eve is communicating with Bob over the legitimate channel, Alice would extract information over the covert channel. Once the communication between Bob and Eve is over, Alice would also stop communication with Bob. Further, Alice and Eve can share the information snatched from Bob's machine. The covert channel implemented between Alice and Bob can have a strong trapdoor so as to thwart the detection methods. Such trapdoors can be designed using Hybrid covert channel. Such a possible composition can be Subliminal channel in the IPSec and Network Covert Channel in the IP, both at network layer.

Fig. 5: Noise Covert Channel

This combination will prove effective in hop-to-hop routing and can avoid any detections.

The covertness index for Network Covert Channel in Network Layer (IPv4) -

where
(T) = Probability of a trapdoor card
(Ut) = Universal set of all possible trapdoors

The covertness index for subliminal channel in IPSec - ESP format

IPSec makes use of the AES-XCBC-MAC cipher suite, and the ESP format allows two trapdoors implantation - Sequence Number field and padding. The maximum number of rounds in AES random number generator algorithm is 16, out of which 5 rounds are used for generating the seed.

As per [7], the trapdoors can be detected under the assumption stated in the hybrid covert channel formation. However, this will not be the same if multiple trapdoors are set in each of the protocol headers.

4.2 Scenario-2

This scenario is built on the threat model of noiseless covert channel, where the resources and users in a sub-network are compromised. This sub-network is connected to other networks. The communication from the sub-network to all the other networks is built using a Hybrid Covert Channel. This sub-network can be similar to a bot-net as described in [8].

Fig. 6: Noiseless Covert Channel with Hybrid Covert Channel

The scenario can have a multi-trapdoor or protocol hopped hybrid covert channel [16]. The trapdoor can move from one protocol to another protocol during the hop-to-hop communication, or can be a combination of trapdoors in multiple levels in the protocol suite. Hence there can be no particular index.

5. COVERT SCHEMES AND THEIR EMBODIMENT

The covert schemes are crucial for conveying the covert data over the communication channel in an obscured way. A more sophisticated scheme is likely not to be retrieved by the detection entity. Few samples of covert schemes were discussed in section 2 of this paper, and detailed schemes are presented here.

Scheme 1

The IP ID is a field used for identification of the packet and is used for the routing purpose. The covert scheme used for this field is based on the following strategy -

• Intentional use of only certain IP IDs while having conversation with the covert receiver
• Scheme is designed by the covert sender for embedding covert characters into the IP ID field
• The covert receiver applies the scheme used by the sender to retrieve the covert character

For instance, a simple scheme that can be used for this field is extracting the IP ID by performing modulus operation of the character set size. General notation for this scheme for encoding a character 'c' is

where $F(c)$ is the encoding function, $R$ is the IP ID value and $n$ is the size of the character set. For an ASCII character set, $n = 256$.

Example: If IP ID = 26702 and the character to be sent is 'M', then $F(c) = (26702 - 1) \bmod 256$ = 'M'.

To convey a covert message, the covert sender has to select the IP ID in such a way as to match $F(c)$.

Scheme 2

Another prominent scheme used is on the sequence number, where the maximum range is 4294967296 numbers as it is a 32 bit field. To communicate covertly under this scheme, the following strategy is employed -

• Sequence number is multiplied with value of character set and bound is declared with maximum limit
• The receiver side retrieves the sequence number and then divides it by character set size

The encoding function $F(c)$ is given below -

where $S$ is the initial sequence number and $n$ is the size of the character set. The decoding function $F(c')$ is given below –

where $c'$ is the decoded character and $S'$ is the received sequence number.

For instance, to send a character 'I' covertly over the channel, the sender would have to choose 1235037038 as sequence number, and the max value is derived as 65535 × 256 = 16777216. Therefore the decoded character is $F(c') = 1235037038 / 16777216 = 73$. The value 73, when mapped back to the ASCII table, is the character 'I'.

Scheme 3

Another scheme which has tremendous effect on the bandwidth is the modulation of TCP timestamps, or use of the timing element in the network protocol. TCP timestamps is in the options field of the TCP header, which indicates the round trip time of the packets. The TCP process accurately calculates the next retransmission of a TCP segment which failed to be acknowledged. If the character is to be covertly sent using this scheme, the following strategy is used:

• Get the binary representation of the character and extract bits from the least significant bit
• Check if the timestamp least significant bit (LSB) is the same as the covert bit; if so, send the TCP segment
• Covert receiver will extract the LSB of the timestamp and store the same until it is a byte

Let $B_c$ be the binary representation of the character 'c' and $F_{LSB}(B_c)$ be the encoding function for encoding the covert bits in the TCP timestamp.

6. ENTROPY BASED COVERT CHANNEL ANALYSIS

The entropy [2] in a communication network indicates the number of bits required to encode a character over the channel, as stated by Shannon entropy theory. This is based on the frequency of the characters in a given string and the size of the alphabet. The entropy measure also checks for uncertainty of the random variable.

Let $A$ be a finite set of characters such that $|A| \ge 1$ and any character 'c' $\in A$ is a sequence of symbols, which is a string; each alphabet in the string $\in A$. For instance, let cbbacabbac be the sequence of symbols that needs to be transmitted over the network; then its sequence of bits represents the coded symbol sequence, which may be 101110011011100010. Then the entropy for such a scenario is defined as –

where 'c' $\in |A|$ and $|A| > 1$, $p_i$ is the probability of the occurrence of symbol 'c' in the string and $n$ gives the length of the string. To transmit a message "network" over the communication network, following are the calculated entropy for each alphabet –

The frequency of all the characters in a string with unique symbols will be the same; since the word "network" has unique symbols, the frequency is 0.143. Let X be the string for which the entropy is to be calculated (here X may be a word like network or a stream of numbers), then

$$H(X) = -[(0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143)]$$

$$H(X) = 2.803$$

It requires 3 bits to represent each symbol in the given string, and 21 bits are required to represent the entire string. Further, the appropriate line coding technique has to be chosen to represent them in the transmission line. So in general, the entropy of X where each alphabet is a unique symbol is

In a covert channel scenario, the covert user has to choose the message in such a way that the entropy of the string is always less than the number of bits available for that field in the protocol header,

i.e. $H(X) < |\text{Maximum number of bits in that field}\ (B_f)|$
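The decoders implied by the worked examples in Schemes 1 to 3, combined with the entropy check of this section, as an added Python example (not the paper's code). The formulas `(R - 1) mod n` and `S' // (2^32 / n)` are read off the page's worked examples because the encoding equations are not shown; all function names are hypothetical and the IP ID and timestamp lists are constructed sample values.

```python
import math
from collections import Counter

SEQ_SPACE = 2 ** 32  # 4294967296 values in the 32-bit sequence number field


def shannon_entropy(symbols):
    """Shannon entropy H(X) in bits per symbol; 0.0 for an empty sequence."""
    total = len(symbols)
    if total == 0:
        return 0.0
    counts = Counter(symbols)
    return -sum((k / total) * math.log2(k / total) for k in counts.values())


def decode_ip_id(ip_id, n=256):
    """Scheme 1 as read from the worked example: (R - 1) mod n (assumption)."""
    return (ip_id - 1) % n


def decode_seq(seq, n=256):
    """Scheme 2 as read from the worked example: S' // (2^32 / n) (assumption)."""
    return seq // (SEQ_SPACE // n)


def decode_ts_lsb(timestamps):
    """Scheme 3: rebuild bytes from timestamp LSBs, least significant bit first."""
    usable = len(timestamps) - len(timestamps) % 8  # ignore an incomplete byte
    decoded = []
    for start in range(0, usable, 8):
        byte = 0
        for pos, ts in enumerate(timestamps[start:start + 8]):
            byte |= (ts & 1) << pos
        decoded.append(byte)
    return decoded


def analyse_field(symbols, field_bits):
    """Apply the section's check H(X) < B_f to symbols decoded from one field."""
    h = shannon_entropy(symbols)
    bits_per_symbol = math.ceil(h)
    return {
        # Non-printable values are shown as '.' so the report stays readable.
        "text": "".join(chr(s) if 32 <= s < 127 else "." for s in symbols),
        "entropy": h,
        "bits_per_symbol": bits_per_symbol,
        "total_bits": bits_per_symbol * len(symbols),
        "fits_field": h < field_bits,
    }


# Constructed sample: IP ID values observed in seven packets of one flow.
CONSTRUCTED_IP_IDS = [25711, 25958, 26229, 26488, 26736, 26995, 27244]
# Constructed sample: TCP timestamp values of eight consecutive segments.
CONSTRUCTED_TIMESTAMPS = [1001, 1004, 1006, 1009, 1012, 1014, 1017, 1020]


def run_demo():
    """Decode the constructed IP IDs and check them against the 16-bit field."""
    symbols = [decode_ip_id(v) for v in CONSTRUCTED_IP_IDS]
    return analyse_field(symbols, field_bits=16)


if __name__ == "__main__":
    report = run_demo()
    print(report["text"], round(report["entropy"], 3), report["total_bits"])
    print(chr(decode_seq(1235037038)), bytes(decode_ts_lsb(CONSTRUCTED_TIMESTAMPS)))
```

The entropy value depends only on symbol frequencies, so any seven distinct field values give the same H(X) as "network"; the exact figure is log2 7 ≈ 2.807, which the page rounds to 2.803 by using 0.143 for 1/7.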

The IP ID presented in the scheme 1 of this paper has 16 bits in the IP header, so to send X the minimum of 21 bits are required. Hence the capacity of the covert channel is

The covert channel occupies 25% of total IP header space. Multiple trapdoors (t) [5] [4] in the IP header or protocol header simply double the covert channel capacity. However, the entropy to channel capacity ratio will be low, thus making it robust, i.e.

This makes the detection of covert bits much more difficult, as the detection system needs to scan more fields for analysis.

In general,

for robust covert channel construction, where [7] the covertness index for such a multi-trapdoor covert channel will be greater than 0.5. The multiple trapdoors through a protocol or set of protocols is actually setting up of multiple covert channels in the communication network. The entropy for such scenarios is dispersed across multiple, making it difficult to understand the scheme. Also, in the scenario of multi-trapdoors, the covert channel behaves like a single coherent hybrid covert channel where the effect of the entropy is doubled. The results shown in the figure 7 and figure 8 show the accurate expected behaviour discussed in this paper -

Fig. 7: IP Entropy analysis

Fig. 8: TCP Entropy Analysis

The results indicate that the multiple trapdoors used in a hybrid covert channel yield a higher entropy value and a low channel to entropy ratio (C/E). The constant C/E ratio also indicates the consistent usage of the protocol header for constructing a multi-trapdoor based hybrid covert channel. This implies that the covert schemes used in a Hybrid covert channel are difficult to detect in secured communication.

7. RESULTS AND DISCUSSIONS

The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in that protocol, i.e.

where Tm is the max number of trapdoors possible in that protocol and Ts is the no. of trapdoors set.

The analysis of the trapdoor setting is performed on protocols like IPv4, TCP and IPSec, SSL/TLS. The trapdoor setting in the rudimentary network protocols like IPv4 and TCP is merely based on placing the covert data in any of its header fields. The table 1 shows the effect of varying the number of trapdoors in the IPv4 protocol.

Table 1: Multi-Trapdoor Analysis of IPv4

| Sl No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Network Covert Channel-IPv4-Single | 4 | 1 | NIL | 0.25 | 2.803 | 0.089 |
| 2 | Network Covert Channel-IPv4-dual | 4 | 2 | NIL | 0.5 | 5.606 | 0.17 |
| 3 | Network Covert Channel-IPv4-triple | 4 | 3 | NIL | 0.75 | 11.21 | 0.358 |

The graph of Trapdoors Vs the Covertness Index is shown in the figure 9, where an increase in the number of the trapdoors in IPv4 increases the difficulty in detecting the covert channel. The trapdoor setting in IPSec using subliminal channel is slightly complex to understand. However, the ESP format provides two fields to convey the covert bits in the protocol header. The remaining data is sent over the ESP algorithm during the time of the key generation for encryption using the AES algorithm. The residual bits are used in random number generation or used in the round box of the AES, and this is depicted on row 2 of the table 2. Hence the covertness index is 0.15 equation 2 which is 0.47. This will not change any further, as there is limited scope for subliminal channel development in IPSec-ESP format.

Fig. 9: Entropy Vs Covertness Index in IPv4

Table 2: Multi-Trapdoor Analysis of Subliminal Channel in IPSec

| Sl No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Subliminal Channel-IPSec ESP-1 | 2 | 1 | AES-XCBC-MAC | 0.15 | 2.803 | 0…14 |
| 2 | Subliminal Channel-IPSec ESP-2 | - | - | AES-XCBC-MAC | 0.47 | 4.78 | 0…35 |
| 3 | Subliminal Channel-IPSec ESP-3 | - | - | AES-XCBC-MAC | 0.47 | 5.21 | 0…35 |

The graph of Trapdoors Vs the Covertness Index is shown in the figure 10, where an increase in the number of the trapdoors in IPSec ESP makes the covertness index constant. The trapdoors in TCP based protocol are simple, and it provides seven fields for placing the covert data. The table 3 depicts the changing trapdoor that has an effect on the covertness index. When more trapdoors are involved, it is difficult to detect the composition of the covert channel. The figure 11 shows the change in the trapdoor count that has an effect in the detection. However, the changes in the covertness index can be minimal. The trapdoor setting in the subliminal channel in SSL/TLS is based on the algorithm used in its cipher suite. This is purely called a random oracle channel. However, to increase the complexity of the subliminal channel to thwart detection, the randomization of bits is feasible in a chosen prime number. This forms the Newton Subliminal Channel. The covertness index for such channels is discussed in the table 4.

Fig. 10: Entropy Vs Covertness Index in IPSec based subliminal channel

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1315

International Journal of Net

Table 3 Multi-

SlNo TrapdoorName

1 Network Coverthannel-TCP-

2 Network Covert

hannel-TCP-

3 Network Covert

hannel-TCP-

The graph of covertness index

12 The higher entropy value f[10] is able to detect the activi

Hybrid Covert channel is not fea

and IPv4 as this become easily d

Fig11 Entro

Table4Multi-

SlNo TrapdoorName

1 SubliminalChannel(Oracl

e)-

SSL TLS-1 2 SubliminalC

hannel(Oracl

e)-

SSL TLS-2 3 SubliminalC

hann

el(Oracl

e)-

SSL TLS-3

ork Security amp Its Applications (IJNSA) Vol7 No3 M

rapdoor Analysis of Network covert channel in TCP

Noof Trapd

oors No

of

Trapdoorsu

Algorithm CovertnessI

ndex Entropy C

1 7 1 NIL 0142 2803 0

2 7 2 NIL 028 5606 0

3 7 3 NIL 042 1121 0

s the trapdoor in the subliminal channel is shown

r the some of the formation indicates that the detty and this give clear indication of the higher de

sible for the combinations of the Network covert ch

tectable combination

y Vs Covertness Index in Covert Channel based on TCP

TrapdoorAnalysisof SubliminalChannelinSSL TLS

Noof Trapdoors

No of

Trapdoorsu

Algorithm CovertnessIndex

Entropy C

- - SSLCi-pherSuite

025 2803 0

- - SSLCi-pherSuite

058 367 0

- - SSLCi-

pherSu

ite

058 367 0

ay 2015

51

E

14

28

14

in the figure

ction enginetection rates

annel in TCP

E

14

35

35

Fig. 12: Covertness Index for Subliminal Channel based on SSL/TLS

8. CONCLUSION

Covert schemes are difficult to understand from third party entity as they obscure the content taken in protocol header. This provides an opportunity for embedding any data which may even be malware code. Entropy based analysis gives the actual number of bits used to represent the covert symbol in a protocol. This gives clearly metric to understand the covert channel schemes in a better way. It is unacceptable to have malicious conversation of the network even in presence of administrator. It is inferred from this experiment that the hybrid covert channel has high degree of entropy, which makes it difficult to detect. It is required to concentrate on stronger detection principle to detect such events.

ACKNOWLEDGEMENT

Anjan Koundinya thanks Late Dr. V.K. Ananthashayana, Erstwhile Head, Department of Computer Science and Engineering, M.S. Ramaiah Institute of Technology, Bangalore, for igniting the passion for research.

REFERENCES

[1] Description of Detection Approaches at the URL http://gray-world.net/projects/papers/html/cctde.html, 2014. [Online; accessed 15-Feb-2015].

[2] Description of the Entropy calculation at the URL http://www.shannonentropy.netmark.pl. [Online; accessed 16-Feb-201].

[3] Koundinya Anjan and Jibi Abraham. Behaviour analysis of transport layer based hybrid covert channel. In Third International Conference on Network Security and Application, pages 83-92, Chennai, India, 2010. Springer-Verlag LNCS series.

[4] Jibi Abraham, Anjan K, Srinath N K. Attack modelling and behavioral analysis of hybrid covert channel in secured communication. ACEEE International Journal of Network Security, 05(2):67-77, 2014.

[5] Bo Yuan, Chaim Sanders, Jacob Valletta. Employing Entropy in the Detection and Monitoring of Network Covert Channels. 2012.

[6] Rajarathnam Chandramouli and Koduvayur P. Subbalakshmi. Covert channel forensics on the internet: Issues, approaches, and experiences. 5(1):41-50, July 2007.

[7] Anjan K. Koundinya et al. Covertness analysis of subliminal channels in legitimate communication. In ADCONS 2011, pages 582-591. Springer-Verlag LNCS series, 2012.

[8] Jaideep Chandrashekar et al. Exploiting temporal persistence to detect covert botnet channels. In Proceedings of 12th International Symposium, RAID 2009, pages 326-345, Saint-Malo, France, September 2009.

[9] Loic Helou, Claude Jard and Marc Zeitoun. Covert channels detection in protocols using scenarios. SPV03, Volume 3, April 2003.

[10] Anjan K. Koundinya and Jibi Abraham. Design of Transport Layer Based Hybrid Covert Channel Detection Engine, volume 1 of 4. International Journal of Ad hoc, Sensor and Ubiquitous Computing, 2010.

[11] B. W. Lampson. A Note on the Confinement Problem. Communication of the ACM, 1973.

[12] Enping Li and Scott Craver. A supraliminal channel in a wireless phone application. In Proceedings of the 11th ACM workshop on Multimedia and security, pages 718, Princeton, New Jersey, USA, 2009.

[13] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert timing channels: Design and detection. CCS 4, 2004.

[14] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert channel detection. ACM Transaction on Information and System Security, Volume 12 (Article 22), 2009.

[15] Gustavus J. Simmons. The Subliminal Channel and Digital Signatures. Springer-Verlag, 1998.

[16] Steffen Wendzel. Protocol Channels. HAKIN9, 2009.

[17] Andreas Willig. A short introduction to queuing theory, lecture notes at Technical University Berlin, 1999.

[18] Adam Young and Moti Yung. Malicious Cryptography. First edition, Wiley Publishing, Feb, pages 220-240, 2004.

AUTHORS

Anjan K has received his B.E degree from Visveswariah Technological University, Belgaum, India in 2007 and his master degree from Department of Computer Science and Engineering, M.S. Ramaiah Institute of Technology, Bangalore, India. He has been awarded Best Performer PG 2010 for his academic excellence. His areas of research include Network Security and Cryptography, Agile Software Engineering. He is pursuing PhD in Computer Science and Engineering from VTU, Belgaum. He is currently working as Assistant Professor in Dept. of Computer Science and Engineering, R V College of Engineering, Bengaluru, India.

Srinath N K has his M.E degree in Systems Engineering and Operations Research from Roorkee University in 1986 and PhD degree from Avinash Lingum University, India in 2009. His areas of research interests include Operations Research, Parallel and Distributed Computing, DBMS, Microprocessor. He is working as Professor and Dean PG, Dept. of Computer Science and Engineering, R V College of Engineering.

Jibi Abraham has received her M.S degree in Software Systems from BITS, Rajasthan, India in 199 and PhD degree from Visveswariah Technological University, Belgaum, India in 2008 in the area of Network Security. Her areas of research interests include Network routing algorithms, Cryptography, Network Security of Wireless Sensor Networks and Algorithms Design. She is working as Professor and Head in Dept. of CEIT, College of Engineering, Pune.

way to detect such activity. Illegitimate information flows can be tracked through Message Sequence Charts (MSC) [9]. This paper employs a statistical protocol based entropy detection [1] to detect hybrid covert channel based on analysis made on packet headers.

2. COVERT COMMUNICATION TYPES

In Network communication, covert communication amongst a pair of users can take two forms:
(a) covert data exchange and
(b) covert indication

In covert data exchange, covert data is exchanged between the covert users by hiding covert data in rudimentary protocols. This form of covert communication can best be understood with pipeline problem where there exists two pipes p1 and p2 of diameters d1 and d2 respectively, one inside the other such that d2 < d1. These pipes are setup between two geographical places for the transportation of crude oil. In Figure 3, the inner pipe p2 of diameter d2 is the covert pipe not known or undocumented in the design and used for smuggling oil. The outer pipe p1 is the legitimate pipe. This type of the covert communication type will not have pre-defined encoding schemes, will be simple placement of covert data (trapdoor creation) directly in the identified clandestine field in the traditional network protocol stack. This channel is called as simple network covert channel.

Fig. 3: Classical Pipeline Problem

Second form of covert communication is the covert indication. Covert users communicate in a language not known to others. In Figure 4, the covert sender and receiver share an information encoding scheme to leak information. This information encoding scheme as seen from the figure 1 is the language that covert users employ to communicate in a secured legitimate network environment. This sophisticated communication is visible to our detection engine, however decoding the language might be quite difficult in many situations.

The best real time classical example of such communication is Examination Problem. Student X leaks the answers to Student Y for an objective type examination paper in an examination hall in presence of invigilating officer. For each choice in a question, student X makes gesture that triggers an event to student Y. For instance, to communicate choice A to student Y, student X coughs. Same schema holds good in case network communication where covert user X triggers continuous clock events that communicate some form of action to be performed by covert user Y. Some of the other forms of covert indication in network scenario include

• Encoding ASCII character set in Sequence number. Decoding the same by applying mathematical operation on sequence number. This can either be in TCP or IP ID fields.

• Repeated sending of acknowledge packet to an unknown server where the covert receiver is listening to. Receiver has to count the number of time the acknowledge packet was sent to this server. This value can later on mapped to ASCII table for retrieving suitable character.

• Retrieving the packet sorting order numbering in IPSec frames which serves as information to the covert receiver.

• Using logical operators like the XOR with sequence number to get the covert data.

Fig. 4: Classical Examination Problem

3. COVERT CHANNEL VARIANTS

Covert channel are categorized based on different aspects of the overall entities involved in the communication like the shared resources, backdoor/trapdoor placement and parties involved in the communication. The covert channel general classification is given below:

• Noisy Covert Channel [14] is a communication channel which has presence of both Overt and covert users.

• Noiseless Covert Channel [14] is the communication channel used solely by covert parties.

• Storage Covert Channel [14] involves the sender and the receiver either directly or indirectly read or writes in to storage location. The implementation can be on file-lock R/W in hard disk.

• Timing Covert Channel [14] [13] involves the sender signalling the information by modulating the resources in such a way that real response time is observed by the receiver.

• Simple Network Covert Channel [14] (SNCC) exists by creating trapdoor in rudimentary protocols used in network protocol suite.

• Steganographic Channel [3] is a means of communication where sender and receiver collude to prevent an observer being able to reliably detect whether communication is happening.

• Subliminal Channel [15] is a covert channel in a cryptographic algorithm, typically proved undetectable.

• Supraliminal Channel [12] - A supraliminal channel encodes information in the semantic content of cover data, generating innocent communication in a manner similar to mimic functions.

• Hybrid Covert Channel [4] is co-existence of two or more different variants of covert channels existing at same instance of time. The composition of the Hybrid covert channel is difficult to assess from third party which is trying to detect. Mixed composition of covert channel variants behave as single coherent covert channel and is of a greatest threat to the legitimate network environment. For instance, noisy covert channel in transport layer with subliminal channel in network layer or application layer.

4. ATTACK MODELLING

The attack modelling [4] can be based on different scenarios and placement covert users. Each of these scenarios are designed and built to fulfil certain objectives. Covert users can communicate in direct or encoded format; direct communication is merely placement of covert data over an clandestine medium in the network protocol. Alternatively, the covert user can communicate using encoding scheme and that is known only to the covert users.

The intricate design choosing of clandestine mediums (trapdoors) and encoding scheme paves a way for successful undetectable establishment of covert channel. Detecting such strong covert mediums may be difficult and hence detection metric called covertness index is used. The metric is given below and will be used for assessment in the attack scenarios.

This important formation scenarios of covert channels where attack can be devised is given below.

4.1 Scenario - 1

The attack scenarios have three entities - Alice, Bob and Eve. Alice and Bob are covert attackers and Eve is legitimate entity/user. The scenario comprises of the combination of covert and legitimate users, hence it is scenario of noisy covert channel. The channel established between Bob and Eve is legitimate channel comprising of covert channel and between Alice and Eve is covert channel. Alice and Bob have pre-established channel to communicate the attack information and is mentioned in dotted lines in the figure 5.

While Eve is communicating with Bob over legitimate channel, Alice would extract information over the covert channel. Once when the communication between Bob and Eve is over, Alice would also stop communication with Bob. Further, Alice and Eve can share the information snatched from Bob's machine. The covert channel implemented between Alice and Bob can have strong trapdoor so as to thwart the detection methods. Such trapdoors can be designed using Hybrid covert channel. Such possible composition can be Subliminal channel in the IPSec and Network Covert Channel in the IP, both at network layer.

Fig. 5: Noise Covert Channel

This combination will prove effective in hop-to-hop routing and can avoid any detections.

The covertness index for Network Covert Channel in Network Layer (IPv4) -

where (T) = Probability of a trapdoor, card(Ut) = Universal set of all possible trapdoors

The covertness index for subliminal channel in IPSec - ESP format

IPSec make use of AES-XCBC-MAC cipher suite and ESP format allow two trapdoors implantation - Sequence Number field and padding. The maximum number of rounds in AES random number generator algorithm is 16. Out of which 5 rounds are used for generating the seed.

As per [7], the trapdoors can be detected under the assumption stated in the hybrid covert channel formation. However this will not be the same if multiple trapdoors are set in each of the protocol headers.

4.2 Scenario-2

This scenario is built on the threat model of noiseless covert channel where the resources and users in sub-network are compromised. This sub-network is connected to other network. The communication from the sub network to all the other networks is built using a Hybrid Covert Channel. This sub network can be similar to bot-net as described in [8].

Fig. 6: Noiseless Covert Channel with Hybrid Covert Channel

The scenario can have multi-trapdoor or protocol hopped hybrid covert channel [16]. The trapdoor can move from one protocol to another protocol during the hop-to-hop communication or can be combination trapdoors in multiple level in the protocol suite. Hence there can be no particular index.

5. COVERT SCHEMES AND THEIR EMBODIMENT

The covert schemes are crucial for conveying the covert data over communication channel in an obscured way. More sophisticated scheme likely not to be retrieved by detection entity. Few samples of covert schemes were discussed in section 2 of this paper and detailed schemes are presented here.

Scheme 1

The IP ID is field used for identification of the packet and is used for the routing purpose. The covert scheme used for this field is based on following strategy -

• Intentional use of only certain IP IDs while having conversation with Covert receiver

• Scheme is designed by the covert sender for embedding covert characters into the IP ID field

• The Covert receiver applies the scheme used by the sender to retrieve the covert character

For instance, a simple scheme that can be used for this field is extracting the IP ID is by performing modulus operation of the character set size. General notation for this scheme for encoding a character 'c' is

Here the left-hand side is the encoding function, R is the IP ID value and n is the size of the character set. For an ASCII character set, n = 256.

Example: If IP ID = 26702 and the character to be sent is 'M', then (26702 − 1) mod 256 = 'M'.

To convey a covert message, the covert sender has to select the IP ID in such a way as to match the encoding function.

Scheme 2

Another prominent scheme is based on the sequence number, where the maximum range is 4294967296 numbers as it is a 32 bit field. To communicate covertly under this scheme, the following strategy is employed -

• Sequence number is multiplied with value of character set and bound is declared with maximum limit

• The receiver side retrieves the sequence number and then divides it by character set size

The encoding function is given below -

Where S is the initial sequence number and n is the size of the character set. The decoding function is given below -

Where the primed symbols are the decoded character and the received sequence number.

For instance, to send a character 'I' covertly over the channel, the sender would have to choose 1235037038 as sequence number and the max value is derived as 65535 256 = 16777216. Therefore the decoded character is 1235037038 / 16777216 = 73. The value 73 when mapped back to the ASCII table is the character 'I'.

Scheme 3

Another scheme which has tremendous effect on the bandwidth is the modulation of TCP timestamps or use of timing element in the network protocol. TCP timestamps is in the options field of the TCP header which indicates the round trip time of the packets. The TCP process accurately calculates the next retransmission of a TCP segment which failed to be acknowledged. If the character is to be covertly sent using this scheme, the following strategy is used:

• Get the binary representation of the character and extract bits from the least significant bit

• Check if the Timestamp least significant bit (LSB) is same as covert bit; if so, send the TCP segment

• Covert receiver will extract the LSB of the timestamp and store the same until it is a byte

Let Bc be the binary representation of the character 'c' and FLSB(Bc) be the encoding function for encoding the covert bits in TCP timestamp

6. ENTROPY BASED COVERT CHANNEL ANALYSIS

The entropy [2] in a communication network indicates the number of bits required to encode a character over the channel, as stated by Shannon Entropy theory. This is based on the frequency of the characters in the given string and the size of the alphabet. The entropy measure also checks for uncertainty of the random variable.

Let A be a finite set of characters such that |A| ≥ 1, and any character 'c' ∈ A is a sequence of symbols which is a string, each alphabet in the string ∈ A. For instance, let cbbacabbac be the sequence of symbols that needs to be transmitted over the network; then its sequence of bits represents the coded symbol sequence, which may be 101110011011100010. Then the entropy for such a scenario is defined as -

where |A| > 1, pi is the probability of the occurrence of symbol 'c' in the string and n gives the length of the string. To transmit a message "network" over the communication network, following are the calculated entropy for each alphabet -

The frequency of all the characters in a string with unique symbols will be the same; since the word "network" has unique symbols, the frequency is 0.143. Let X be the string for which the entropy is to be calculated (here X may be a word like network or a stream of numbers), then

$$H(X) = [(0.143\log_2 0.143) + (0.143\log_2 0.143) + (0.143\log_2 0.143) + (0.143\log_2 0.143) + (0.143\log_2 0.143) + (0.143\log_2 0.143) + (0.143\log_2 0.143)]$$

$$H(X) = 2.803$$

It requires 3 bits to represent each symbol in the given string and 21 bits are required to represent the entire string. Further, the appropriate line coding technique has to be chosen to represent them in the transmission line. So in general, entropy of X where each alphabet is a unique symbol is

In a covert channel scenario, the covert user has to choose the message in such a way that the entropy of the string is always less than the number of bits available for that field in the protocol header,

i.e. H(X) < |Maximum number of bits in that field (Bf)|
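The entropy measure of this section and the decoders of Schemes 1 and 2, combined into a per-field check that a monitoring tool could run over one flow's header values. This is an added example, not code from the paper: the function names, the thresholds in `assess_field` and the two IP ID lists are assumptions constructed for illustration.

```python
import math
from collections import Counter

CHARSET_SIZE = 256                    # n in the paper: size of the ASCII character set
SEQ_BUCKET = 2 ** 32 // CHARSET_SIZE  # 16777216, the divisor in the paper's Scheme 2 example

# Constructed sample (not captured traffic): IP IDs whose Scheme 1 residues
# spell "network network", the paper's example word repeated.
COVERT_IP_IDS = [26735, 4454, 51317, 888, 23152, 14195, 3180, 38433,
                 8559, 19814, 1397, 53880, 15728, 30835, 61548]
# Constructed benign sample: a plain incrementing IP ID counter.
COUNTER_IP_IDS = list(range(40000, 40015))


def shannon_entropy(symbols):
    """Shannon entropy in bits per symbol: H(X) = -sum(p_i * log2(p_i))."""
    total = len(symbols)
    if total == 0:
        return 0.0
    counts = Counter(symbols)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def bits_required(symbols):
    """Bits for the whole string at ceil(H(X)) bits per symbol (Section 6)."""
    return math.ceil(shannon_entropy(symbols)) * len(symbols)


def decode_ip_id(ip_id):
    """Scheme 1, as in the paper's worked example: (R - 1) mod n."""
    return (ip_id - 1) % CHARSET_SIZE


def decode_seq(seq):
    """Scheme 2: received 32-bit sequence number divided by 2^32 / n."""
    return seq // SEQ_BUCKET


def assess_field(values, decoder, min_samples=12,
                 printable_min=0.95, norm_entropy_max=0.9):
    """Score one header field of one flow against one candidate decoder.

    Assumed heuristic (not from the paper): flag the field when nearly every
    decoded symbol is printable ASCII AND the decoded entropy is clearly below
    log2(sample size). The second test matters because a short run of an
    incrementing counter also decodes to printable bytes, but with no repeats.
    """
    decoded = [decoder(v) for v in values]
    n = len(decoded)
    report = {"samples": n, "printable_ratio": 0.0, "entropy": 0.0,
              "normalised_entropy": 1.0, "decoded_text": "", "flagged": False}
    if n < min_samples:
        return report  # too few packets to say anything
    printable = [0x20 <= c <= 0x7E for c in decoded]
    report["printable_ratio"] = sum(printable) / n
    report["entropy"] = shannon_entropy(decoded)
    report["normalised_entropy"] = report["entropy"] / math.log2(n)
    report["decoded_text"] = "".join(
        chr(c) if ok else "." for c, ok in zip(decoded, printable))
    report["flagged"] = (report["printable_ratio"] >= printable_min
                         and report["normalised_entropy"] <= norm_entropy_max)
    return report


if __name__ == "__main__":
    print("H('network') =", round(shannon_entropy("network"), 3),
          "bits/symbol;", bits_required("network"), "bits in total")
    for name, ids in (("covert", COVERT_IP_IDS), ("counter", COUNTER_IP_IDS)):
        r = assess_field(ids, decode_ip_id)
        print(name, r["flagged"], repr(r["decoded_text"]),
              round(r["normalised_entropy"], 2))
```

The same `assess_field` call works for sequence numbers by passing `decode_seq`; a real deployment would run every candidate decoder over every header field the paper lists as a possible trapdoor.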

The IP ID presented in the scheme 1 of this paper has 16 bits in the IP header, so to send X the minimum of 21 bits are required. Hence capacity of the covert channel is

The covert channel occupies 25% of total IP header space. Multiple trapdoors (t) [5] [4] in IP header or protocol header simply doubles the covert channel capacity. However the entropy to channel capacity ratio will be low, thus making it robust, i.e.

This makes the detection of covert bits much difficult as the detection systems needs to scan more fields for analysis.

In general

for robust covert channel construction where [7] the covertness index for such multi-trapdoor covert channel will be greater than 0.5. The multiple trapdoors through a protocol or set of protocols is actually setting up of multiple covert channels in the communication network. The entropy for such scenarios is dispersed across multiple, making it difficult to understand the scheme. Also in the scenario of multi-trapdoors, covert channel behaves like a single coherent hybrid covert channel where the effect of the entropy is doubled. The below results shown in the figure 7 and figure 8 shows the accurate expected behaviour discussed in this paper -

Fig. 7: IP Entropy analysis

Fig. 8: TCP Entropy Analysis

The results indicate that the multiple trapdoors used in a hybrid covert channel yield a higher entropy value and a low channel to entropy ratio (C/E). The constant C/E ratio also indicates the consistent usage of the protocol header for constructing a multi-trapdoor based hybrid covert channel. This implies that the covert schemes used in a Hybrid covert channel are difficult to detect in secured communication.

7. RESULTS AND DISCUSSIONS

The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in that protocol, i.e.

where Tm is the max number of trapdoors possible in that protocol and Ts is the no. of Trapdoors set.

The analysis of the trapdoor setting is performed on protocols like IPv4, TCP and IPSec, SSL/TLS. The trapdoor setting in the rudimentary network protocols like IPv4 and TCP is merely based on placing the covert data in any of its header fields. Table 1 shows the effect of varying the number of trapdoors in the IPv4 protocol.

Table 1: Multi-Trapdoor Analysis of IPv4

| Sl.No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Network Covert Channel-IPv4-Single | 4 | 1 | NIL | 0.25 | 2.803 | 0.089 |
| 2 | Network Covert Channel-IPv4-dual | 4 | 2 | NIL | 0.5 | 5.606 | 0.17 |
| 3 | Network Covert Channel-IPv4-triple | 4 | 3 | NIL | 0.75 | 11.21 | 0.358 |

The graph of Trapdoors Vs the Covertness Index is shown in figure 9, where an increase in the number of trapdoors in IPv4 increases the difficulty in detecting the covert channel. The trapdoor setting in IPSec using subliminal channel is slightly complex to understand. However, the ESP format provides two fields to convey the covert bits in the protocol header. The remaining data is sent over the ESP algorithm during the time of the key generation for encryption using the AES algorithm. The residual bits are used in random number generation or used in the round box of the AES, and this is depicted on row 2 of table 2. Hence the covertness index is 0.15 equation 2 which is 0.47. This will not change any further as there is limited scope for subliminal channel development in IPSec-ESP format.

Fig. 9: Entropy Vs Covertness Index in IPv4

Table 2: Multi-Trapdoor Analysis of Subliminal Channel in IPSec

| Sl.No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Subliminal Channel-IPSecESP-1 | 2 | 1 | AES-XCBC-MAC | 0.15 | 2.803 | 0.14 |
| 2 | Subliminal Channel-IPSecESP-2 | - | - | AES-XCBC-MAC | 0.47 | 4.78 | 0.35 |
| 3 | Subliminal Channel-IPSecESP-3 | - | - | AES-XCBC-MAC | 0.47 | 5.21 | 0.35 |

The graph of Trapdoors Vs the Covertness Index is shown in the figure 10 where increase in the number of the trapdoors in IPSec ESP makes covertness index constant. The trapdoors in TCP based protocol is simple and provides seven fields for placing the covert data. The table 3 depicts the changing trapdoor that has an effect on the covertness index. When more number of the trapdoors are involved it is difficult to detect the composition of the covert channel. The figure 11 shows change in the trapdoor count that has an effect in the detection. However the changes in the covertness index can be minimal. The trapdoor setting in the subliminal channel in SSL/TLS is based on the algorithm used in its cipher suite. This is purely called as random oracle channel. However to increase the complexity of the subliminal to thwart detection, the randomization of bits is feasible in chosen prime number. This forms Newton Subliminal Channel. The covertness index for such channels is discussed in the table 4.

Fig. 10: Entropy Vs Covertness Index in IPSec based subliminal channel


iahInstitute of Technology Bangalore IndiaHe has

10 for his academic excellenceHis area so fresearch

graphyAgile Software EngineeringHe ispursuing

neeing fromVTUBelgaum He is currently working

omputer Science and Engineering RV College of

ystems Engineering and Operations Research from

D degree from Avinash Lingum UniversityIndia

rests include Operations Research Parallel and

roprocessor His isworking as Professor and Dean

EngineeringRVCollege of Engineering

r MS degree in Software Systems from

PhD degree from Visveswariah Technological

008 in the area of Network SecurityHe rarea so

routing algorithms Cryptography Network Security

lgorithms DesignShe is working as Professor andngineering Pune

ay 2015

53

ommunication

channels In

Malo France

sing scenarios

overt Channel

us Computing

3

n Proceedings

Jersey USA

ction CCS 4

ransaction on

1998

versity Berlin

ingFeb pages


Fig. 4: Classical Examination Problem

• Encoding the ASCII character set in the sequence number and decoding the same by applying a mathematical operation on the sequence number. This can either be in TCP or IP ID fields.

• Repeated sending of acknowledge packets to an unknown server where the covert receiver is listening. The receiver has to count the number of times the acknowledge packet was sent to this server. This value can later be mapped to the ASCII table for retrieving the suitable character.

• Retrieving the packet sorting order numbering in IPSec frames, which serves as information to the covert receiver.

• Using logical operators like XOR with the sequence number to get the covert data.

3. COVERT CHANNEL VARIANTS

Covert channels are categorized based on different aspects of the overall entities involved in the communication, like the shared resources, backdoor/trapdoor placement and parties involved in the communication. The general classification of covert channels is given below:

• Noisy Covert Channel [14] is a communication channel which has the presence of both overt and covert users.

• Noiseless Covert Channel [14] is the communication channel used solely by covert parties.

• Storage Covert Channel [14] involves the sender and the receiver either directly or indirectly reading or writing in to a storage location. The implementation can be on file-lock, R/W in hard disk.

• Timing Covert Channel [14] [13] involves the sender signalling the information by modulating the resources in such a way that the real response time is observed by the receiver.

• Simple Network Covert Channel [14] (SNCC) exists by creating a trapdoor in rudimentary protocols used in the network protocol suite.

• Steganographic Channel [3] is a means of communication where sender and receiver collude to prevent an observer being able to reliably detect whether communication is happening.

• Subliminal Channel [15] is a covert channel in a cryptographic algorithm, typically proved undetectable.

• Supraliminal Channel [12]: a supraliminal channel encodes information in the semantic content of cover data, generating innocent communication in a manner similar to mimic functions.


• Hybrid Covert Channel [4] is the co-existence of two or more different variants of covert channels existing at the same instance of time. The composition of the Hybrid covert channel is difficult to assess for a third party which is trying to detect it. A mixed composition of covert channel variants behaves as a single coherent covert channel and is of the greatest threat to the legitimate network environment. For instance, a noisy covert channel in the transport layer with a subliminal channel in the network layer or application layer.

4. ATTACK MODELLING

The attack modelling [4] can be based on different scenarios and placement of covert users. Each of these scenarios is designed and built to fulfil certain objectives. Covert users can communicate in direct or encoded format. Direct communication is merely placement of covert data over a clandestine medium in the network protocol. Alternatively, the covert user can communicate using an encoding scheme that is known only to the covert users.

The intricate design, choosing of clandestine mediums (trapdoors) and encoding scheme paves a way for successful undetectable establishment of a covert channel. Detecting such strong covert mediums may be difficult, and hence a detection metric called covertness index is used. The metric is given below and will be used for assessment in the attack scenarios.

The important formation scenarios of covert channels where an attack can be devised are given below.

4.1 Scenario - 1

The attack scenario has three entities: Alice, Bob and Eve. Alice and Bob are covert attackers and Eve is a legitimate entity/user. The scenario comprises the combination of covert and legitimate users, hence it is a scenario of noisy covert channel. The channel established between Bob and Eve is a legitimate channel comprising of a covert channel, and between Alice and Eve is a covert channel. Alice and Bob have a pre-established channel to communicate the attack information, and this is shown in dotted lines in figure 5.

While Eve is communicating with Bob over the legitimate channel, Alice would extract information over the covert channel. Once the communication between Bob and Eve is over, Alice would also stop communication with Bob. Further, Alice and Eve can share the information snatched from Bob's machine. The covert channel implemented between Alice and Bob can have a strong trapdoor so as to thwart the detection methods. Such trapdoors can be designed using a Hybrid covert channel. Such a possible composition can be a Subliminal channel in IPSec and a Network Covert Channel in IP, both at the network layer.


Fig. 5: Noise Covert Channel

This combination will prove effective in hop-to-hop routing and can avoid any detections.

The covertness index for Network Covert Channel in Network Layer (IPv4) -

where (T) = probability of a trapdoor, card(Ut) = universal set of all possible trapdoors.

The covertness index for subliminal channel in IPSec - ESP format

IPSec makes use of the AES-XCBC-MAC cipher suite, and the ESP format allows implantation of two trapdoors: the Sequence Number field and padding. The maximum number of rounds in the AES random number generator algorithm is 16, out of which 5 rounds are used for generating the seed.

As per [7], the trapdoors can be detected under the assumption stated in the hybrid covert channel formation. However, this will not be the same if multiple trapdoors are set in each of the protocol headers.


4.2 Scenario-2

This scenario is built on the threat model of the noiseless covert channel, where the resources and users in a sub-network are compromised. This sub-network is connected to another network. The communication from the sub-network to all the other networks is built using a Hybrid Covert Channel. This sub-network can be similar to a bot-net as described in [8].

Fig. 6: Noiseless Covert Channel with Hybrid Covert Channel

The scenario can have a multi-trapdoor or protocol hopped hybrid covert channel [16]. The trapdoor can move from one protocol to another protocol during the hop-to-hop communication, or can be a combination of trapdoors at multiple levels in the protocol suite. Hence there can be no particular index.

5. COVERT SCHEMES AND THEIR EMBODIMENT

The covert schemes are crucial for conveying the covert data over a communication channel in an obscured way. A more sophisticated scheme is likely not to be retrieved by a detection entity. A few samples of covert schemes were discussed in section 2 of this paper, and detailed schemes are presented here.

Scheme 1

The IP ID is a field used for identification of the packet and is used for the routing purpose. The covert scheme used for this field is based on the following strategy:

• Intentional use of only certain IP IDs while having a conversation with the covert receiver.

• The scheme is designed by the covert sender for embedding covert characters into the IP ID field.

• The covert receiver applies the scheme used by the sender to retrieve the covert character.

For instance, a simple scheme that can be used for this field is extracting the IP ID by performing a modulus operation of the character set size. General notation for this scheme for encoding a character 'c' is


Where R is the IP ID value and n is the size of the character set in the encoding function. For an ASCII character set, n = 256.

Example: If IP ID = 26702 and the character to be sent is 'M', then $(26702 - 1) \bmod 256 = $ 'M'.

To convey a covert message, the covert sender has to select the IP ID in such a way as to match with the encoding function.

Scheme 2

Another prominent scheme uses the sequence number, where the maximum range is 4294967296 numbers as it is a 32-bit field. To communicate covertly under this scheme, the following strategy is employed:

• The sequence number is multiplied with the value of the character set, and a bound is declared with the maximum limit.

• The receiver side retrieves the sequence number and then divides it by the character set size.

The encoding function is given below -

Where S is the initial sequence number and n is the size of the character set. The decoding function is given below -

Where the primed symbols are the decoded character and the received sequence number.

For instance, to send a character 'I' covertly over the channel, the sender would have to choose 1235037038 as the sequence number, and the max value derived from 65535 and 256 is 16777216. Therefore the decoded character is $1235037038 / 16777216 = 73$. The value 73, when mapped back to the ASCII table, is the character 'I'.

Scheme 3

Another scheme which has a tremendous effect on the bandwidth is the modulation of TCP timestamps, or the use of a timing element in the network protocol. The TCP timestamp is in the options field of the TCP header and indicates the round trip time of the packets. The TCP process accurately calculates the next retransmission of a TCP segment which failed to be acknowledged. If a character is to be covertly sent using this scheme, the following strategy is used:

• Get the binary representation of the character and extract bits from the least significant bit.

• Check if the timestamp least significant bit (LSB) is the same as the covert bit; if so, send the TCP segment.

• The covert receiver will extract the LSB of the timestamp and store the same until it is a byte.

Let $B_c$ be the binary representation of the character 'c' and $F_{LSB}(B_c)$ be the encoding function for encoding the covert bits in the TCP timestamp.

6. ENTROPY BASED COVERT CHANNEL ANALYSIS

The entropy [2] in a communication network indicates the number of bits required to encode a character over the channel, as stated by Shannon entropy theory. This is based on the frequency of the characters in a given string and the size of the alphabet. The entropy measure also checks for uncertainty of the random variable.

Let A be a finite set of characters such that $|A| \ge 1$, where any character in A is a sequence of symbols which is a string, and each alphabet in the string $\in A$. For instance, let cbbacabbac be the sequence of symbols that needs to be transmitted over the network; then its sequence of bits represents the coded symbol sequence, which may be 101110011011100010. Then the entropy for such a scenario is defined as -

where $i \in |A|$ and $|A| > 1$, $p_i$ is the probability of the occurrence of symbol 'c' in the string and n gives the length of the string. To transmit a message "network" over the communication network, the following is the calculated entropy for each alphabet -

The frequency of all the characters in a string with unique symbols will be the same. Since the word "network" has unique symbols, the frequency is 0.143. Let X be the string for which the entropy is to be calculated (here X may be a word like network or a stream of numbers); then

$$H(X) = [(0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143)]$$

$$H(X) = 2.803$$

It requires 3 bits to represent each symbol in the given string, and 21 bits are required to represent the entire string. Further, the appropriate line coding technique has to be chosen to represent them in the transmission line. So in general, the entropy of X where each alphabet is a unique symbol is

In a covert channel scenario, the covert user has to choose the message in such a way that the entropy of the string should always be less than the number of bits available for that field in the protocol header,

i.e. $H(X) < |\text{Maximum number of bits in that field } (B_f)|$


The IP ID presented in scheme 1 of this paper has 16 bits in the IP header, so to send X a minimum of 21 bits is required. Hence the capacity of the covert channel is

The covert channel occupies 25% of the total IP header space. Multiple trapdoors (t) [5] [4] in the IP header or protocol header simply double the covert channel capacity. However, the entropy to channel capacity ratio will be low, thus making it robust, i.e.

This makes the detection of covert bits much more difficult, as the detection systems need to scan more fields for analysis.

In general

for robust covert channel construction, where [7] the covertness index for such a multi-trapdoor covert channel will be greater than 0.5. Multiple trapdoors through a protocol or set of protocols is actually the setting up of multiple covert channels in the communication network. The entropy for such scenarios is dispersed across multiple channels, making it difficult to understand the scheme. Also, in the scenario of multi-trapdoors, the covert channel behaves like a single coherent hybrid covert channel where the effect of the entropy is doubled. The results shown in figure 7 and figure 8 show the accurate expected behaviour discussed in this paper -

Fig. 7: IP Entropy analysis

Fig. 8: TCP Entropy Analysis


The results indicate that the multiple trapdoors used in a hybrid covert channel yield a higher entropy value and a low channel to entropy ratio (C/E). The constant C/E ratio also indicates the consistent usage of the protocol header for constructing a multi-trapdoor based hybrid covert channel. This implies that the covert schemes used in a Hybrid covert channel are difficult to detect in secured communication.
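An added example, not code from the paper: the entropy calculation and the H(X) < B_f check from this section, applied the way a detection engine could score the IP ID values of one flow. The Scheme 1 and Scheme 2 decoders follow the paper's worked examples; the function names, the thresholds and both sample flows are constructed assumptions.

```python
import math
from collections import Counter

# Header field widths named in the paper (bits).
FIELD_BITS = {"ip_id": 16, "tcp_seq": 32}


def shannon_entropy(symbols):
    """Shannon entropy in bits per symbol: H(X) = -sum(p_i * log2(p_i))."""
    n = len(symbols)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(symbols).values())


def bits_for_string(symbols):
    """Whole-string cost when every symbol is given ceil(H) bits."""
    return math.ceil(shannon_entropy(symbols)) * len(symbols)


def fits_field(symbols, field):
    """The paper's condition H(X) < B_f for the named header field."""
    return shannon_entropy(symbols) < FIELD_BITS[field]


def scheme1_decode(ip_id, n=256):
    """Scheme 1 as in the paper's worked example: (R - 1) mod n."""
    return (ip_id - 1) % n


def scheme2_decode(seq, n=256):
    """Scheme 2: divide the received sequence number by 2**32 / n."""
    return seq // (2 ** 32 // n)


def score_flow(ip_ids, n=256):
    """Summarise one flow's IP ID values from the detector's side."""
    if not ip_ids:
        raise ValueError("flow has no packets")
    residues = [scheme1_decode(v, n) for v in ip_ids]
    h = shannon_entropy(residues)
    # Entropy cannot exceed log2 of the sample size, so normalise by that
    # bound; otherwise short flows always look "low entropy".
    h_max = math.log2(min(len(residues), n)) if len(residues) > 1 else 1.0
    printable = sum(32 <= r < 127 for r in residues) / len(residues)
    decoded = "".join(chr(r) if 32 <= r < 127 else "." for r in residues)
    return {"entropy": h, "normalised": h / h_max,
            "printable": printable, "decoded": decoded}


def is_suspicious(ip_ids, min_packets=32, printable_min=0.95,
                  normalised_max=0.8):
    """Flag a flow whose decoded IP IDs look like repeated-symbol text.

    Thresholds are illustrative assumptions, not values from the paper.
    """
    if len(ip_ids) < min_packets:
        return False
    s = score_flow(ip_ids)
    return s["printable"] >= printable_min and s["normalised"] <= normalised_max


# Constructed sample: IP IDs whose Scheme 1 residues spell a text message.
COVERT_TEXT = "network covert channel over the ip id field constructed sample"
COVERT_FLOW = [256 * (100 + i) + ord(ch) + 1 for i, ch in enumerate(COVERT_TEXT)]

# Constructed sample: an ordinary per-packet IP ID counter.
BENIGN_FLOW = list(range(4000, 4000 + len(COVERT_TEXT)))

if __name__ == "__main__":
    # The paper reports 2.803 for "network"; the exact value is log2(7).
    print("H('network') =", round(shannon_entropy("network"), 3))
    print("bits for 'network' =", bits_for_string("network"))
    print("Scheme 1, IP ID 26702 ->", chr(scheme1_decode(26702)))
    print("Scheme 2, seq 1235037038 ->", chr(scheme2_decode(1235037038)))
    for name, flow in (("covert", COVERT_FLOW), ("benign", BENIGN_FLOW)):
        s = score_flow(flow)
        print(name, round(s["normalised"], 3), s["printable"],
              is_suspicious(flow))
```

A word of seven unique symbols such as "network" reaches the maximum entropy for its length, so the normalised score alone would not flag it; the printable-residue fraction is what separates a short text-bearing flow from a counter.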

7. RESULTS AND DISCUSSIONS

The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in that protocol, i.e.

where Tm is the max number of trapdoors possible in that protocol and Ts is the number of trapdoors set. The analysis of the trapdoor setting is performed on protocols like IPv4, TCP and IPSec, SSL/TLS. The trapdoor setting in the rudimentary network protocols like IPv4 and TCP is merely based on placing the covert data in any of its header fields. Table 1 shows the effect of varying the number of trapdoors in the IPv4 protocol.

Table 1: Multi-Trapdoor Analysis of IPv4

| Sl. No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Network Covert Channel-IPv4-Single | 4 | 1 | NIL | 0.25 | 2.803 | 0.089 |
| 2 | Network Covert Channel-IPv4-dual | 4 | 2 | NIL | 0.5 | 5.606 | 0.17 |
| 3 | Network Covert Channel-IPv4-triple | 4 | 3 | NIL | 0.75 | 11.21 | 0.358 |

The graph of Trapdoors vs the Covertness Index is shown in figure 9, where an increase in the number of trapdoors in IPv4 increases the difficulty in detecting the covert channel. The trapdoor setting in IPSec using a subliminal channel is slightly complex to understand. However, the ESP format provides two fields to convey the covert bits in the protocol header. The remaining data is sent over the ESP algorithm during the time of the key generation for encryption using the AES algorithm. The residual bits are used in random number generation or used in the round box of the AES, and this is depicted in row 2 of table 2. Hence the covertness index is 0.15 equation 2 which is 0.47. This will not change any further, as there is limited scope for subliminal channel development in the IPSec-ESP format.


Fig. 9: Entropy Vs Covertness Index in IPv4

Table 2: Multi-Trapdoor Analysis of Subliminal Channel in IPSec

| Sl. No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Subliminal Channel-IPSec ESP-1 | 2 | 1 | AES-XCBC-MAC | 0.15 | 2.803 | 0.14 |
| 2 | Subliminal Channel-IPSec ESP-2 | - | - | AES-XCBC-MAC | 0.47 | 4.78 | 0.35 |
| 3 | Subliminal Channel-IPSec ESP-3 | - | - | AES-XCBC-MAC | 0.47 | 5.21 | 0.35 |

The graph of Trapdoors vs the Covertness Index is shown in figure 10, where an increase in the number of trapdoors in IPSec ESP makes the covertness index constant. The trapdoors in a TCP based protocol are simple, and it provides seven fields for placing the covert data. Table 3 depicts the changing trapdoor that has an effect on the covertness index. When a larger number of trapdoors is involved, it is difficult to detect the composition of the covert channel. Figure 11 shows the change in the trapdoor count that has an effect on the detection. However, the changes in the covertness index can be minimal. The trapdoor setting in the subliminal channel in SSL/TLS is based on the algorithm used in its cipher suite. This is purely called a random oracle channel. However, to increase the complexity of the subliminal channel to thwart detection, the randomization of bits is feasible in a chosen prime number. This forms the Newton Subliminal Channel. The covertness index for such channels is discussed in table 4.

Fig. 10: Entropy Vs Covertness Index in IPSec based subliminal channel


Table 3: Multi-Trapdoor Analysis of Network covert channel in TCP

| Sl. No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Network Covert Channel-TCP-1 | 7 | 1 | NIL | 0.142 | 2.803 | 0.14 |
| 2 | Network Covert Channel-TCP-2 | 7 | 2 | NIL | 0.28 | 5.606 | 0.28 |
| 3 | Network Covert Channel-TCP-3 | 7 | 3 | NIL | 0.42 | 11.21 | 0.14 |

The graph of covertness index vs the trapdoor in the subliminal channel is shown in figure 12. The higher entropy value for some of the formations indicates that the detection engine [10] is able to detect the activity, and this gives a clear indication of the higher detection rates. A Hybrid Covert channel is not feasible for the combinations of the Network covert channel in TCP and IPv4, as this becomes an easily detectable combination.

Fig. 11: Entropy Vs Covertness Index in Covert Channel based on TCP

Table 4: Multi-Trapdoor Analysis of Subliminal Channel in SSL/TLS

| Sl. No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Subliminal Channel (Oracle)-SSL/TLS-1 | - | - | SSL Cipher Suite | 0.25 | 2.803 | 0.14 |
| 2 | Subliminal Channel (Oracle)-SSL/TLS-2 | - | - | SSL Cipher Suite | 0.58 | 3.67 | 0.35 |
| 3 | Subliminal Channel (Oracle)-SSL/TLS-3 | - | - | SSL Cipher Suite | 0.58 | 3.67 | 0.35 |


Fig. 12: Covertness Index for Subliminal Channel based on SSL/TLS

8. CONCLUSION

Covert schemes are difficult for a third party entity to understand, as they obscure the content taken in the protocol header. This provides an opportunity for embedding any data, which may even be malware code. Entropy based analysis gives the actual number of bits used to represent the covert symbol in a protocol. This gives a clear metric to understand the covert channel schemes in a better way. It is unacceptable to have malicious conversation on the network even in the presence of an administrator. It is an inference of this experiment that the hybrid covert channel has a high degree of entropy, which makes it difficult to detect. It is required to concentrate on a stronger detection principle to detect such events.

ACKNOWLEDGEMENT

Anjan Koundinya thanks Late Dr. V.K. Ananthashayana, Erstwhile Head, Department of Computer Science and Engineering, M.S. Ramaiah Institute of Technology, Bangalore, for igniting the passion for research.

REFERENCES

[1] Description of Detection Approaches at the URL http://gray-world.net/projects/papers/html/cctde.html, 2014. [Online; accessed 15-Feb-2015].

[2] Description of the Entropy calculation at the URL http://www.shannonentropy.netmark.pl [Online; accessed 16-Feb-201].

[3] Koundinya Anjan and Jibi Abraham. Behaviour analysis of transport layer based hybrid covert channel. In Third International Conference on Network Security and Application, pages 83-92, Chennai, India, 2010. Springer-Verlag LNCS series.

[4] Jibi Abraham, Anjan K, Srinath N K. Attack modelling and behavioral analysis of hybrid covert channel in secured communication. ACEEE International Journal of Network Security, 05(2):67-77, 2014.

[5] Bo Yuan, Chaim Sanders, Jacob Valletta. Employing Entropy in the Detection and Monitoring of Network Covert Channels. 2012.

[6] Rajarathnam Chandramouli and Koduvayur P. Subbalakshmi. Covert channel forensics on the internet: Issues, approaches and experiences. 5(1):41-50, July 2007.


[7] Anjan K Koundinya et al. Covertness analysis of subliminal channels in legitimate communication. In ADCONS 2011, pages 582-591. Springer-Verlag LNCS series, 2012.

[8] Jaideep Chandrashekar et al. Exploiting temporal persistence to detect covert botnet channels. In Proceedings of 12th International Symposium, RAID 2009, pages 326-345, Saint-Malo, France, September 2009.

[9] Loic Helou, Claude Jard and Marc Zeitoun. Covert channels detection in protocols using scenarios. SPV03, Volume 3, April 200

[10] Anjan K Koundinya and Jibi Abraham. Design of Transport Layer Based Hybrid Covert Channel Detection Engine, volume 1 of 4. International Journal of Ad hoc, Sensor and Ubiquitous Computing, 2010.

[11] B. W. Lampson. A Note on the Confinement Problem. Communication of the ACM, 1973.

[12] Enping Li and Scott Craver. A supraliminal channel in a wireless phone application. In Proceedings of the 11th ACM workshop on Multimedia and security, pages 718, Princeton, New Jersey, USA, 2009.

[13] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert timing channels: Design and detection. CCS 4, 2004.

[14] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert channel detection. ACM Transaction on Information and System Security, Volume 12 (Article 22), 2009.

[15] Gustavus J Simmons. The Subliminal Channel and Digital Signatures. Springer-Verlag, 1998.

[16] Steffen Wendzel. Protocol Channels. HAKIN9, 2009.

[17] Andreas Willig. A short introduction to queuing theory. Lecture notes at Technical University Berlin, 1999.

[18] Adam Young and Moti Yung. Malicious Cryptography, First edition. Wiley Publishing, Feb, pages 220-240, 2004.

AUTHOR'S

Anjan K has received his B.E degree from Visveswariah Technological University, Belgaum, India in 2007 and his master degree from the Department of Computer Science and Engineering, M.S. Ramaiah Institute of Technology, Bangalore, India. He has been awarded Best Performer PG 2010 for his academic excellence. His areas of research include Network Security and Cryptography, Agile Software Engineering. He is pursuing a PhD in Computer Science and Engineering from VTU, Belgaum. He is currently working as Assistant Professor in the Dept. of Computer Science and Engineering, R V College of Engineering, Bengaluru, India.

Srinath N K has his M.E degree in Systems Engineering and Operations Research from Roorkee University in 1986 and PhD degree from Avinash Lingum University, India in 2009. His areas of research interest include Operations Research, Parallel and Distributed Computing, DBMS, Microprocessor. He is working as Professor and Dean PG, Dept. of Computer Science and Engineering, R V College of Engineering.

Jibi Abraham has received her M.S degree in Software Systems from BITS, Rajasthan, India in 199 and PhD degree from Visveswariah Technological University, Belgaum, India in 2008 in the area of Network Security. Her areas of research interest include Network routing algorithms, Cryptography, Network Security of Wireless Sensor Networks and Algorithms Design. She is working as Professor and Head in the Dept. of CEIT, College of Engineering, Pune.

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 515

International Journal of Net

bull Hybrid Covert Chan

covert channels existi

covert channel is diff

Mixed composition o

channel and is of ainstance noisy covert

network layer or appli

4ATTACK MODELLING

The attack modelling [4] can be

nel [4] is co-existence of two or more different variants of
ng at same instance of time. The composition of the Hybrid
icult to assess from third party which is trying to detect
covert channel variants behave as single coherent covert
reatest threat to the legitimate network environment. For
channel in transport layer with subliminal channel in
ation layer.

based on different scenarios and placement covert users. Each of these scenarios are designed and built to fulfil certain objectives. Covert users can communicate in direct or encoded format. Direct communication is merely placement of covert data over an clandestine medium in the network protocol. Alternatively the covert user can communicate using encoding scheme and that is known only to the covert users.

The intricate design choosing of clandestine mediums (trapdoors) and encoding scheme paves a way for successful undetectable establishment of covert channel. Detecting such strong covert mediums may be difficult and hence detection metric called covertness index is used. The metric is given below and will be used for assessment in the attack scenarios.

This important formation scenarios of covert channels where attack can be devised is given below.

4.1 Scenario - 1

The attack scenarios have three entities - Alice, Bob and Eve. Alice and Bob are covert attackers and Eve is legitimate entity/user. The scenario comprises of the combination of covert and legitimate users, hence it is scenario of noisy covert channel. The channel established between Bob and Eve is legitimate channel comprising of covert channel and between Alice and Eve is covert channel. Alice and Bob have pre-established channel to communicate the attack information and is mentioned in dotted lines in the figure 5.

While Eve is communicating with Bob over legitimate channel, Alice would extract information over the covert channel. Once when the communication between Bob and Eve is over, Alice would also stop communication with Bob. Further Alice and Eve can share the information snatched from Bob's machine. The covert channel implemented between Alice and Bob can have strong trapdoor so as to thwart the detection methods. Such trapdoors can be designed using Hybrid covert channel. Such possible composition can be Subliminal channel in the IPSec and Network Covert Channel in the IP, both at network layer.

Fig. 5: Noise Covert Channel

This combination will prove effective in hop-to-hop routing and can avoid any detections.

The covertness index for Network Covert Channel in Network Layer (IPv4) -

where (T) = Probability of a trapdoor, card(Ut) = Universal set of all possible trapdoors

The covertness index for subliminal channel in IPSec - ESP format

IPSec make use of AES-XCBC-MAC cipher suite and ESP format allow two trapdoors implantation - Sequence Number field and padding. The maximum number of rounds in AES random number generator algorithm is 16. Out of which 5 rounds are used for generating the seed.

As per [7] the trapdoors can be detected under the assumption stated in the hybrid covert channel formation. However this will not be the same if multiple trapdoors are set in each of the protocol headers.

4.2 Scenario-2

This scenario is built on the threat model of noiseless covert channel where the resources and users in sub-network are compromised. This sub-network is connected to other network. The communication from the sub network to all the other networks is built using a Hybrid Covert Channel. This sub network can be similar to bot-net as described in [8].

Fig. 6: Noiseless Covert Channel with Hybrid Covert Channel

The scenario can have multi-trapdoor or protocol hopped hybrid covert channel [16]. The trapdoor can move from one protocol to another protocol during the hop-to-hop communication or can be combination trapdoors in multiple level in the protocol suite. Hence there can be no particular index.

5. COVERT SCHEMES AND THEIR EMBODIMENT

The covert schemes are crucial for conveying the covert data over communication channel in a obscured way. More sophisticated scheme likely not to be retrieved by detection entity. Few samples of covert schemes were discussed in section 2 of this paper and detailed schemes are presented here.

Scheme 1

The IP ID is field used for identification of the packet and is used for the routing purpose. The covert scheme used for this field is based on following strategy -

• Intentional use of only certain IP IDs while having conversation with Covert receiver
• Scheme is designed by the covert sender for embedding covert characters into the IP ID field
• The Covert receiver applies the scheme used by the sender to retrieve the covert character

For instance a simple scheme that can be used for this field is extracting the IP ID is by performing modulus operation of the character set size. General notation for this scheme for encoding a character 'c' is

Here R is the IP ID value and n is the size of the character set used by the encoding function. For an ASCII character set n = 256.

Example: If IP ID = 26702 and the character to be sent is 'M', then the encoding function gives (26702 − 1) mod 256 = 'M'.

To convey a covert message the covert sender has to select the IP ID in such a way as to match with the encoding function.

Scheme 2

Another prominent scheme used is on the sequence number, where the maximum range is 4294967296 numbers as it is a 32 bit field. To communicate covertly under this scheme the following strategy is employed -

• Sequence number is multiplied with value of character set and bound is declared with maximum limit
• The receiver side retrieves the sequence number and then divides it by character set size

The encoding function is given below -

Where S is the initial sequence number and n is the size of the character set. The decoding function is given below -

Where the primed symbols are the decoded character and the received sequence number.

For instance, to send a character 'I' covertly over the channel the sender would have to choose 1235037038 as sequence number, and the max value is derived as 65535 × 256 = 16777216. Therefore the decoded character is 1235037038 / 16777216 = 73. The value 73 when mapped back to the ASCII table is the character 'I'.

Scheme 3

Another scheme which has tremendous effect on the bandwidth is the modulation of TCP timestamps or use of timing element in the network protocol. TCP timestamps is in the options field of the TCP header which indicates the round trip time of the packets. The TCP process accurately calculates the next retransmission of TCP segment which was failed to be acknowledged. If the character is to be covertly sent using this scheme following strategy is used:

• Get the binary representation of the character and extract bits from the least significant bit
• Check if the Timestamp least significant bit (LSB) is same as covert bit, if so send the TCP segment
• Covert receiver will extract the LSB of the timestamp and store the same until it is a byte

Let $B_c$ be the binary representation of the character 'c' and $F_{LSB}(B_c)$ be the encoding function for encoding the covert bits in TCP timestamp.

6. ENTROPY BASED COVERT CHANNEL ANALYSIS

The entropy [2] in a communication network indicates the number of bits required to encode a character over the channel, as stated by Shannon entropy theory. This is based on the frequency of the characters in the given string and the size of the alphabet. The entropy measure also checks for uncertainty of the random variable.

Let A be a finite set of characters such that $|A| \ge 1$, and any character $\in A$ is a sequence of symbols which is a string, each of alphabet in string $\in A$. For instance, let cbbacabbac be the sequence of symbols that needs to be transmitted over the network; then its sequence of bits represents the coded symbol sequence, which may be 101110011011100010. Then the entropy for such a scenario is defined as -

where $i \in |A|$ and $|A| > 1$, $p_i$ is the probability of the occurrence of symbol 'c' in the string and n gives the length of the string. To transmit a message "network" over the communication network, following are the calculated entropy for each alphabet -

The frequency of all the characters in a string with unique symbols will be the same; since the word "network" has unique symbols, the frequency is 0.143. Let X be the string for which the entropy is to be calculated (here X may be a word like network or a stream of numbers), then

$H(X) = [(0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143)]$

$H(X) = 2.803$

It requires 3 bits to represent each symbol in the given string and 21 bits are required to represent the entire string. Further, the appropriate line coding technique has to be chosen to represent them in the transmission line. So in general the entropy of X where each alphabet is a unique symbol is

In a covert channel scenario the covert user has to choose the message in such a way that the entropy of the string should always be less than the number of bits available for that field in the protocol header,

i.e. $H(X) < |\text{Maximum number of bits in that field } (B_f)|$
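An analyst-side check for the schemes and the entropy measure described above, as an added example that is not code from the paper: it decodes observed IP ID and TCP sequence values with the Scheme 1 and Scheme 2 decoders and scores the result with Shannon entropy. The sample header values, the printable-ratio threshold and all function names are assumptions constructed for illustration.

```python
import math
from collections import Counter

CHARSET_SIZE = 256     # n in the paper: size of the ASCII character set
SEQ_BOUND = 16777216   # "max value" quoted in the paper's Scheme 2 example
PRINTABLE_FLAG = 0.9   # assumption: share of printable bytes that raises a flag
MIN_SYMBOLS = 3        # assumption: ignore flows too short to judge

# Constructed sample header values (not captured traffic).
COVERT_IP_IDS = [26735, 3174, 51317, 14712, 38512, 8563, 61548]
BASELINE_IP_IDS = [4096, 4097, 4098, 4099, 4100, 4101, 4102]  # plain counter
SEQ_SAMPLE = [1235037038, 1140854930, 1392509027]


def shannon_entropy(symbols):
    """Shannon entropy, in bits per symbol, of the observed symbol frequencies."""
    total = len(symbols)
    if total == 0:
        return 0.0
    counts = Counter(symbols)
    # p * log2(1/p) keeps every term non-negative, so one repeated symbol gives 0.0
    return sum((c / total) * math.log2(total / c) for c in counts.values())


def decode_ip_id(ip_id, n=CHARSET_SIZE):
    """Scheme 1 as in the paper's worked example: (R - 1) mod n."""
    return (ip_id - 1) % n


def decode_seq(seq, bound=SEQ_BOUND):
    """Scheme 2: the received sequence number divided by the bound."""
    return seq // bound


def is_printable(value):
    """True for printable ASCII codes (space through tilde)."""
    return 32 <= value < 127


def assess_field(values, decoder, field_bits):
    """Decode one header field across a flow and score the candidate message."""
    decoded = [decoder(v) for v in values]
    entropy = shannon_entropy(decoded)
    # Whole bits needed per symbol, as in the paper's 3 bits x 7 symbols = 21 bits
    bits_per_symbol = max(1, math.ceil(entropy))
    ratio = sum(map(is_printable, decoded)) / len(decoded) if decoded else 0.0
    return {
        "text": "".join(chr(d) if is_printable(d) else "." for d in decoded),
        "entropy": entropy,
        "bits_per_symbol": bits_per_symbol,
        "total_bits": bits_per_symbol * len(decoded),
        # The paper's condition: H(X) below the number of bits in the field
        "fits_field": entropy < field_bits,
        "printable_ratio": ratio,
        # Heuristic (assumption): readable text out of a header field is suspicious
        "flagged": len(decoded) >= MIN_SYMBOLS and ratio >= PRINTABLE_FLAG,
    }


if __name__ == "__main__":
    flows = [
        ("IP ID, constructed covert flow", COVERT_IP_IDS, decode_ip_id, 16),
        ("IP ID, constructed baseline", BASELINE_IP_IDS, decode_ip_id, 16),
        ("TCP sequence, constructed flow", SEQ_SAMPLE, decode_seq, 32),
    ]
    for name, values, decoder, bits in flows:
        print(name, assess_field(values, decoder, bits))
```

Both IP ID flows have the same entropy because each holds seven distinct values; it is the decoded content that separates them, which is why the check needs knowledge of the scheme as well as the entropy figure.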

The IP ID presented in the scheme 1 of this paper has 16 bits in the IP header, so to send X the minimum of 21 bits are required. Hence capacity of the covert channel is

The covert channel occupies 25% of total IP header space. Multiple trapdoors (t) [5] [4] in IP header or protocol header simply doubles the covert channel capacity. However the entropy to channel capacity ratio will be low thus making it robust, i.e.

This makes the detection of covert bits much difficult as the detection systems needs to scan more fields for analysis.

In general

for robust covert channel construction where [7] the covertness index for such multi-trapdoor covert channel will be greater than 0.5. The multiple trapdoors through a protocol or set of protocols is actually setting up of multiple covert channels in the communication network. The entropy for such scenarios is dispersed across multiple making it difficult to understand the scheme. Also in the scenario of multi-trapdoors covert channel behaves like a single coherent hybrid covert channel where the effect of the entropy is doubled. The below results shown in the figure 7 and figure 8 shows the accurate expected behaviour discussed in this paper -

Fig. 7: IP Entropy analysis

Fig. 8: TCP Entropy Analysis

The results indicate that the multiple trapdoors used in a hybrid covert channel yield a higher entropy value and a low channel to entropy ratio (C/E). The constant C/E ratio also indicates the consistent usage of the protocol header for constructing a multi-trapdoor based hybrid covert channel. This implies that the covert schemes used in a Hybrid covert channel are difficult to detect in secured communication.

7. RESULTS AND DISCUSSIONS

The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in that protocol, i.e.

where Tm is the max number of trapdoors possible in that protocol, Ts is the no. of Trapdoors set.

The analysis of the trapdoor setting is performed on protocols like IPv4, TCP and IPSec, SSL/TLS. The trapdoor setting in the rudimentary network protocols like the IPv4 and TCP is merely based on placing the covert data in any of its header fields. The table 1 shows the effect of varying the number of trapdoors in the IPv4 protocol.

Table 1: Multi-Trapdoor Analysis of IPv4

Sl. No. | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E
1 | Network Covert Channel-IPv4-Single | 4 | 1 | NIL | 0.25 | 2.803 | 0.089
2 | Network Covert Channel-IPv4-dual | 4 | 2 | NIL | 0.5 | 5.606 | 0.17
3 | Network Covert Channel-IPv4-triple | 4 | 3 | NIL | 0.75 | 11.21 | 0.358

The graph of Trapdoors Vs the Covertness Index is shown in the figure 9, where an increase in the number of the trapdoors in IPv4 increases the difficulty in detecting the covert channel. The trapdoor setting in IPSec using subliminal channel is slightly complex to understand. However the ESP format provides two fields to convey the covert bits in the protocol header. The remaining data is sent over the ESP algorithm during the time of the key generation for encryption using the AES algorithm. The residual bits are used in random number generation or used in the round box of the AES, and this is depicted on row 2 of the table 2. Hence the covertness index is 0.15 equation 2 which is 0.47. This will not change any further as there is limited scope for subliminal channel development in IPSec - ESP format.

Fig. 9: Entropy Vs Covertness Index in IPv4

Table 2: Multi-Trapdoor Analysis of Subliminal Channel in IPSec

Sl. No. | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E
1 | Subliminal Channel-IPSecESP-1 | 2 | 1 | AES-XCBC-MAC | 0.15 | 2.803 | 0.14
2 | Subliminal Channel-IPSecESP-2 | - | - | AES-XCBC-MAC | 0.47 | 4.78 | 0.35
3 | Subliminal Channel-IPSecESP-3 | - | - | AES-XCBC-MAC | 0.47 | 5.21 | 0.35

The graph of Trapdoors Vs the Covertness Index is show in the figure 10 where increase in the number of the trapdoors in IPSec ESP makes covertness index constant. The trapdoors in TCP based protocol is simple and provides seven fields for placing the covert data. The table 3 depicts the changing trapdoor that has an effect on the covertness index. When more number of the trapdoors are involved it is difficult to detect the composition of the covert channel. The figure 11 shows change in the trapdoor count that has an effect in the detection. However the changes in the covertness index can be minimal. The trapdoor setting in the subliminal channel in SSL/TLS is based on the algorithm used in its cipher suite. This is purely called as random oracle channel. However to increase the complexity of the subliminal to thwart detection the randomization of bits is feasible in chosen prime number. This forms Newton Subliminal Channel. The covertness index for such channels is discussed in the table 4.

Fig. 10: Entropy Vs Covertness Index in IPSec based subliminal channel

Table 3: Multi-Trapdoor Analysis of Network covert channel in TCP

Sl. No. | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E
1 | Network Covert Channel-TCP-1 | 7 | 1 | NIL | 0.142 | 2.803 | 0.14
2 | Network Covert Channel-TCP-2 | 7 | 2 | NIL | 0.28 | 5.606 | 0.28
3 | Network Covert Channel-TCP-3 | 7 | 3 | NIL | 0.42 | 11.21 | 0.14

The graph of covertness index Vs the trapdoor in the subliminal channel is shown in the figure 12. The higher entropy value for the some of the formation indicates that the detection engine [10] is able to detect the activity and this give clear indication of the higher detection rates. Hybrid Covert channel is not feasible for the combinations of the Network covert channel in TCP and IPv4 as this become easily detectable combination.

Fig. 11: Entropy Vs Covertness Index in Covert Channel based on TCP

Table 4: Multi-Trapdoor Analysis of Subliminal Channel in SSL/TLS

Sl. No. | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E
1 | Subliminal Channel (Oracle)-SSL/TLS-1 | - | - | SSL Cipher Suite | 0.25 | 2.803 | 0.14
2 | Subliminal Channel (Oracle)-SSL/TLS-2 | - | - | SSL Cipher Suite | 0.58 | 3.67 | 0.35
3 | Subliminal Channel (Oracle)-SSL/TLS-3 | - | - | SSL Cipher Suite | 0.58 | 3.67 | 0.35

Fig. 12: Covertness Index for Subliminal Channel based on SSL/TLS

8. CONCLUSION

Covert schemes are difficult to understand from a third party entity as they obscure the content taken in the protocol header. This provides an opportunity for embedding any data, which may even be malware code. Entropy based analysis gives the actual number of bits used to represent the covert symbol in a protocol. This gives a clear metric to understand the covert channel schemes in a better way. It is unacceptable to have malicious conversation of the network even in presence of the administrator. It is an inference of this experiment that the hybrid covert channel has a high degree of entropy, which makes it difficult to detect. It is required to concentrate on stronger detection principles to detect such events.

ACKNOWLEDGEMENT

Anjan Koundinya thanks Late Dr. V.K. Ananthashayana, Erstwhile Head, Department of Computer Science and Engineering, M.S. Ramaiah Institute of Technology, Bangalore, for igniting the passion for research.

REFERENCES

[1] Description of Detection Approaches at the URL http://gray-world.net/projects/papers/html/cctde.html, 2014. [Online; accessed 15-Feb-2015]
[2] Description of the Entropy calculation at the URL http://www.shannonentropy.netmark.pl [Online; accessed 16-Feb-2015]
[3] Koundinya Anjan and Jibi Abraham. Behaviour analysis of transport layer based hybrid covert channel. In Third International Conference on Network Security and Applications, pages 83-92, Chennai, India, 2010. Springer-Verlag LNCS series.
[4] Jibi Abraham, Anjan K, Srinath N K. Attack modelling and behavioral analysis of hybrid covert channel in secured communication. ACEEE International Journal of Network Security, 05(2):67-77, 2014.
[5] Bo Yuan, Chaim Sanders, Jacob Valletta. Employing Entropy in the Detection and Monitoring of Network Covert Channels. 2012.
[6] Rajarathnam Chandramouli and Koduvayur P. Subbalakshmi. Covert channel forensics on the internet: Issues, approaches, and experiences. 5(1):41-50, July 2007.

[7] Anjan K Koundinya et al. Covertness analysis of subliminal channels in legitimate communication. In ADCONS 2011, pages 582-591. Springer-Verlag LNCS series, 2012.
[8] Jaideep Chandrashekar et al. Exploiting temporal persistence to detect covert botnet channels. In Proceedings of 12th International Symposium, RAID 2009, pages 326-345, Saint-Malo, France, September 2009.
[9] Loic Helou, Claude Jard and Marc Zeitoun. Covert channels detection in protocols using scenarios. SPV'03, Volume 3, April 2003.
[10] Anjan K Koundinya and Jibi Abraham. Design of Transport Layer Based Hybrid Covert Channel Detection Engine. Volume 1 of 4, International Journal of Ad hoc, Sensor and Ubiquitous Computing, 2010.
[11] B. W. Lampson. A Note on the Confinement Problem. Communication of the ACM, 1973.
[12] Enping Li and Scott Craver. A supraliminal channel in a wireless phone application. In Proceedings of the 11th ACM workshop on Multimedia and security, pages 7-18, Princeton, New Jersey, USA, 2009.
[13] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert timing channels: Design and detection. CCS'04, 2004.
[14] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert channel detection. ACM Transaction on Information and System Security, Volume 12 (Article 22), 2009.
[15] Gustavus J. Simmons. The Subliminal Channel and Digital Signatures. Springer-Verlag, 1998.
[16] Steffen Wendzel. Protocol Channels. HAKIN9, 2009.
[17] Andreas Willig. A short introduction to queuing theory. Lecture notes at Technical University Berlin, 1999.
[18] Adam Young and Moti Yung. Malicious Cryptography. First edition, Wiley Publishing, Feb, pages 220-240, 2004.

AUTHOR'S

Anjan K has received his B.E degree from Visveswariah Technological University, Belgaum, India in 2007 and his master degree from Department of Computer Science and Engineering, M.S. Ramaiah Institute of Technology, Bangalore, India. He has been awarded Best Performer PG 2010 for his academic excellence. His areas of research includes Network Security and Cryptography, Agile Software Engineering. He is pursuing PhD in Computer Science and Engineering from VTU, Belgaum. He is currently working as Assistant Professor in Dept. of Computer Science and Engineering, R V College of Engineering, Bengaluru, India.

Srinath N K has his M.E degree in Systems Engineering and Operations Research from Roorkee University in 1986 and PhD degree from Avinash Lingum University, India in 2009. His areas of research interests include Operations Research, Parallel and Distributed Computing, DBMS, Microprocessor. He is working as Professor and Dean, PG, Dept. of Computer Science and Engineering, R V College of Engineering.

Jibi Abraham has received her M.S degree in Software Systems from BITS, Rajasthan, India in 199… and PhD degree from Visveswariah Technological University, Belgaum, India in 2008 in the area of Network Security. Her areas of research interests include Network routing algorithms, Cryptography, Network Security of Wireless Sensor Networks and Algorithms Design. She is working as Professor and Head in Dept. of CEIT, College of Engineering, Pune.

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 615

International Journal of Net

This combination will prove e

The covertness index for Net

where

(Ut) =

The covertness index for sublimi

IPSec make use of AES-XCimplantation - Sequence Numb

random number generator algor

seed

As per [7] the trapdoors can beformation However this will noheaders

ork Security amp Its Applications (IJNSA) Vol7 No3 M

Fig5 Noise Covert Channel

ffective in hop-to-hop routing and can avoid an

ork Covert Channel in Network Layer (IPv4)-

(T) = Probability ofa trapdoor card

niversal set of all possibletrapdoors

nal channel in IPSec - ESP format

C-MAC cipher suite and ESP format allow tr field and padding The maximum number of ro

ithm is 16 Out of which 5 rounds are used for g

etected under the assumption stated in the hybrid ct be the same if multiple trapdoors are set in each o

ay 2015

44

detections

o trapdoorsunds in AES

enerating the

overt channelf the protocol

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 715

International Journal of Net

42 Scenario-2

This scenario is built on the thrusers in sub-network are comp

communication from the sub nChannel This sub network can b

Fig6 Noisel

The scenario can have multi-t

trapdoor can move from one pro

or can be combination trapdoor

particular index

5COVERT SCHEMES AND

The covert schemes are crucialobscured way More sophistica

samples of covert schemes wer

presented here

Scheme 1

The IP ID is field used for iden

covert scheme used for this field

bull Intentional use of only c

bull Scheme is designed by tfield

bull

The Covert receiver acharacter

For instance a simple scheme

performing modulus operation

encoding a character lsquocrsquo is

ork Security amp Its Applications (IJNSA) Vol7 No3 M

eat model of noiseless covert channel where theomised This sub-network is connected to other

twork to all the other networks is built using ae similar to bot-net as described in [8]

ess Covert Channel with Hybrid Covert Channel

rapdoor or protocol hopped hybrid covert chan

tocol to another protocol during the hop-to-hop cos in multiple level in the protocol suite Hence th

THEIR EMBODIMENT

for conveying the covert data over communicationed scheme likely not to be retrieved by detectio

discussed in section 2 of this paper and detailed

tification of the packet and is used for the routing

is based on following strategy-

rtain IP IDs while having conversation with Cover

he covert sender for embedding covert characters i

plies the scheme used by the sender to retrie

that can be used for this field is extracting the

of the character set size General notation for thi

ay 2015

45

esources andetwork The

ybrid Covert

el [16] The

municationre can be no

channel in aentity Few

schemes are

purpose The

t receiver

to the IP ID

e the covert

IP ID is by

s scheme for

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 815

International Journal of Network Security amp Its Applications (IJNSA) Vol7 No3 May 2015

46

Where 983080983081 is the encoding function R is the IP ID value and n is the size of the character setFor an ASCII character set n = 256

Example If IP ID = 26702 and if the character to be sent is `M Then 983080983081 983101 983090983094983095983088983090 minus

983089 983090983093983094 = `M

To convey a covert message the covert sender has select IP ID in such a way as to match with

983080983081

Scheme 2

Another prominent scheme used is on the sequence number where maximum range is4294967296 numbers as it is 32 bit field To communicate covertly under this scheme following

strategy is employed-

bull

Sequence number is multiplied with value of character set and bound is declared withmaximum limit

bull The receiver side retrieves the sequence number and then divides it by character set size

The encoding function 983080983081 is given below-

Where S is the initial sequence number and n is the size of the character set The decoding

function is 983080991257983081 is given below ndash

Where 991257 is the decoded character and 991257 is the received sequence number

For instance to send a character I covertly over the channel the sender would have to choose

1235037038 as sequence number and the max value is derived as 65535 256 = 16777216

Therefore the decoded character is 983080991257983081 = 1235037038=16777216 = 73 The value 73 when

mapped back to ASCII Table is the character `I

Scheme 3

Another scheme which has tremendous effect on the bandwidth is the modulation of TCP

timestamps or use of timing element in the network protocol TCP timestamps is in the optionsfield of the TCP header which indicates the round trip time of the packets The TCP processaccurately calculates the next retransmission of TCP segment which was failed to beacknowledged If the character is to be covertly sent using this scheme following strategy is used

bull Get the binary representation of the character and extract bits from the least significant

bit

bull Check if the Timestamp least significant bit (LSB) is same as covert bit if so send the

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 915

International Journal of Network Security amp Its Applications (IJNSA) Vol7 No3 May 2015

47

TCP segment

bull Covert receiver will extract the LSB of the timestamp and store the same until it is a byte

Let be the binary representation of the character `c and FLSB(Bc) be the encoding function for

encoding the covert bits in TCP timestamp

6ENTROPY BASED COVERT CHANNEL ANALYSIS

The entropy [2] in communication network indicates the number of bits required to encode a

character over the channel as stated by Shannon Entropy theory This is based on the frequency of

the characters in given string and the size of the alphabet The entropy measure also checks foruncertainty of the random variable

Let A be finite set of characters such that 983164983164 ge 983089 and any character983136991257 isin A is sequence of

symbols which is a string each of alphabet in string isin A For instance let cbbacabbac besequence of symbols that needs to be transmitted over network then its sequence of bits represents

the coded symbol sequence which may be 101110011011100010 Then the entropy for suchscenario is defined as ndash

where isin 983164983164 and 983164983164 983102 983089 pi is the probability of the occurrence of symbol lsquocrsquo in the string and ngives the length of the string To transmit a message ldquonetworkrdquo over the communication

network following are the calculated entropy for each alphabet ndash

The frequency of all the characters in a string with unique symbols will be same since the word

ldquonetworkrdquo has unique symbols the frequency is 0143 Let X be string for which the entropy is to

be calculated here X may word like network or stream of numbers then

H(X)=[(0143log20143) + (0143log20143) + (0143log20143) +(0143log20143) + (01

43log20143) + (0143log20143) + (0143log20143)]

H(X)=2803

It requires 3 bits to represent each symbol in the given string and 21 bits are required to representthe entire string Further the appropriate line coding technique has to be chosen to represent themin the transmission line So in general entropy of X where each alphabet is a unique symbol is

In a covert channel scenario the covert user has to be chosen the message in such a way that theentropy of string should always be less that number of bits available for that field in the protocol

header

ieH(X)lt|Maximumnumberof bitsinthatf ield(Bf )|

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1015

International Journal of Net

The IP ID presented in the sc

X the minimum of 21 bits are

The covert channel occupies 25

header or protocol header simplchannel capacity ratio will be lo

This makes the detection of covefields for analysis

In general

for robust covert channel constcovert channel will be greater

protocols is actually setting upentropy for such scenarios isscheme Also in the scenario o

hybrid covert channel where the

figure 7 and figure 8 shows the a

ork Security amp Its Applications (IJNSA) Vol7 No3 M

eme 1 of this paper has 16 bits in the IP heade

required Hence capacity of the covert channel i

of total IP header space Multiple trapdoors (t)

y doubles the covert channel capacity However tthus making it robust ie

rt bits much difficult as the detection systems needs

uction where [7]the covertness index for suchthan 05 The multiple trapdoors through a proto

f multiple covert channels in the communicationispersed across multiple making it difficult to umulti-trapdoors covert channel behaves like a si

effect of the entropy is doubled The below results

ccurate expected behaviour discussed in this paper -

Fig7 IP Entropy analysis

Fig8 TCP Entropy Analysis

ay 2015

48

r so to send

is

[5] [4] in IP

he entropy to

to scan more

ulti-trapdoorcol or set of

network Thederstand thegle coherent

shown in the

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1115

International Journal of Network Security amp Its Applications (IJNSA) Vol7 No3 May 2015

49

The results indicate that the multiple trapdoors used in hybrid covert channel yield a higher entropy value and low channel to entropy ratio (C/E). The constant C/E ratio also indicates the consistent usage of protocol header for constructing multi-trapdoor based hybrid covert channel. This implies that the covert schemes used in Hybrid covert channel are difficult to detect in secured communication.

7. RESULTS AND DISCUSSIONS

The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in that protocol, i.e.

where Tm is the max number of trapdoors possible in that protocol, Ts is the no. of trapdoors set.

The analysis of the trapdoor setting is performed on protocols like IPv4, TCP and IPSec, SSL/TLS. The trapdoor setting in the rudimentary network protocols like the IPv4 and TCP is merely based on placing the covert data in any of its header fields. The table 1 shows effect of varying the number of trapdoors in IPv4 protocol.

Table 1: Multi-Trapdoor Analysis of IPv4

Sl.No | Trapdoor Name | No. of Trapdoors | No. of Trapdoor | Algorithm | Covertness Index | Entropy | C/E
1 | Network Covert Channel-IPv4-Single | 4 | 1 | NIL | 0.25 | 2.803 | 0.089
2 | Network Covert Channel-IPv4-dual | 4 | 2 | NIL | 0.5 | 5.606 | 0.17
3 | Network Covert Channel-IPv4-triple | 4 | 3 | NIL | 0.75 | 1121 | 0.358

The graph of Trapdoors Vs the Covertness Index is shown in the figure 9, where increase in the number of the trapdoors in IPv4 increases the difficulty in detecting the covert channel. The trapdoor setting in IPSec using subliminal channel is slightly complex to understand. However the ESP format provides two fields to convey the covert bits in the protocol header. The remaining data is sent over the ESP algorithm during the time of the key generation for encryption using AES algorithm. The residual bits are used in random number generation or used in the round box of the AES and this is depicted on row 2 of the table 2. Hence the covertness index is 0.15 equation 2 which is 0.47. This will not change any further as there is limited scope for subliminal channel development in IPSec-ESP format.

Fig. 9 Entropy Vs Covertness Index in IPv4

Table 2: Multi-Trapdoor Analysis of Subliminal Channel in IPSec

Sl.No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E
1 | Subliminal Channel-IPSec ESP-1 | 2 | 1 | AES-XCBC-MAC | 0.15 | 2.803 | 0.14
2 | Subliminal Channel-IPSec ESP-2 | - | - | AES-XCBC-MAC | 0.47 | 478 | 0.35
3 | Subliminal Channel-IPSec ESP-3 | - | - | AES-XCBC-MAC | 0.47 | 521 | 0.35

The graph of Trapdoors Vs the Covertness Index is shown in the figure 10, where increase in the number of the trapdoors in IPSec ESP makes covertness index constant. The trapdoors in TCP based protocol is simple and provides seven fields for placing the covert data. The table 3 depicts the changing trapdoor that has an effect on the covertness index. When more number of the trapdoors are involved it is difficult to detect the composition of the covert channel. The figure 11 shows change in the trapdoor count that has an effect in the detection. However the changes in the covertness index can be minimal. The trapdoor setting in the subliminal channel in SSL/TLS is based on the algorithm used in its cipher suite. This is purely called as random oracle channel. However to increase the complexity of the subliminal to thwart detection, the randomization of bits is feasible in chosen prime number. This forms Newton Subliminal Channel. The covertness index for such channels is discussed in the table 4.

Fig. 10 Entropy Vs Covertness Index in IPSec based subliminal channel

Table 3: Multi-Trapdoor Analysis of Network covert channel in TCP

Sl.No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E
1 | Network Covert Channel-TCP-1 | 7 | 1 | NIL | 0.142 | 2.803 | 0.14
2 | Network Covert Channel-TCP-2 | 7 | 2 | NIL | 0.28 | 5.606 | 0.28
3 | Network Covert Channel-TCP-3 | 7 | 3 | NIL | 0.42 | 1121 | 0.14

The graph of covertness index vs the trapdoor in the subliminal channel is shown in the figure 12. The higher entropy value for the some of the formation indicates that the detection engine [10] is able to detect the activity and this give clear indication of the higher detection rates. Hybrid Covert channel is not feasible for the combinations of the Network covert channel in TCP and IPv4 as this become easily detectable combination.

Fig. 11 Entropy Vs Covertness Index in Covert Channel based on TCP

Table 4: Multi-Trapdoor Analysis of Subliminal Channel in SSL/TLS

Sl.No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E
1 | Subliminal Channel (Oracle)-SSL/TLS-1 | - | - | SSL CipherSuite | 0.25 | 2.803 | 0.14
2 | Subliminal Channel (Oracle)-SSL/TLS-2 | - | - | SSL CipherSuite | 0.58 | 367 | 0.35
3 | Subliminal Channel (Oracle)-SSL/TLS-3 | - | - | SSL CipherSuite | 0.58 | 367 | 0.35

Fig. 12 Covertness Index for Subliminal Channel based on SSL/TLS

8. CONCLUSION

Covert schemes are difficult to understand from third party entity as they obscure the content taken in protocol header. This provides an opportunity for embedding any data which may even be malware code. Entropy based analysis gives the actual number of bits used to represent the covert symbol in a protocol. This gives clearly metric to understand the covert channel schemes in a better way. It is unacceptable to have malicious conversation of the network even in presence of administrator. It is the inference of this experiment that the hybrid covert channel has high degree of entropy which makes it difficult to detect. It is required to concentrate on stronger detection principle to detect such events.

ACKNOWLEDGEMENT

Anjan Koundinya thanks Late Dr. V.K. Ananthashayana, Erstwhile Head, Department of Computer Science and Engineering, M.S. Ramaiah Institute of Technology, Bangalore, for igniting the passion for research.

REFERENCES

[1] Description of Detection Approaches at the URL http://gray-world.net/projects/papers/html/cctde.html, 2014. [Online; accessed 15-Feb-2015]
[2] Description of the Entropy calculation at the URL http://www.shannonentropy.netmark.pl. [Online; accessed 16-Feb-201]
[3] Koundinya Anjan and Jibi Abraham. Behaviour analysis of transport layer based hybrid covert channel. In Third International Conference on Network Security and Application, pages 83-92, Chennai, India, 2010. Springer-Verlag LNCS series.
[4] Jibi Abraham, Anjan K, Srinath N K. Attack modelling and behavioral analysis of hybrid covert channel in secured communication. ACEEE International Journal of Network Security, 05(2):67-77, 2014.
[5] Bo Yuan, Chaim Sanders, Jacob Valletta. Employing Entropy in the Detection and Monitoring of Network Covert Channels. 2012.
[6] Rajarathnam Chandramouli and Koduvayur P. Subbalakshmi. Covert channel forensics on the internet: Issues, approaches and experiences. 5(1):41-50, July 2007.

[7] Anjan K Koundinya et al. Covertness analysis of subliminal channels in legitimate communication. In ADCONS 2011, pages 582-591. Springer-Verlag LNCS series, 2012.
[8] Jaideep Chandrashekar et al. Exploiting temporal persistence to detect covert botnet channels. In Proceedings of 12th International Symposium, RAID 2009, pages 326-345, Saint-Malo, France, September 2009.
[9] Loic Helou, Claude Jard and Marc Zeitoun. Covert channels detection in protocols using scenarios. SPV03, Volume 3, April 2003.
[10] Anjan K Koundinya and Jibi Abraham. Design of Transport Layer Based Hybrid Covert Channel Detection Engine, volume 1 of 4. International Journal of Ad hoc, Sensor and Ubiquitous Computing, 2010.
[11] B. W. Lampson. A Note on the Confinement Problem. Communication of the ACM, 1973.
[12] Enping Li and Scott Craver. A supraliminal channel in a wireless phone application. In Proceedings of the 11th ACM workshop on Multimedia and security, pages 7-18, Princeton, New Jersey, USA, 2009.
[13] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert timing channels: Design and detection. CCS 04, 2004.
[14] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert channel detection. ACM Transaction on Information and System Security, Volume 12 (Article 22), 2009.
[15] Gustavus J. Simmons. The Subliminal Channel and Digital Signatures. Springer-Verlag, 1998.
[16] Steffen Wendzel. Protocol Channels. HAKIN9, 2009.
[17] Andreas Willig. A short introduction to queuing theory, lecture notes at Technical University Berlin, 1999.
[18] Adam Young and Moti Yung. Malicious Cryptography, First edition. Wiley Publishing, Feb, pages 220-240, 2004.

AUTHORS

Anjan K has received his B.E degree from Visveswariah Technological University, Belgaum, India in 2007 and his master degree from Department of Computer Science and Engineering, M.S. Ramaiah Institute of Technology, Bangalore, India. He has been awarded Best Performer PG 2010 for his academic excellence. His areas of research include Network Security and Cryptography, Agile Software Engineering. He is pursuing PhD in Computer Science and Engineering from VTU, Belgaum. He is currently working as Assistant Professor in Dept. of Computer Science and Engineering, R V College of Engineering, Bengaluru, India.

Srinath N K has his M.E degree in Systems Engineering and Operations Research from Roorkee University in 1986 and PhD degree from Avinash Lingum University, India in 2009. His areas of research interests include Operations Research, Parallel and Distributed Computing, DBMS, Microprocessor. He is working as Professor and Dean PG, Dept. of Computer Science and Engineering, R V College of Engineering.

Jibi Abraham has received her M.S degree in Software Systems from BITS, Rajasthan, India in 199 and PhD degree from Visveswariah Technological University, Belgaum, India in 2008 in the area of Network Security. Her areas of research interests include Network routing algorithms, Cryptography, Network Security of Wireless Sensor Networks and Algorithms Design. She is working as Professor and Head in Dept. of CEIT, College of Engineering, Pune.

4.2 Scenario-2

This scenario is built on the threat model of noiseless covert channel where the resources and users in sub-network are compromised. This sub-network is connected to other network. The communication from the sub network to all the other networks is built using a Hybrid Covert Channel. This sub network can be similar to bot-net as described in [8].

Fig. 6 Noiseless Covert Channel with Hybrid Covert Channel

The scenario can have multi-trapdoor or protocol hopped hybrid covert channel [16]. The trapdoor can move from one protocol to another protocol during the hop-to-hop communication or can be combination trapdoors in multiple level in the protocol suite. Hence there can be no particular index.

5. COVERT SCHEMES AND THEIR EMBODIMENT

The covert schemes are crucial for conveying the covert data over communication channel in a obscured way. More sophisticated scheme likely not to be retrieved by detection entity. Few samples of covert schemes were discussed in section 2 of this paper and detailed schemes are presented here.

Scheme 1

The IP ID is field used for identification of the packet and is used for the routing purpose. The covert scheme used for this field is based on following strategy-

• Intentional use of only certain IP IDs while having conversation with Covert receiver
• Scheme is designed by the covert sender for embedding covert characters into the IP ID field
• The Covert receiver applies the scheme used by the sender to retrieve the covert character

For instance a simple scheme that can be used for this field is extracting the IP ID is by performing modulus operation of the character set size. General notation for this scheme for encoding a character 'c' is


Where ( ) is the encoding function, R is the IP ID value and n is the size of the character set. For an ASCII character set n = 256.

Example: If IP ID = 26702 and if the character to be sent is 'M', then ( ) = 26702 − 1 mod 256 = 'M'.

To convey a covert message, the covert sender has to select the IP ID in such a way as to match with ( ).

Scheme 2

Another prominent scheme used is on the sequence number, where maximum range is 4294967296 numbers as it is 32 bit field. To communicate covertly under this scheme following strategy is employed-

• Sequence number is multiplied with value of character set and bound is declared with maximum limit
• The receiver side retrieves the sequence number and then divides it by character set size

The encoding function ( ) is given below-

Where S is the initial sequence number and n is the size of the character set. The decoding function ( ′) is given below-

Where ′ is the decoded character and ′ is the received sequence number.

For instance, to send a character I covertly over the channel, the sender would have to choose 1235037038 as sequence number and the max value is derived as 65535 × 256 = 16777216. Therefore the decoded character is ( ′) = 1235037038 / 16777216 = 73. The value 73 when mapped back to ASCII Table is the character 'I'.

Scheme 3

Another scheme which has tremendous effect on the bandwidth is the modulation of TCP timestamps or use of timing element in the network protocol. TCP timestamps is in the options field of the TCP header which indicates the round trip time of the packets. The TCP process accurately calculates the next retransmission of TCP segment which was failed to be acknowledged. If the character is to be covertly sent using this scheme, following strategy is used:

• Get the binary representation of the character and extract bits from the least significant bit
• Check if the Timestamp least significant bit (LSB) is same as covert bit, if so send the TCP segment
• Covert receiver will extract the LSB of the timestamp and store the same until it is a byte

Let Bc be the binary representation of the character 'c' and FLSB(Bc) be the encoding function for encoding the covert bits in TCP timestamp

6. ENTROPY BASED COVERT CHANNEL ANALYSIS

The entropy [2] in communication network indicates the number of bits required to encode a character over the channel as stated by Shannon Entropy theory. This is based on the frequency of the characters in given string and the size of the alphabet. The entropy measure also checks for uncertainty of the random variable.

Let A be finite set of characters such that |A| ≥ 1 and any character ∈ A is sequence of symbols which is a string, each of alphabet in string ∈ A. For instance, let cbbacabbac be sequence of symbols that needs to be transmitted over network, then its sequence of bits represents the coded symbol sequence which may be 101110011011100010. Then the entropy for such scenario is defined as-

where ∈ |A| and |A| > 1, pi is the probability of the occurrence of symbol 'c' in the string and n gives the length of the string. To transmit a message "network" over the communication network, following are the calculated entropy for each alphabet-

The frequency of all the characters in a string with unique symbols will be same; since the word "network" has unique symbols, the frequency is 0.143. Let X be string for which the entropy is to be calculated, here X may be a word like network or stream of numbers, then

H(X) = [(0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143)]

H(X) = 2.803

It requires 3 bits to represent each symbol in the given string and 21 bits are required to represent the entire string. Further, the appropriate line coding technique has to be chosen to represent them in the transmission line. So in general entropy of X where each alphabet is a unique symbol is

In a covert channel scenario the covert user has to choose the message in such a way that the entropy of string should always be less than number of bits available for that field in the protocol header,

i.e. H(X) < |Maximum number of bits in that field (Bf)|
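The following added example (not code from the paper) shows the analyst's side of the material above: the Scheme 1 and Scheme 2 decoders as used in the paper's worked examples, and the Shannon entropy measure of section 6 applied to the recovered symbols. All function names and the sample IP ID list are assumptions constructed for illustration.

```python
import math
from collections import Counter

CHARSET_SIZE = 256      # n on the page: size of the ASCII character set
SEQ_SPACE = 2 ** 32     # 4294967296 values in the 32-bit sequence number


def shannon_entropy(symbols):
    """H(X) = -sum(p_i * log2 p_i) over the symbols actually observed."""
    symbols = list(symbols)
    if not symbols:
        return 0.0
    total = len(symbols)
    return -sum((k / total) * math.log2(k / total)
                for k in Counter(symbols).values())


def bits_per_symbol(symbols):
    """Whole bits needed per symbol (the page rounds its entropy up to 3)."""
    # round() guards against float noise such as 3.0000000001 -> 4
    return math.ceil(round(shannon_entropy(symbols), 9))


def message_bits(symbols):
    """Bits needed for the whole string, e.g. 21 for the page's "network"."""
    symbols = list(symbols)
    return bits_per_symbol(symbols) * len(symbols)


def fits_field(symbols, field_bits):
    """The page's constraint: H(X) < number of bits in the header field (Bf)."""
    return shannon_entropy(symbols) < field_bits


def decode_ip_id(ip_id, n=CHARSET_SIZE):
    """Scheme 1 as in the page's worked example: (R - 1) mod n."""
    return chr((ip_id - 1) % n)


def decode_seq(seq, n=CHARSET_SIZE):
    """Scheme 2 as in the page's worked example: divide by 2^32 / n = 16777216."""
    return chr(seq // (SEQ_SPACE // n))


def analyse_field(values, decoder, field_bits):
    """Decode a run of observed header values and report the entropy metrics."""
    text = "".join(decoder(v) for v in values)
    return {
        "decoded": text,
        "entropy": round(shannon_entropy(text), 3),
        "bits_per_symbol": bits_per_symbol(text),
        "total_bits": message_bits(text),
        "within_field": fits_field(text, field_bits),
    }


# Constructed sample: IP ID values observed in one flow (not from the paper).
SAMPLE_IP_IDS = [2671, 5222, 7797, 10360, 12912, 15475, 18028]

if __name__ == "__main__":
    print(analyse_field(SAMPLE_IP_IDS, decode_ip_id, field_bits=16))
    print(decode_ip_id(26702), decode_seq(1235037038))
```

For seven equiprobable symbols the function returns log2 7 ≈ 2.807, slightly above the 2.803 printed on the page; the 3 bits per symbol and 21 bits per string agree with the text.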

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1015

International Journal of Net

The IP ID presented in the sc

X the minimum of 21 bits are

The covert channel occupies 25

header or protocol header simplchannel capacity ratio will be lo

This makes the detection of covefields for analysis

In general

for robust covert channel constcovert channel will be greater

protocols is actually setting upentropy for such scenarios isscheme Also in the scenario o

hybrid covert channel where the

figure 7 and figure 8 shows the a

ork Security amp Its Applications (IJNSA) Vol7 No3 M

eme 1 of this paper has 16 bits in the IP heade

required Hence capacity of the covert channel i

of total IP header space Multiple trapdoors (t)

y doubles the covert channel capacity However tthus making it robust ie

rt bits much difficult as the detection systems needs

uction where [7]the covertness index for suchthan 05 The multiple trapdoors through a proto

f multiple covert channels in the communicationispersed across multiple making it difficult to umulti-trapdoors covert channel behaves like a si

effect of the entropy is doubled The below results

ccurate expected behaviour discussed in this paper -

Fig7 IP Entropy analysis

Fig8 TCP Entropy Analysis

ay 2015

48

r so to send

is

[5] [4] in IP

he entropy to

to scan more

ulti-trapdoorcol or set of

network Thederstand thegle coherent

shown in the

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1115

International Journal of Network Security amp Its Applications (IJNSA) Vol7 No3 May 2015

49

The results indicate the multiple trapdoors used in hybrid covert channel yields to a higherentropy value and low channel to entropy ratio (CE) The constant CE ratio also indicates the

consistent usage of protocol header for constructing multi-trapdoor based hybrid covert channelThis implies that the covert schemes used in Hybrid covert channel is difficult detect in secured

communication

7RESULTS AND DISCUSSIONS

The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in thatprotocol ie

where Tm is the max number of trapdoors possible in that protocol Ts is the no of Trapdoors set

The analysis of the trapdoor setting is performed on protocols like IPv4 TCP and IPSec

SSLTLS The trapdoor setting in the rudimentary network protocols like the IPv4 and TCP ismerely based on placing the covert data in any of its header fields The table 1 shows effect ofvarying the number of trapdoors in IPv4 protocol

Table1Multi-TrapdoorAnalysisof IPv4

SlNo

TrapdoorName Noof Trap

doors

No

o

f Trapdoor

Algorith

m

CovertnessIndex

Entropy

C E

1 Network Covert

Channel-IPv4-

Single

4 1 NIL 025 2803 0089

2 Network Covert

Channel-IPv4-

dual

4 2 NIL 05 5606 017

3 Network Covert

Channel-IPv4-

triple

4 3 NIL 075 1121 0358

The graph of Trapdoors Vs the Covertness Index is show in the figure 9 where increase in the

number of the trapdoors in IPv4 increases the difficulty in detecting the covert channel Thetrapdoor setting in IPSec using subliminal channel is slightly complex to understand However

the ESP format provides two fields to convey the covert bits in the protocol header Theremaining data is sent over the ESP algorithm during the time of the key generation for

encryption using AES algorithm The residual bits in used in random number generation or used

in the round box of the AES and this is depicted on row 2 of the table 2 Hence the covertnessindex is 015 equation 2 which is 047 This will not change any further as there is limited scope

for subliminal channel development in IPSec -ESP format

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1215

International Journal of Net

Fig

Table 2 Multi-

The graph of Trapdoors Vs the

number of the trapdoors in IPSbased protocol is simple and pro

the changing trapdoor that hastrapdoors are involved it is difficshows change in the trapdoor co

covertness index can be minima

based on the algorithm used inHowever to increase the compl

bits is feasible in chosen prime

index for such channels is discus

Fig10 Entropy V

SlNo TrapdoorName

1 SubliminalChan

nel-IPSecESP-1

2 SubliminalChan

nel-IPSecESP-2

3 SubliminalChannel-IPSecESP-3

ork Security amp Its Applications (IJNSA) Vol7 No3 M

9 Entropy Vs Covertness Index in IPv4

Trapdoor Analysis of Subliminal Channel in IPSec

Covertness Index is show in the figure 10 where i

c ESP makes covertness index constant The trapvides seven fields for placing the covert data The t

an effect on the covertness index When more nult to detect the composition of the covert channelnt that has an effect in the detection However the

l The trapdoor setting in the subliminal channel i

its cipher suite This is purely called as random oxity of the subliminal to thwart detection the ran

umber This forms Newton Subliminal Channel T

sed in the table 4

s Covertness Index in IPSec based subliminal channel

Noof Trapdoors

No of

Trapdoorsu

Algorithm CovertnessIndex

Entropy C

2 1 AES-

XCBC-MAC

015 2803 0

- - AES-

XCBC-

MAC

047 478 0

- - AES-XCBC-

MAC

047 521 0

ay 2015

50

crease in the

oors in TCPble 3 depicts

umber of theThe figure 11hanges in the

SSLTLS is

acle channelomization of

he covertness

E

14

35

35

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1315

International Journal of Net

Table 3 Multi-

SlNo TrapdoorName

1 Network Coverthannel-TCP-

2 Network Covert

hannel-TCP-

3 Network Covert

hannel-TCP-

The graph of covertness index

12 The higher entropy value f[10] is able to detect the activi

Hybrid Covert channel is not fea

and IPv4 as this become easily d

Fig11 Entro

Table4Multi-

SlNo TrapdoorName

1 SubliminalChannel(Oracl

e)-

SSL TLS-1 2 SubliminalC

hannel(Oracl

e)-

SSL TLS-2 3 SubliminalC

hann

el(Oracl

e)-

SSL TLS-3

ork Security amp Its Applications (IJNSA) Vol7 No3 M

rapdoor Analysis of Network covert channel in TCP

Noof Trapd

oors No

of

Trapdoorsu

Algorithm CovertnessI

ndex Entropy C

1 7 1 NIL 0142 2803 0

2 7 2 NIL 028 5606 0

3 7 3 NIL 042 1121 0

s the trapdoor in the subliminal channel is shown

r the some of the formation indicates that the detty and this give clear indication of the higher de

sible for the combinations of the Network covert ch

tectable combination

y Vs Covertness Index in Covert Channel based on TCP

TrapdoorAnalysisof SubliminalChannelinSSL TLS

Noof Trapdoors

No of

Trapdoorsu

Algorithm CovertnessIndex

Entropy C

- - SSLCi-pherSuite

025 2803 0

- - SSLCi-pherSuite

058 367 0

- - SSLCi-

pherSu

ite

058 367 0

ay 2015

51

E

14

28

14

in the figure

ction enginetection rates

annel in TCP

E

14

35

35

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1415

International Journal of Net

Fig12 Covertn

8CONCLUSION

Covert schemes are difficult totaken in protocol header This p

be malware code Entropy basecovert symbol in a protocol Thi

in a better way It is unacceptablof administrator It is inference tentropy which makes it difficu

principle to detect such events

ACKNOWLEDGEMENT

AnjanKoundinya thanks Late

Computer Science and Engine

igniting the passion for research

REFERENCES

[1] Description of Detec

netprojectspapershtmlcctde

[2] Description of the Entropy cal

[Online accessed 16-Feb-201

[3] KoundinyaAnjan and Jibi A

channel In Third Internation

Chennai India 2010 Springe[4] Jibi Abraham Anjan K Srin

channel in secured communic

2014

[5] Bo Yuan Chaim Sanders Ja

Network Covert Channels 201

[6] RajarathnamChandramouli a

internet Issues approaches a

ork Security amp Its Applications (IJNSA) Vol7 No3 M

ss Index for Subliminal Channel based on SSLTLS

understand from third party entity as they obscurrovides an opportunity for embedding any data wh

analysis gives the actual number of bits used tos gives clearly metric to understand the covert cha

e to have malicious conversation of the network evehis experiment that the hybrid covert channel has hlt to detect It is required to concentrate on stron

Dr VK Ananthashayana Erstwhile Head De

ering MSRamaiah Institute of Tech-nology B

tion Approaches at the URL htt

html 2014 [Online accessed 15-Feb-2015]

culation at the URL httpwww shannonentro

]

braham Behaviour analysis of transport layer based

al Conference on Net-work Security and Application

-Verlag LNCS seriesath N K Attack modelling and behavioral analysis of

tion ACEEE In-ternational Journal of Network Securit

ob VallettaEmploying Entropy in the Detection and

12

d Koduvayur P Subbalakshmi Covert chan-nel for

d experiences 5(1)4150 July 2007

ay 2015

52

e the contentich may even

represent thennel schemes

n in presenceigh degree ofger detection

-partment of

angalore for

pgray-world

pynetmarkpl

hybrid covert

pages 83-92

hybrid covert

05(2)6777

Monitoring of

ensics on the

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1515

International Journal of Net

[7] Anjan K Koundinya etal C

In ADCONS 2011 pages 582

[8] JaideepChandrashekar etal

Proceedings of 12th Internat

September 2009

[9] LoicHelou Claude Jard andSPV03 Volume 3 April 200

[10] Anjan K Koundinya and Jibi

Detection Engine volume 1 o

2010

[11] B W Lampson A Note on th

[12] Enping Li and Scott Craver

of the 11th ACM workshop

2009[13] Clay Shields SarderCabuk C

2004

[14] Clay Shields SarderCabuk

Information and System Secur

[15] Gustavus J Simmons The Sub

[16] Steffen Wendzel Protocol Ch[17] Andreas Willig A short intro

1999

[18] Adam Young and Moti Yung

220-240 2004

AUTHORrsquoS

AnjanK has received his B

UniversityBelgaumIndia in 2007

Science and Engineering MSRam

been awarded Best Performer PG 2

includes NetworkSecurityandCrypt

PhD in Computer Science and Engi

as Assistant Professorin Deptof CEngineering Bengaluru India

SrinathNK has his ME degree in S

Roorkee University in 1986 and P

in 2009His areas of research int

Distributed Computing DBMS Mi

PG Dept of Computer Science and

JibiAbraham has received h

BITSRajasthanIndia in 199 and

University Belgaum India in

fresearch interests include Network

of Wireless Sensor Networks andHead in Dept of CEIT College of

ork Security amp Its Applications (IJNSA) Vol7 No3 M

vertness analysis of subliminal channels in legitimate c

591 Springer- Verlag LNCS series 2012

xploiting temporal persistence to detect covert botnet

ional Symposium RAID 2009 pages 326345 Saint-

Marc ZeitounCovert channels detection in protocols u

Abraham Design of Transport Layer Based Hybrid C

f 4 International Journal of Ad hocSensor and Ubiquito

Con_nement ProblemCommunication of the ACM 19

supraliminal channel in a wireless phone application

n Multimedia and security pages 718 Princeton Ne

rla Brodley IP covert timing channels Design and det

Carla Brodley IP covert channel detectionACM

ity Volume 12(Article 22) 2009

liminal Channel and Digital SignaturesSpringer-Verlag

nnelsHAKIN9 2009uction to queuing theorylecture notes at Technical Uni

Malicious Cryptography First edition Wiley Publish-

E degree from Visveswariah Technological

nd his master degre from Department of Computer

iahInstitute of Technology Bangalore IndiaHe has

10 for his academic excellenceHis area so fresearch

graphyAgile Software EngineeringHe ispursuing

neeing fromVTUBelgaum He is currently working

omputer Science and Engineering RV College of

ystems Engineering and Operations Research from

D degree from Avinash Lingum UniversityIndia

rests include Operations Research Parallel and

roprocessor His isworking as Professor and Dean

EngineeringRVCollege of Engineering

r MS degree in Software Systems from

PhD degree from Visveswariah Technological

008 in the area of Network SecurityHe rarea so

routing algorithms Cryptography Network Security

lgorithms DesignShe is working as Professor andngineering Pune

ay 2015

53

ommunication

channels In

Malo France

sing scenarios

overt Channel

us Computing

3

n Proceedings

Jersey USA

ction CCS 4

ransaction on

1998

versity Berlin

ingFeb pages

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 815

International Journal of Network Security amp Its Applications (IJNSA) Vol7 No3 May 2015

46

Where 983080983081 is the encoding function R is the IP ID value and n is the size of the character setFor an ASCII character set n = 256

Example If IP ID = 26702 and if the character to be sent is `M Then 983080983081 983101 983090983094983095983088983090 minus

983089 983090983093983094 = `M

To convey a covert message the covert sender has select IP ID in such a way as to match with

983080983081

Scheme 2

Another prominent scheme uses the sequence number, whose maximum range is 4294967296 numbers as it is a 32-bit field. To communicate covertly under this scheme, the following strategy is employed:

• The sequence number is multiplied with the value of the character set, and the bound is declared with the maximum limit.

• The receiver side retrieves the sequence number and then divides it by the character set size.

The encoding function is given below -

Where S is the initial sequence number and n is the size of the character set. The decoding function is given below -

Where $c'$ is the decoded character and $S'$ is the received sequence number.

For instance, to send a character 'I' covertly over the channel, the sender would have to choose 1235037038 as sequence number, and the max value is derived as 65535 × 256 = 16777216. Therefore the decoded character is 1235037038 / 16777216 = 73. The value 73, when mapped back to the ASCII table, is the character 'I'.

Scheme 3

Another scheme, which has a tremendous effect on the bandwidth, is the modulation of TCP timestamps, or use of a timing element in the network protocol. The TCP timestamp is in the options field of the TCP header and indicates the round trip time of the packets. The TCP process accurately calculates the next retransmission of a TCP segment which failed to be acknowledged. If a character is to be covertly sent using this scheme, the following strategy is used:

• Get the binary representation of the character and extract bits from the least significant bit.

• Check if the Timestamp least significant bit (LSB) is the same as the covert bit; if so, send the TCP segment.

• The covert receiver will extract the LSB of the timestamp and store the same until it is a byte.

Let $B_c$ be the binary representation of the character 'c' and $F_{LSB}(B_c)$ be the encoding function for encoding the covert bits in TCP timestamp
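The receiver-side steps of Scheme 2 and Scheme 3 are also what an analyst applies to captured header values, so the following added example (not code from the paper) decodes a capture and flags a run of printable characters. It assumes the divisor 16777216 from the worked example; the function names and all sample values other than 1235037038 are constructed for illustration.

```python
"""Analyst-side decoding of captured header values (Scheme 2 and Scheme 3).

Only 1235037038 comes from the text; every other value is constructed.
"""

SEQ_BOUND = 16777216  # divisor from the worked example (2**24)

# Constructed initial sequence numbers from one source, in capture order.
SUSPECT_ISNS = [1235037038, 1140974144, 1400163249, 822083626]
# Constructed comparison set with no printable structure in the top byte.
BASELINE_ISNS = [3735928559, 305419896, 2596069104, 4275878552]
# Constructed TCP timestamp values; their LSBs are 1,0,0,1,0,0,1,0.
SAMPLE_TIMESTAMPS = [1001, 1002, 1004, 1007, 1010, 1012, 1015, 1018]


def decode_sequence_number(seq):
    """Scheme 2: integer-divide a 32-bit sequence number by the bound.

    Dividing by 2**24 simply exposes the top byte of the field.
    """
    if not 0 <= seq < 2**32:
        raise ValueError("sequence number must fit in 32 bits")
    return seq // SEQ_BOUND


def decode_timestamp_lsbs(timestamps):
    """Scheme 3: pack timestamp LSBs into bytes, least significant bit first.

    Returns (decoded_bytes, leftover_bits). A trailing partial byte is
    reported through leftover_bits instead of being padded.
    """
    out = bytearray()
    value, nbits = 0, 0
    for ts in timestamps:
        value |= (ts & 1) << nbits
        nbits += 1
        if nbits == 8:
            out.append(value)
            value, nbits = 0, 0
    return bytes(out), nbits


def printable_ratio(data):
    """Fraction of bytes in the printable ASCII range 0x20-0x7e."""
    if not data:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)


def review_isns(isns, threshold=0.9, min_len=4):
    """Decode a run of sequence numbers and flag mostly-printable output.

    A uniformly random top byte is printable about 37% of the time (95/256),
    so short runs are not flagged; min_len and threshold are tunable.
    """
    decoded = bytes(decode_sequence_number(s) for s in isns)
    ratio = printable_ratio(decoded)
    return {
        "decoded": decoded,
        "printable_ratio": ratio,
        "suspicious": ratio >= threshold and len(decoded) >= min_len,
    }


if __name__ == "__main__":
    print(chr(decode_sequence_number(1235037038)))
    print(review_isns(SUSPECT_ISNS))
    print(review_isns(BASELINE_ISNS))
    print(decode_timestamp_lsbs(SAMPLE_TIMESTAMPS))
```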

6. ENTROPY BASED COVERT CHANNEL ANALYSIS

The entropy [2] in a communication network indicates the number of bits required to encode a character over the channel, as stated by Shannon entropy theory. This is based on the frequency of the characters in the given string and the size of the alphabet. The entropy measure also checks for uncertainty of the random variable.

Let A be a finite set of characters such that $|A| \ge 1$, and any character 'c' ∈ A is a sequence of symbols which is a string, each alphabet in the string ∈ A. For instance, let cbbacabbac be the sequence of symbols that needs to be transmitted over the network; then its sequence of bits represents the coded symbol sequence, which may be 101110011011100010. Then the entropy for such a scenario is defined as -

where $c \in |A|$ and $|A| > 1$, $p_i$ is the probability of the occurrence of symbol 'c' in the string and n gives the length of the string. To transmit a message "network" over the communication network, following are the calculated entropy for each alphabet -

The frequency of all the characters in a string with unique symbols will be the same; since the word "network" has unique symbols, the frequency is 0.143. Let X be the string for which the entropy is to be calculated; here X may be a word like network or a stream of numbers. Then

$H(X) = [(0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143) + (0.143 \log_2 0.143)]$

$H(X) = 2.803$

It requires 3 bits to represent each symbol in the given string, and 21 bits are required to represent the entire string. Further, the appropriate line coding technique has to be chosen to represent them in the transmission line. So in general, entropy of X where each alphabet is a unique symbol is

In a covert channel scenario, the covert user has to choose the message in such a way that the entropy of the string should always be less than the number of bits available for that field in the protocol header, i.e.

$H(X) < |\text{Maximum number of bits in that field } (B_f)|$

The IP ID presented in scheme 1 of this paper has 16 bits in the IP header, so to send X the minimum of 21 bits are required. Hence capacity of the covert channel is

The covert channel occupies 25% of total IP header space. Multiple trapdoors (t) [5] [4] in the IP header or protocol header simply doubles the covert channel capacity. However, the entropy to channel capacity ratio will be low, thus making it robust, i.e.

This makes the detection of covert bits much more difficult, as the detection system needs to scan more fields for analysis.

In general

for robust covert channel construction, where [7] the covertness index for such a multi-trapdoor covert channel will be greater than 0.5. The multiple trapdoors through a protocol or set of protocols is actually setting up of multiple covert channels in the communication network. The entropy for such scenarios is dispersed across multiple, making it difficult to understand the scheme. Also, in this scenario the multi-trapdoor covert channel behaves like a single coherent hybrid covert channel, where the effect of the entropy is doubled. The results shown in figure 7 and figure 8 show the accurate expected behaviour discussed in this paper -

Fig. 7: IP Entropy analysis

Fig. 8: TCP Entropy Analysis

The results indicate that the multiple trapdoors used in a hybrid covert channel yield a higher entropy value and a low channel to entropy ratio (C/E). The constant C/E ratio also indicates the consistent usage of the protocol header for constructing a multi-trapdoor based hybrid covert channel. This implies that the covert schemes used in a hybrid covert channel are difficult to detect in secured communication.
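The entropy calculation of this section can be reproduced as follows; this is an added example, not code from the paper. It assumes a fixed-length code of ⌈H(X)⌉ bits per symbol for the bit counts and sums per-trapdoor entropies for the multi-trapdoor case, as the doubling described above suggests; the function names are illustrative.

```python
import math
from collections import Counter


def shannon_entropy(symbols):
    """Shannon entropy in bits per symbol: -sum(p_i * log2(p_i))."""
    n = len(symbols)
    if n == 0:
        return 0.0
    counts = Counter(symbols)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def bits_required(symbols):
    """Return (bits per symbol, bits for the whole string).

    Assumption: a fixed-length code of ceil(H) bits per symbol, which is how
    the text gets 3 bits per symbol and 21 bits for "network".
    """
    if len(symbols) == 0:
        return 0, 0
    per_symbol = max(1, math.ceil(shannon_entropy(symbols)))
    return per_symbol, per_symbol * len(symbols)


def fits_field(symbols, field_bits):
    """The section's condition H(X) < B_f for a header field of B_f bits."""
    return shannon_entropy(symbols) < field_bits


def combined_entropy(streams):
    """Entropy summed over the symbol streams of several trapdoors.

    Two trapdoors carrying the same message give twice the single-trapdoor
    value, matching the doubling described for the hybrid channel.
    """
    return sum(shannon_entropy(s) for s in streams)


if __name__ == "__main__":
    # Exact value for seven equiprobable symbols is log2(7); the text's
    # rounded arithmetic with 0.143 reports 2.803.
    print(round(shannon_entropy("network"), 3))
    print(bits_required("network"))
    print(round(shannon_entropy("cbbacabbac"), 3))
    print(fits_field("network", 16))  # 16-bit IP ID field
    print(round(combined_entropy(["network", "network"]), 3))
```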

7. RESULTS AND DISCUSSIONS

The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in that protocol, i.e.

where $T_m$ is the max number of trapdoors possible in that protocol and $T_s$ is the no. of trapdoors set.

The analysis of the trapdoor setting is performed on protocols like IPv4, TCP, IPSec and SSL/TLS. The trapdoor setting in rudimentary network protocols like IPv4 and TCP is merely based on placing the covert data in any of its header fields. Table 1 shows the effect of varying the number of trapdoors in the IPv4 protocol.

Table 1: Multi-Trapdoor Analysis of IPv4

| Sl. No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Network Covert Channel-IPv4-Single | 4 | 1 | NIL | 0.25 | 2.803 | 0.089 |
| 2 | Network Covert Channel-IPv4-dual | 4 | 2 | NIL | 0.5 | 5.606 | 0.17 |
| 3 | Network Covert Channel-IPv4-triple | 4 | 3 | NIL | 0.75 | 11.21 | 0.358 |

The graph of Trapdoors vs. the Covertness Index is shown in figure 9, where an increase in the number of trapdoors in IPv4 increases the difficulty in detecting the covert channel. The trapdoor setting in IPSec using a subliminal channel is slightly complex to understand. However, the ESP format provides two fields to convey the covert bits in the protocol header. The remaining data is sent over the ESP algorithm during the time of the key generation for encryption using the AES algorithm. The residual bits are used in random number generation or used in the round box of the AES, and this is depicted in row 2 of table 2. Hence the covertness index is 0.15 equation 2 which is 0.47. This will not change any further, as there is limited scope for subliminal channel development in the IPSec-ESP format.

Fig. 9: Entropy Vs Covertness Index in IPv4

Table 2: Multi-Trapdoor Analysis of Subliminal Channel in IPSec

| Sl. No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Subliminal Channel-IPSec ESP-1 | 2 | 1 | AES-XCBC-MAC | 0.15 | 2.803 | 0…14 |
| 2 | Subliminal Channel-IPSec ESP-2 | - | - | AES-XCBC-MAC | 0.47 | 4.78 | 0…35 |
| 3 | Subliminal Channel-IPSec ESP-3 | - | - | AES-XCBC-MAC | 0.47 | 5.21 | 0…35 |

The graph of Trapdoors vs. the Covertness Index is shown in figure 10, where an increase in the number of trapdoors in IPSec ESP makes the covertness index constant. The trapdoors in a TCP based protocol are simple, and it provides seven fields for placing the covert data. Table 3 depicts the changing trapdoor that has an effect on the covertness index. When a greater number of trapdoors are involved, it is difficult to detect the composition of the covert channel. Figure 11 shows the change in the trapdoor count that has an effect on the detection. However, the changes in the covertness index can be minimal. The trapdoor setting in the subliminal channel in SSL/TLS is based on the algorithm used in its cipher suite. This is purely called a random oracle channel. However, to increase the complexity of the subliminal channel to thwart detection, the randomization of bits is feasible in a chosen prime number. This forms the Newton Subliminal Channel. The covertness index for such channels is discussed in table 4.

Fig. 10: Entropy Vs Covertness Index in IPSec based subliminal channel

Table 3: Multi-Trapdoor Analysis of Network covert channel in TCP

| Sl. No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Network Covert Channel-TCP-1 | 7 | 1 | NIL | 0.142 | 2.803 | 0…14 |
| 2 | Network Covert Channel-TCP-2 | 7 | 2 | NIL | 0.28 | 5.606 | 0…28 |
| 3 | Network Covert Channel-TCP-3 | 7 | 3 | NIL | 0.42 | 11.21 | 0…14 |

The graph of covertness index vs. the trapdoor in the subliminal channel is shown in figure 12. The higher entropy value for some of the formations indicates that the detection engine [10] is able to detect the activity, and this gives a clear indication of the higher detection rates. A hybrid covert channel is not feasible for the combinations of the network covert channel in TCP and IPv4, as this becomes an easily detectable combination.

Fig. 11: Entropy Vs Covertness Index in Covert Channel based on TCP

Table 4: Multi-Trapdoor Analysis of Subliminal Channel in SSL/TLS

| Sl. No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Subliminal Channel (Oracle)-SSL/TLS-1 | - | - | SSL Cipher Suite | 0.25 | 2.803 | 0…14 |
| 2 | Subliminal Channel (Oracle)-SSL/TLS-2 | - | - | SSL Cipher Suite | 0.58 | 3.67 | 0…35 |
| 3 | Subliminal Channel (Oracle)-SSL/TLS-3 | - | - | SSL Cipher Suite | 0.58 | 3.67 | 0…35 |

Fig. 12: Covertness Index for Subliminal Channel based on SSL/TLS

8. CONCLUSION

Covert schemes are difficult to understand from a third party entity, as they obscure the content taken in the protocol header. This provides an opportunity for embedding any data, which may even be malware code. Entropy based analysis gives the actual number of bits used to represent the covert symbol in a protocol. This gives a clear metric to understand the covert channel schemes in a better way. It is unacceptable to have malicious conversation on the network even in the presence of an administrator. It is an inference of this experiment that the hybrid covert channel has a high degree of entropy, which makes it difficult to detect. It is required to concentrate on a stronger detection principle to detect such events.

ACKNOWLEDGEMENT

Anjan Koundinya thanks Late Dr. V.K. Ananthashayana, Erstwhile Head, Department of Computer Science and Engineering, M.S. Ramaiah Institute of Technology, Bangalore, for igniting the passion for research.

REFERENCES

[1] Description of Detection Approaches at the URL http://gray-world.net/projects/papers/html/cctde.html, 2014. [Online; accessed 15-Feb-2015].

[2] Description of the Entropy calculation at the URL http://www.shannonentropy.netmark.pl. [Online; accessed 16-Feb-2015].

[3] Koundinya Anjan and Jibi Abraham. Behaviour analysis of transport layer based hybrid covert channel. In Third International Conference on Network Security and Applications, pages 83-92, Chennai, India, 2010. Springer-Verlag LNCS series.

[4] Jibi Abraham, Anjan K, Srinath N K. Attack modelling and behavioral analysis of hybrid covert channel in secured communication. ACEEE International Journal of Network Security, 05(2):67-77, 2014.

[5] Bo Yuan, Chaim Sanders, Jacob Valletta. Employing Entropy in the Detection and Monitoring of Network Covert Channels. 2012.

[6] Rajarathnam Chandramouli and Koduvayur P. Subbalakshmi. Covert channel forensics on the internet: Issues, approaches and experiences. 5(1):41-50, July 2007.

[7] Anjan K Koundinya et al. Covertness analysis of subliminal channels in legitimate communication. In ADCONS 2011, pages 582-591. Springer-Verlag LNCS series, 2012.

[8] Jaideep Chandrashekar et al. Exploiting temporal persistence to detect covert botnet channels. In Proceedings of 12th International Symposium, RAID 2009, pages 326-345, Saint-Malo, France, September 2009.

[9] Loic Helou, Claude Jard and Marc Zeitoun. Covert channels detection in protocols using scenarios. SPV'03, Volume 3, April 2003.

[10] Anjan K Koundinya and Jibi Abraham. Design of Transport Layer Based Hybrid Covert Channel Detection Engine, volume 1 of 4. International Journal of Ad hoc, Sensor and Ubiquitous Computing, 2010.

[11] B. W. Lampson. A Note on the Confinement Problem. Communication of the ACM, 1973.

[12] Enping Li and Scott Craver. A supraliminal channel in a wireless phone application. In Proceedings of the 11th ACM workshop on Multimedia and security, pages 7-18, Princeton, New Jersey, USA, 2009.

[13] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert timing channels: Design and detection. CCS '04, 2004.

[14] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert channel detection. ACM Transaction on Information and System Security, Volume 12 (Article 22), 2009.

[15] Gustavus J. Simmons. The Subliminal Channel and Digital Signatures. Springer-Verlag, 1998.

[16] Steffen Wendzel. Protocol Channels. HAKIN9, 2009.

[17] Andreas Willig. A short introduction to queuing theory. Lecture notes at Technical University Berlin, 1999.

[18] Adam Young and Moti Yung. Malicious Cryptography, First edition. Wiley Publishing, Feb., pages 220-240, 2004.

AUTHORS

Anjan K has received his B.E degree from Visveswariah Technological University, Belgaum, India in 2007 and his master degree from Department of Computer Science and Engineering, M.S. Ramaiah Institute of Technology, Bangalore, India. He has been awarded Best Performer PG 2010 for his academic excellence. His areas of research include Network Security and Cryptography, Agile Software Engineering. He is pursuing PhD in Computer Science and Engineering from VTU, Belgaum. He is currently working as Assistant Professor in Dept. of Computer Science and Engineering, R V College of Engineering, Bengaluru, India.

Srinath N K has his M.E degree in Systems Engineering and Operations Research from Roorkee University in 1986 and PhD degree from Avinash Lingum University, India in 2009. His areas of research interests include Operations Research, Parallel and Distributed Computing, DBMS, Microprocessor. He is working as Professor and Dean PG, Dept. of Computer Science and Engineering, R V College of Engineering.

Jibi Abraham has received her M.S degree in Software Systems from BITS, Rajasthan, India in 199 and PhD degree from Visveswariah Technological University, Belgaum, India in 2008 in the area of Network Security. Her areas of research interests include Network routing algorithms, Cryptography, Network Security of Wireless Sensor Networks and Algorithms Design. She is working as Professor and Head in Dept. of CEIT, College of Engineering, Pune.

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 915

International Journal of Network Security amp Its Applications (IJNSA) Vol7 No3 May 2015

47

TCP segment

bull Covert receiver will extract the LSB of the timestamp and store the same until it is a byte

Let be the binary representation of the character `c and FLSB(Bc) be the encoding function for

encoding the covert bits in TCP timestamp

6ENTROPY BASED COVERT CHANNEL ANALYSIS

The entropy [2] in communication network indicates the number of bits required to encode a

character over the channel as stated by Shannon Entropy theory This is based on the frequency of

the characters in given string and the size of the alphabet The entropy measure also checks foruncertainty of the random variable

Let A be finite set of characters such that 983164983164 ge 983089 and any character983136991257 isin A is sequence of

symbols which is a string each of alphabet in string isin A For instance let cbbacabbac besequence of symbols that needs to be transmitted over network then its sequence of bits represents

the coded symbol sequence which may be 101110011011100010 Then the entropy for suchscenario is defined as ndash

where isin 983164983164 and 983164983164 983102 983089 pi is the probability of the occurrence of symbol lsquocrsquo in the string and ngives the length of the string To transmit a message ldquonetworkrdquo over the communication

network following are the calculated entropy for each alphabet ndash

The frequency of all the characters in a string with unique symbols will be same since the word

ldquonetworkrdquo has unique symbols the frequency is 0143 Let X be string for which the entropy is to

be calculated here X may word like network or stream of numbers then

H(X)=[(0143log20143) + (0143log20143) + (0143log20143) +(0143log20143) + (01

43log20143) + (0143log20143) + (0143log20143)]

H(X)=2803

It requires 3 bits to represent each symbol in the given string and 21 bits are required to representthe entire string Further the appropriate line coding technique has to be chosen to represent themin the transmission line So in general entropy of X where each alphabet is a unique symbol is

In a covert channel scenario the covert user has to be chosen the message in such a way that theentropy of string should always be less that number of bits available for that field in the protocol

header

ieH(X)lt|Maximumnumberof bitsinthatf ield(Bf )|

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1015

International Journal of Net

The IP ID presented in the sc

X the minimum of 21 bits are

The covert channel occupies 25

header or protocol header simplchannel capacity ratio will be lo

This makes the detection of covefields for analysis

In general

for robust covert channel constcovert channel will be greater

protocols is actually setting upentropy for such scenarios isscheme Also in the scenario o

hybrid covert channel where the

figure 7 and figure 8 shows the a

ork Security amp Its Applications (IJNSA) Vol7 No3 M

eme 1 of this paper has 16 bits in the IP heade

required Hence capacity of the covert channel i

of total IP header space Multiple trapdoors (t)

y doubles the covert channel capacity However tthus making it robust ie

rt bits much difficult as the detection systems needs

uction where [7]the covertness index for suchthan 05 The multiple trapdoors through a proto

f multiple covert channels in the communicationispersed across multiple making it difficult to umulti-trapdoors covert channel behaves like a si

effect of the entropy is doubled The below results

ccurate expected behaviour discussed in this paper -

Fig7 IP Entropy analysis

Fig8 TCP Entropy Analysis

ay 2015

48

r so to send

is

[5] [4] in IP

he entropy to

to scan more

ulti-trapdoorcol or set of

network Thederstand thegle coherent

shown in the

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1115

International Journal of Network Security amp Its Applications (IJNSA) Vol7 No3 May 2015

49

The results indicate the multiple trapdoors used in hybrid covert channel yields to a higherentropy value and low channel to entropy ratio (CE) The constant CE ratio also indicates the

consistent usage of protocol header for constructing multi-trapdoor based hybrid covert channelThis implies that the covert schemes used in Hybrid covert channel is difficult detect in secured

communication

7RESULTS AND DISCUSSIONS

The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in thatprotocol ie

where Tm is the max number of trapdoors possible in that protocol Ts is the no of Trapdoors set

The analysis of the trapdoor setting is performed on protocols like IPv4 TCP and IPSec

SSLTLS The trapdoor setting in the rudimentary network protocols like the IPv4 and TCP ismerely based on placing the covert data in any of its header fields The table 1 shows effect ofvarying the number of trapdoors in IPv4 protocol

Table1Multi-TrapdoorAnalysisof IPv4

SlNo

TrapdoorName Noof Trap

doors

No

o

f Trapdoor

Algorith

m

CovertnessIndex

Entropy

C E

1 Network Covert

Channel-IPv4-

Single

4 1 NIL 025 2803 0089

2 Network Covert

Channel-IPv4-

dual

4 2 NIL 05 5606 017

3 Network Covert

Channel-IPv4-

triple

4 3 NIL 075 1121 0358

The graph of Trapdoors Vs the Covertness Index is show in the figure 9 where increase in the

number of the trapdoors in IPv4 increases the difficulty in detecting the covert channel Thetrapdoor setting in IPSec using subliminal channel is slightly complex to understand However

the ESP format provides two fields to convey the covert bits in the protocol header Theremaining data is sent over the ESP algorithm during the time of the key generation for

encryption using AES algorithm The residual bits in used in random number generation or used

in the round box of the AES and this is depicted on row 2 of the table 2 Hence the covertnessindex is 015 equation 2 which is 047 This will not change any further as there is limited scope

for subliminal channel development in IPSec -ESP format

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1215

International Journal of Net

Fig

Table 2 Multi-

The graph of Trapdoors Vs the

number of the trapdoors in IPSbased protocol is simple and pro

the changing trapdoor that hastrapdoors are involved it is difficshows change in the trapdoor co

covertness index can be minima

based on the algorithm used inHowever to increase the compl

bits is feasible in chosen prime

index for such channels is discus

Fig10 Entropy V

SlNo TrapdoorName

1 SubliminalChan

nel-IPSecESP-1

2 SubliminalChan

nel-IPSecESP-2

3 SubliminalChannel-IPSecESP-3

ork Security amp Its Applications (IJNSA) Vol7 No3 M

9 Entropy Vs Covertness Index in IPv4

Trapdoor Analysis of Subliminal Channel in IPSec

Covertness Index is show in the figure 10 where i

c ESP makes covertness index constant The trapvides seven fields for placing the covert data The t

an effect on the covertness index When more nult to detect the composition of the covert channelnt that has an effect in the detection However the

l The trapdoor setting in the subliminal channel i

its cipher suite This is purely called as random oxity of the subliminal to thwart detection the ran

umber This forms Newton Subliminal Channel T

sed in the table 4

s Covertness Index in IPSec based subliminal channel

Noof Trapdoors

No of

Trapdoorsu

Algorithm CovertnessIndex

Entropy C

2 1 AES-

XCBC-MAC

015 2803 0

- - AES-

XCBC-

MAC

047 478 0

- - AES-XCBC-

MAC

047 521 0

ay 2015

50

crease in the

oors in TCPble 3 depicts

umber of theThe figure 11hanges in the

SSLTLS is

acle channelomization of

he covertness

E

14

35

35

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1315

International Journal of Net

Table 3 Multi-

SlNo TrapdoorName

1 Network Coverthannel-TCP-

2 Network Covert

hannel-TCP-

3 Network Covert

hannel-TCP-

The graph of covertness index

12 The higher entropy value f[10] is able to detect the activi

Hybrid Covert channel is not fea

and IPv4 as this become easily d

Fig11 Entro

Table4Multi-

SlNo TrapdoorName

1 SubliminalChannel(Oracl

e)-

SSL TLS-1 2 SubliminalC

hannel(Oracl

e)-

SSL TLS-2 3 SubliminalC

hann

el(Oracl

e)-

SSL TLS-3

ork Security amp Its Applications (IJNSA) Vol7 No3 M

rapdoor Analysis of Network covert channel in TCP

Noof Trapd

oors No

of

Trapdoorsu

Algorithm CovertnessI

ndex Entropy C

1 7 1 NIL 0142 2803 0

2 7 2 NIL 028 5606 0

3 7 3 NIL 042 1121 0

s the trapdoor in the subliminal channel is shown

r the some of the formation indicates that the detty and this give clear indication of the higher de

sible for the combinations of the Network covert ch

tectable combination

y Vs Covertness Index in Covert Channel based on TCP

TrapdoorAnalysisof SubliminalChannelinSSL TLS

Noof Trapdoors

No of

Trapdoorsu

Algorithm CovertnessIndex

Entropy C

- - SSLCi-pherSuite

025 2803 0

- - SSLCi-pherSuite

058 367 0

- - SSLCi-

pherSu

ite

058 367 0

ay 2015

51

E

14

28

14

in the figure

ction enginetection rates

annel in TCP

E

14

35

35

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1415

International Journal of Net

Fig12 Covertn

8CONCLUSION

Covert schemes are difficult totaken in protocol header This p

be malware code Entropy basecovert symbol in a protocol Thi

in a better way It is unacceptablof administrator It is inference tentropy which makes it difficu

principle to detect such events

ACKNOWLEDGEMENT

AnjanKoundinya thanks Late

Computer Science and Engine

igniting the passion for research

REFERENCES

[1] Description of Detec

netprojectspapershtmlcctde

[2] Description of the Entropy cal

[Online accessed 16-Feb-201

[3] KoundinyaAnjan and Jibi A

channel In Third Internation

Chennai India 2010 Springe[4] Jibi Abraham Anjan K Srin

channel in secured communic

2014

[5] Bo Yuan Chaim Sanders Ja

Network Covert Channels 201

[6] RajarathnamChandramouli a

internet Issues approaches a

ork Security amp Its Applications (IJNSA) Vol7 No3 M

ss Index for Subliminal Channel based on SSLTLS

understand from third party entity as they obscurrovides an opportunity for embedding any data wh

analysis gives the actual number of bits used tos gives clearly metric to understand the covert cha

e to have malicious conversation of the network evehis experiment that the hybrid covert channel has hlt to detect It is required to concentrate on stron

Dr VK Ananthashayana Erstwhile Head De

ering MSRamaiah Institute of Tech-nology B

tion Approaches at the URL htt

html 2014 [Online accessed 15-Feb-2015]

culation at the URL httpwww shannonentro

]

braham Behaviour analysis of transport layer based

al Conference on Net-work Security and Application

-Verlag LNCS seriesath N K Attack modelling and behavioral analysis of

tion ACEEE In-ternational Journal of Network Securit

ob VallettaEmploying Entropy in the Detection and

12

d Koduvayur P Subbalakshmi Covert chan-nel for

d experiences 5(1)4150 July 2007

ay 2015

52

e the contentich may even

represent thennel schemes

n in presenceigh degree ofger detection

-partment of

angalore for

pgray-world

pynetmarkpl

hybrid covert

pages 83-92

hybrid covert

05(2)6777

Monitoring of

ensics on the

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1515

International Journal of Net

[7] Anjan K Koundinya etal C

In ADCONS 2011 pages 582

[8] JaideepChandrashekar etal

Proceedings of 12th Internat

September 2009

[9] LoicHelou Claude Jard andSPV03 Volume 3 April 200

[10] Anjan K Koundinya and Jibi

Detection Engine volume 1 o

2010

[11] B W Lampson A Note on th

[12] Enping Li and Scott Craver

of the 11th ACM workshop

2009[13] Clay Shields SarderCabuk C

2004

[14] Clay Shields SarderCabuk

Information and System Secur

[15] Gustavus J Simmons The Sub

[16] Steffen Wendzel Protocol Ch[17] Andreas Willig A short intro

1999

[18] Adam Young and Moti Yung

220-240 2004

AUTHORrsquoS

AnjanK has received his B

UniversityBelgaumIndia in 2007

Science and Engineering MSRam

been awarded Best Performer PG 2

includes NetworkSecurityandCrypt


The IP ID presented in scheme 1 of this paper has 16 bits in the IP header, so to send X the minimum of 21 bits are required. Hence capacity of the covert channel is

The covert channel occupies 25% of total IP header space. Multiple trapdoors (t) [5] [4] in the IP header or protocol header simply double the covert channel capacity. However, the entropy to channel capacity ratio will be low, thus making it robust, i.e.

This makes the detection of covert bits much more difficult, as the detection system needs to scan more fields for analysis.

In general

for robust covert channel construction, where [7] the covertness index for such a multi-trapdoor covert channel will be greater than 0.5. Multiple trapdoors through a protocol or set of protocols actually set up multiple covert channels in the communication network. The entropy for such scenarios is dispersed across multiple, making it difficult to understand the scheme. Also, in the scenario of multi-trapdoors, the covert channel behaves like a single coherent hybrid covert channel, where the effect of the entropy is doubled. The results shown in figure 7 and figure 8 show the accurate expected behaviour discussed in this paper:

Fig 7. IP Entropy analysis

Fig 8. TCP Entropy Analysis


The results indicate that the multiple trapdoors used in a hybrid covert channel yield a higher entropy value and a low channel to entropy ratio (C/E). The constant C/E ratio also indicates the consistent usage of the protocol header for constructing a multi-trapdoor based hybrid covert channel. This implies that the covert schemes used in a hybrid covert channel are difficult to detect in secured communication.

7. RESULTS AND DISCUSSIONS

The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in that protocol, i.e.

where Tm is the max number of trapdoors possible in that protocol and Ts is the no. of trapdoors set.

The analysis of the trapdoor setting is performed on protocols like IPv4, TCP, IPSec and SSL/TLS. The trapdoor setting in the rudimentary network protocols like IPv4 and TCP is merely based on placing the covert data in any of its header fields. Table 1 shows the effect of varying the number of trapdoors in the IPv4 protocol.

Table 1. Multi-Trapdoor Analysis of IPv4

| Sl. No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Network Covert Channel-IPv4-Single | 4 | 1 | NIL | 0.25 | 2.803 | 0.089 |
| 2 | Network Covert Channel-IPv4-dual | 4 | 2 | NIL | 0.5 | 5.606 | 0.17 |
| 3 | Network Covert Channel-IPv4-triple | 4 | 3 | NIL | 0.75 | 11.21 | 0.358 |

The graph of Trapdoors vs the Covertness Index is shown in figure 9, where an increase in the number of trapdoors in IPv4 increases the difficulty in detecting the covert channel. The trapdoor setting in IPSec using a subliminal channel is slightly complex to understand. However, the ESP format provides two fields to convey the covert bits in the protocol header. The remaining data is sent over the ESP algorithm during the time of the key generation for encryption using the AES algorithm. The residual bits are used in random number generation or in the round box of AES, and this is depicted in row 2 of table 2. Hence the covertness index is 0.15 equation 2 which is 0.47. This will not change any further, as there is limited scope for subliminal channel development in the IPSec-ESP format.


Fig 9. Entropy Vs Covertness Index in IPv4

Table 2. Multi-Trapdoor Analysis of Subliminal Channel in IPSec

| Sl. No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Subliminal Channel-IPSec ESP-1 | 2 | 1 | AES-XCBC-MAC | 0.15 | 2.803 | 0.14 |
| 2 | Subliminal Channel-IPSec ESP-2 | - | - | AES-XCBC-MAC | 0.47 | 4.78 | 0.35 |
| 3 | Subliminal Channel-IPSec ESP-3 | - | - | AES-XCBC-MAC | 0.47 | 5.21 | 0.35 |

The graph of Trapdoors vs the Covertness Index is shown in figure 10, where an increase in the number of trapdoors in IPSec ESP makes the covertness index constant. The trapdoor setting in a TCP based protocol is simple, and TCP provides seven fields for placing the covert data. Table 3 depicts the changing trapdoor count that has an effect on the covertness index. When more trapdoors are involved, it is difficult to detect the composition of the covert channel. Figure 11 shows the change in the trapdoor count that has an effect on the detection. However, the changes in the covertness index can be minimal. The trapdoor setting in the subliminal channel in SSL/TLS is based on the algorithm used in its cipher suite. This is purely called a random oracle channel. However, to increase the complexity of the subliminal channel and thwart detection, the randomization of bits is feasible in a chosen prime number. This forms the Newton Subliminal Channel. The covertness index for such channels is discussed in table 4.

Fig 10. Entropy Vs Covertness Index in IPSec based subliminal channel


Table 3. Multi-Trapdoor Analysis of Network covert channel in TCP

| Sl. No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Network Covert Channel-TCP- | 7 | 1 | NIL | 0.142 | 2.803 | 0.14 |
| 2 | Network Covert Channel-TCP- | 7 | 2 | NIL | 0.28 | 5.606 | 0.28 |
| 3 | Network Covert Channel-TCP- | 7 | 3 | NIL | 0.42 | 11.21 | 0.14 |

The graph of covertness index vs the trapdoor in the subliminal channel is shown in figure 12. The higher entropy value for some of the formations indicates that the detection engine [10] is able to detect the activity, and this gives a clear indication of the higher detection rates. A hybrid covert channel is not feasible for the combinations of the network covert channel in TCP and IPv4, as this becomes an easily detectable combination.

Fig 11. Entropy Vs Covertness Index in Covert Channel based on TCP

Table 4. Multi-Trapdoor Analysis of Subliminal Channel in SSL/TLS

| Sl. No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Subliminal Channel (Oracle)-SSL/TLS-1 | - | - | SSL Cipher Suite | 0.25 | 2.803 | 0.14 |
| 2 | Subliminal Channel (Oracle)-SSL/TLS-2 | - | - | SSL Cipher Suite | 0.58 | 3.67 | 0.35 |
| 3 | Subliminal Channel (Oracle)-SSL/TLS-3 | - | - | SSL Cipher Suite | 0.58 | 3.67 | 0.35 |


Fig 12. Covertness Index for Subliminal Channel based on SSL/TLS

8. CONCLUSION

Covert schemes are difficult for a third party entity to understand, as they obscure the content taken in the protocol header. This provides an opportunity for embedding any data, which may even be malware code. Entropy based analysis gives the actual number of bits used to represent the covert symbol in a protocol. This gives a clear metric to understand the covert channel schemes in a better way. It is unacceptable to have a malicious conversation on the network even in the presence of an administrator. The inference from this experiment is that the hybrid covert channel has a high degree of entropy, which makes it difficult to detect. It is required to concentrate on a stronger detection principle to detect such events.

ACKNOWLEDGEMENT

Anjan Koundinya thanks Late Dr. V. K. Ananthashayana, Erstwhile Head, Department of Computer Science and Engineering, M. S. Ramaiah Institute of Technology, Bangalore, for igniting the passion for research.

REFERENCES

[1] Description of Detection Approaches at the URL http://gray-world.net/projects/papers/html/cctde.html, 2014. [Online; accessed 15-Feb-2015]

[2] Description of the Entropy calculation at the URL http://www.shannonentropy.netmark.pl [Online; accessed 16-Feb-201]

[3] Koundinya Anjan and Jibi Abraham. Behaviour analysis of transport layer based hybrid covert channel. In Third International Conference on Network Security and Applications, pages 83-92, Chennai, India, 2010. Springer-Verlag LNCS series.

[4] Jibi Abraham, Anjan K, Srinath N K. Attack modelling and behavioral analysis of hybrid covert channel in secured communication. ACEEE International Journal of Network Security, 05(2):67-77, 2014.

[5] Bo Yuan, Chaim Sanders, Jacob Valletta. Employing Entropy in the Detection and Monitoring of Network Covert Channels. 2012.

[6] Rajarathnam Chandramouli and Koduvayur P. Subbalakshmi. Covert channel forensics on the internet: Issues, approaches and experiences. 5(1):41-50, July 2007.


[7] Anjan K Koundinya et al. Covertness analysis of subliminal channels in legitimate communication. In ADCONS 2011, pages 582-591. Springer-Verlag LNCS series, 2012.

[8] Jaideep Chandrashekar et al. Exploiting temporal persistence to detect covert botnet channels. In Proceedings of 12th International Symposium, RAID 2009, pages 326-345, Saint-Malo, France, September 2009.

[9] Loic Helou, Claude Jard and Marc Zeitoun. Covert channels detection in protocols using scenarios. SPV03, Volume 3, April 200

[10] Anjan K Koundinya and Jibi Abraham. Design of Transport Layer Based Hybrid Covert Channel Detection Engine, volume 1 of 4. International Journal of Ad hoc, Sensor and Ubiquitous Computing, 2010.

[11] B. W. Lampson. A Note on the Confinement Problem. Communication of the ACM, 1973.

[12] Enping Li and Scott Craver. A supraliminal channel in a wireless phone application. In Proceedings of the 11th ACM workshop on Multimedia and security, pages 7-18, Princeton, New Jersey, USA, 2009.

[13] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert timing channels: Design and detection. CCS 4, 2004.

[14] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert channel detection. ACM Transaction on Information and System Security, Volume 12 (Article 22), 2009.

[15] Gustavus J. Simmons. The Subliminal Channel and Digital Signatures. Springer-Verlag, 1998.

[16] Steffen Wendzel. Protocol Channels. HAKIN9, 2009.

[17] Andreas Willig. A short introduction to queuing theory. Lecture notes at Technical University Berlin, 1999.

[18] Adam Young and Moti Yung. Malicious Cryptography, First edition. Wiley Publishing, Feb, pages 220-240, 2004.

AUTHORS

Anjan K has received his B.E degree from Visveswariah Technological University, Belgaum, India in 2007 and his master degree from the Department of Computer Science and Engineering, M. S. Ramaiah Institute of Technology, Bangalore, India. He has been awarded Best Performer PG 2010 for his academic excellence. His areas of research include Network Security and Cryptography, and Agile Software Engineering. He is pursuing a PhD in Computer Science and Engineering from VTU, Belgaum. He is currently working as Assistant Professor in the Dept. of Computer Science and Engineering, R V College of Engineering, Bengaluru, India.

Srinath N K has his M.E degree in Systems Engineering and Operations Research from Roorkee University in 1986 and PhD degree from Avinash Lingum University, India in 2009. His areas of research interest include Operations Research, Parallel and Distributed Computing, DBMS and Microprocessor. He is working as Professor and Dean PG, Dept. of Computer Science and Engineering, R V College of Engineering.

Jibi Abraham has received her M.S degree in Software Systems from BITS, Rajasthan, India in 199 and PhD degree from Visveswariah Technological University, Belgaum, India in 2008 in the area of Network Security. Her areas of research interest include Network routing algorithms, Cryptography, Network Security of Wireless Sensor Networks and Algorithms Design. She is working as Professor and Head in the Dept. of CEIT, College of Engineering, Pune.

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1115

International Journal of Network Security amp Its Applications (IJNSA) Vol7 No3 May 2015

49

The results indicate the multiple trapdoors used in hybrid covert channel yields to a higherentropy value and low channel to entropy ratio (CE) The constant CE ratio also indicates the

consistent usage of protocol header for constructing multi-trapdoor based hybrid covert channelThis implies that the covert schemes used in Hybrid covert channel is difficult detect in secured

communication

7RESULTS AND DISCUSSIONS

The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in thatprotocol ie

where Tm is the max number of trapdoors possible in that protocol Ts is the no of Trapdoors set

The analysis of the trapdoor setting is performed on protocols like IPv4 TCP and IPSec

SSLTLS The trapdoor setting in the rudimentary network protocols like the IPv4 and TCP ismerely based on placing the covert data in any of its header fields The table 1 shows effect ofvarying the number of trapdoors in IPv4 protocol

Table1Multi-TrapdoorAnalysisof IPv4

SlNo

TrapdoorName Noof Trap

doors

No

o

f Trapdoor

Algorith

m

CovertnessIndex

Entropy

C E

1 Network Covert

Channel-IPv4-

Single

4 1 NIL 025 2803 0089

2 Network Covert

Channel-IPv4-

dual

4 2 NIL 05 5606 017

3 Network Covert

Channel-IPv4-

triple

4 3 NIL 075 1121 0358

The graph of Trapdoors Vs the Covertness Index is show in the figure 9 where increase in the

number of the trapdoors in IPv4 increases the difficulty in detecting the covert channel Thetrapdoor setting in IPSec using subliminal channel is slightly complex to understand However

the ESP format provides two fields to convey the covert bits in the protocol header Theremaining data is sent over the ESP algorithm during the time of the key generation for

encryption using AES algorithm The residual bits in used in random number generation or used

in the round box of the AES and this is depicted on row 2 of the table 2 Hence the covertnessindex is 015 equation 2 which is 047 This will not change any further as there is limited scope

for subliminal channel development in IPSec -ESP format

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1215

International Journal of Net

Fig

Table 2 Multi-

The graph of Trapdoors Vs the

number of the trapdoors in IPSbased protocol is simple and pro

the changing trapdoor that hastrapdoors are involved it is difficshows change in the trapdoor co

covertness index can be minima

based on the algorithm used inHowever to increase the compl

bits is feasible in chosen prime

index for such channels is discus

Fig10 Entropy V

SlNo TrapdoorName

1 SubliminalChan

nel-IPSecESP-1

2 SubliminalChan

nel-IPSecESP-2

3 SubliminalChannel-IPSecESP-3

ork Security amp Its Applications (IJNSA) Vol7 No3 M

9 Entropy Vs Covertness Index in IPv4

Trapdoor Analysis of Subliminal Channel in IPSec

Covertness Index is show in the figure 10 where i

c ESP makes covertness index constant The trapvides seven fields for placing the covert data The t

an effect on the covertness index When more nult to detect the composition of the covert channelnt that has an effect in the detection However the

l The trapdoor setting in the subliminal channel i

its cipher suite This is purely called as random oxity of the subliminal to thwart detection the ran

umber This forms Newton Subliminal Channel T

sed in the table 4

s Covertness Index in IPSec based subliminal channel

Noof Trapdoors

No of

Trapdoorsu

Algorithm CovertnessIndex

Entropy C

2 1 AES-

XCBC-MAC

015 2803 0

- - AES-

XCBC-

MAC

047 478 0

- - AES-XCBC-

MAC

047 521 0

ay 2015

50

crease in the

oors in TCPble 3 depicts

umber of theThe figure 11hanges in the

SSLTLS is

acle channelomization of

he covertness

E

14

35

35

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1315

International Journal of Net

Table 3 Multi-

SlNo TrapdoorName

1 Network Coverthannel-TCP-

2 Network Covert

hannel-TCP-

3 Network Covert

hannel-TCP-

The graph of covertness index

12 The higher entropy value f[10] is able to detect the activi

Hybrid Covert channel is not fea

and IPv4 as this become easily d

Fig11 Entro

Table4Multi-

SlNo TrapdoorName

1 SubliminalChannel(Oracl

e)-

SSL TLS-1 2 SubliminalC

hannel(Oracl

e)-

SSL TLS-2 3 SubliminalC

hann

el(Oracl

e)-

SSL TLS-3

ork Security amp Its Applications (IJNSA) Vol7 No3 M

rapdoor Analysis of Network covert channel in TCP

Noof Trapd

oors No

of

Trapdoorsu

Algorithm CovertnessI

ndex Entropy C

1 7 1 NIL 0142 2803 0

2 7 2 NIL 028 5606 0

3 7 3 NIL 042 1121 0

s the trapdoor in the subliminal channel is shown

r the some of the formation indicates that the detty and this give clear indication of the higher de

sible for the combinations of the Network covert ch

tectable combination

y Vs Covertness Index in Covert Channel based on TCP

TrapdoorAnalysisof SubliminalChannelinSSL TLS

Noof Trapdoors

No of

Trapdoorsu

Algorithm CovertnessIndex

Entropy C

- - SSLCi-pherSuite

025 2803 0

- - SSLCi-pherSuite

058 367 0

- - SSLCi-

pherSu

ite

058 367 0

ay 2015

51

E

14

28

14

in the figure

ction enginetection rates

annel in TCP

E

14

35

35

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1415

International Journal of Net

Fig12 Covertn

8CONCLUSION

Covert schemes are difficult totaken in protocol header This p

be malware code Entropy basecovert symbol in a protocol Thi

in a better way It is unacceptablof administrator It is inference tentropy which makes it difficu

principle to detect such events

ACKNOWLEDGEMENT

AnjanKoundinya thanks Late

Computer Science and Engine

igniting the passion for research

REFERENCES

[1] Description of Detec

netprojectspapershtmlcctde

[2] Description of the Entropy cal

[Online accessed 16-Feb-201

[3] KoundinyaAnjan and Jibi A

channel In Third Internation

Chennai India 2010 Springe[4] Jibi Abraham Anjan K Srin

channel in secured communic

2014

[5] Bo Yuan Chaim Sanders Ja

Network Covert Channels 201

[6] RajarathnamChandramouli a

internet Issues approaches a

ork Security amp Its Applications (IJNSA) Vol7 No3 M

ss Index for Subliminal Channel based on SSLTLS

understand from third party entity as they obscurrovides an opportunity for embedding any data wh

analysis gives the actual number of bits used tos gives clearly metric to understand the covert cha

e to have malicious conversation of the network evehis experiment that the hybrid covert channel has hlt to detect It is required to concentrate on stron

Dr VK Ananthashayana Erstwhile Head De

ering MSRamaiah Institute of Tech-nology B

tion Approaches at the URL htt

html 2014 [Online accessed 15-Feb-2015]

culation at the URL httpwww shannonentro

]

braham Behaviour analysis of transport layer based

al Conference on Net-work Security and Application

-Verlag LNCS seriesath N K Attack modelling and behavioral analysis of

tion ACEEE In-ternational Journal of Network Securit

ob VallettaEmploying Entropy in the Detection and

12

d Koduvayur P Subbalakshmi Covert chan-nel for

d experiences 5(1)4150 July 2007

ay 2015

52

e the contentich may even

represent thennel schemes

n in presenceigh degree ofger detection

-partment of

angalore for

pgray-world

pynetmarkpl

hybrid covert

pages 83-92

hybrid covert

05(2)6777

Monitoring of

ensics on the

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1515

International Journal of Net

[7] Anjan K Koundinya etal C

In ADCONS 2011 pages 582

[8] JaideepChandrashekar etal

Proceedings of 12th Internat

September 2009

[9] LoicHelou Claude Jard andSPV03 Volume 3 April 200

[10] Anjan K Koundinya and Jibi

Detection Engine volume 1 o

2010

[11] B W Lampson A Note on th

[12] Enping Li and Scott Craver

of the 11th ACM workshop

2009[13] Clay Shields SarderCabuk C

2004

[14] Clay Shields SarderCabuk

Information and System Secur

[15] Gustavus J Simmons The Sub

[16] Steffen Wendzel Protocol Ch[17] Andreas Willig A short intro

1999

[18] Adam Young and Moti Yung

220-240 2004

AUTHORrsquoS

AnjanK has received his B

UniversityBelgaumIndia in 2007

Science and Engineering MSRam

been awarded Best Performer PG 2

includes NetworkSecurityandCrypt

PhD in Computer Science and Engi

as Assistant Professorin Deptof CEngineering Bengaluru India

SrinathNK has his ME degree in S

Roorkee University in 1986 and P

in 2009His areas of research int

Distributed Computing DBMS Mi

PG Dept of Computer Science and

JibiAbraham has received h

BITSRajasthanIndia in 199 and

University Belgaum India in

fresearch interests include Network

of Wireless Sensor Networks andHead in Dept of CEIT College of

ork Security amp Its Applications (IJNSA) Vol7 No3 M

vertness analysis of subliminal channels in legitimate c

591 Springer- Verlag LNCS series 2012

xploiting temporal persistence to detect covert botnet

ional Symposium RAID 2009 pages 326345 Saint-

Marc ZeitounCovert channels detection in protocols u

Abraham Design of Transport Layer Based Hybrid C

f 4 International Journal of Ad hocSensor and Ubiquito

Con_nement ProblemCommunication of the ACM 19

supraliminal channel in a wireless phone application

n Multimedia and security pages 718 Princeton Ne

rla Brodley IP covert timing channels Design and det

Carla Brodley IP covert channel detectionACM

ity Volume 12(Article 22) 2009

liminal Channel and Digital SignaturesSpringer-Verlag

nnelsHAKIN9 2009uction to queuing theorylecture notes at Technical Uni

Malicious Cryptography First edition Wiley Publish-

E degree from Visveswariah Technological

nd his master degre from Department of Computer

iahInstitute of Technology Bangalore IndiaHe has

10 for his academic excellenceHis area so fresearch

graphyAgile Software EngineeringHe ispursuing

neeing fromVTUBelgaum He is currently working

omputer Science and Engineering RV College of

ystems Engineering and Operations Research from

D degree from Avinash Lingum UniversityIndia

rests include Operations Research Parallel and

roprocessor His isworking as Professor and Dean

EngineeringRVCollege of Engineering

r MS degree in Software Systems from

PhD degree from Visveswariah Technological

008 in the area of Network SecurityHe rarea so

routing algorithms Cryptography Network Security

lgorithms DesignShe is working as Professor andngineering Pune

ay 2015

53

ommunication

channels In

Malo France

sing scenarios

overt Channel

us Computing

3

n Proceedings

Jersey USA

ction CCS 4

ransaction on

1998

versity Berlin

ingFeb pages

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1215

International Journal of Net

Fig

Table 2 Multi-

The graph of Trapdoors Vs the

number of the trapdoors in IPSbased protocol is simple and pro

the changing trapdoor that hastrapdoors are involved it is difficshows change in the trapdoor co

covertness index can be minima

based on the algorithm used inHowever to increase the compl

bits is feasible in chosen prime

index for such channels is discus

Fig10 Entropy V

SlNo TrapdoorName

1 SubliminalChan

nel-IPSecESP-1

2 SubliminalChan

nel-IPSecESP-2

3 SubliminalChannel-IPSecESP-3

ork Security amp Its Applications (IJNSA) Vol7 No3 M

9 Entropy Vs Covertness Index in IPv4

Trapdoor Analysis of Subliminal Channel in IPSec

Covertness Index is show in the figure 10 where i

c ESP makes covertness index constant The trapvides seven fields for placing the covert data The t

an effect on the covertness index When more nult to detect the composition of the covert channelnt that has an effect in the detection However the

l The trapdoor setting in the subliminal channel i

its cipher suite This is purely called as random oxity of the subliminal to thwart detection the ran

umber This forms Newton Subliminal Channel T

sed in the table 4

s Covertness Index in IPSec based subliminal channel

Noof Trapdoors

No of

Trapdoorsu

Algorithm CovertnessIndex

Entropy C

2 1 AES-

XCBC-MAC

015 2803 0

- - AES-

XCBC-

MAC

047 478 0

- - AES-XCBC-

MAC

047 521 0

ay 2015

50

crease in the

oors in TCPble 3 depicts

umber of theThe figure 11hanges in the

SSLTLS is

acle channelomization of

he covertness

E

14

35

35

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1315

International Journal of Net

Table 3 Multi-

SlNo TrapdoorName

1 Network Coverthannel-TCP-

2 Network Covert

hannel-TCP-

3 Network Covert

hannel-TCP-

The graph of covertness index

12 The higher entropy value f[10] is able to detect the activi

Hybrid Covert channel is not fea

and IPv4 as this become easily d

Fig11 Entro

Table4Multi-

SlNo TrapdoorName

1 SubliminalChannel(Oracl

e)-

SSL TLS-1 2 SubliminalC

hannel(Oracl

e)-

SSL TLS-2 3 SubliminalC

hann

el(Oracl

e)-

SSL TLS-3

ork Security amp Its Applications (IJNSA) Vol7 No3 M

rapdoor Analysis of Network covert channel in TCP

Noof Trapd

oors No

of

Trapdoorsu

Algorithm CovertnessI

ndex Entropy C

1 7 1 NIL 0142 2803 0

2 7 2 NIL 028 5606 0

3 7 3 NIL 042 1121 0

s the trapdoor in the subliminal channel is shown

r the some of the formation indicates that the detty and this give clear indication of the higher de

sible for the combinations of the Network covert ch

tectable combination

y Vs Covertness Index in Covert Channel based on TCP

TrapdoorAnalysisof SubliminalChannelinSSL TLS

Noof Trapdoors

No of

Trapdoorsu

Algorithm CovertnessIndex

Entropy C

- - SSLCi-pherSuite

025 2803 0

- - SSLCi-pherSuite

058 367 0

- - SSLCi-

pherSu

ite

058 367 0

ay 2015

51

E

14

28

14

in the figure

ction enginetection rates

annel in TCP

E

14

35

35

882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip

httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1415

International Journal of Net

Fig12 Covertn

8CONCLUSION

Covert schemes are difficult totaken in protocol header This p

be malware code Entropy basecovert symbol in a protocol Thi

in a better way It is unacceptablof administrator It is inference tentropy which makes it difficu

principle to detect such events

ACKNOWLEDGEMENT

AnjanKoundinya thanks Late

Computer Science and Engine

igniting the passion for research

REFERENCES

[1] Description of Detec

netprojectspapershtmlcctde

[2] Description of the Entropy cal

[Online accessed 16-Feb-201

[3] KoundinyaAnjan and Jibi A

channel In Third Internation

Chennai India 2010 Springe[4] Jibi Abraham Anjan K Srin

channel in secured communic

2014

[5] Bo Yuan Chaim Sanders Ja

Network Covert Channels 201

[6] RajarathnamChandramouli a

internet Issues approaches a

ork Security amp Its Applications (IJNSA) Vol7 No3 M

ss Index for Subliminal Channel based on SSLTLS

understand from third party entity as they obscurrovides an opportunity for embedding any data wh

analysis gives the actual number of bits used tos gives clearly metric to understand the covert cha

e to have malicious conversation of the network evehis experiment that the hybrid covert channel has hlt to detect It is required to concentrate on stron

Dr VK Ananthashayana Erstwhile Head De

ering MSRamaiah Institute of Tech-nology B

tion Approaches at the URL htt

html 2014 [Online accessed 15-Feb-2015]

culation at the URL httpwww shannonentro

]

braham Behaviour analysis of transport layer based

al Conference on Net-work Security and Application

-Verlag LNCS seriesath N K Attack modelling and behavioral analysis of


Table 3. Multi-trapdoor Analysis of Network covert channel in TCP

Sl.No  Trapdoor Name                 No. of Trapdoors  No. of Trapdoors used  Algorithm  Covertness Index  Entropy  C E
1      Network Covert Channel-TCP-1  7                 1                      NIL        0142              2803     0 14
2      Network Covert Channel-TCP-2  7                 2                      NIL        028               5606     0 28
3      Network Covert Channel-TCP-3  7                 3                      NIL        042               1121     0 14

The graph of covertness index vs the trapdoor in the subliminal channel is shown in figure 12. The higher entropy value for some of the formations indicates that the detection engine [10] is able to detect the activity, and this gives a clear indication of the higher detection rates. Hybrid covert channel is not feasible for the combinations of the network covert channel in TCP and IPv4, as this becomes an easily detectable combination.

Fig. 11. Entropy Vs Covertness Index in Covert Channel based on TCP

Table 4. Multi-Trapdoor Analysis of Subliminal Channel in SSL/TLS

Sl.No  Trapdoor Name                          No. of Trapdoors  No. of Trapdoors used  Algorithm        Covertness Index  Entropy  C E
1      Subliminal Channel (Oracle)-SSL/TLS-1  -                 -                      SSL CipherSuite  025               2803     0 14
2      Subliminal Channel (Oracle)-SSL/TLS-2  -                 -                      SSL CipherSuite  058               367      0 35
3      Subliminal Channel (Oracle)-SSL/TLS-3  -                 -                      SSL CipherSuite  058               367      0 35

Fig. 12. Covertness Index for Subliminal Channel based on SSL/TLS

8. CONCLUSION

Covert schemes are difficult for a third-party entity to understand, as they obscure the content carried in the protocol header. This provides an opportunity for embedding any data, which may even be malware code. Entropy based analysis gives the actual number of bits used to represent the covert symbol in a protocol. This gives a clear metric for understanding the covert channel schemes in a better way. It is unacceptable to have malicious conversation on the network even in the presence of an administrator. It is inferred from this experiment that the hybrid covert channel has a high degree of entropy, which makes it difficult to detect. It is required to concentrate on a stronger detection principle to detect such events.

ACKNOWLEDGEMENT

Anjan Koundinya thanks Late Dr. V.K. Ananthashayana, Erstwhile Head, Department of Computer Science and Engineering, M.S. Ramaiah Institute of Technology, Bangalore, for igniting the passion for research.

REFERENCES

[1] Description of Detection Approaches at the URL http://gray-world.net/projects/papers/html/cctde.html, 2014. [Online; accessed 15-Feb-2015]

[2] Description of the Entropy calculation at the URL http://www.shannonentropy.netmark.pl [Online; accessed 16-Feb-201]

[3] Koundinya Anjan and Jibi Abraham. Behaviour analysis of transport layer based hybrid covert channel. In Third International Conference on Network Security and Applications, pages 83-92, Chennai, India, 2010. Springer-Verlag LNCS series.

[4] Jibi Abraham, Anjan K, Srinath N K. Attack modelling and behavioral analysis of hybrid covert channel in secured communication. ACEEE International Journal of Network Security, 05(2):67-77, 2014.

[5] Bo Yuan, Chaim Sanders, Jacob Valletta. Employing Entropy in the Detection and Monitoring of Network Covert Channels. 2012.

[6] Rajarathnam Chandramouli and Koduvayur P. Subbalakshmi. Covert channel forensics on the internet: Issues, approaches and experiences. 5(1):41-50, July 2007.

[7] Anjan K Koundinya et al. Covertness analysis of subliminal channels in legitimate communication. In ADCONS 2011, pages 582-591. Springer-Verlag LNCS series, 2012.

[8] Jaideep Chandrashekar et al. Exploiting temporal persistence to detect covert botnet channels. In Proceedings of 12th International Symposium, RAID 2009, pages 326-345, Saint-Malo, France, September 2009.

[9] Loic Helou, Claude Jard and Marc Zeitoun. Covert channels detection in protocols using scenarios. SPV03, Volume 3, April 200

[10] Anjan K Koundinya and Jibi Abraham. Design of Transport Layer Based Hybrid Covert Channel Detection Engine, volume 1 of 4. International Journal of Ad hoc, Sensor and Ubiquitous Computing, 2010.

[11] B. W. Lampson. A Note on the Confinement Problem. Communication of the ACM, 1973.

[12] Enping Li and Scott Craver. A supraliminal channel in a wireless phone application. In Proceedings of the 11th ACM workshop on Multimedia and security, pages 7-18, Princeton, New Jersey, USA, 2009.

[13] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert timing channels: Design and detection. CCS 4, 2004.

[14] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert channel detection. ACM Transaction on Information and System Security, Volume 12 (Article 22), 2009.

[15] Gustavus J. Simmons. The Subliminal Channel and Digital Signatures. Springer-Verlag, 1998.

[16] Steffen Wendzel. Protocol Channels. HAKIN9, 2009.

[17] Andreas Willig. A short introduction to queuing theory, lecture notes at Technical University Berlin, 1999.

[18] Adam Young and Moti Yung. Malicious Cryptography. First edition, Wiley Publishing, Feb, pages 220-240, 2004.

AUTHOR'S

Anjan K has received his B.E. degree from Visveswariah Technological University, Belgaum, India in 2007 and his master's degree from Department of Computer Science and Engineering, M.S. Ramaiah Institute of Technology, Bangalore, India. He has been awarded Best Performer PG 2010 for his academic excellence. His areas of research include Network Security and Cryptography, Agile Software Engineering. He is pursuing a PhD in Computer Science and Engineering from VTU, Belgaum. He is currently working as Assistant Professor in Dept. of Computer Science and Engineering, R V College of Engineering, Bengaluru, India.

Srinath N K has his M.E. degree in Systems Engineering and Operations Research from Roorkee University in 1986 and PhD degree from Avinash Lingum University, India in 2009. His areas of research interests include Operations Research, Parallel and Distributed Computing, DBMS, Microprocessor. He is working as Professor and Dean PG, Dept. of Computer Science and Engineering, R V College of Engineering.

Jibi Abraham has received her M.S. degree in Software Systems from BITS, Rajasthan, India in 199 and PhD degree from Visveswariah Technological University, Belgaum, India in 2008 in the area of Network Security. Her areas of research interests include Network routing algorithms, Cryptography, Network Security of Wireless Sensor Networks and Algorithms Design. She is working as Professor and Head in Dept. of CEIT, College of Engineering, Pune.
