InCC: Hiding Information by Mimicking Traffic In Network Flows

Luis Campo Giralte, Cristina Conde, Isaac Martin De Diego, Enrique Cabello

Abstract

This article proposes and implements a light-weight covert channel called InCC, which is designed to produce a undetectable communication channel between systems. This channel, fully transparent to any network analysis, is able to send messages on the same production network without compromising its existence. By using techniques like encryption, address spoofing, signatures and traffic analysis, the channel is able to hide the flows on the network without compromising the source and destination.

References

  1. BitTorrent (2013). The bittorrent protocol specification, version 11031. http://bittorrent.org/beps/ bep 0003.html.
  2. Burnett, S., Feamster, N., and Vempala, S. (2010). Chipping away at censorship firewalls with user-generated content. In Proceedings of the 19th USENIX conference on Security, USENIX Security'10, pages 29-29, Berkeley, CA, USA. USENIX Association.
  3. Degraaf, R., Aycock, J., and Jacobson, M. (2005). Improved port knocking with strong authentication. In In Proc. 21st Annual Computer Security Applications Conference (ACSAC 2005, pages 409-418. Springer.
  4. Dittmann, J., Hesse, D., and Hillert, R. (2005). Steganography and steganalysis in voice-over ip scenarios: operational aspects and first experiences with a new steganalysis tool set. In Delp, E. J. and Wong, P. W., editors, Security, Steganography, and Watermarking of Multimedia Contents, volume 5681 of Proceedings of SPIE, pages 607-618. SPIE.
  5. Freire, E. P., Ziviani, A., and Salles, R. M. (2009). On metrics to distinguish skype flows from http traffic. J. Network Syst. Manage., 17(1-2):53-72.
  6. Fu, X., Guan, Y., Graham, B., Bettati, R., and Zhao, W. (2002). Using parasite flows to camouflage flow traffic. In Proceedings of the 2002 IEEE Workshop on Information Assurance.
  7. Hippie (2013). Hi-performance protocol identification engine. http://sourceforge.net/projects/hippie/.
  8. Klein, A. (2008). Attacks on the rc4 stream cipher. Des. Codes Cryptography, 48(3):269-286.
  9. Liu, Y., Ghosal, D., Armknecht, F., Sadeghi, A.-R., Schulz, S., and Katzenbeisser, S. (2009). Hide and seek in time - robust covert timing channels. In Backes, M. and Ning, P., editors, ESORICS, volume 5789 of Lecture Notes in Computer Science, pages 120-135. Springer.
  10. Llamas, D., Miller, A., and Allison, C. (2005). An evaluation framework for the analysis of covert channels in the tcp/ip protocol suite. In ECIW, pages 205-214. Academic Conferences Limited, Reading, UK.
  11. Lucena, N. B., Pease, J., Yadollahpour, P., and Chapin, S. J. (2004). Syntax and semantics-preserving applicationlayer protocol steganography. In Proceedings of the 6th Information Hiding Workshop, pages 164-169.
  12. Luo, X., Chan, E. W. W., and Chang, R. K. C. (2009). Clack: A network covert channel based on partial acknowledgment encoding. In ICC, pages 1-5. IEEE.
  13. Mantin, I. (2005). Predicting and distinguishing attacks on rc4 keystream generator. In EUROCRYPT, pages 491- 506.
  14. Mazurczyk, W. and Szczypiorski, K. (2009). Steganography in handling oversized ip packets. CoRR, abs/0907.0313.
  15. Miklosovic, S. (2011). Pa018 - term project - port knocking enhancements. http://www.portknocking.org/view/ resources.
  16. Nussbaum, L., Neyron, P., and Richard, O. (2009). On robust covert channels inside dns. In Gritzalis, D. and Lopez, J., editors, SEC, volume 297 of IFIP, pages 51-62. Springer.
  17. OpenDPI (2013). Opendpi. opendpi.org/index.html.
  18. Paul, S. and Preneel, B. (2004). A new weakness in the rc4 keystream generator and an approach to improve the security of the cipher. pages 245-259.
  19. Rcf4557 (2006). The rc4-hmac kerberos encryption types used by microsoft windows. http://www.ietf.org/rfc/rfc4757.txt.
  20. Rfc2246 (1999). The tls protocol. http://www.ietf.org/rfc/ rfc2246.txt.
  21. Rios, R., Onieva, J. A., and Lopez, J. (2012). Hide dhcp: Covert communications through network configuration messages. In Gritzalis, D., Furnell, S., and Theoharidou, M., editors, Proceedings of the 27th IFIP TC 11 International Information Security and Privacy Conference (SEC 2012), volume 376 of IFIP AICT, pages 162-173, Heraklion, Crete, Greece. Springer Boston, Springer Boston.
  22. Sellke, S. H., Wang, C.-C., Bagchi, S., and Shroff, N. B. (2009). Tcp/ip timing channels: Theory to implementation. In INFOCOM, pages 2204-2212. IEEE.
  23. Snort (2013). Snort. http://www.snort.org/.
  24. Tariq, M., Baig, M. S., and Saeed, M. T. (2008). Associating the authentication and connection-establishment phases in passive authorization techniques.
  25. Tcpdump (2013). Tcpdump. http://www.tcpdump.org/.
  26. Wendzel, S. and Zander, S. (2012). Detecting protocol switching covert channels. 37th Annual IEEE Conference on Local Computer Networks, 0:280-283.
  27. Zander, S., Armitage, G. J., and Branch, P. (2007a). An empirical evaluation of ip time to live covert channels. In ICON, pages 42-47. IEEE.
  28. Zander, S., Armitage, G. J., and Branch, P. (2007b). A survey of covert channels and countermeasures in computer network protocols. IEEE Communications Surveys and Tutorials, 9(1-4):44-57.
  29. Zhang, D., Askarov, A., and Myers, A. C. (2011). Predictive mitigation of timing channels in interactive systems. In Proceedings of the 18th ACM conference on Computer and communications security, CCS 7811, pages 563-574, New York, NY, USA. ACM.
Download


Paper Citation


in Harvard Style

Campo Giralte L., Conde C., Martin De Diego I. and Cabello E. (2013). InCC: Hiding Information by Mimicking Traffic In Network Flows . In Proceedings of the 10th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2013) ISBN 978-989-8565-73-0, pages 5-14. DOI: 10.5220/0004436600050014


in Bibtex Style

@conference{secrypt13,
author={Luis Campo Giralte and Cristina Conde and Isaac Martin De Diego and Enrique Cabello},
title={InCC: Hiding Information by Mimicking Traffic In Network Flows},
booktitle={Proceedings of the 10th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2013)},
year={2013},
pages={5-14},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004436600050014},
isbn={978-989-8565-73-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 10th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2013)
TI - InCC: Hiding Information by Mimicking Traffic In Network Flows
SN - 978-989-8565-73-0
AU - Campo Giralte L.
AU - Conde C.
AU - Martin De Diego I.
AU - Cabello E.
PY - 2013
SP - 5
EP - 14
DO - 10.5220/0004436600050014