Embed Size (px)
Citation preview
Using a Novel Blending Method Over Multiple Network Connections
for Secure Communications
Jaime C. Acostaand
John Medrano
U.S. Army Research Laboratory
Motivation
– Network attack steps– Locate a network– Analyze traffic– Identify target– Scan nodes for vulnerabilities– Execute exploit
– Issue– Node addresses and traffic flows
Motivation
– Covert Communication– Traditionally seen as adversarial– Data exfiltration
– From a defensive perspective– Hide data in decoy traffic– Hide node endpoints– Avoid scanning– Avoid suspicion for critical data
Covert Communication
– Timing channels
– Timing anomalies
– Generally low throughput
– Data channels
– Unused fields, invalid messages
– Once documented identification is trivial
Objectives
– Scalable throughput
– Reliable
– Dynamic insertion point selection
Research Question
Can we leverage characteristics of network flows for covert, secure communication?
Envisioned Approach
A
FED
CB
Envisioned Approach
Conn1
Conn2
Conn3Conn4
Conn5
Conn6
Conn7Conn8
A
FED
CB
Connections: 1. Unidirectional 2. Fixed size messages sharing the same
a. source and destination MAC, IP, and portsb. protocol type
3. Have an update rate 4. Have a complexity measure
Envisioned Approach
Connection Name
Communication Rate
Connection Complexity
Conn1 5 msg/sec Low
Conn2 10 msg/sec Med
Conn3 1 msg/sec High
...
Conn1
Conn2
Conn3Conn4
Conn5
Conn6
Conn7Conn8
Promiscuous Traffic
Covert Communicators
A
FED
CB
Envisioned Approach
Connection Name
Communication Rate
Connection Complexity
Conn1 5 msg/sec Low
Conn2 10 msg/sec Med
Conn3 1 msg/sec High
...
Conn1
Conn2
Conn3Conn4
Conn5
Conn6
Conn7Conn8
Promiscuous Traffic
Covert Communicators
Hide data within high-complexity payloads
A
FED
CB
Methodology
– Implement a system – Parameters for determining insertion points
– Evaluate– Vary parameter values– Measure throughput and reliability
Network Blending Communication System (NBCS)
Network
Analysis Subsystem
Display Subsystem
Communications Subsystem
Configuration
NBCS Analysis SubsystemNetwork
b0 b1 b2 b3 b4
b0 b1 b2 b3 b4
Connection 1
b0 b1 b2 b3 b4
Packets during window
Connection 2
Connection 3
NBCS Analysis SubsystemNetwork
b0 b1 b2 b3 b4
b0 b1 b2 b3 b4
Connection 1
b0 b1 b2 b3 b4
Packets during window
Connection 2
Connection 3
NBCS Analysis Subsystem
Min/Max = byteComplexities
NBCS Analysis SubsystemNetwork
b0 b1 b2 b3 b4
b0 b1 b2 b3 b4
Connection 1
b0 b1 b2 b3 b4
Packets during window
c0 c1 c2 c3 c4
byteComplexities
sum
Connection 1 complexity
C
Connection 2
Connection 3
Freq.Distribution
NBCS system
Network
Analysis Subsystem
Display Subsystem
Communications Subsystem
Configuration
Communications Subsystem
Connection 1 with sufficient complexity
…
Connection 4 with sufficient complexity
…
Latest packets with sufficient byteComplexities
Communications Subsystem
Connection 1 with sufficient complexity
…
Connection 4 with sufficient complexity
…
Latest packets with sufficient byteComplexities
Attach Sync and Checksum Bytes
check rateToUse
Communications Subsystem
Connection 1 with sufficient complexity
…
Connection 4 with sufficient complexity
…
Latest packets with sufficient byteComplexities
NBCS System
Network
Analysis Subsystem
Display Subsystem
Communications Subsystem
Configuration
Display Subsystem
Requirements – How it can be done
– Hub– Promiscuous by default
– Switch – Port mirroring
– Wireless– Within distance
– Multicast– Within group
Requirements – How it can be done
– Hub– Promiscuous by default
– Switch – Port mirroring
– Wireless– Within distance
– Multicast– Within group
Evaluation - Network Setup
Load A Load BOvert Nodes 6 12Packets/sec 80-100 5200-5500Bytes/sec 95KB – 115KB 2.7MB – 3.5MB# of Connections 15-20 (6 UDP) 40-50 (6 UDP)
Evaluation
– Controlled (favoring low detectability)
– Window Size = 1000ms
– Sync Bytes = 2
– Checksum Bytes = 2
– Protocol to Use = UDP
– Rate Threshold = 10
– Rate to Use = 0.1
Evaluation
– Independent– Byte Complexity Threshold [0.1-0.9]
– Dependent– Throughput– Packet loss
– Procedure– Covert sender and receiver start
simultaneously– Covert data buffer is always full– Run for 5 minutes
Results - Throughput
Results – Packet Loss
Future Work
– More beneficial to hide covert data based on byte similarity?
– Wireless and multicast traffic?
– Automatic parameter tuning in real time depending on network characteristics?
Questions
Preliminary Wireless Tests
Preliminary Wireless Tests
NBCS Analysis SubsystemNetwork
b0 b1 b2 b3 b4
b0 b1 b2 b3 b4
Connection 1
b0 b1 b2 b3 b4
Packets during window
Connection 2
Connection 3
NBCS Analysis Subsystem
Sample byte complexities
NBCS Analysis SubsystemNetwork
b0 b1 b2 b3 b4
b0 b1 b2 b3 b4
Connection 1
b0 b1 b2 b3 b4
Packets during window
c0 c1 c2 c3 c4
byteComplexities
sum
Connection 1 complexity
C
Connection 2
Connection 3
Min Max
