guido pineda reyes€¦ · guido pineda reyes msc. systems and networking engineering university of...
TRANSCRIPT
Covert channel detection using flow-data
Guido Pineda Reyes
MSc. Systems and Networking EngineeringUniversity of Amsterdam
July 3, 2014
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 1 / 46
Outline
1 Introduction
2 Research questions
3 Approach
4 Data analysisICMPDNSHTTP
5 Algorithms
6 ImplementationICMPDNSHTTP
7 Conclusions
8 Q&A
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 2 / 46
Covert ChannelsDefinition
Lampson, 1973
“... A communication channel that is used for information transmission,but that is not intended for communications...”
National Computer Security Centre Maryland Meade, 1985
“Communication channel that can be exploited ... to transfer informationin a manner that violates the system’s security policy”
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 3 / 46
Malicious usage
Data exfiltration
Intrusion maintenance
Botnet control
Malware updates
Gathering of sensitive information
...
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 4 / 46
Chosen techniques
ICMP tunnel
ICMP reverse shell
DNS tunnel
HTTP reverse shell
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 5 / 46
Flow-dataOverview
Netflow is a monitoring tool
Describes the method for a collector to export statistics about IPpackets passing an observation point.
Netflow v10 aka IPFIX (RFC 5101)
Payload is not included
Flow
Packets with a set of common properties:
source address and port number
ingress interface
destination address and port number
network layer protocol
type of service (TOS)
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 6 / 46
Research questions
Is it possible to detect network-based covert channel maliciousactivity by using flow-data?
How do the selected covert channel techniques work?What is the difference between normal traffic and covert channel trafficbehaviour using the chosen techniques?What algorithms can be used to detect network-based covert channeltraffic?How can this results be validated?
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 7 / 46
ApproachData gathering
Regular traffic
Protocol Total bytes (MB) Total packets Total bidirectional flowsICMP 698.5 3445152 169DNS 1638.6 3981600 53490HTTP 1956.27 1818293 40107
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 8 / 46
ApproachData gathering
Malicious traffic
Technique Total bytes (MB) Total packets Total bidirectional flowsICMP tunneling 3957.08 4491868 30ICMP reverse shell 196.2 3481308 75DNS tunneling 2746.7 3376230 172HTTP reverse shell 311.39 470985 166
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 9 / 46
ApproachExperimental environment
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 10 / 46
IPFIX templatesExport template: ICMP
Field DescriptionIPV4 SRC ADDR IPv4 source addressIPV4 DST ADDR IPv4 destination addressPROTOCOL IP protocol byteIN BYTES Incoming flow bytes (src ->dst)IN PKTS Incoming flow packets (src ->dst)OUT BYTES Outgoing flow bytes (dst ->src)OUT PKTS Outgoing flow packets (dst ->src)MIN TTL Min flow TTLMAX TTL Max flow TTLICMP TYPE ICMP Type * 256 + ICMP code
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 11 / 46
IPFIX templatesExport template: DNS
Field DescriptionIPV4 SRC ADDR IPv4 source addressIPV4 DST ADDR IPv4 destination addressPROTOCOL IP protocol byteIN BYTES Incoming flow bytes (src ->dst)IN PKTS Incoming flow packets (src ->dst)OUT BYTES Outgoing flow bytes (dst ->src)OUT PKTS Outgoing flow packets (dst ->src)MIN TTL Min flow TTLMAX TTL Max flow TTLDNS QUERY DNS queryDNS QUERY ID DNS query transaction IdDNS QUERY TYPE DNS query type (e.g. 1=A, 2=NS..)DNS RET CODE DNS return code (e.g. 0=no error)
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 12 / 46
IPFIX templatesExport template: HTTP
Field DescriptionIPV4 SRC ADDR IPv4 source addressIPV4 DST ADDR IPv4 destination addressPROTOCOL IP protocol byteIN BYTES Incoming flow bytes (src->dst)IN PKTS Incoming flow packets (src->dst)OUT BYTES Outgoing flow bytes (dst->src)OUT PKTS Outgoing flow packets (dst->src)MIN TTL Min flow TTLMAX TTL Max flow TTLTCP FLAGS Cumulative of all flow TCP flagsHTTP URL HTTP URLHTTP METHOD HTTP METHODHTTP RET CODE HTTP return code (e.g. 200, 304...)
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 13 / 46
Outline
1 Introduction
2 Research questions
3 Approach
4 Data analysisICMPDNSHTTP
5 Algorithms
6 ImplementationICMPDNSHTTP
7 Conclusions
8 Q&A
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 14 / 46
ICMP tunnelPacket ratio distribution
Regular ICMP ICMP tunnel
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 15 / 46
ICMP tunnelBytes per packet distribution
Regular ICMP ICMP tunnel
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 16 / 46
ICMP reverse shellTTL distribution
Regular ICMP ICMP reverse shell
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 17 / 46
Outline
1 Introduction
2 Research questions
3 Approach
4 Data analysisICMPDNSHTTP
5 Algorithms
6 ImplementationICMPDNSHTTP
7 Conclusions
8 Q&A
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 18 / 46
DNS tunnelPacket ratio distribution
Regular DNS DNS tunnel
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 19 / 46
Regular DNSPacket distribution per unique destination IP
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 20 / 46
DNS tunnelPacket distribution per unique destination IP
Destination IP A Destination IP B
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 21 / 46
DNS tunnelPacket distribution per unique destination IP
Destination IP C (Tunnel server)
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 22 / 46
Regular DNSDNS QUERY TYPE analysis
DNS QUERY TYPE # of flows % Type1 40395 75.5 A2 1807 3.39 NS6 4 0.007 SOA
12 438 0.08 PTR16 1 0.002 TXT28 2461 4.6 AAAA33 18 0.03 SRV43 723 1.35 DS48 8083 15.03 DNSKEY
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 23 / 46
DNS tunnelDNS QUERY TYPE analysis
DNS QUERY TYPE # of flows %12 60 34.8810 57 33.141 26 15.120 13 7.56
16 5 2.925 3 1.74
15 3 1.7433 3 1.74
255 1 0.5828 1 0.58
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 24 / 46
Outline
1 Introduction
2 Research questions
3 Approach
4 Data analysisICMPDNSHTTP
5 Algorithms
6 ImplementationICMPDNSHTTP
7 Conclusions
8 Q&A
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 25 / 46
HTTPTCP FLAGS analysis
Cumulative OR-ed of TCP FLAGS for all packets in one flow.
For regular HTTP traffic, this value is well distributed.
But, for malicious HTTP traffic, every flow has the TCP FLAGSvalue = 27
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 26 / 46
Regular HTTPTCP FLAGS analysis
TCP FLAG # of flows Meaning %24 22088 ACK+PUSH 55,072726 10284 ACK+PUSH+SYN 25,641427 5039 ACK+PUSH+SYN+FIN 12,563919 2223 ACK+FIN+SYN 5,542717 163 ACK+FIN 0,406431 162 ACK+PUSH+RST+SYN+FIN 0,403930 93 ACK+PUSH+RST+SYN 0,231923 38 ACK+RST+SYN+FIN 0,094725 15 ACK+PSH+FIN 0,037421 1 ACK+RST+FIN 0,002518 1 ACK+SYN 0,0025
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 27 / 46
HTTPHTTP METHOD analysis per unique destination IP
Destination IP address# of Flows with method:
GET POST HEAD EMPTYA 104 - 1722 105B 114 - 1482 107C 267 25 849 94D - - - 979E 18 - 729 3F 700 - - 10G 628 - - 33H - - - 618I - - 555 4J 371 136 - 39
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 28 / 46
HTTPHTTP METHOD analysis per unique destination IP
For HTTP reverse shell traffic, the amount of POST and GETmethods per unique destination IP address is about 50% each.
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 29 / 46
AlgorithmsDescription
Using a data-set provided by the sponsoring company.
HTTP traffic generated by 150 different web crawlers (64095 flows)
DNS traffic (35219 flows)
ICMP traffic (12352 flows)
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 30 / 46
Proposed alorithmsICMP
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 31 / 46
Proposed alorithmsDNS
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 32 / 46
Proposed alorithmsHTTP
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 33 / 46
Outline
1 Introduction
2 Research questions
3 Approach
4 Data analysisICMPDNSHTTP
5 Algorithms
6 ImplementationICMPDNSHTTP
7 Conclusions
8 Q&A
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 34 / 46
ICMP Tunnel
Before injection After injection
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 35 / 46
ICMPICMP reverse shell
Before injection After injection
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 36 / 46
Outline
1 Introduction
2 Research questions
3 Approach
4 Data analysisICMPDNSHTTP
5 Algorithms
6 ImplementationICMPDNSHTTP
7 Conclusions
8 Q&A
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 37 / 46
DNSDNS tunnel
Analysis on the packet distribution per unique destination IP addressshows suspicious standard deviation values for specific flows.
DNS QUERY TYPE field is effective to retrieve unusual values.
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 38 / 46
Outline
1 Introduction
2 Research questions
3 Approach
4 Data analysisICMPDNSHTTP
5 Algorithms
6 ImplementationICMPDNSHTTP
7 Conclusions
8 Q&A
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 39 / 46
HTTPHTTP reverse shell
After filtering every flow with TCP FLAGS field = 27
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 40 / 46
HTTPHTTP reverse shell
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 41 / 46
HTTPHTTP reverse shell
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 42 / 46
Conclusions
It is possible to detect the tested network-based covert channels byusing flow data.
By establishing a base line behaviour, it is possible to comparebetween regular and suspicious behavior.
Even though, flow-data does not give an insight on the payload of apacket, is still a powerful tool for security analysis.
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 43 / 46
Future work
Implement the proposed algorithms as a script or programminglanguage and with live flow-data
Test more tools for similar behaviour patterns
Test other protocols
Test a bigger data-set for possible false positives
Compare results with other types of malicious traffic
Investigate flow-data with network-based covert timing channels
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 44 / 46
Q&A
Questions?
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 45 / 46
AppendixCovert Channel Classification
Covert Storage Channel
Carries information inside protocol fields
Covert Timing Channel
They use time emission between packets.A time interval can be defined: if a packet is sent during the interval,this codes a one, if no packet is sent this codes a zero.
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 46 / 46