guido pineda reyes€¦ · guido pineda reyes msc. systems and networking engineering university of...
TRANSCRIPT
![Page 1: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/1.jpg)
Covert channel detection using flow-data
Guido Pineda Reyes
MSc. Systems and Networking EngineeringUniversity of Amsterdam
July 3, 2014
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 1 / 46
![Page 2: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/2.jpg)
Outline
1 Introduction
2 Research questions
3 Approach
4 Data analysisICMPDNSHTTP
5 Algorithms
6 ImplementationICMPDNSHTTP
7 Conclusions
8 Q&A
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 2 / 46
![Page 3: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/3.jpg)
Covert ChannelsDefinition
Lampson, 1973
“... A communication channel that is used for information transmission,but that is not intended for communications...”
National Computer Security Centre Maryland Meade, 1985
“Communication channel that can be exploited ... to transfer informationin a manner that violates the system’s security policy”
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 3 / 46
![Page 4: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/4.jpg)
Malicious usage
Data exfiltration
Intrusion maintenance
Botnet control
Malware updates
Gathering of sensitive information
...
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 4 / 46
![Page 5: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/5.jpg)
Chosen techniques
ICMP tunnel
ICMP reverse shell
DNS tunnel
HTTP reverse shell
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 5 / 46
![Page 6: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/6.jpg)
Flow-dataOverview
Netflow is a monitoring tool
Describes the method for a collector to export statistics about IPpackets passing an observation point.
Netflow v10 aka IPFIX (RFC 5101)
Payload is not included
Flow
Packets with a set of common properties:
source address and port number
ingress interface
destination address and port number
network layer protocol
type of service (TOS)
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 6 / 46
![Page 7: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/7.jpg)
Research questions
Is it possible to detect network-based covert channel maliciousactivity by using flow-data?
How do the selected covert channel techniques work?What is the difference between normal traffic and covert channel trafficbehaviour using the chosen techniques?What algorithms can be used to detect network-based covert channeltraffic?How can this results be validated?
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 7 / 46
![Page 8: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/8.jpg)
ApproachData gathering
Regular traffic
Protocol Total bytes (MB) Total packets Total bidirectional flowsICMP 698.5 3445152 169DNS 1638.6 3981600 53490HTTP 1956.27 1818293 40107
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 8 / 46
![Page 9: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/9.jpg)
ApproachData gathering
Malicious traffic
Technique Total bytes (MB) Total packets Total bidirectional flowsICMP tunneling 3957.08 4491868 30ICMP reverse shell 196.2 3481308 75DNS tunneling 2746.7 3376230 172HTTP reverse shell 311.39 470985 166
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 9 / 46
![Page 10: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/10.jpg)
ApproachExperimental environment
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 10 / 46
![Page 11: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/11.jpg)
IPFIX templatesExport template: ICMP
Field DescriptionIPV4 SRC ADDR IPv4 source addressIPV4 DST ADDR IPv4 destination addressPROTOCOL IP protocol byteIN BYTES Incoming flow bytes (src ->dst)IN PKTS Incoming flow packets (src ->dst)OUT BYTES Outgoing flow bytes (dst ->src)OUT PKTS Outgoing flow packets (dst ->src)MIN TTL Min flow TTLMAX TTL Max flow TTLICMP TYPE ICMP Type * 256 + ICMP code
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 11 / 46
![Page 12: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/12.jpg)
IPFIX templatesExport template: DNS
Field DescriptionIPV4 SRC ADDR IPv4 source addressIPV4 DST ADDR IPv4 destination addressPROTOCOL IP protocol byteIN BYTES Incoming flow bytes (src ->dst)IN PKTS Incoming flow packets (src ->dst)OUT BYTES Outgoing flow bytes (dst ->src)OUT PKTS Outgoing flow packets (dst ->src)MIN TTL Min flow TTLMAX TTL Max flow TTLDNS QUERY DNS queryDNS QUERY ID DNS query transaction IdDNS QUERY TYPE DNS query type (e.g. 1=A, 2=NS..)DNS RET CODE DNS return code (e.g. 0=no error)
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 12 / 46
![Page 13: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/13.jpg)
IPFIX templatesExport template: HTTP
Field DescriptionIPV4 SRC ADDR IPv4 source addressIPV4 DST ADDR IPv4 destination addressPROTOCOL IP protocol byteIN BYTES Incoming flow bytes (src->dst)IN PKTS Incoming flow packets (src->dst)OUT BYTES Outgoing flow bytes (dst->src)OUT PKTS Outgoing flow packets (dst->src)MIN TTL Min flow TTLMAX TTL Max flow TTLTCP FLAGS Cumulative of all flow TCP flagsHTTP URL HTTP URLHTTP METHOD HTTP METHODHTTP RET CODE HTTP return code (e.g. 200, 304...)
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 13 / 46
![Page 14: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/14.jpg)
Outline
1 Introduction
2 Research questions
3 Approach
4 Data analysisICMPDNSHTTP
5 Algorithms
6 ImplementationICMPDNSHTTP
7 Conclusions
8 Q&A
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 14 / 46
![Page 15: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/15.jpg)
ICMP tunnelPacket ratio distribution
Regular ICMP ICMP tunnel
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 15 / 46
![Page 16: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/16.jpg)
ICMP tunnelBytes per packet distribution
Regular ICMP ICMP tunnel
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 16 / 46
![Page 17: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/17.jpg)
ICMP reverse shellTTL distribution
Regular ICMP ICMP reverse shell
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 17 / 46
![Page 18: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/18.jpg)
Outline
1 Introduction
2 Research questions
3 Approach
4 Data analysisICMPDNSHTTP
5 Algorithms
6 ImplementationICMPDNSHTTP
7 Conclusions
8 Q&A
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 18 / 46
![Page 19: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/19.jpg)
DNS tunnelPacket ratio distribution
Regular DNS DNS tunnel
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 19 / 46
![Page 20: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/20.jpg)
Regular DNSPacket distribution per unique destination IP
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 20 / 46
![Page 21: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/21.jpg)
DNS tunnelPacket distribution per unique destination IP
Destination IP A Destination IP B
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 21 / 46
![Page 22: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/22.jpg)
DNS tunnelPacket distribution per unique destination IP
Destination IP C (Tunnel server)
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 22 / 46
![Page 23: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/23.jpg)
Regular DNSDNS QUERY TYPE analysis
DNS QUERY TYPE # of flows % Type1 40395 75.5 A2 1807 3.39 NS6 4 0.007 SOA
12 438 0.08 PTR16 1 0.002 TXT28 2461 4.6 AAAA33 18 0.03 SRV43 723 1.35 DS48 8083 15.03 DNSKEY
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 23 / 46
![Page 24: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/24.jpg)
DNS tunnelDNS QUERY TYPE analysis
DNS QUERY TYPE # of flows %12 60 34.8810 57 33.141 26 15.120 13 7.56
16 5 2.925 3 1.74
15 3 1.7433 3 1.74
255 1 0.5828 1 0.58
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 24 / 46
![Page 25: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/25.jpg)
Outline
1 Introduction
2 Research questions
3 Approach
4 Data analysisICMPDNSHTTP
5 Algorithms
6 ImplementationICMPDNSHTTP
7 Conclusions
8 Q&A
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 25 / 46
![Page 26: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/26.jpg)
HTTPTCP FLAGS analysis
Cumulative OR-ed of TCP FLAGS for all packets in one flow.
For regular HTTP traffic, this value is well distributed.
But, for malicious HTTP traffic, every flow has the TCP FLAGSvalue = 27
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 26 / 46
![Page 27: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/27.jpg)
Regular HTTPTCP FLAGS analysis
TCP FLAG # of flows Meaning %24 22088 ACK+PUSH 55,072726 10284 ACK+PUSH+SYN 25,641427 5039 ACK+PUSH+SYN+FIN 12,563919 2223 ACK+FIN+SYN 5,542717 163 ACK+FIN 0,406431 162 ACK+PUSH+RST+SYN+FIN 0,403930 93 ACK+PUSH+RST+SYN 0,231923 38 ACK+RST+SYN+FIN 0,094725 15 ACK+PSH+FIN 0,037421 1 ACK+RST+FIN 0,002518 1 ACK+SYN 0,0025
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 27 / 46
![Page 28: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/28.jpg)
HTTPHTTP METHOD analysis per unique destination IP
Destination IP address# of Flows with method:
GET POST HEAD EMPTYA 104 - 1722 105B 114 - 1482 107C 267 25 849 94D - - - 979E 18 - 729 3F 700 - - 10G 628 - - 33H - - - 618I - - 555 4J 371 136 - 39
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 28 / 46
![Page 29: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/29.jpg)
HTTPHTTP METHOD analysis per unique destination IP
For HTTP reverse shell traffic, the amount of POST and GETmethods per unique destination IP address is about 50% each.
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 29 / 46
![Page 30: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/30.jpg)
AlgorithmsDescription
Using a data-set provided by the sponsoring company.
HTTP traffic generated by 150 different web crawlers (64095 flows)
DNS traffic (35219 flows)
ICMP traffic (12352 flows)
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 30 / 46
![Page 31: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/31.jpg)
Proposed alorithmsICMP
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 31 / 46
![Page 32: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/32.jpg)
Proposed alorithmsDNS
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 32 / 46
![Page 33: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/33.jpg)
Proposed alorithmsHTTP
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 33 / 46
![Page 34: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/34.jpg)
Outline
1 Introduction
2 Research questions
3 Approach
4 Data analysisICMPDNSHTTP
5 Algorithms
6 ImplementationICMPDNSHTTP
7 Conclusions
8 Q&A
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 34 / 46
![Page 35: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/35.jpg)
ICMP Tunnel
Before injection After injection
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 35 / 46
![Page 36: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/36.jpg)
ICMPICMP reverse shell
Before injection After injection
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 36 / 46
![Page 37: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/37.jpg)
Outline
1 Introduction
2 Research questions
3 Approach
4 Data analysisICMPDNSHTTP
5 Algorithms
6 ImplementationICMPDNSHTTP
7 Conclusions
8 Q&A
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 37 / 46
![Page 38: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/38.jpg)
DNSDNS tunnel
Analysis on the packet distribution per unique destination IP addressshows suspicious standard deviation values for specific flows.
DNS QUERY TYPE field is effective to retrieve unusual values.
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 38 / 46
![Page 39: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/39.jpg)
Outline
1 Introduction
2 Research questions
3 Approach
4 Data analysisICMPDNSHTTP
5 Algorithms
6 ImplementationICMPDNSHTTP
7 Conclusions
8 Q&A
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 39 / 46
![Page 40: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/40.jpg)
HTTPHTTP reverse shell
After filtering every flow with TCP FLAGS field = 27
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 40 / 46
![Page 41: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/41.jpg)
HTTPHTTP reverse shell
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 41 / 46
![Page 42: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/42.jpg)
HTTPHTTP reverse shell
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 42 / 46
![Page 43: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/43.jpg)
Conclusions
It is possible to detect the tested network-based covert channels byusing flow data.
By establishing a base line behaviour, it is possible to comparebetween regular and suspicious behavior.
Even though, flow-data does not give an insight on the payload of apacket, is still a powerful tool for security analysis.
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 43 / 46
![Page 44: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/44.jpg)
Future work
Implement the proposed algorithms as a script or programminglanguage and with live flow-data
Test more tools for similar behaviour patterns
Test other protocols
Test a bigger data-set for possible false positives
Compare results with other types of malicious traffic
Investigate flow-data with network-based covert timing channels
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 44 / 46
![Page 45: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/45.jpg)
Q&A
Questions?
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 45 / 46
![Page 46: Guido Pineda Reyes€¦ · Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam July 3, 2014 Guido Pineda Reyes (UvA) Covert channel detection using](https://reader033.vdocuments.site/reader033/viewer/2022042403/5f14bda8d9ec005dbb002553/html5/thumbnails/46.jpg)
AppendixCovert Channel Classification
Covert Storage Channel
Carries information inside protocol fields
Covert Timing Channel
They use time emission between packets.A time interval can be defined: if a packet is sent during the interval,this codes a one, if no packet is sent this codes a zero.
Guido Pineda Reyes (UvA) Covert channel detection using flow-data July 3, 2014 46 / 46