Detection of Size Modulation Covert Channels Using Countermeasure Variation
Steffen Wendzel (Fraunhofer FKIE & Worms University of Applied Sciences, Germany)
Florian Link (Worms University of Applied Sciences, Germany)
Daniela Eller (Worms University of Applied Sciences, Germany)
Wojciech Mazurczyk (Warsaw University of Technology, Poland)
Abstract: Network covert channels enable stealthy communications for malware and data exfiltration. For this reason, developing effective countermeasures for these threats is important for the protection of individuals and organizations. However, due to the large number of available covert channel techniques, it is considered impractical to develop countermeasures for all existing covert channels.
In recent years, researchers started to develop countermeasures that (instead of only countering one particular hiding technique) can be applied to a whole family of similar hiding techniques. These families are referred to as hiding patterns.
Considering above, the main contribution of this paper is to introduce the concept of countermeasure variation. Countermeasure variation is a slight modification of a given countermeasure that was designed to detect covert channels of one specific hiding pattern so that the countermeasure can also detect covert channels that are representing other hiding patterns.
We exemplify countermeasure variation using the compressibility score, the ε-similarity and the regularity metric originally presented by Cabuk et al. All three methods are used to detect covert channels that utilize the Inter-packet Times pattern and we show that countermeasure variation allows the application of these countermeasures to detect covert channels of the Size Modulation pattern, too.
Keywords: covert channels, information hiding, network security, network steganography, patterns
Categories: B.4.1, C.2.2, C.2.5, C.2.6, D.4.6, K.6.5, K.7.m