Networking and Security Research Group

Integrating Covert Channel Detection into an Open Source IDS

Architecture

As the basis for our implementation we chose Bro (our technical reports explain why). This page gives a brief overview of the architecture of our IDS extension for Bro; for more details please refer to the technical reports.


Covert Channel Detection Architecture

We extend Bro with plugins that extract features from traffic and analyse the extracted features. We use Bro's plugin capability and do not modify any Bro internals. The whole infrastructure is held together by a custom Bro script that manages the communication flows between our plugins and with Bro. To make use of our IDS extension, one needs to change that script accordingly, either by loading additional scripts from an existing script and/or by modifying an existing script.

Whenever Bro sniffs a packet from the network, it first identifies the flow the packet belongs to. The flow / connection is then passed along with the packet for inspection, and events of interest are raised, e.g. a new_packet event for every packet, an ICMP_echo_request event whenever the packet is an ICMP echo request, and so on. Bro script is event-driven, so writing event handlers for specific events and raising events are at the heart of Bro script execution.

We have created three new types of plugins that are responsible for extracting features from the observed traffic (Feature Extraction Plugin), calculating metrics based on the extracted features (Analysis Plugin) and classifying the traffic into legitimate and covert channel based on the calculated metrics and a model of the properties of legitimate traffic and covert channels (Classifier Plugin).

Whenever a feature of interest, e.g. some header field, is extracted (in the Feature Extraction Plugin), an event is raised containing the corresponding feature value. The event carrying the feature value (or set of feature values) is then handled by the Analysis Plugin. To be more precise, the event is handled by the Bro script, which passes the value to the Analysis Plugin. Once the Analysis Plugin has calculated its metric, another event may be raised carrying the value of that analysis metric. The metric values can be passed on to a classifier (such as a decision tree), or they can be handled directly in the script, e.g. an e-mail notification can be sent when a certain threshold is violated.

Current set of features extracted

  • URG_Flag and URG_ptr from the TCP header. When URG_Flag is 0, URG_ptr should not be used (its value should be 0). A packet whose URG_Flag is 0 yet whose URG_ptr is non-zero is therefore quite suspicious.
  • TTL extracted from IP header to detect the possibility of value modulation covert channels embedded in the TTL variations [7].
  • Packet Length extracted from IP header to detect the possibility of size modulation covert channels [8].
  • ICMP payload to detect Ping Tunnel packets [9].
  • Inter arrival time to detect the possibility of timing covert channels [10,11].
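The header features above are obtained in the project's Feature Extraction Plugin; the following is an added example, not the project's plugin code, that shows the same extraction step in plain Python: it parses an IPv4/TCP packet from raw bytes, returns TTL, IP total length, URG flag and urgent pointer, and flags the "URG_Flag is 0 but URG_ptr is not 0" inconsistency. The sample packets, fixed ports and zero checksums are constructed for the example.

```python
"""Feature extraction for the TCP/IP header fields listed above.

Added example, not the project's Bro plugin code. Sample packets are
constructed here (checksums left as 0), so everything runs offline.
"""
import struct

IPV4_HDR = "!BBHHHBBH4s4s"  # version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst
TCP_HDR = "!HHIIBBHHH"      # sport, dport, seq, ack, data offset, flags, window, csum, urgent pointer
TCP_URG = 0x20              # URG bit in the TCP flags byte
TCP_ACK = 0x10


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Return the header features of one IPv4/TCP packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, _src, _dst = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4  # IP header length in bytes, options included
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    _sport, _dport, _seq, _ack, _off, flags, _win, _tcsum, urg_ptr = struct.unpack(TCP_HDR, tcp[:20])
    return {
        "ttl": ttl,              # value-modulation channel candidate
        "length": total_len,     # size-modulation channel candidate
        "urg_flag": 1 if flags & TCP_URG else 0,
        "urg_ptr": urg_ptr,
    }


def extract_features(pkt: bytes) -> dict:
    """Feature-extraction step: header fields plus the URG consistency check."""
    f = parse_ipv4_tcp(pkt)
    # RFC 793: the urgent pointer is only interpreted when URG is set, so a
    # non-zero pointer on a packet without URG is the suspicious case listed above.
    f["urg_inconsistent"] = f["urg_flag"] == 0 and f["urg_ptr"] != 0
    return f


def build_packet(ttl: int, urg_flag: int, urg_ptr: int, payload: bytes = b"") -> bytes:
    """Constructed IPv4/TCP packet for testing (fixed ports, zero checksums)."""
    flags = TCP_ACK | (TCP_URG if urg_flag else 0)
    tcp = struct.pack(TCP_HDR, 40000, 80, 1, 1, 5 << 4, flags, 65535, 0, urg_ptr) + payload
    ip = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(tcp), 1, 0, ttl, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp


# Constructed samples: a normal ACK, an ACK carrying a non-zero urgent pointer
# without URG, and a legitimate URG packet.
SAMPLE_PACKETS = [
    build_packet(64, 0, 0),
    build_packet(64, 0, 0x4142),
    build_packet(128, 1, 3, b"abc"),
]


def suspicious_indices(packets) -> list:
    """Indices of packets whose URG flag and urgent pointer disagree."""
    return [i for i, p in enumerate(packets) if extract_features(p)["urg_inconsistent"]]


if __name__ == "__main__":
    for i, p in enumerate(SAMPLE_PACKETS):
        print(i, extract_features(p))
```

In the real extension each of these values would be raised as a Bro event for the Analysis Plugin rather than returned in a dictionary; the parser only covers the fixed 20-byte TCP header, which is all the URG check needs.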

Currently implemented analysis engines

  • Kolmogorov-Smirnov test.
  • (First order) Entropy.
  • Corrected Conditional Entropy (CCE) [12].
  • Multi Modality [13].
  • Autocorrelation [13].
  • Regularity Analysis [14].
  • Null, which just passes the feature value through as the analysis result.
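To make the engine list and the feature -> metric -> classifier flow from the architecture section concrete, here is an added example (not the project's plugin code) with stdlib-only implementations of four of the engines above: first-order entropy, the two-sample Kolmogorov-Smirnov statistic, autocorrelation and Cabuk-style regularity, followed by a threshold classifier over the resulting metrics. The TTL streams and the THRESHOLDS values are constructed and hypothetical; in a deployment the thresholds would come from a model of legitimate traffic.

```python
"""Analysis engines and threshold classifier over one feature stream.

Added example, not the project's Bro plugin code. Streams and thresholds
below are constructed/hypothetical.
"""
import math
from bisect import bisect_right
from collections import Counter
from statistics import pstdev


def entropy(values) -> float:
    """First-order Shannon entropy (bits) of the observed value distribution."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def ks_statistic(sample, reference) -> float:
    """Two-sample Kolmogorov-Smirnov D: largest gap between the empirical CDFs."""
    s, r = sorted(sample), sorted(reference)
    d = 0.0
    for x in set(s) | set(r):
        d = max(d, abs(bisect_right(s, x) / len(s) - bisect_right(r, x) / len(r)))
    return d


def autocorrelation(values, lag: int) -> float:
    """Normalised autocorrelation at the given lag; 0.0 for a constant stream."""
    n, mean = len(values), sum(values) / len(values)
    var = sum((v - mean) ** 2 for v in values)
    if var == 0:
        return 0.0
    return sum((values[i] - mean) * (values[i + lag] - mean) for i in range(n - lag)) / var


def regularity(values, window: int) -> float:
    """Cabuk et al. regularity: std dev of |sigma_i - sigma_j| / sigma_i over
    per-window standard deviations. Values near 0 mean very regular windows."""
    sigmas = [pstdev(values[i:i + window]) for i in range(0, len(values) - window + 1, window)]
    diffs = [abs(sigmas[i] - sigmas[j]) / sigmas[i]
             for i in range(len(sigmas)) for j in range(i + 1, len(sigmas)) if sigmas[i] > 0]
    return pstdev(diffs) if len(diffs) > 1 else 0.0


# Hypothetical thresholds standing in for a trained classifier model.
THRESHOLDS = {"entropy": 1.5, "ks": 0.3}


def run_engines(values, reference) -> dict:
    """Analysis Plugin step: every engine's metric for one feature stream."""
    return {
        "entropy": entropy(values),
        "ks": ks_statistic(values, reference),
        "autocorr": autocorrelation(values, 1),
        "regularity": regularity(values, 4),
    }


def classify(metrics: dict, thresholds=THRESHOLDS) -> list:
    """Classifier step: names of metrics above threshold (empty list = legitimate)."""
    return sorted(k for k, limit in thresholds.items() if metrics[k] > limit)


# Constructed TTL streams for one flow: a host with a fixed TTL versus a sender
# cycling the low TTL bits (value modulation).
LEGIT_TTL = [64] * 16
COVERT_TTL = [64, 65, 66, 67] * 4


def detect(values, reference=LEGIT_TTL) -> list:
    """Full flow: feature stream -> metrics -> threshold verdict."""
    return classify(run_engines(values, reference))


if __name__ == "__main__":
    print("legit :", run_engines(LEGIT_TTL, LEGIT_TTL), detect(LEGIT_TTL))
    print("covert:", run_engines(COVERT_TTL, LEGIT_TTL), detect(COVERT_TTL))
```

The same functions apply unchanged to the other feature streams listed on this page (packet lengths, inter-arrival times): only the reference sample and the thresholds change per feature. In the Bro-based extension, `detect` corresponds to the script handling the metric event and deciding whether to notify or hand the metrics to the classifier plugin.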
Authors: Dr Sebastian Zander, e-mail: S.Zander@murdoch.edu.au | Dr Hendra Gunadi, e-mail: hendra.gunadi@murdoch.edu.au

    This project is supported by a grant provided by the Comcast Innovation Fund.