Integrating Covert Channel Detection into an Open Source IDS
Covert channels aim to hide the very existence of communication between two parties by embedding a covert communication inside an existing overt communication (the overt channel) [1,2]. Their use is often motivated by adversarial relationships between two parties, such as government agencies versus criminal or terrorist organisations, hackers or corporate spies versus a company's IT department, or dissenting citizens versus their governments. The huge amount of data and the vast number of different protocols make the Internet a high-bandwidth carrier for covert communications, and a large number of network covert channels have been proposed in recent years.
In many scenarios the potential existence of network covert channels poses a tangible security risk. While the applications for network covert channels are manifold, recent research shows that covert channels are often linked to illicit purposes, including malware. Protocol tunnelling, e.g. UDP over ICMP, has been used for many years to circumvent firewalls or intrusion detection systems, but there is now evidence that several malware families actually use network covert channels. The worm W32.Morto hides its communication with its command and control (C&C) servers in Domain Name System (DNS) messages. Linux.Fokirtor, a Trojan that opens a backdoor and allows an attacker to remotely compromise a host, hides its communications in innocent-looking Secure Shell (SSH) and other server network traffic. Regin covertly communicates with its C&C server by tunnelling secrets in ICMP/ping traffic and embedding commands in HTTP cookies or in custom TCP segments and UDP datagrams. While the covert channels exploited by this malware are not very sophisticated yet, it is only a matter of time until more sophisticated methods are used.
In the academic literature a number of techniques have been proposed to detect covert channels. All of them exploit the inherent need of covert channels to modulate their carriers: the modulation shifts the statistics of the carrier (header field values, packet timing) slightly above the natural 'noise' of legitimate traffic, and that shift is what a detector measures. However, for the vast majority of these techniques there are no publicly available implementations. In the rare cases where an implementation is available, it is usually a proof-of-concept that is not integrated with any common IDS and provides suboptimal performance. Running several research prototypes side by side in real networks is practically infeasible. An integrated IDS solution is needed.
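As an added illustration of what such a detection metric looks like in practice (this is example code written for this page, not BroCCaDe's own code and not the metric set from its technical reports), the Python below computes three metrics from the covert-channel literature over two constructed flows: for timing channels, the entropy of inter-packet delays quantised into bins and the regularity score of Cabuk et al. (the standard deviation of the pairwise relative differences between per-window IPD standard deviations); for storage channels, the entropy of a header field, here the IP TTL, within one flow. The synthetic traffic, the hypothetical covert sender (55 ms/105 ms delays, TTL low bit) and any thresholds are assumptions made for the example; inside an IDS the same statistics would be accumulated per flow from the packets it already parses and could serve as features for a classifier.

```python
# Added example (not part of the BroCCaDe project or its Bro scripts).
# Three covert-channel metrics computed over constructed flows: the covert
# modulation shows up as statistics outside the carrier's natural noise.
import math
import random
from collections import Counter
from statistics import pstdev


def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inter_packet_delays(timestamps):
    """Inter-packet delays (IPDs) of a flow from its packet timestamps."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def ipd_bin_entropy(timestamps, bin_width=0.01):
    """Timing-channel metric: entropy of IPDs quantised into `bin_width`-second
    bins. A sender that signals with a few fixed delays collapses onto a few
    bins and scores far lower than organic traffic."""
    bins = [int(d // bin_width) for d in inter_packet_delays(timestamps)]
    return shannon_entropy(bins)


def ipd_regularity(timestamps, window=20):
    """Regularity metric of Cabuk et al.: split the IPD series into windows,
    take each window's standard deviation sigma_i, and return the standard
    deviation of |sigma_i - sigma_j| / sigma_i over all window pairs i < j.
    Machine-generated timing keeps its variance almost constant from window
    to window, so the score stays close to zero. Windows with zero variance
    are skipped to avoid dividing by zero."""
    ipds = inter_packet_delays(timestamps)
    sigmas = [pstdev(ipds[i:i + window])
              for i in range(0, len(ipds) - window + 1, window)]
    pairs = [abs(si - sj) / si
             for i, si in enumerate(sigmas) for sj in sigmas[i + 1:] if si > 0]
    return pstdev(pairs) if len(pairs) > 1 else 0.0


def header_field_entropy(values):
    """Storage-channel metric: entropy of one header field (e.g. IP TTL)
    observed within a single flow. One sender normally emits a constant TTL,
    so any entropy in the field is worth a closer look."""
    return shannon_entropy(values)


# --- constructed sample flows (synthetic, not captures) ---------------------
def make_legit_flow(n, rng):
    """Organic-looking flow: exponential IPDs with 100 ms mean, constant TTL."""
    t, timestamps = 0.0, []
    for _ in range(n):
        timestamps.append(t)
        t += rng.expovariate(10.0)
    return timestamps, [64] * n


def make_covert_flow(bits, rng):
    """Hypothetical covert sender: each bit selects a 55 ms or 105 ms delay
    (timing channel) and is also copied into the low bit of the TTL
    (storage channel); a little jitter mimics network noise."""
    t, timestamps, ttls = 0.0, [0.0], [64]
    for bit in bits:
        t += (0.105 if bit else 0.055) + rng.uniform(-0.002, 0.002)
        timestamps.append(t)
        ttls.append(64 | bit)
    return timestamps, ttls


def score_flows():
    """Compute all three metrics for one legitimate and one covert flow."""
    rng = random.Random(1)                      # fixed seed: reproducible
    bits = [rng.randrange(2) for _ in range(400)]
    legit_ts, legit_ttl = make_legit_flow(401, rng)
    covert_ts, covert_ttl = make_covert_flow(bits, rng)
    return {
        "legit": {"ipd_entropy": ipd_bin_entropy(legit_ts),
                  "regularity": ipd_regularity(legit_ts),
                  "ttl_entropy": header_field_entropy(legit_ttl)},
        "covert": {"ipd_entropy": ipd_bin_entropy(covert_ts),
                   "regularity": ipd_regularity(covert_ts),
                   "ttl_entropy": header_field_entropy(covert_ttl)},
    }


if __name__ == "__main__":
    for name, metrics in score_flows().items():
        print(name, {k: round(v, 3) for k, v in metrics.items()})
```

Running the script prints the scores for both flows: the legitimate flow has a high IPD entropy, a regularity score well above zero and zero TTL entropy, while the covert flow collapses onto two IPD bins, keeps its window variance almost constant and leaks a full bit per packet into the TTL. A fixed threshold per metric is the simplest decision rule; a trained classifier can combine several such metrics and learn the thresholds from labelled traffic.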
The goal of this project is to implement detection techniques for a selection of prominent network covert channels, both storage channels (which encode data in protocol header fields) and timing channels (which encode data in the timing of packets), integrated within a well-known open source IDS. Our goal is not just to implement various detection techniques: we aim to design and implement a flexible and extensible framework (inside the IDS) on which these detection techniques are based, so that new detection mechanisms can easily be added in the future. Since the existing IDS tools mainly deal with data from the IP layer and above, we focus on covert channels inside the network layer, the transport layer and selected widely used application layer protocols. Covert channels inside the packet payload are out of scope of this project. The project builds on an existing well-known open source IDS, such as Snort or Bro, as the basis for our extension, to avoid reinventing the wheel and to enable easy deployment.
Our project involves the following tasks:
- Identify which IDS is best suited as the basis for our extension.
- Identify a number of metrics that can be used to detect covert channels and can be practically implemented in an existing IDS.
- Identify practical solutions for differentiating between legitimate and covert traffic, such as leveraging machine learning techniques.
- Design and implement an extension for the chosen IDS that implements the metrics and can be easily extended in the future.
- Measure the performance of the implemented prototype in terms of CPU usage, memory usage and classification accuracy.
Outcomes of the project:
- We compared the Snort, Suricata and Bro IDSs and found that Bro is the most suitable IDS for our purposes (see Technical Report 20170818A).
- We identified several metrics that can be implemented in an existing IDS to detect covert channels (see Technical Report 20171117A).
- We integrated a tree-based ML classifier, which can be trained to distinguish between legitimate traffic and covert channels (see Technical Report 20171117B).
- We designed and implemented the Bro Covert Channel Detection (BroCCaDe) framework, an extension for Bro (see Technical Report 20171117B).
- We measured the performance of BroCCaDe in terms of CPU/memory usage and classification accuracy (see Technical Report 20180427A).
- We published the source code of BroCCaDe on GitHub (see the BroCCaDe repository).