Detection of Covert Channels through VPNs – Final Presentation
Noam Segev, Israel Chernyak, Evgeny Reznikov
Supervisor: Gabi Nakibly, Ph.D.

Posted 23-Feb-2016

Page 1

Detection of Covert Channels through VPNs – Final Presentation

Noam Segev, Israel Chernyak, Evgeny Reznikov

Supervisor: Gabi Nakibly, Ph.D.

Page 2

Covert Channels over VPNs

Page 3

Mission Statement

Create a covert channel detector that would function in the described scenario.

The detector’s operation:
- A learning period on clean traffic
- Two traffic samples:
  - A clean sample
  - Traffic containing a covert channel

Goal: correct classification of both samples

Page 4

Methods Description

We used four detection methods in the creation of the detector:
- BLOSUM
- PSPM
- Learning algorithm
- Entropy-based approach

Page 5

BLOSUM and PSPM

Both are taken from the field of bioinformatics.

BLOSUM (BLOcks of Amino Acid SUbstitution Matrix) is a substitution matrix used for sequence alignment of proteins.

PSPM (Position Specific Probability Matrix) is likewise used for protein sequence alignment: the algorithm constructs a matrix of the probabilities of each amino acid being present at each position in the sequence.

Page 6

BLOSUM algorithm

We break the learning communication down into 10 groups of 10 packets (total length 100).

We define the probability of a value $X_i$ to be

$$p_i = \frac{\#\,\text{packets with } X_i}{\#\,\text{packets}}$$

We define the probability of a pair of values, $X_{i_1}$ in packet $a$ and $X_{i_2}$ in packet $b$, to be

$$q_{i_1,i_2} = \frac{\#\,\text{packets with } X_{i_1} \text{ (in } a\text{) and } X_{i_2} \text{ (in } b\text{)}}{\#\,\text{packets}}$$

When receiving a new packet we compare it to a packet from the original communication using the score

$$s_{i,j} = 2\log_2 \frac{q_{i,j}}{p_i\, p_j}$$

The values checked can be packet size or packet delay.

Page 7

PSPM

We break the learning communication down into 10 groups of 10 packets (total length 100).

We define the probability of a value $X_i$ at position $j$ to be

$$p_{i,j} = \frac{\#\,\text{packets with } X_i \text{ at position } j}{\#\,\text{packets at position } j}$$

The values checked can be packet size or packet delay.
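As an added example (not the team's code), the following Python builds the BLOSUM scores of page 6 and the PSPM of page 7 from a constructed, quantized learning sample; the bin width, the definition of a pair as two symbols at the same position in two different groups, and the penalty for pairs never seen in learning are assumptions.

```python
from collections import Counter
from math import log2

# Constructed learning sample (not captured traffic): 100 packet sizes in bytes
# that strictly alternate, i.e. a strongly structured pattern.
LEARNING_SIZES = [512, 1460] * 50
GROUPS, GROUP_LEN = 10, 10          # "10 groups of 10", as on the slide

def quantize(sizes, step=100):
    """Map raw sizes to symbols (the 'amino acids'); the bin width is an assumption."""
    return [s // step for s in sizes]

def blocks(symbols):
    """Split the first GROUPS*GROUP_LEN symbols into GROUPS aligned blocks."""
    seq = symbols[:GROUPS * GROUP_LEN]
    return [seq[g * GROUP_LEN:(g + 1) * GROUP_LEN] for g in range(GROUPS)]

def blosum(symbols):
    """Return (p, q, s): background frequencies p_i, pair frequencies q_{i1,i2}
    and scores s_{i,j} = 2*log2(q_{i,j} / (p_i p_j)) as written on the slide.
    Assumption: a 'pair' is two symbols at the same position in two different
    blocks (the aligned-column pairs BLOSUM counts), taken as ordered pairs so
    that q_{i,j} is directly comparable with p_i * p_j."""
    seq = symbols[:GROUPS * GROUP_LEN]
    p = {sym: c / len(seq) for sym, c in Counter(seq).items()}
    pairs = Counter()
    for pos in range(GROUP_LEN):
        column = [blk[pos] for blk in blocks(symbols)]
        pairs.update((column[a], column[b])
                     for a in range(GROUPS) for b in range(GROUPS) if a != b)
    total = sum(pairs.values())
    q = {pair: c / total for pair, c in pairs.items()}
    s = {(i, j): 2 * log2(q[(i, j)] / (p[i] * p[j])) for (i, j) in q}
    return p, q, s

def pspm(symbols):
    """p_{i,j} = #packets with X_i at position j / #packets at position j (page 7)."""
    table = {}
    for pos in range(GROUP_LEN):
        column = [blk[pos] for blk in blocks(symbols)]
        for sym, c in Counter(column).items():
            table[(sym, pos)] = c / len(column)
    return table

def score(new_sym, orig_sym, s, unseen=-4.0):
    """Compare a new packet's symbol with an original packet's symbol; pairs never
    seen during learning get a fixed penalty (an assumption, not on the slide)."""
    return s.get((new_sym, orig_sym), unseen)
```

With the alternating sample every aligned column holds a single symbol, so only the pairs (5, 5) and (14, 14) occur and each scores 2 log2(0.5 / 0.25) = 2.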

Page 8

Learning Algorithm

There exists a range of weaker algorithms for covert channel detection.

Each weak algorithm is either less accurate or only good for detecting a certain type of covert channel.

We utilized a learning algorithm in an attempt to boost and combine the effectiveness of several of the weaker algorithms.

Page 9

Learning Algorithm

We used the C4.5 learning algorithm to combine three of the weaker algorithms:
- Regularity detection
- Histogram of packet times/sizes
- Epsilon similarity

Page 10

Learning algorithm metrics

Regularity: the standard deviation of the relative differences between the standard deviations $\sigma_i$ of the inter-arrival times in consecutive windows:

$$\text{regularity} = \mathrm{STDEV}\left(\frac{|\sigma_i - \sigma_j|}{\sigma_i},\; i<j,\; \forall i,j\right)$$

Histogram: histogram of packet times/sizes.

Page 11

Epsilon Similarity

Stores and sorts the list of all inter-arrival times between packets. $P_i$ is inter-arrival time $i$ in the sorted list.

Epsilon similarity: the percentage of values $|P_i - P_{i+1}| / P_i$ that are smaller than epsilon.
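An added example (not the team's code) computing the regularity metric of page 10 and the epsilon similarity of page 11 over constructed inter-arrival times; the window size of 10, the epsilon value and the sample data are assumptions.

```python
import random
import statistics

# Constructed inter-arrival times in seconds (not captured traffic).
# Covert-looking: strictly alternating 0.1 / 0.2 s, i.e. a timing pattern.
COVERT_IAT = [0.1, 0.2] * 50
# Clean-looking: normally distributed around 0.5 s, seeded for reproducibility.
_rng = random.Random(7)
CLEAN_IAT = [abs(_rng.gauss(0.5, 0.1)) for _ in range(100)]

def regularity(iat, window=10):
    """Regularity (page 10): the standard deviation of |sigma_i - sigma_j| / sigma_i
    over all window pairs i < j, where sigma_i is the standard deviation of the
    inter-arrival times in window i. Values near zero mean suspiciously regular
    timing; the window size is an assumption."""
    windows = [iat[k:k + window] for k in range(0, len(iat) - window + 1, window)]
    sigma = [statistics.pstdev(w) for w in windows]
    ratios = [abs(sigma[i] - sigma[j]) / sigma[i]
              for i in range(len(sigma)) for j in range(i + 1, len(sigma))
              if sigma[i] > 0]
    return statistics.pstdev(ratios) if len(ratios) > 1 else 0.0

def epsilon_similarity(iat, epsilon):
    """Epsilon similarity (page 11): percentage of |P_i - P_{i+1}| / P_i below
    epsilon, P being the sorted inter-arrival times. Many near-identical gaps,
    as produced by a channel that reuses a few fixed delays, inflate this value."""
    p = sorted(iat)
    rel = [abs(p[i] - p[i + 1]) / p[i] for i in range(len(p) - 1) if p[i] > 0]
    return 100.0 * sum(1 for r in rel if r < epsilon) / len(rel)

def metrics(iat, epsilon=0.01):
    """Feature vector for one traffic sample, as handed to the learning algorithm."""
    return {"regularity": regularity(iat),
            "epsilon_similarity": epsilon_similarity(iat, epsilon)}
```

For the alternating sample all windows have the same standard deviation, so the regularity is exactly 0 and 98 of the 99 sorted gaps are zero, giving an epsilon similarity of about 99%.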

Page 12

Learning Algorithm – cont.

During the semester we compiled a collection of traffic samples created by 3 of the covert channel programs designed by previous teams, as well as some samples of randomly generated traffic with a normal distribution of sizes and inter-arrival times.

The learning algorithm was given a training set consisting of the answers all the above methods gave for each packet in the aforementioned traffic.

Page 13

Entropy-based approach

Entropy measures the amount of disorder in a system.

A covert channel injects information into certain communication metrics, thereby increasing the amount of order in those metrics.

By measuring the entropy of a given channel over the above metrics we can try to deduce the existence of a covert channel.

Page 14

Entropy calculation

We used the entropy calculation methods presented in Gianvecchio & Wang ’07:

$$EN(X) = H(X_1,\dots,X_m) = -\sum_{x_1,\dots,x_m} P(x_1,\dots,x_m)\,\log P(x_1,\dots,x_m)$$

$$CE(X_m \mid X_1,\dots,X_{m-1}) = H(X_m \mid X_1,\dots,X_{m-1}) = H(X_1,\dots,X_m) - H(X_1,\dots,X_{m-1})$$

$$CCE(X_m \mid X_1,\dots,X_{m-1}) = CE(X_m \mid X_1,\dots,X_{m-1}) + perc(X_m)\cdot EN(X_1)$$
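An added example (not the team's code) implementing the EN, CE and CCE estimates above over binned inter-arrival times, with equiprobable bins fitted on clean training data as in Gianvecchio & Wang; the sample data, the number of bins and the detection threshold are assumptions.

```python
import random
from bisect import bisect_right
from collections import Counter
from math import log2

# Constructed inter-arrival times in seconds (not captured traffic).
_rng = random.Random(3)
TRAINING_IAT = [_rng.uniform(0.05, 0.3) for _ in range(200)]   # clean, for fitting bins
CLEAN_IAT = [_rng.uniform(0.05, 0.3) for _ in range(100)]      # clean sample to classify
COVERT_IAT = [0.1, 0.2] * 50                                   # alternating: predictable

def make_bins(training, q=5):
    """Equiprobable bin edges from clean training data (Q=5 bins, as in the paper)."""
    srt = sorted(training)
    return [srt[len(srt) * k // q] for k in range(1, q)]

def quantize(values, edges):
    """Map each inter-arrival time to the index of the bin it falls in."""
    return [bisect_right(edges, v) for v in values]

def pattern_counts(symbols, m):
    """Occurrence counts of every length-m pattern (x_1, ..., x_m) in the sequence."""
    return Counter(tuple(symbols[i:i + m]) for i in range(len(symbols) - m + 1))

def joint_entropy(symbols, m):
    """EN(X) = H(X_1..X_m) = -sum P(x_1..x_m) log P(x_1..x_m), plug-in estimate."""
    counts = pattern_counts(symbols, m)
    n = sum(counts.values())
    return -sum(c / n * log2(c / n) for c in counts.values())

def conditional_entropy(symbols, m):
    """CE(X_m | X_1..X_{m-1}) = H(X_1..X_m) - H(X_1..X_{m-1}); for m = 1 it is H(X_1)."""
    previous = joint_entropy(symbols, m - 1) if m > 1 else 0.0
    return joint_entropy(symbols, m) - previous

def corrected_conditional_entropy(symbols, m):
    """CCE = CE + perc(X_m) * EN(X_1), perc(X_m) being the fraction of length-m
    patterns seen exactly once; this counters the finite-sample bias that
    otherwise drives CE towards zero as m grows."""
    counts = pattern_counts(symbols, m)
    perc = sum(1 for c in counts.values() if c == 1) / sum(counts.values())
    return conditional_entropy(symbols, m) + perc * joint_entropy(symbols, 1)

def cce_score(symbols, max_m=5):
    """Detection statistic: the minimum CCE over pattern lengths 1..max_m."""
    return min(corrected_conditional_entropy(symbols, m) for m in range(1, max_m + 1))

def detect(iat, edges, threshold=0.5, max_m=5):
    """Flag a sample as carrying a covert timing channel when its CCE score falls
    below the threshold (the threshold value is an assumption)."""
    return cce_score(quantize(iat, edges), max_m) < threshold
```

The alternating sample is fully predictable once one symbol is known, so its CE at m = 2 is essentially zero, while the uniform clean sample keeps a score of roughly 2 bits because the perc correction offsets the shrinking CE at larger m.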

Page 15

Entropy variables

Our method calculates the entropy of the following variables:
- Packet delay
- Packet sizes
- Combined (size & time)
- Bursts (k-packet averages of packet size & delay)
- Peaks (maxima points of packet sizes and delays)

Page 16

First Challenge

The challenge consisted of 3 simulations.

Each included:
- A learning phase on clean traffic.
- A detection phase on clean traffic to weed out false positives.
- A detection phase on traffic contaminated by the covert channel.

Page 17

First Challenge – results

In this challenge our detector did not generate any output (which is defined as a negative detection result), due to an error, found only later, that placed the output statements inside an unreachable “if” statement.

Page 18

First Challenge – conclusions

Due to the aforementioned error in our program, the results of the first challenge were inconclusive.

We decided to investigate the sensitivity factor of our methods, since we saw neither false nor true positives.

Page 19

Learning Algorithm – analysis

We hoped that the algorithm would detect a pattern indicating which of the detection methods should be trusted in which case.

If needed, we intended to boost the algorithm by providing more information about the covert channel: statistical information about the packet distribution, as well as the numerical values computed by the aforementioned methods.

Page 20

Learning algorithm – analysis cont.

Unfortunately, it turned out that the covert channels we chose to work with were mainly detected by the histogram method, which didn’t leave much room for maneuver with the learning algorithm.

Page 21

First Challenge – improvements

Several issues were detected in our program:
- The aforementioned error which prevented output from being displayed.
- In the BLOSUM method, there were miscalculations in the algorithm.
- The entropy calculations, albeit correct, suffered from inefficiency, which forced us to reduce several parameters, affecting the accuracy.

Sensitivity factors were tweaked throughout the program.

Page 22

Second Challenge

The second challenge consisted of one simulation, including, as in the first challenge:
- A learning phase on clean traffic.
- A detection phase on clean traffic to weed out false positives.
- A detection phase on traffic contaminated by a covert channel.

Page 23

Second Challenge – results

Unfortunately, after weeding out false positives, no detection was made.

After some investigation, we discovered that the BLOSUM method had, in fact, detected the covert channel, but due to another error it failed to report it.

Page 24

Second Challenge – conclusions

Further refinement of the detection methods’ sensitivity thresholds is necessary.

In the learning algorithm method, the chosen methods proved to be insufficiently robust. Additionally, the lack of covert channel communication samples further undermined our efforts.

Page 25

Future work

It would be interesting to see how the learning algorithm fares given a large amount of traffic samples, as well as stronger methods such as the entropy and BLOSUM methods we implemented during this project.