ABSTRACT
The application-layer covert channels have been extensively studied in recent years. Information-hiding in ubiquitous application packets can significantly improve the capacity of covert channels. However, the undetectability is still a knotty problem, because the existing covert channels are all frustrated by proper detection schemes. In this paper, we propose LiHB, a behavior-based covert channel in HTTP. When a client is browsing a website and downloading webpage objects, we can reveal some fluctuation behaviors that the distribution relationship between the ports opening and HTTP requests are flexible. Based on combinatorial nature of distributing N HTTP requests over M HTTP flows, such fluctuation can be exploited by LiHB channel to encode covert messages, which can obtain high stealthiness. Besides, LiHB achieves a considerable and controllable capacity by setting the number of webpage objects and HTTP flows. Compared with existing techniques, LiHB is the first covert channel implemented based on the unsuspicious behavior of browsers, the most important application-layer software. Because most HTTP proxies are using NAPT techniques, LiHB can also operate well even when a proxy is equipped, which poses a serious threat to individual privacy. Experimental results show that LiHB covert channel achieves a good capacity, reliability and high undetectability.
- M. Bauer. New covert channels in http: adding unwitting web browsers to anonymity sets. In Proceedings of the 2003 ACM workshop on Privacy in the electronic society, pages 72--78. ACM, 2003. Google ScholarDigital Library
- K. Borders and A. Prakash. Web tap: detecting covert web traffic. In Proceedings of the 11th ACM conference on Computer and communications security, pages 110--120. ACM, 2004. Google ScholarDigital Library
- E. Brown, B. Yuan, D. Johnson, and P. Lutz. Covert channels in the http network protocol: Channel characterization and detecting man-in-the-middle attacks. In Proc. 5th Intern. Conf. Information Warfare and Security. Ohio, USA, pages 56--65, 2010.Google Scholar
- S. Cabuk, C. E. Brodley, and C. Shields. Ip covert timing channels: design and detection. In Proceedings of the 11th ACM conference on Computer and communications security, pages 178--187. ACM, 2004. Google ScholarDigital Library
- S. Castro. Covert channel and tunneling over the http protocol detection: Gw implementation theoretical design. Gray World. net Team, Novembro, 2003.Google Scholar
- M. Crotti, M. Dusi, F. Gringoli, and L. Salgarelli. Traffic classification through simple statistical fingerprinting. ACM SIGCOMM Computer Communication Review, 37(1):5--16, 2007. Google ScholarDigital Library
- M. Dusi, M. Crotti, F. Gringoli, and L. Salgarelli. Tunnel hunter: Detecting application-layer tunnels with statistical fingerprinting. Computer Networks, 53(1):81--97, 2009. Google ScholarDigital Library
- A. Dyatlov and S. Castro. Exploitation of data streams authorized by a network access control system for arbitrary data transfers: tunneling and covert channels over the http protocol. Grayworld, USA, http://grayworld.net/projects/papers/html/covert_paper.html, 2003.Google Scholar
- K. Egevang and P. Francis. The ip network address translator (nat). Technical report, RFC 1631, 1994. Google ScholarDigital Library
- R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. Hypertext transfer protocol--http/1.1, 1999.Google Scholar
- A. Galatenko, A. Grusho, A. Kniazev, and E. Timonina. Statistical covert channels through proxy server. In Computer Network Security, pages 424--429. Springer, 2005. Google ScholarDigital Library
- S. Gianvecchio and H. Wang. Detecting covert timing channels: an entropy-based approach. In Proceedings of the 14th ACM conference on Computer and communications security, pages 307--316. ACM, 2007. Google ScholarDigital Library
- S. Gianvecchio and H. Wang. An entropy-based approach to detecting covert timing channels. Dependable and Secure Computing, IEEE Transactions on, 8(6):785--797, 2011. Google ScholarDigital Library
- S. Gianvecchio, H. Wang, D. Wijesekera, and S. Jajodia. Model-based covert timing channels: Automated modeling and evasion. In Recent Advances in Intrusion Detection, pages 211--230. Springer, 2008. Google ScholarDigital Library
- D. Gourley and B. Totty. HTTP: the definitive guide. O'Reilly Media, Inc., 2002. Google ScholarDigital Library
- D. L. Kreher and D. R. Stinson. Combinatorial algorithms: generation, enumeration, and search, volume 7. CRC press, 1998.Google Scholar
- Z. Kwecka. Application layer covert channel analysis and detection. PhD thesis, Edinburgh Napier University, 2006.Google Scholar
- Y. Liu, D. Ghosal, F. Armknecht, A.-R. Sadeghi, S. Schulz, and S. Katzenbeisser. Hide and seek in time-robust covert timing channels. In Computer Security--ESORICS, pages 120--135. Springer, 2009. Google ScholarDigital Library
- Y. Liu, D. Ghosal, F. Armknecht, A.-R. Sadeghi, S. Schulz, and S. Katzenbeisser. Robust and undetectable steganographic timing channels for iid traffic. In Information Hiding, pages 193--207. Springer, 2010. Google ScholarDigital Library
- X. Luo, E. W. Chan, and R. K. Chang. Cloak: A ten-fold way for reliable covert communications. In Computer Security--ESORICS 2007, pages 283--298. Springer, 2007. Google ScholarDigital Library
- X. Luo, E. W. Chan, P. Zhou, and R. K. Chang. Robust network covert communications based on tcp and enumerative combinatorics. Dependable and Secure Computing, IEEE Transactions on, 9(6):890--902, 2012. Google ScholarDigital Library
- X. Luo, P. Zhou, E. W. Chan, R. K. Chang, and W. Lee. A combinatorial approach to network covert communications with applications in web leaks. In Dependable Systems and Networks, 2011 IEEE/IFIP 41st International Conference on, pages 474--485. IEEE, 2011. Google ScholarDigital Library
- F. A. Petitcolas, R. J. Anderson, and M. G. Kuhn. Information hiding-a survey. Proceedings of the IEEE, 87(7):1062--1078, 1999.Google ScholarCross Ref
- SINA. Sina homepage. http://www.sina.com.cn/, May 2014.Google Scholar
- P. Srisuresh and M. Holdrege. Ip network address translator (nat) terminology and considerations. 1999.Google Scholar
- R. P. Stanley. Enumerative combinatorics. vol. 2, volume 62 of cambridge studies in advanced mathematics, 1999.Google Scholar
- F. Wang, L. Huang, H. Miao, and M. Tian. A novel distributed covert channel in http. Security and Communication Networks, 7(6):1031--1041, 2014.Google ScholarDigital Library
- H. Wang and S. Wang. Cyber warfare: steganography vs. steganalysis. Communications of the ACM, 47(10):76--82, 2004. Google ScholarDigital Library
- S. Zander, G. Armitage, and P. Branch. A survey of covert channels and countermeasures in computer network protocols. Communications Surveys and Tutorials, IEEE, 9(3):44--57, 2007. Google ScholarDigital Library
Index Terms
- LiHB: Lost in HTTP Behaviors - A Behavior-Based Covert Channel in HTTP
Recommendations
A Survey and Taxonomy Aimed at the Detection and Measurement of Covert Channels
IH&MMSec '16: Proceedings of the 4th ACM Workshop on Information Hiding and Multimedia SecurityNew viewpoints of covert channels are presented in this work. First, the origin of covert channels is traced back to acc ess control and a new class of covert channel, air-gap covert channels, is presented. Second, we study the design of covert channels ...
Concealed in web surfing
Application-layer covert channels have been extensively studied in recent years. Ubiquitous application packets serving as covert carriers contain a considerable potential channel capacity. However, undetectability is still a challenging task to be ...
Out-of-Band Covert Channels—A Survey
A novel class of covert channel, out-of-band covert channels, is presented by extending Simmons’ prisoners’ problem. This new class of covert channel is established by surveying the existing covert channel, device-pairing, and side-channel research. ...
Comments