Abstract
Numerous network anomaly detection techniques utilize traffic summaries (e.g., NetFlow records) to detect and diagnose attacks. In this paper we investigate the limits of such approaches, by introducing a technique by which compromised hosts can communicate without altering the behavior of the network as evidenced in summary records of many common types. Our technique builds on two key observations. First, network anomaly detection based on payload-oblivious traffic summaries admits a new type of covert embedding in which compromised nodes embed content in the space vacated by compressing the payloads of packets already in transit between them. Second, point-to-point covert channels can serve as a “data link layer” over which routing protocols can be run, enabling more functional covert networking than previously explored. We investigate the combination of these ideas, which we term Summary-Invisible Networking (SIN), to determine both the covert networking capacities that an attacker can realize in various tasks and the possibilities for defenders to detect these activities.
© 2011 Springer-Verlag Berlin Heidelberg
Cite this paper
Wei, L., Reiter, M.K., Mayer-Patel, K. (2011). Summary-Invisible Networking: Techniques and Defenses. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds) Information Security. ISC 2010. Lecture Notes in Computer Science, vol 6531. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-18178-8_19
DOI: https://doi.org/10.1007/978-3-642-18178-8_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-18177-1
Online ISBN: 978-3-642-18178-8