Covert Channel Detection

Carter Bullard carter at qosient.com
Thu Jul 20 17:32:44 EDT 2000


Gentle people,
   Continuing the thread on new applications.
Covert channel detection/protocol discovery is
the number 1 issue on my list of things to do
for Argus-2.x.  This, to me, is the primary
problem in enterprise security today, although
not publicly recognized.

   A covert channel detector should be able to
indicate what protocols are being used by
flows, based on packet contents.  I think it
should be knowledgeable of a limited number of
protocols (< 32), and it should have a generic
approach to protocol discovery for protocols
that it doesn't understand.   

   I think that Argus can do the best job at
this by doing some pattern recognition in the
user traffic.  I think for most purposes,
being able to validate the protocol above the
transport layer would be a good start.

   Is anyone interested in this type of work?

Carter



Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 17A
New York, New York  10022

carter at qosient.com
Phone +1 212 813-9426
Fax   +1 212 813-9426
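The protocol validation the post proposes, as an added example that is not Argus code or Carter's own: a small Python classifier that names a few protocols from the opening bytes of a flow's client payload, compares the result with the protocol expected on the destination port, and falls back to an entropy check for payloads it cannot name. The port table, the byte signatures and the sample flows are assumptions constructed here.

```python
import math
import re

# Assumed port -> expected application protocol table (not Argus's own).
EXPECTED = {22: "ssh", 25: "smtp", 80: "http", 443: "tls"}

HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
SMTP_HELLO = re.compile(rb"^(EHLO|HELO) \S+\r\n")

def classify(payload: bytes) -> str:
    """Best-effort identification of the protocol above the transport layer."""
    if HTTP_REQ.match(payload):
        return "http"
    # TLS: record type 0x16 (handshake), major version 0x03, then a ClientHello (0x01).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 \
            and payload[2] <= 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith(b"SSH-2.0-") or payload.startswith(b"SSH-1."):
        return "ssh"
    if SMTP_HELLO.match(payload):
        return "smtp"
    return "unknown"

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8 means encrypted or compressed bytes."""
    if not data:
        return 0.0
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def check_flow(dst_port: int, payload: bytes) -> tuple:
    """Return (identified protocol, verdict) for one flow."""
    seen = classify(payload)
    expected = EXPECTED.get(dst_port)
    if expected is not None and seen != expected:
        return seen, "mismatch"      # something other than the expected protocol on this port
    # Entropy is only meaningful on a reasonably long sample, so short payloads stay "unknown".
    if seen == "unknown" and len(payload) >= 128 and entropy(payload) > 7.0:
        return seen, "opaque"        # unrecognised and near-random: candidate tunnel to inspect
    return seen, "ok" if seen != "unknown" else "unknown"

def audit(flows):
    """Run check_flow over (dst_port, payload) pairs and return the findings."""
    return [(port, *check_flow(port, payload)) for port, payload in flows]

# Constructed sample flows: two honest ones, SSH spoken on the web port, and
# near-random bytes on a port with no expectation.
FLOWS = [
    (80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 16),
    (80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    (8080, bytes(range(256))),
]

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```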
