Covert Channel Detection
Russell Fulton
r.fulton at auckland.ac.nz
Fri Jul 21 00:36:45 EDT 2000
On Thu, 20 Jul 2000 17:32:44 -0400 Carter Bullard <carter at qosient.com>
wrote:
> I think that Argus can do the best job at
> this by doing some pattern recognition in the
> user traffic. I think for most purposes,
> being able to validate the protocol above the
> transport layer would be a good start.
>
> Is anyone interested in this type of work?
I am. We have already seen some interesting covert channels in the
DDoS tools (eg using ECR packets to carry commands) and we saw a
fascinating demonstration at the FIRST meeting in Chicago of using SSL
to tunnel all sorts of traffic through a compromised web server and
thus circumventing a firewall.
[Aside : this was the most impressive live demo I have ever seen -- it
took several hours and they had 5 machines and a router hooked up at
the front of the meeting room. There was only one minor glitch and we
paused 5 minutes early for morning tea while they figured
out what was wrong. It turned out to be finger trouble...]
There are two approaches I see to this problem:
Provide an argus client that calculates various standard stats about
different protocols that we might use to characterise them. This is
what raservices does. The logical extension is to have a client that
loaded in a set of parameters and watched for flows that lay outside
the distributions.
The other approach, which I prefer because I like tinkering with
things, is to provide good access to the raw argus data so that we can
easily extract data that we can feed into a stats package to do more
sophisticated analysis. The experimentalist's approach ;-)
I suspect that we will need different statistics to detect different
types of covert channels. e.g. simple mean and std on flow sizes might
be enough in some cases, in others we may have to look at size or timing
distributions of individual packets. (Netramet will do that for you ;-)
Unfortunately I don't have enough time to do everything that I am
supposed to do now without starting a research project on things like
this.
Cheers, Russell
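The first approach above (a per-service baseline of flow statistics, with flows outside the distribution flagged) as an added example. This is not argus code, not an argus client, and not anything Russell or Carter posted; it is a stand-alone illustration. The flow records are constructed, not captured, and the (proto, dport, packets, bytes) layout is an assumption for the example, not the output format of any particular ra tool. The statistic scored is bytes per packet, which is where an ICMP echo reply (ECR) flow carrying commands stands out from ordinary pings.

```python
"""Flag flows whose bytes-per-packet falls outside a per-service baseline.

Added example, not argus code.  Records are constructed; the field layout
(proto, dport, packets, bytes) is an assumption, not any ra(1) output.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "known good" flows: (proto, dport, packets, bytes).
# ICMP has no ports, so echo-reply flows are keyed with dport 0.
BASELINE = [
    ("tcp", 80, 12, 6400), ("tcp", 80, 10, 5800), ("tcp", 80, 14, 7100),
    ("tcp", 80, 11, 6000), ("tcp", 80, 13, 6900), ("tcp", 80, 9, 5500),
    ("icmp", 0, 4, 336), ("icmp", 0, 4, 336), ("icmp", 0, 5, 420),
    ("icmp", 0, 3, 252), ("icmp", 0, 4, 336), ("icmp", 0, 6, 504),
]

# Constructed flows to score.  The 40-packet ICMP flow averages 1200
# bytes per packet, far above the 84-byte pings in the baseline.
OBSERVED = [
    ("tcp", 80, 12, 6500),       # ordinary web flow
    ("icmp", 0, 4, 336),         # ordinary ping reply
    ("icmp", 0, 40, 48000),      # echo replies stuffed with payload
    ("udp", 53, 2, 140),         # no baseline for this service
]


def build_baseline(flows):
    """Per (proto, dport): mean and population std of bytes-per-packet."""
    per_key = defaultdict(list)
    for proto, dport, pkts, nbytes in flows:
        per_key[(proto, dport)].append(nbytes / pkts)
    return {k: (mean(v), pstdev(v)) for k, v in per_key.items()}


def score_flow(flow, baseline, min_std=1.0):
    """Z-score of the flow's bytes-per-packet against its service baseline.

    Returns None when the service has no baseline.  The std is floored at
    min_std so a perfectly regular baseline (std 0) cannot divide by zero
    and does not flag every minor deviation.
    """
    proto, dport, pkts, nbytes = flow
    key = (proto, dport)
    if key not in baseline:
        return None
    mu, sigma = baseline[key]
    sigma = max(sigma, min_std)
    return (nbytes / pkts - mu) / sigma


def flag_outliers(flows, baseline, threshold=3.0):
    """Return [(flow, z)] for flows with |z| above threshold."""
    flagged = []
    for flow in flows:
        z = score_flow(flow, baseline)
        if z is not None and abs(z) > threshold:
            flagged.append((flow, round(z, 2)))
    return flagged


def detect(observed=OBSERVED, baseline_flows=BASELINE):
    """Run the whole pipeline; returns the flagged flows."""
    return flag_outliers(observed, build_baseline(baseline_flows))


if __name__ == "__main__":
    for flow, z in detect():
        print("outlier: %s z=%s" % (flow, z))
```

The same routine applies unchanged to any other per-flow feature (total bytes, duration, packet count); the post's point that different channels need different statistics shows up here as the choice of feature, not the scoring. Two caveats a practitioner would keep in mind: mean and std assume a roughly symmetric distribution, and flow sizes for many services are heavy-tailed, so a long-running legitimate download can score as high as a covert channel; and a tunnel that deliberately mimics the carrier protocol's packet sizes (the SSL-through-a-web-server demo mentioned above) stays inside this baseline and needs the timing or per-packet distributions the post mentions instead.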