Covert Channel Detection

Peter Van Epp vanepp at sfu.ca
Fri Jul 21 11:15:03 EDT 2000


> 
> Gentle people,
>    Russell has a great point,  for the most part
> it's simple flow statistics that can tell you that
> something is amuck on a given port.  And to address
> one of Peter's concerns, even with encryption, in
> many cases, the flow statistics will give away the
> ghost.

	Or the protocol pattern even in the encrypted data. The NFR folks have
a BO detector that looks for a pattern of data in the encrypted stream which
gives it away. Of course with source (and knowing NFR and argus are out there)
the cracker community is of course looking for a way around that. But as you
say, there is a necessary pattern of connections that is unusual and should
be detectable. As I say, it's easy for me to see such patterns in the output
but I'm not sure how I'd get software to be able to do that same thing.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


