Covert Channel Detection

Carter Bullard carter at qosient.com
Fri Jul 21 11:59:59 EDT 2000


Hey Peter,

> be detectable. As I say it's easy for me to see such patterns
> in the output
> but I'm not sure how I'd get software to be able to do that
> same thing.
> 

Well, this is the fun part!  I can do some of it, the
question is, "is this something that we want to support
in every Argus record we generate"?  I believe the answer
is yes!

Adding packet burst information to the flow records
will really make a big contribution, as this is a sensitive
metric that can be used in conjunction with other numbers
to do decent application/service fingerprinting.  Decent
enough to generate categories of protocol behavior.  This
is doable, but will require some interesting Argus data
analysis.  I'm really interested in this kind of stuff,
and so I'll put a lot of effort into it.

One of the real questions I have is the type and amount
of user data that we'll need to collect on each
transaction to reliably identify the next layer protocol.
In most situations we'll only need about 16 bytes,
but it may need up to 32.  Any thoughts?

Carter
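As an added illustration (not Argus code, and not Carter's), here is a small Python sketch of the two points above: per-flow packet-burst metrics from one direction of a flow, and how many leading user-data bytes a prefix-signature classifier needs before every sample is identified. The gap threshold, the signature set and the sample payloads are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Assumed inter-arrival gap (seconds) that ends one burst and starts the next.
BURST_GAP = 0.05

def burst_metrics(pkts: List[Tuple[float, int]], gap: float = BURST_GAP) -> Tuple[int, int, float]:
    """pkts: (timestamp, payload_bytes) for one direction of a flow, in time order.
    Returns (burst_count, largest_burst_bytes, mean_packets_per_burst)."""
    if not pkts:
        return (0, 0, 0.0)
    bursts = [[pkts[0][1]]]
    for (t_prev, _), (t_cur, size) in zip(pkts, pkts[1:]):
        if t_cur - t_prev > gap:
            bursts.append([size])      # quiet gap: a new burst begins
        else:
            bursts[-1].append(size)
    return (len(bursts), max(map(sum, bursts)), len(pkts) / len(bursts))

# Signatures anchored on the leading user-data bytes (constructed, not Argus's).
SIGNATURES: Dict[str, bytes] = {
    "http": rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]",
    "ssh":  rb"^SSH-[12]\.\d+-",
    "smtp": rb"^220 \S+ E?SMTP",
    "ftp":  rb"^220 \S+ FTP",
}

def classify(payload: bytes) -> str:
    for name, pat in SIGNATURES.items():
        if re.match(pat, payload):
            return name
    return "unknown"

def bytes_needed(samples: Dict[str, bytes], limit: int = 64) -> int:
    """Smallest prefix length at which every sample still classifies correctly;
    -1 if no prefix up to `limit` is enough."""
    for n in range(1, limit + 1):
        if all(classify(p[:n]) == label for label, p in samples.items()):
            return n
    return -1

# Constructed first-packet payloads; note SMTP and FTP share the "220 " greeting,
# so the protocol token only appears after the server's hostname.
SAMPLES: Dict[str, bytes] = {
    "http": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n",
    "ssh":  b"SSH-1.99-OpenSSH_2.1.1\r\n",
    "smtp": b"220 mail.example.com ESMTP ready\r\n",
    "ftp":  b"220 ftp.example.com FTP server ready\r\n",
}
```

With these samples, bytes_needed(SAMPLES) returns 26: 16 bytes would leave the two "220 " greetings indistinguishable, which is the 16-versus-32 question in concrete form.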
