survey

Pattern-Based Survey and Categorization of Network Covert Channel Techniques

Authors:
Steffen Wendzel

Fraunhofer Institute for Communication, Information Processing and Ergonomics FKIE, Germany

Fraunhofer Institute for Communication, Information Processing and Ergonomics FKIE, Germany
View Profile

,
Sebastian Zander

Centre for Advanced Internet Architectures, Swinburne University of Technology, Australia

Centre for Advanced Internet Architectures, Swinburne University of Technology, Australia
View Profile

,
Bernhard Fechner

Department of Systems and Networking, University of Augsburg, Bavaria, Germany

Department of Systems and Networking, University of Augsburg, Bavaria, Germany
View Profile

,
Christian Herdin

Department of Computer Science, University of Rostock, Germany

Department of Computer Science, University of Rostock, Germany
View Profile

Authors Info & Claims

ACM Computing Surveys Volume 47 Issue 3Article No.: 50pp 1–26https://doi.org/10.1145/2684195

Published:01 April 2015Publication History

ACM Computing Surveys

Abstract

Network covert channels are used to hide communication inside network protocols. Various techniques for covert channels have arisen in the past few decades. We surveyed and analyzed 109 techniques developed between 1987 and 2013 and show that these techniques can be reduced to only 11 different patterns. Moreover, the majority (69.7%) of techniques can be categorized into only four different patterns (i.e., most techniques we surveyed are similar). We represent the patterns in a hierarchical catalog using a pattern language. Our pattern catalog will serve as a base for future covert channel novelty evaluation. Furthermore, we apply the concept of pattern variations to network covert channels. With pattern variations, the context of a pattern can change. For example, a channel developed for IPv4 can automatically be adapted to other network protocols. We also propose the pattern-based covert channel optimizations pattern hopping and pattern combination. Finally, we lay the foundation for pattern-based countermeasures: whereas many current countermeasures were developed for specific channels, a pattern-oriented approach allows application of one countermeasure to multiple channels. Hence, future countermeasure development can focus on patterns, and the development of real-world protection against covert channels is greatly simplified.

References

K. Ahsan and D. Kundur. 2002. Practical data hiding in TCP/IP. In Proceedings of the Workshop on Multimedia Security.Google Scholar
C. Alexander, S. Ishikawa, and M. Silverstein. 1977. A Pattern Language: Towns, Buildings, Construction. Oxford University Press, New York, NY.Google Scholar
P. Backs, S. Wendzel, and J. Keller. 2012. Dynamic routing in covert channel overlays based on control protocols. In Proceedings of the International Workshop on Information Security, Theory, and Practice (ISTP’12). IEEE, Los Alamitos, CA, 32--39.Google Scholar
V. Berk, A. Giani, and G. Cybenko. 2005. Detection of Covert Channel Encoding in Network Packet Delays. Technical Report. Department of Computer Science, Dartmouth College, Hanover, NH.Google Scholar
T. Borland. 2008. Guide to Encrypted Dynamic Covert Channels. Retrieved February 23, 2015, from http://turboborland.blogspot.com/2008/12/guide-to-encrypted-dyn amic-covert.html.Google Scholar
W. J. Buchanan and D. Llamas. 2004. Covert channel analysis and detection with reverse proxy servers using Microsoft Windows. In Proceedings of the 3rd European Conference on Information Warfare and Security. 31--40.Google Scholar
S. Cabuk. 2006. Network Covert Channels: Design, Analysis, Detection, and Elimination. Ph.D. Dissertation. Purdue University, West Lafayette, IN. Google ScholarDigital Library
S. Cabuk, C. E. Brodley, and C. Shields. 2009. IP covert channel detection. ACM Transactions on Information and System Security 12, 4, 22:1--22:29. Google ScholarDigital Library
S. Craver. 1998. On public-key steganography in the presence of an active warden. In Information Hiding. Lecture Notes in Computer Science, vol. 1525. Springer, 355--368.Google Scholar
daemon9. 1997. LOKI2 (the implementation). Phrack Magazine 7, 51 (1997). Retrieved February 23, 2015, from http://www.phrack.org/issues.html&quest;issue=51&id=6.Google Scholar
A. Dyatlov and S. Castro. 2005. Exploitation of Data Streams Authorized by a Network Access Control System for Arbitrary Data Transfers: Tunneling and Covert Channels over the HTTP Protocol. Technical Report. Gray-World.net.Google Scholar
A. El-Atawy and E. Al-Shaer. 2009. Building covert channels over the packet reordering phenomenon. In Proceedings of INFOCOM 2009. 2186--2194.Google Scholar
J. Engel, C. Märtin, and P. Forbrig. 2011. HCI patterns as a means to transform interactive user interfaces to diverse contexts of use. In Human-Computer Interaction: Design and Development Approaches. Lecture Notes in Computer Science, vol. 6761. Springer, 204--213. Google ScholarDigital Library
J. Engel, C. Märtin, C. Herdin, and P. Forbig. 2013. Formal pattern specifications to facilitate semi-automated user interface generation. In Human-Computer Interaction: Human-Centred Design Approaches, Methods, Tools, and Environments. Lecture Notes in Computer Science, vol. 8004. Springer, 300--309. Google ScholarDigital Library
H.-G. Esser. 2005. Ausnutzung verdeckter Kanaele am Beispiel eines Web-Servers. Master’s Thesis. RWTH Aachen. (in German).Google Scholar
S. Fincher, J. Finlay, S. Greene, L. Jones, P. Matchen, J. Thomas, and P. J. Molina. 2003. Perspectives on HCI patterns: Concepts and tools. In Proceedings of CHI’03: Extended Abstracts on Human Factors in Computing Systems (CHI EA’03). ACM, New York, NY, 1044--1045. Google ScholarDigital Library
G. Fisk, M. Fisk, C. Papadopoulos, and J. Neil. 2003. Eliminating steganography in Internet traffic with active wardens. In Revised Papers from the 5th International Workshop on Information Hiding. Springer, 18--35. Google ScholarDigital Library
W. Fraczek, W. Mazurczyk, and K. Szczypiorski. 2012. Multi-level steganography: Improving hidden communication in networks. Journal of Universal Computer Science 18, 14, 1967--1986.Google Scholar
A. Gaffar, D. Sinnig, A. Seffah, and P. Forbrig. 2004. Modeling patterns for task models. In Proceedings of the 3rd Annual Conference on Task Models and Diagrams (TAMODIA’04). ACM, New York, NY, 99--104. Google ScholarDigital Library
E. Gamma, R. Helm, R. Johnson, and J. Vlissides. 1994. Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley. Google ScholarDigital Library
A. Getchell. 2008. RE: For those interested in covert channels. A posting on the SecurityFocus penetration testing mailing list. Retrieved February 23, 2015, from http://www.securityfocus.com/archive/101/499640.Google Scholar
S. Gianvecchio and H. Wang. 2007. Detecting covert timing channels: An entropy-based approach. In Proceedings of 14th ACM Conference on Computer and Communication Security (CCS). Google ScholarDigital Library
S. Gianvecchio, H. Wang, D. Wijesekera, and S. Jajodia. 2008. Model-based covert timing channels: Automated modeling and evasion. In Proceedings of the Recent Advances in Intrusion Detection (RAID) Symposium. 211--230. Google ScholarDigital Library
J. Giffin, R. Greenstadt, P. Litwack, and R. Tibbetts. 2003. Covert messaging through TCP timestamps. In Proceedings of the 2nd International Conference on Privacy Enhancing Technologies. 194--208. Google ScholarDigital Library
C. G. Girling. 1987. Covert channels in LAN’s. IEEE Transactions on Software Engineering 13, 2, 292--296. Google ScholarDigital Library
T. Graf. 2003. Messaging over IPv6 Destination Options. Retrieved February 23, 2015, from http://gray-world.net/papers/messip6.txt.Google Scholar
T. G. Handel and M. T. Sandford II. 1996. Hiding data in the OSI network model. In Proceedings of the 1st International Workshop on Information Hiding. 23--38. Google ScholarDigital Library
M. Handley, V. Paxson, and C. Kreibich. 2001. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. In Proceedings of the 10th USENIX Security Symposium, vol. 10. 115--131. Google ScholarDigital Library
A. Herzberg and H. Shulman. 2013. Limiting MitM to MitE covert-channels. In Proceedings of the 2013 8th International Conference on Availability, Reliability, and Security (ARES’13). IEEE, Los Alamitos, CA, 236--241. Google ScholarDigital Library
W.-M. Hu. 1991. Reducing timing channels with fuzzy time. In Proceedings of the 1991 Symposium on Security and Privacy. IEEE, Los Alamitos, CA, 8--20.Google ScholarCross Ref
B. Jankowski, W. Mazurczyk, and K. Szczypiorski. 2010. Information hiding using improper frame padding. In Proceedings of the 14th International Telecommunications Network Strategy and Planning Symposium (NETWORKS). 1--6.Google Scholar
L. Ji, Y. Fan, and C. Ma. 2010. Covert channel for local area network. In Proceedings of the International Conference on Wireless Communications, Networking, and Information Security (WCNIS). 316--319.Google Scholar
L. Ji, H. Liang, Y. Song, and X. Niu. 2009. A normal-traffic network covert channel. In Proceedings of the International Conference on Computational Intelligence and Security. 499--503. Google ScholarDigital Library
M. H. Kang and I. S. Moskowitz. 1993. A pump for rapid, reliable, secure communication. In Proceedings of the 1st ACM Conference on Computer and Communication Security. 119--129. Google ScholarDigital Library
R. A. Kemmerer. 1983. Shared resource matrix methodology: An approach to identifying storage and timing channels. ACM Transactions on Computer Systems 1, 3, 256--277. DOI: http://dx.doi.org/10.1145/357369.357374 Google ScholarDigital Library
C. Kraetzer, J. Dittmann, A. Lang, and T. Kuehne. 2006. WLAN steganography: A first practical review. In Proceedings of the 8th Workshop on Multimedia and Security (MMSEC’06). 17--22. Google ScholarDigital Library
B. W. Lampson. 1973. A note on the confinement problem. Communications of the ACM 16, 10, 613--615. Google ScholarDigital Library
G. Lewandowski, N. Lucena, and S. Chapin. 2007. Analyzing network-aware active wardens in IPv6. In Information Hiding. Lecture Notes in Computer Science, vol. 4437. Springer, 58--77. Google ScholarDigital Library
X. Li, Y. Zhang, F. T. Chong, and B. Y. Zhao. 2011. A Covert Channel Analysis of a Real Switch. Technical Report. Department of Computer Science, University of California, Santa Barbara.Google Scholar
D. Llamas, C. Allison, and A. Miller. 2005. Covert channels in Internet protocols: A survey. In Proceedings of the 6th Annual Postgraduate Symposium Convergence of Telecommunications, Networking, and Broadcasting (PGNET’05).Google Scholar
N. Lucena, G. Lewandowski, and S. Chapin. 2006. Covert channels in IPv6. In Privacy Enhancing Technologies. Lecture Notes in Computer Science, vol. 3856. Springer, 147--166. Google ScholarDigital Library
N. Lucena, J. Pease, P. Yadollahpour, and S. J. Chapin. 2004. Syntax and semantics-preserving application-layer protocol steganography. In Proceedings of the 6th Information Hiding Workshop (IH’04). 164--179. Google ScholarDigital Library
X. Luo, E. W. W. Chan, and R. K. C. Chang. 2007. Cloak: A ten-fold way for reliable covert communications. In Proceedings of Computer Security—ESORICS 2007. Lecture Notes in Computer Science, vol. 4734. Springer, 283--298. Google ScholarDigital Library
A. Marcus. 2004. Patterns within patterns. Interactions 11, 2, 28--34. Google ScholarDigital Library
W. Mazurczyk, M. Smolarczyk, and K. Szczypiorski. 2011. Retransmission steganography and its detection. Soft Computing 15, 3, 505--515. Google ScholarDigital Library
W. Mazurczyk and K. Szczypiorski. 2012. Evaluation of steganographic methods for oversized IP packets. Telecommunication Systems 49, 2, 207--217. Google ScholarDigital Library
C. Meadows and I. S. Moskowitz. 1996. Covert channels—a context-based view. In Information Hiding. Lecture Notes in Computer Science, vol. 1174. Springer, 73--93. Google ScholarDigital Library
J. Millen. 1999. 20 years of covert channel modeling and analysis. In Proceedings of the 1999 IEEE Symposium on Security and Privacy. 113--114.Google ScholarCross Ref
D. N. Muchene, K. Luli, and C. A. Shue. 2013. Reporting insider threats via covert channels. In Proceedings of the 2013 IEEE Security and Privacy Workshops. 68--71. Google ScholarDigital Library
S. J. Murdoch. 2007. Covert Channel Vulnerabilities in Anonymity Systems. Ph.D. Dissertation. University of Cambridge (Computer Laboratory).Google Scholar
S. J. Murdoch and S. Lewis. 2005. Embedding covert channels into TCP/IP. In Information Hiding. Lecture Notes in Computer Science, vol. 3727. Springer, 247--261. Google ScholarDigital Library
Object Management Group. 2010. Unified Modeling Language (OMG UML), Infrastructure, Version 2.3.Google Scholar
N. Ogurtsov, H. Orman, R. Schroeppel, S. O’Malley, and O. Spatscheck. 1996. Covert Channel Elimination Protocols. Technical Report. Department of Computer Science, University of Arizona, Tucson. Google ScholarDigital Library
R. Patuck and J. Hernandez-Castro. 2013. Steganography using the extensible messaging and presence protocol (XMPP). CoRR abs/1310.0524.Google Scholar
B. Pfitzmann. 1996. Information hiding terminology—results of an informal plenary meeting and additional proposals. In Information Hiding. Lecture Notes in Computer Science, vol. 1174. Springer, 347--350. Google ScholarDigital Library
P. A. Porras and R. A. Kemmerer. 1991. Covert flow trees: A technique for identifying and analyzing covert storage channels. In Proceedings of the IEEE Symposium on Security and Privacy. 36--51.Google Scholar
B. Ray and S. Mishra. 2008. A protocol for building secure and reliable covert channel. In Proceedings of the 6th Annual Conference on Privacy, Security, and Trust (PST’08). IEEE, Los Alamitos, CA, 246--253. Google ScholarDigital Library
R. Rios, J. A. Onieva, and J. Lopez. 2012. HIDE_DHCP: Covert communications through network configuration messages. In Proceedings of the 27th IFIP TC 11 International Information Security Conference. 162--173.Google Scholar
C. H. Rowland. 1997. Covert channels in the TCP/IP protocol suite. First Monday 2, 5. Available at http://firstmonday.org/ojs/index.php/fm/article/view/528/449.Google ScholarCross Ref
J. Rutkowska. 2004. Passive covert channels implementation in Linux kernel. In Proceedings of the Chaos Communication Congress. Available at http://events.ccc.de/congress/2004/fahrplan/files/319-passive- covert-ch annels-slides.pdf.Google Scholar
A.-R. Sadeghi, S. Schulz, and V. Varadharajan. 2012. The silence of the LANs: Efficient leakage resilience for IPsec VPNs. In Computer Security—ESORICS 2012. Lecture Notes in Computer Science, vol. 7459. Springer, 253--270.Google Scholar
A. Seffah. 2010. The evolution of design patterns in HCI: From pattern languages to pattern-oriented design. In Proceedings of the 1st International Workshop on Pattern-Driven Engineering of Interactive Computing Systems (PEICS’10). ACM, New York, NY, 4--9. Google ScholarDigital Library
S. D. Servetto and M. Vetterli. 2001. Communication using phantoms: Covert channels in the Internet. In Proceedings of the 2011 IEEE International Symposium on Information Theory. 229.Google Scholar
G. Shah, A. Molina, and M. Blaze. 2006. Keyboards and covert channels. In Proceedings of the 15th USENIX Security Symposium. 59--75. Google ScholarDigital Library
J. Shen, S. Qing, Q. Shen, and L. Li. 2005. Optimization of covert channel identification. In Proceedings of the 3rd IEEE International Security in Storage Workshop (SISW’05). IEEE, Los Alamitos, CA, 95--108. Google ScholarDigital Library
G. J. Simmons. 1983. The prisoners’ problem and the subliminal channel. In Advances in Cryptology: Proceedings of Crypto 83. Springer, 51--67.Google Scholar
Snort Project. 2012. Snort Users Manual 2.9.3.Google Scholar
T. Sohn, J. Seo, and J. Moon. 2003. A study on the covert channel detection of TCP/IP header using support vector machine. In Proceedings of the 5th International Conference on Information and Communications Security. 313--324.Google Scholar
D. Stødle. 2009. Ping Tunnel: For Those Times When Everything Else Is Blocked. Retrieved February 23, 2015, from http://www.cs.uit.no/&sim;daniels/PingTunnel/.Google Scholar
J. Tidwell. 2009. Designing Interfaces: Patterns for Effective Interaction Design. O’Reilly Media. Google ScholarDigital Library
T. Tiedtke, T. Krach, and C. Märtin. 2005. Multi-level patterns for the planes of user experience. In Proceedings of HCI International.Google Scholar
Z. Trabelsi and I. Jawhar. 2010. Covert file transfer protocol based on the IP record route option. Journal of Information Assurance and Security 5, 1, 64--73.Google Scholar
E. Tumoian and M. Anikeev. 2005. Network based detection of passive covert channels in TCP/IP. In Proceedings of the 1st IEEE LCN Workshop on Network Security. 802--809. Google ScholarDigital Library
D. K. Van Duyne, J. A. Landay, and J. I. Hong. 2007. The Design of Sites: Patterns For Creating Winning Web Sites. Prentice Hall. Google ScholarDigital Library
M. Van Welie. 2001. Patterns in Interaction Design. http://www.welie.com/.Google Scholar
S. Wendzel, B. Kahler, and T. Rist. 2012. Covert channels and their prevention in building automation protocols: A prototype exemplified using BACnet. In Proceedings of the 2012 International Conference on Green Computing and Communications (GreenCom). IEEE, Los Alamitos, CA, 731--736. Google ScholarDigital Library
S. Wendzel and J. Keller. 2011. Low-attention forwarding for mobile network covert channels. In Communications and Multimedia Security. Lecture Notes in Computer Science, vol. 7025. Springer, 122--133. Google ScholarDigital Library
S. Wendzel and J. Keller. 2012a. Preventing protocol switching covert channels. International Journal on Advances in Security 5, 3--4, 81--93.Google Scholar
S. Wendzel and J. Keller. 2012b. Systematic engineering of control protocols for covert channels. In Communications and Multimedia Security. Lecture Notes in Computer Science, vol. 7394. Springer, 131--144. Google ScholarDigital Library
S. Wendzel and S. Zander. 2012. Detecting protocol switching covert channels. In Proceedings of the 37th IEEE Conference on Local Computer Networks (LCN). IEEE, Los Alamitos, CA, 280--283. Google ScholarDigital Library
M. Wolf. 1989. Covert channels in LAN protocols. In Local Area Network Security. Lecture Notes in Computer Science, vol. 396. Springer, 89--101. Google ScholarDigital Library
F. V. Yarochkin, S.-Y. Dai, C.-H. Lin, Y. Huang, and S.-Y. Kuo. 2008. Towards adaptive covert communication system. In Proceedings of the 14th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC’08). IEEE, Los Alamitos, CA, 153--159. Google ScholarDigital Library
J. Yoder and J. Barcalow. 1997. Architectural patterns for enabling application security. In Proceedings of the 4th Conference of Pattern Languages of Programs.Google Scholar
S. Zander, G. Armitage, and P. Branch. 2006. Covert channels in the IP time to live field. In Proceedings of the Australian Telecommunication Networks and Applications Conference (ATNAC’06). 298--302.Google Scholar
S. Zander, G. Armitage, and P. Branch. 2008. Covert channels in multiplayer first person shooter online games. In Proceedings of the 33rd IEEE Conference on Local Computer Networks (LCN’08). IEEE, Los Alamitos, CA, 215--222.Google Scholar
S. Zander, G. Armitage, and P. Branch. 2011. Stealthier inter-packet timing covert channels. In Networking 2011. Lecture Notes in Computer Science, vol. 6640. Springer, 458--470. Google ScholarDigital Library
S. Zander, G. J. Armitage, and P. Branch. 2007. A survey of covert channels and countermeasures in computer network protocols. IEEE Communications Surveys and Tutorials 9, 3, 44--57. Google ScholarDigital Library
C. Zhiyong and Z. Yong. 2009. Entropy based taxonomy of network convert channels. In Proceedings of the 2nd International Conference on Power Electronics and Intelligent Transportation System (PEITS). 451--455.Google Scholar
X.-G. Zou, Q. Li, S.-H. Sun, and X. Niu. 2005. The research on information hiding based on command sequence of FTP protocol. In Knowledge-Based Intelligent Information and Engineering Systems. Lecture Notes in Computer Science, vol. 3683. Springer, 1079--1085. Google ScholarDigital Library

Index Terms

Pattern-Based Survey and Categorization of Network Covert Channel Techniques

Recommendations

A Revised Taxonomy of Steganography Embedding Patterns
ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security

Steganography embraces several hiding techniques which spawn across multiple domains. However, the related terminology is not unified among the different domains, such as digital media steganography, text steganography, cyber-physical systems ...
Read More
One Countermeasure, Multiple Patterns: Countermeasure Variation for Covert Channels
CECC 2018: Proceedings of the Central European Cybersecurity Conference 2018

Network covert channels enable stealthy communications for malware and data exfiltration. For this reason, the development of effective countermeasures for covert channels is important for the protection of individuals and organizations. However, due to ...
Read More
Out-of-Band Covert Channels—A Survey

A novel class of covert channel, out-of-band covert channels, is presented by extending Simmons’ prisoners’ problem. This new class of covert channel is established by surveying the existing covert channel, device-pairing, and side-channel research. ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM Computing Surveys Volume 47, Issue 3
April 2015
602 pages
ISSN:0360-0300
EISSN:1557-7341
DOI:10.1145/2737799
Editor:
Sartaj Sahni
Department of Computer and Information Science and Engineering / University of Florida / Gainesville, FL
Issue’s Table of Contents
Copyright © 2015 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 1 April 2015
- Revised: 1 October 2014
- Accepted: 1 October 2014
- Received: 1 December 2013
Published in csur Volume 47, Issue 3

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Covert channels
PLML
information hiding
network security
patterns
taxonomy
Qualifiers
- survey
- Research
- Refereed
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 109
  Total Citations
  View Citations
- 1,545
  Total Downloads
- Downloads (Last 12 months)141
- Downloads (Last 6 weeks)17
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Pattern-Based Survey and Categorization of Network Covert Channel Techniques

ACM Computing Surveys

Abstract

References

Cited By

Index Terms

Recommendations

A Revised Taxonomy of Steganography Embedding Patterns

One Countermeasure, Multiple Patterns: Countermeasure Variation for Covert Channels

Out-of-Band Covert Channels—A Survey