International Journal of Network Security & Its Applications (IJNSA), Vol. 7, No. 3, May 2015
DOI: 10.5121/ijnsa.2015.7304
ENTROPY BASED DETECTION AND BEHAVIORAL ANALYSIS OF HYBRID COVERT CHANNEL IN SECURED COMMUNICATION

Anjan K¹, Srinath N K¹ and Jibi Abraham²

¹Department of Computer Science and Engineering, R V College of Engineering, Bengaluru, India
²Department of Computer Engineering and Information Technology, College of Engineering, Pune, India
ABSTRACT

Covert channels are a vital setup for analysing the strength of security in a network. A covert channel is illegitimate channelling over the secured channel and establishes a malicious conversation. The trapdoors set in such channels proliferate, making covert channels sophisticated and their presence in the network hard for a firewall to detect. This is due to the intricate covert scheme that enables a robust covert channel to be built over the network. From an attacker's perspective this is ameliorated by placing multiple such trapdoors in different protocols of the rudimentary protocol stack. This leads to a unique scenario, the "Hybrid Covert Channel", where different covert channel trapdoors exist at the same instance of time in the same layer of the protocol stack. For detection agents, detecting such an event is complicated due to a lack of knowledge of the different covert schemes. To improve the knowledge of the detection engine so that it can detect the hybrid covert channel scenario, it is required to explore all possible clandestine mediums used in the formation of such channels. This can be explored through the different schemes available and their entropy impact on the hybrid covert channel. The environment can be composed of resources, the subject under attack, and the subject which initiated the attack (the attacker). The paper sets itself the objective of understanding the different covert schemes and the attack scenario (modelling), the possibilities of covert mediums, and a metric for detection.
KEYWORDS

Covert Channel, Subliminal Channel, Network Forensics, Kleptography, Trapdoors, Covert Schemes
1. INTRODUCTION

The global internet consists of a massive number of devices connected to it, with numerous applications running on them. There is a frequent, inherent threat of intentional exposure of confidential and sensitive information over a secured channel. Such threats are implemented using a covert channel, which compromises a very important attribute of the secured channel: privacy. A covert channel is defined in different ways depending on the scenario in which it is established, and the definition is non-concrete:

"An enforced, illicit signalling channel that allows a user to surreptitiously contravene the multi-level separation policy and unobservability requirements of the [target of evaluation]"
This clearly states the policy violation constraint but does not consider whether the communication channel was envisaged as a communication channel by the system designer. A simple covert channel can be visualized as in [3], where the channel comprises both the covert and the overt channel in the communication.

Fig. 1. Covert Channel Visualization

Covert channel information exchange is based on covert languages pre-negotiated by the covert users, and the implementation of such languages uses intricate encoding schemes. These schemes may be proliferated into multiple protocols, where each such protocol will be a trapdoor. This makes it complex to detect such clandestine mediums. The SETUP attack [18] makes use of a multi-trapdoor mechanism for ameliorated development of a covert channel. A hybrid covert channel scenario may have such multiple trapdoors either in the same layer or in different layers.

Multiple trapdoors can be implemented in the same layer or in different layers. Implementation of the different covert channel variants at the same instance of time tends to behave as a single coherent covert channel. Such a channel is termed a "Hybrid Covert Channel". A Hybrid Covert Channel [3] is a homogeneous composition of two or more covert channel variants existing at the same instance of time. A hybrid covert channel may not have a strict composition, and it becomes complicated to assess the composition of the Hybrid Covert Channel. An instance of the hybrid covert channel is depicted in [3] and in figure 2.

Fig. 2. Hybrid Covert Channel in Transport Layer

The covert channel was first introduced in the traditional confinement problem, as described in [11]. Extensive work has been carried out in devising detection methods, which can be operated in real time or be forensics [6] based. Scenario based analysis of covert channel detection [3][7] is performed to understand the detection better. Monitoring unusual traffic [14] in the network stream is a basis for detection. Modelling the covert timing channel process as a Poisson distribution is also a
way to detect such activity. Illegitimate information flows can be tracked through Message Sequence Charts (MSC) [9]. This paper employs a statistical, protocol based entropy detection [1] to detect hybrid covert channels based on analysis of packet headers.

2. COVERT COMMUNICATION TYPES

In network communication, covert communication between a pair of users can take two forms:
(a) covert data exchange, and
(b) covert indication.

In covert data exchange, covert data is exchanged between the covert users by hiding the covert data in rudimentary protocols. This form of covert communication can best be understood with the classical pipeline problem, where there exist two pipes p1 and p2 of diameters d1 and d2 respectively, one inside the other such that d2 < d1. These pipes are set up between two geographical places for the transportation of crude oil. In Figure 3 the inner pipe p2 of diameter d2 is the covert pipe, not known or undocumented in the design and used for smuggling oil; the outer pipe p1 is the legitimate pipe. This type of covert communication will not have pre-defined encoding schemes; it is simple placement of covert data (trapdoor creation) directly in the identified clandestine field of the traditional network protocol stack. This channel is called a simple network covert channel.

Fig. 3. Classical Pipeline Problem

The second form of covert communication is covert indication. Covert users communicate in a language not known to others. In Figure 4 the covert sender and receiver share an information encoding scheme to leak information. This information encoding scheme, as seen from the figure, is the language that covert users employ to communicate in a secured, legitimate network environment. This sophisticated communication is visible to our detection engine; however, decoding the language might be quite difficult in many situations.

The best real-time classical example of such communication is the Examination Problem. Student X leaks the answers to Student Y for an objective type examination paper in an examination hall, in the presence of an invigilating officer. For each choice in a question, student X makes a gesture that triggers an event to student Y. For instance, to communicate choice A to student Y, student X coughs. The same schema holds good in network communication, where covert user X triggers continuous clock events that communicate some form of action to be performed by covert user Y. Some of the other forms of covert indication in a network scenario include:
Fig. 4. Classical Examination Problem

• Encoding the ASCII character set in the sequence number, and decoding it by applying a mathematical operation on the sequence number. This can be done either in the TCP sequence number or in the IP ID field.
• Repeated sending of an acknowledgement packet to an unknown server on which the covert receiver is listening. The receiver has to count the number of times the acknowledgement packet was sent to this server; this value can later be mapped to the ASCII table to retrieve the corresponding character.
• Retrieving the packet sorting order numbering in IPSec frames, which serves as information to the covert receiver.
• Using logical operators like XOR with the sequence number to get the covert data.

3. COVERT CHANNEL VARIANTS

Covert channels are categorized based on different aspects of the overall entities involved in the communication, like the shared resources, backdoor/trapdoor placement and the parties involved in the communication. The general classification of covert channels is given below:

• Noisy Covert Channel [14] is a communication channel in which both overt and covert users are present.
• Noiseless Covert Channel [14] is a communication channel used solely by covert parties.
• Storage Covert Channel [14] involves the sender and the receiver directly or indirectly reading from or writing to a storage location. The implementation can be on file-lock R/W in a hard disk.
• Timing Covert Channel [14] [13] involves the sender signalling the information by modulating the resources in such a way that the real response time is observed by the receiver.
• Simple Network Covert Channel [14] (SNCC) exists by creating a trapdoor in the rudimentary protocols used in the network protocol suite.
• Steganographic Channel [3] is a means of communication where sender and receiver collude to prevent an observer from being able to reliably detect whether communication is happening.
• Subliminal Channel [15] is a covert channel in a cryptographic algorithm, typically proved undetectable.
• Supraliminal Channel [12] encodes information in the semantic content of cover data, generating innocent communication in a manner similar to mimic functions.
• Hybrid Covert Channel [4] is the co-existence of two or more different variants of covert channels at the same instance of time. The composition of the Hybrid covert channel is difficult to assess for a third party which is trying to detect it. Mixed compositions of covert channel variants behave as a single coherent covert channel and are the greatest threat to the legitimate network environment, for instance a noisy covert channel in the transport layer combined with a subliminal channel in the network layer or application layer.

4. ATTACK MODELLING

The attack modelling [4] can be based on different scenarios and on the placement of covert users. Each of these scenarios is designed and built to fulfil certain objectives. Covert users can communicate in direct or encoded format. Direct communication is merely placement of covert data over a clandestine medium in the network protocol. Alternatively the covert user can communicate using an encoding scheme that is known only to the covert users.

The intricate design, choosing clandestine mediums (trapdoors) and an encoding scheme, paves the way for successful, undetectable establishment of a covert channel. Detecting such strong covert mediums may be difficult, and hence a detection metric called the covertness index is used. The metric is given below and will be used for assessment in the attack scenarios.

The important formation scenarios of covert channels in which an attack can be devised are given below.

4.1 Scenario - 1

The attack scenarios have three entities: Alice, Bob and Eve. Alice and Bob are covert attackers and Eve is a legitimate entity/user. The scenario comprises a combination of covert and legitimate users, hence it is a noisy covert channel scenario. The channel established between Bob and Eve is a legitimate channel comprising a covert channel, and between Alice and Eve there is a covert channel. Alice and Bob have a pre-established channel to communicate the attack information, shown as dotted lines in figure 5.

While Eve is communicating with Bob over the legitimate channel, Alice extracts information over the covert channel. Once the communication between Bob and Eve is over, Alice also stops communicating with Bob. Further, Alice and Eve can share the information snatched from Bob's machine. The covert channel implemented between Alice and Bob can have a strong trapdoor so as to thwart the detection methods. Such trapdoors can be designed using a Hybrid covert channel; one possible composition is a Subliminal channel in IPSec together with a Network Covert Channel in IP, both at the network layer.
Fig. 5. Noisy Covert Channel

This combination will prove effective in hop-to-hop routing and can avoid any detection.

The covertness index for a Network Covert Channel in the Network Layer (IPv4):

where
(T) = Probability of a trapdoor card
(Ut) = universal set of all possible trapdoors

The covertness index for a subliminal channel in IPSec - ESP format:

IPSec makes use of the AES-XCBC-MAC cipher suite, and the ESP format allows two trapdoor implantations: the Sequence Number field and the padding. The maximum number of rounds in the AES random number generator algorithm is 16, out of which 5 rounds are used for generating the seed.

As per [7], the trapdoors can be detected under the assumption stated in the hybrid covert channel formation. However, this will not be the same if multiple trapdoors are set in each of the protocol headers.
4.2 Scenario - 2

This scenario is built on the threat model of a noiseless covert channel, where the resources and users in a sub-network are compromised. This sub-network is connected to other networks. The communication from the sub-network to all the other networks is built using a Hybrid Covert Channel. This sub-network can be similar to the bot-net described in [8].

Fig. 6. Noiseless Covert Channel with Hybrid Covert Channel

The scenario can have a multi-trapdoor or protocol hopped hybrid covert channel [16]. The trapdoor can move from one protocol to another during the hop-to-hop communication, or it can be a combination of trapdoors at multiple levels in the protocol suite. Hence there can be no particular index.

5. COVERT SCHEMES AND THEIR EMBODIMENT

The covert schemes are crucial for conveying the covert data over a communication channel in an obscured way. A more sophisticated scheme is less likely to be retrieved by the detection entity. A few samples of covert schemes were discussed in section 2 of this paper; detailed schemes are presented here.

Scheme 1

The IP ID is a 16-bit field used for identification of the packet, so that its fragments can be reassembled. The covert scheme used for this field is based on the following strategy:
• Intentional use of only certain IP IDs while having a conversation with the covert receiver
• The scheme is designed by the covert sender for embedding covert characters into the IP ID field
• The covert receiver applies the scheme used by the sender to retrieve the covert character

For instance, a simple scheme that can be used for this field is to extract the IP ID and perform a modulus operation with the character set size. The general notation of this scheme for encoding a character 'c' is
F(R) = R mod n

where F is the encoding function, R is the IP ID value and n is the size of the character set. For an ASCII character set, n = 256.

Example: if IP ID = 26702, then F(R) = 26702 mod 256 = 78, which is the ASCII character 'N'. To send the character 'M' (ASCII 77) the sender would instead choose an IP ID such as 26701, since 26701 mod 256 = 77.

To convey a covert message, the covert sender has to select each IP ID in such a way that F(R) matches the character to be sent.
Scheme 2

Another prominent scheme uses the sequence number, whose maximum range is 4294967296 values as it is a 32-bit field. To communicate covertly under this scheme the following strategy is employed:
• The character code is multiplied by a block size derived from the character set size, and the result is bounded by the maximum limit of the field
• The receiver retrieves the sequence number and divides it by the block size

The encoding function F(S) is given by the block size M = 2^32 / n: the sender chooses a sequence number S' with c·M ≤ S' < (c+1)·M, where S is the initial sequence number, c is the character code and n is the size of the character set. The decoding function F'(S') is

c' = ⌊S' / M⌋

where c' is the decoded character and S' is the received sequence number.

For instance, to send the character 'I' covertly over the channel, the sender would choose 1235037038 as the sequence number; the block size is derived as 65536 × 256 = 16777216. Therefore the decoded character is F'(S') = ⌊1235037038 / 16777216⌋ = 73, and the value 73 mapped back to the ASCII table is the character 'I'.
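Scheme 1 and Scheme 2 as working encoder/decoder pairs, added here as an illustration and not taken from the paper. The IP ID and sequence number values are constructed; the choice of taking the next IP ID above the previous one (so the field still looks like a counter) and the random low-order part r of the sequence number are assumptions of this example.

```python
"""Added example, not from the paper: encoder/decoder pairs for Scheme 1
(IP ID, 16-bit) and Scheme 2 (TCP sequence number, 32-bit).  All packet
values are constructed for illustration."""
import random
from typing import List, Tuple

CHARSET_SIZE = 256                     # n: ASCII character set
IP_ID_MAX = 1 << 16                    # IPv4 Identification is 16 bits
SEQ_MAX = 1 << 32                      # TCP sequence number is 32 bits
SEQ_BLOCK = SEQ_MAX // CHARSET_SIZE    # 65536 * 256 = 16777216 values per character


def ipid_decode(ip_id: int) -> str:
    """Scheme 1 decode: F(R) = R mod n, mapped to the ASCII table."""
    return chr(ip_id % CHARSET_SIZE)


def ipid_encode(ch: str, prev_ip_id: int) -> int:
    """Scheme 1 encode: choose the next IP ID whose residue mod n is the
    character code.  Taking the first such value above the previous ID keeps
    the field looking like an ordinary incrementing counter (an assumption of
    this example, not a rule from the paper)."""
    target = ord(ch)
    candidate = prev_ip_id + 1
    candidate += (target - candidate) % CHARSET_SIZE   # smallest step to the residue
    return candidate % IP_ID_MAX    # 65536 is a multiple of 256, so the residue survives wrap


def seq_decode(seq: int) -> str:
    """Scheme 2 decode: c = floor(S' / (2**32 / n))."""
    return chr(seq // SEQ_BLOCK)


def seq_encode(ch: str, rng=random) -> int:
    """Scheme 2 encode: S' = c * SEQ_BLOCK + r with 0 <= r < SEQ_BLOCK, so the
    receiver's integer division recovers c whatever r the sender used."""
    return ord(ch) * SEQ_BLOCK + rng.randrange(SEQ_BLOCK)


def encode_message(msg: str, start_ip_id: int = 26700) -> List[Tuple[int, int]]:
    """One (ip_id, seq) pair per character: the same character carried by
    both trapdoors, i.e. a two-field hybrid use of the schemes."""
    pairs, ip_id = [], start_ip_id
    for ch in msg:
        ip_id = ipid_encode(ch, ip_id)
        pairs.append((ip_id, seq_encode(ch)))
    return pairs


def decode_message(pairs: List[Tuple[int, int]]) -> Tuple[str, str]:
    """Recover the text from each trapdoor independently."""
    from_ipid = "".join(ipid_decode(i) for i, _ in pairs)
    from_seq = "".join(seq_decode(s) for _, s in pairs)
    return from_ipid, from_seq
```

A practical caveat for Scheme 1: with the DF bit set, many current IP stacks send IP ID 0 or a randomised value (RFC 6864), so a sender-controlled IP ID is only available where the stack still exposes the field, and a receiver that sees residues spelling out ASCII in an otherwise random field has a simple signature to look for.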
Scheme 3

Another scheme, which has a tremendous effect on the bandwidth, is the modulation of TCP timestamps, or the use of a timing element in the network protocol. The TCP timestamp is carried in the options field of the TCP header and is used to measure the round trip time of the packets; from it the TCP process calculates the retransmission timeout for a segment that failed to be acknowledged. If a character is to be covertly sent using this scheme, the following strategy is used:
• Get the binary representation of the character and extract bits starting from the least significant bit
• Check if the least significant bit (LSB) of the timestamp is the same as the covert bit; if so, send the TCP segment
• The covert receiver extracts the LSB of the timestamp of each segment and stores it until a byte has been accumulated

Let B_c be the binary representation of the character 'c' and F_LSB(B_c) be the encoding function for encoding the covert bits in the TCP timestamp.
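The three steps of Scheme 3 carried through as an added example (not from the paper): the timestamp clock is a constructed tick counter, the sender holds a segment until the tick's LSB matches the next covert bit, and the receiver reassembles bytes from the LSBs it observes.

```python
"""Added example, not from the paper: the TCP timestamp LSB scheme (Scheme 3).
The sender transmits a segment only when the LSB of the current TSval equals
the next covert bit, otherwise it waits for the next clock tick.  The
timestamp clock is a constructed tick counter, not a real kernel value."""
from typing import List


def char_bits_lsb_first(ch: str) -> List[int]:
    """B_c: the 8-bit representation of a character, least significant bit first."""
    code = ord(ch)
    return [(code >> i) & 1 for i in range(8)]


def sender_schedule(message: str, start_ts: int) -> List[int]:
    """F_LSB: advance the clock one tick at a time and emit a segment (its TSval
    is recorded) only when the tick's LSB matches the covert bit.  Because the
    LSB alternates every tick, at most one tick is skipped per bit."""
    ts, sent = start_ts, []
    for ch in message:
        for bit in char_bits_lsb_first(ch):
            while (ts & 1) != bit:       # LSB mismatch: hold the segment
                ts += 1
            sent.append(ts)
            ts += 1                      # the clock keeps running after the send
    return sent


def receiver_decode(timestamps: List[int]) -> str:
    """Collect the LSB of every observed TSval; every 8 bits form one character."""
    out, bits = [], []
    for ts in timestamps:
        bits.append(ts & 1)
        if len(bits) == 8:
            out.append(chr(sum(b << i for i, b in enumerate(bits))))
            bits = []
    return "".join(out)


def ticks_spanned(timestamps: List[int], start_ts: int) -> int:
    """Clock ticks consumed by the transmission: the bandwidth cost the text
    attributes to this scheme (one segment per covert bit, plus the waits)."""
    return timestamps[-1] - start_ts + 1
```

The wait loop is where the bandwidth cost comes from: every covert bit costs a full segment, and on average half the bits also cost a skipped tick, which is why the text singles this scheme out as the one with a tremendous effect on bandwidth.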
6. ENTROPY BASED COVERT CHANNEL ANALYSIS

The entropy [2] in a communication network indicates the number of bits required to encode a character over the channel, as stated by Shannon's entropy theory. It is based on the frequency of the characters in a given string and the size of the alphabet. The entropy measure also quantifies the uncertainty of the random variable.

Let A be a finite set of characters such that |A| ≥ 1, and let X be a sequence of symbols (a string) in which each symbol x ∈ A. For instance, let "cbbacabbac" be a sequence of symbols that needs to be transmitted over the network; its sequence of bits represents the coded symbol sequence, which may be 101110011011100010. The entropy for such a scenario is defined as

H(X) = − Σ_i p_i log2 p_i

where i ranges over the symbols of A with |A| > 1, p_i is the probability of occurrence of symbol i in the string (its count divided by n) and n gives the length of the string. To transmit the message "network" over the communication network, the entropy is calculated for each symbol as follows.

The frequency of all the characters in a string with unique symbols is the same; since the word "network" has seven unique symbols, each frequency is 1/7 ≈ 0.143. Let X be the string for which the entropy is to be calculated (X may be a word like "network" or a stream of numbers); then

H(X) = −[(0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143)]
H(X) = log2 7 ≈ 2.81 (the tables below report this value as 2.803)

It requires 3 bits to represent each symbol in the given string, and 21 bits are required to represent the entire string. Further, an appropriate line coding technique has to be chosen to represent them on the transmission line. So in general the entropy of X, where each symbol is unique, is simply log2 of the number of symbols.

In a covert channel scenario the covert user has to choose the message in such a way that the entropy of the string is always less than the number of bits available for that field in the protocol header, i.e.

H(X) < |Maximum number of bits in that field (B_f)|
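The entropy calculation and the H(X) < B_f check above, as an added example that is not part of the paper. Field widths are the standard IPv4 Identification (16 bits) and TCP sequence number / TSval (32 bits); the message strings are constructed. The per-packet symbol count and packet count are this example's own bookkeeping, derived from the ceil(H(X)) bits-per-symbol reasoning in the text.

```python
"""Added example, not from the paper: Shannon entropy of a covert message and
the feasibility check H(X) < B_f against the header field that will carry it.
Field widths are the standard IPv4/TCP ones; the messages are constructed."""
import math
from collections import Counter

FIELD_BITS = {"ipv4_id": 16, "tcp_seq": 32, "tcp_tsval": 32}   # B_f per trapdoor field


def entropy(x: str) -> float:
    """H(X) = -sum_i p_i log2 p_i, with p_i = (count of symbol i) / len(x)."""
    n = len(x)
    return -sum((k / n) * math.log2(k / n) for k in Counter(x).values())


def bits_per_symbol(x: str) -> int:
    """Whole bits per symbol under a fixed-length code: ceil(H(X)).
    A single-symbol string has H(X) = 0; it still needs one bit on the wire."""
    return max(1, math.ceil(entropy(x)))


def total_bits(x: str) -> int:
    """Bits to carry the whole string at bits_per_symbol each (21 for "network")."""
    return bits_per_symbol(x) * len(x)


def fits_field(x: str, field: str) -> bool:
    """The covert user's constraint from the text: H(X) < B_f."""
    return entropy(x) < FIELD_BITS[field]


def symbols_per_packet(x: str, field: str) -> int:
    """How many symbols of x one packet's field can carry."""
    return FIELD_BITS[field] // bits_per_symbol(x)


def packets_needed(x: str, field: str) -> int:
    """Packets required to move the whole string through one trapdoor field."""
    return math.ceil(len(x) / symbols_per_packet(x, field))
```

For "network" in the 16-bit IP ID field this gives 3 bits per symbol, 5 symbols per packet and 2 packets for the whole word; a second trapdoor field in the same packet halves the packet count, which is the capacity doubling the next section describes.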
The IP ID presented in scheme 1 of this paper has 16 bits in the IP header, so to send X a minimum of 21 bits is required. Hence the capacity of the covert channel is limited by the field width: the covert channel occupies 25% of the total IP header space. Multiple trapdoors (t) [5] [4] in the IP header or protocol header simply double the covert channel capacity. However, the entropy to channel capacity ratio will be low, thus making it robust. This makes the detection of covert bits much more difficult, as the detection systems need to scan more fields for analysis.

In general, for robust covert channel construction [7], the covertness index for such a multi-trapdoor covert channel will be greater than 0.5. Multiple trapdoors through a protocol or set of protocols is actually the setting up of multiple covert channels in the communication network. The entropy for such scenarios is dispersed across multiple fields, making it difficult to understand the scheme. Also, in the multi-trapdoor scenario the covert channel behaves like a single coherent hybrid covert channel where the effect of the entropy is doubled. The results shown in figure 7 and figure 8 show the expected behaviour discussed in this paper:

Fig. 7. IP Entropy analysis

Fig. 8. TCP Entropy Analysis
The results indicate that the multiple trapdoors used in the hybrid covert channel yield a higher entropy value and a low channel to entropy ratio (C/E). The constant C/E ratio also indicates consistent usage of the protocol header for constructing the multi-trapdoor based hybrid covert channel. This implies that the covert schemes used in a hybrid covert channel are difficult to detect in secured communication.
7. RESULTS AND DISCUSSIONS

The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in that protocol, i.e. Ts < Tm, where Tm is the maximum number of trapdoors possible in that protocol and Ts is the number of trapdoors set.

The analysis of the trapdoor setting is performed on protocols like IPv4, TCP, IPSec and SSL/TLS. The trapdoor setting in the rudimentary network protocols like IPv4 and TCP is merely based on placing the covert data in any of their header fields. Table 1 shows the effect of varying the number of trapdoors in the IPv4 protocol.
Table 1. Multi-Trapdoor Analysis of IPv4

Sl No | Trapdoor Name | No of Trapdoors | No of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E
1 | Network Covert Channel-IPv4-Single | 4 | 1 | NIL | 0.25 | 2.803 | 0.089
2 | Network Covert Channel-IPv4-dual | 4 | 2 | NIL | 0.5 | 5.606 | 0.17
3 | Network Covert Channel-IPv4-triple | 4 | 3 | NIL | 0.75 | 11.21 | 0.358
The graph of trapdoors vs the covertness index is shown in figure 9, where an increase in the number of trapdoors in IPv4 increases the difficulty of detecting the covert channel. The trapdoor setting in IPSec using a subliminal channel is slightly more complex to understand. However, the ESP format provides two fields to convey the covert bits in the protocol header. The remaining data is sent over the ESP algorithm during key generation for encryption using the AES algorithm; the residual bits are used in random number generation or in the round box of AES, and this is depicted in row 2 of table 2. Hence the covertness index rises from 0.15 (row 1 of table 2) to 0.47 (row 2). This will not change any further, as there is limited scope for subliminal channel development in the IPSec ESP format.
Fig. 9. Entropy Vs Covertness Index in IPv4

Table 2. Multi-Trapdoor Analysis of Subliminal Channel in IPSec

Sl No | Trapdoor Name | No of Trapdoors | No of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E
1 | Subliminal Channel-IPSec ESP-1 | 2 | 1 | AES-XCBC-MAC | 0.15 | 2.803 | 0.14
2 | Subliminal Channel-IPSec ESP-2 | - | - | AES-XCBC-MAC | 0.47 | 4.78 | 0.35
3 | Subliminal Channel-IPSec ESP-3 | - | - | AES-XCBC-MAC | 0.47 | 5.21 | 0.35

The graph of trapdoors vs the covertness index is shown in figure 10, where an increase in the number of trapdoors in IPSec ESP leaves the covertness index constant. The trapdoor setting in the TCP based protocol is simple and provides seven fields for placing the covert data. Table 3 depicts the changing trapdoor count that has an effect on the covertness index. When more trapdoors are involved it is difficult to detect the composition of the covert channel. Figure 11 shows the change in the trapdoor count that has an effect on detection; however, the changes in the covertness index can be minimal. The trapdoor setting in the subliminal channel in SSL/TLS is based on the algorithm used in its cipher suite. This is purely called a random oracle channel. However, to increase the complexity of the subliminal channel and thwart detection, randomization of bits is feasible in a chosen prime number. This forms the Newton Subliminal Channel. The covertness index for such channels is discussed in table 4.

Fig. 10. Entropy Vs Covertness Index in IPSec based subliminal channel
Table 3. Multi-Trapdoor Analysis of Network Covert Channel in TCP

Sl No | Trapdoor Name | No of Trapdoors | No of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E
1 | Network Covert Channel-TCP-1 | 7 | 1 | NIL | 0.142 | 2.803 | 0.14
2 | Network Covert Channel-TCP-2 | 7 | 2 | NIL | 0.28 | 5.606 | 0.28
3 | Network Covert Channel-TCP-3 | 7 | 3 | NIL | 0.42 | 11.21 | 0.14

The graph of the covertness index vs the trapdoors in the subliminal channel is shown in figure 12. The higher entropy value for some of the formations indicates that the detection engine [10] is able to detect the activity, and this gives a clear indication of higher detection rates. A hybrid covert channel is not feasible for combinations of the network covert channel in TCP and IPv4, as this becomes an easily detectable combination.

Fig. 11. Entropy Vs Covertness Index in Covert Channel based on TCP

Table 4. Multi-Trapdoor Analysis of Subliminal Channel in SSL/TLS

Sl No | Trapdoor Name | No of Trapdoors | No of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E
1 | Subliminal Channel (Oracle)-SSL/TLS-1 | - | - | SSL Cipher Suite | 0.25 | 2.803 | 0.14
2 | Subliminal Channel (Oracle)-SSL/TLS-2 | - | - | SSL Cipher Suite | 0.58 | 3.67 | 0.35
3 | Subliminal Channel (Oracle)-SSL/TLS-3 | - | - | SSL Cipher Suite | 0.58 | 3.67 | 0.35
Fig. 12. Covertness Index for Subliminal Channel based on SSL/TLS

8. CONCLUSION

Covert schemes are difficult for a third party entity to understand, as they obscure the content placed in the protocol header. This provides an opportunity for embedding any data, which may even be malware code. Entropy based analysis gives the actual number of bits used to represent the covert symbol in a protocol. This gives a clear metric for understanding the covert channel schemes in a better way. It is unacceptable to have a malicious conversation on the network even in the presence of an administrator. It is the inference of this experiment that the hybrid covert channel has a high degree of entropy, which makes it difficult to detect. It is required to concentrate on stronger detection principles to detect such events.

ACKNOWLEDGEMENT

Anjan Koundinya thanks the late Dr. V K Ananthashayana, erstwhile Head, Department of Computer Science and Engineering, M S Ramaiah Institute of Technology, Bangalore, for igniting the passion for research.

REFERENCES

[1] Description of Detection Approaches, http://gray-world.net/projects/papers/html/cctde.html, 2014. [Online; accessed 15-Feb-2015]
[2] Description of the Entropy calculation, http://www.shannonentropy.netmark.pl. [Online; accessed 16-Feb-2015]
[3] Koundinya Anjan and Jibi Abraham, "Behaviour analysis of transport layer based hybrid covert channel", in Third International Conference on Network Security and Applications, Chennai, India, 2010, Springer-Verlag LNCS series, pages 83-92.
[4] Jibi Abraham, Anjan K and Srinath N K, "Attack modelling and behavioral analysis of hybrid covert channel in secured communication", ACEEE International Journal of Network Security, 05(2):67-77, 2014.
[5] Bo Yuan, Chaim Sanders and Jacob Valletta, "Employing Entropy in the Detection and Monitoring of Network Covert Channels", 2012.
[6] Rajarathnam Chandramouli and Koduvayur P. Subbalakshmi, "Covert channel forensics on the internet: Issues, approaches, and experiences", 5(1):41-50, July 2007.
[7] Anjan K Koundinya et al., "Covertness analysis of subliminal channels in legitimate communication", in ADCONS 2011, pages 582-591, Springer-Verlag LNCS series, 2012.
[8] Jaideep Chandrashekar et al., "Exploiting temporal persistence to detect covert botnet channels", in Proceedings of the 12th International Symposium, RAID 2009, pages 326-345, Saint-Malo, France, September 2009.
[9] Loic Helou, Claude Jard and Marc Zeitoun, "Covert channels detection in protocols using scenarios", SPV'03, Volume 3, April 2003.
[10] Anjan K Koundinya and Jibi Abraham, "Design of Transport Layer Based Hybrid Covert Channel Detection Engine", International Journal of Ad hoc, Sensor and Ubiquitous Computing, volume 1 of 4, 2010.
[11] B. W. Lampson, "A Note on the Confinement Problem", Communications of the ACM, 1973.
[12] Enping Li and Scott Craver, "A supraliminal channel in a wireless phone application", in Proceedings of the 11th ACM Workshop on Multimedia and Security, pages 7-18, Princeton, New Jersey, USA, 2009.
[13] Clay Shields, Sarder Cabuk and Carla Brodley, "IP covert timing channels: Design and detection", CCS '04, 2004.
[14] Clay Shields, Sarder Cabuk and Carla Brodley, "IP covert channel detection", ACM Transactions on Information and System Security, Volume 12 (Article 22), 2009.
[15] Gustavus J. Simmons, "The Subliminal Channel and Digital Signatures", Springer-Verlag, 1998.
[16] Steffen Wendzel, "Protocol Channels", HAKIN9, 2009.
[17] Andreas Willig, "A short introduction to queuing theory", lecture notes at Technical University Berlin, 1999.
[18] Adam Young and Moti Yung, "Malicious Cryptography", First edition, Wiley Publishing, Feb 2004, pages 220-240.

AUTHORS

Anjan K received his BE degree from Visveswariah Technological University, Belgaum, India in 2007 and his master's degree from the Department of Computer Science and Engineering, M S Ramaiah Institute of Technology, Bangalore, India. He was awarded Best Performer PG 2010 for his academic excellence. His areas of research include Network Security and Cryptography and Agile Software Engineering. He is pursuing a PhD in Computer Science and Engineering from VTU, Belgaum. He is currently working as Assistant Professor in the Dept. of Computer Science and Engineering, RV College of Engineering, Bengaluru, India.

Srinath N K has his ME degree in Systems Engineering and Operations Research from Roorkee University in 1986 and his PhD degree from Avinash Lingum University, India in 2009. His areas of research interest include Operations Research, Parallel and Distributed Computing, DBMS and Microprocessors. He is working as Professor and Dean, PG Dept. of Computer Science and Engineering, RV College of Engineering.

Jibi Abraham received her MS degree in Software Systems from BITS, Rajasthan, India in 199 and her PhD degree from Visveswariah Technological University, Belgaum, India in 2008 in the area of Network Security. Her areas of research interest include network routing algorithms, Cryptography, Network Security of Wireless Sensor Networks and Algorithm Design. She is working as Professor and Head in the Dept. of CEIT, College of Engineering, Pune.
882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip
httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 215
This clearly states the policy violation constraint but does not consider whether the communication channel was envisaged as a communication channel by the system designer. A simple covert channel can be visualized as in [3], where the channel comprises both the covert and the overt channel in the communication.

Fig. 1 Covert Channel Visualization

Covert channel information exchange is based on covert languages pre-negotiated by the covert users, and the implementation of such languages uses intricate encoding schemes. These schemes may be proliferated into multiple protocols, where each such protocol will be a trapdoor. This makes it complex to detect such clandestine mediums. The SETUP attack [18] makes use of a multi-trapdoor mechanism for ameliorated development of a covert channel. A hybrid covert channel scenario may have such multiple trapdoors either in the same layer or in different layers.

Multiple trapdoors can be implemented in the same layer or in different layers. Implementation of the different covert channel variants at the same instance of time tends to behave as a single coherent covert channel. Such a channel is termed a "Hybrid Covert Channel". A Hybrid Covert Channel [3] is a homogeneous composition of two or more covert channel variants existing at the same instance of time. A hybrid covert channel may not have a strict composition. It becomes complicated to assess the composition of the Hybrid Covert Channel. An instance of the hybrid covert channel is depicted in [3] and figure 2.

Fig. 2 Hybrid Covert Channel in Transport Layer

The covert channel was first introduced in the traditional confinement problem as described in [11]. Extensive work is carried out in devising the detection methods, which can be real-time or forensics [6] based. Scenario based analysis of the covert channel detections [3][7] is performed to understand the detection better. Monitoring the unusual traffic [14] in the network stream is a basis for detection. Modelling the covert timing channel process as Poisson's distribution is also a
way to detect such activity. Illegitimate information flows can be tracked through Message Sequence Charts (MSC) [9]. This paper employs a statistical protocol based entropy detection [1] to detect hybrid covert channels based on analysis made on packet headers.

2. COVERT COMMUNICATION TYPES

In network communication, covert communication amongst a pair of users can take two forms: (a) covert data exchange and (b) covert indication.

In covert data exchange, covert data is exchanged between the covert users by hiding covert data in rudimentary protocols. This form of covert communication can best be understood with the pipeline problem, where there exist two pipes p1 and p2 of diameters d1 and d2 respectively, one inside the other such that d2 < d1. These pipes are set up between two geographical places for the transportation of crude oil. In Figure 3 the inner pipe p2 of diameter d2 is the covert pipe, not known or undocumented in the design and used for smuggling oil. The outer pipe p1 is the legitimate pipe. This type of covert communication will not have pre-defined encoding schemes; it will be simple placement of covert data (trapdoor creation) directly in the identified clandestine field in the traditional network protocol stack. This channel is called a simple network covert channel.

Fig. 3 Classical Pipeline Problem

The second form of covert communication is the covert indication. Covert users communicate in a language not known to others. In Figure 4 the covert sender and receiver share an information encoding scheme to leak information. This information encoding scheme, as seen from figure 1, is the language that covert users employ to communicate in a secured legitimate network environment. This sophisticated communication is visible to our detection engine; however, decoding the language might be quite difficult in many situations.

The best real time classical example of such communication is the Examination Problem. Student X leaks the answers to Student Y for an objective type examination paper in an examination hall in the presence of an invigilating officer. For each choice in a question, student X makes a gesture that triggers an event to student Y. For instance, to communicate choice A to student Y, student X coughs. The same schema holds good in the case of network communication, where covert user X triggers continuous clock events that communicate some form of action to be performed by covert user Y. Some of the other forms of covert indication in a network scenario include
Fig. 4 Classical Examination Problem

• Encoding the ASCII character set in the sequence number; decoding the same by applying a mathematical operation on the sequence number. This can either be in the TCP or the IP ID fields.
• Repeated sending of acknowledgement packets to an unknown server to which the covert receiver is listening. The receiver has to count the number of times the acknowledgement packet was sent to this server. This value can later be mapped to the ASCII table for retrieving a suitable character.
• Retrieving the packet sorting order numbering in IPSec frames, which serves as information to the covert receiver.
• Using logical operators like XOR with the sequence number to get the covert data.

3. COVERT CHANNEL VARIANTS

Covert channels are categorized based on different aspects of the overall entities involved in the communication, like the shared resources, backdoor/trapdoor placement and the parties involved in the communication. The general classification of covert channels is given below –

• Noisy Covert Channel [14] is a communication channel which has the presence of both overt and covert users.
• Noiseless Covert Channel [14] is the communication channel used solely by covert parties.
• Storage Covert Channel [14] involves the sender and the receiver either directly or indirectly reading or writing into a storage location. The implementation can be on file-lock R/W in a hard disk.
• Timing Covert Channel [14] [13] involves the sender signalling the information by modulating the resources in such a way that the real response time is observed by the receiver.
• Simple Network Covert Channel [14] (SNCC) exists by creating a trapdoor in the rudimentary protocols used in the network protocol suite.
• Steganographic Channel [3] is a means of communication where the sender and receiver collude to prevent an observer being able to reliably detect whether communication is happening.
• Subliminal Channel [15] is a covert channel in a cryptographic algorithm, typically proved undetectable.
• Supraliminal Channel [12] encodes information in the semantic content of cover data, generating innocent communication in a manner similar to mimic functions.
• Hybrid Covert Channel [4] is the co-existence of two or more different variants of covert channels existing at the same instance of time. The composition of the Hybrid covert channel is difficult to assess from a third party which is trying to detect it. A mixed composition of covert channel variants behaves as a single coherent covert channel and is of the greatest threat to the legitimate network environment. For instance, a noisy covert channel in the transport layer with a subliminal channel in the network layer or application layer.

4. ATTACK MODELLING

The attack modelling [4] can be based on different scenarios and placement of covert users. Each of these scenarios is designed and built to fulfil certain objectives. Covert users can communicate in direct or encoded format. Direct communication is merely the placement of covert data over a clandestine medium in the network protocol. Alternatively, the covert user can communicate using an encoding scheme that is known only to the covert users.

The intricate design choosing of clandestine mediums (trapdoors) and encoding scheme paves a way for successful undetectable establishment of a covert channel. Detecting such strong covert mediums may be difficult, and hence a detection metric called the covertness index is used. The metric is given below and will be used for assessment in the attack scenarios.

The important formation scenarios of covert channels where an attack can be devised are given below.

4.1 Scenario - 1

The attack scenarios have three entities - Alice, Bob and Eve. Alice and Bob are covert attackers and Eve is a legitimate entity user. The scenario comprises the combination of covert and legitimate users, hence it is a scenario of a noisy covert channel. The channel established between Bob and Eve is a legitimate channel comprising a covert channel, and between Alice and Eve is a covert channel. Alice and Bob have a pre-established channel to communicate the attack information, and it is marked by dotted lines in figure 5.

While Eve is communicating with Bob over the legitimate channel, Alice would extract information over the covert channel. Once the communication between Bob and Eve is over, Alice would also stop communication with Bob. Further, Alice and Eve can share the information snatched from Bob's machine. The covert channel implemented between Alice and Bob can have a strong trapdoor so as to thwart the detection methods. Such trapdoors can be designed using a Hybrid covert channel. Such a possible composition can be a Subliminal channel in IPSec and a Network Covert Channel in IP, both at the network layer.
Fig. 5 Noisy Covert Channel

This combination will prove effective in hop-to-hop routing and can avoid any detections.

The covertness index for Network Covert Channel in Network Layer (IPv4) -

where P(T) = Probability of a trapdoor, card(Ut) = universal set of all possible trapdoors

The covertness index for subliminal channel in IPSec - ESP format

IPSec makes use of the AES-XCBC-MAC cipher suite, and the ESP format allows two trapdoor implantations - the Sequence Number field and padding. The maximum number of rounds in the AES random number generator algorithm is 16, out of which 5 rounds are used for generating the seed.

As per [7], the trapdoors can be detected under the assumption stated in the hybrid covert channel formation. However, this will not be the same if multiple trapdoors are set in each of the protocol headers.
4.2 Scenario - 2

This scenario is built on the threat model of a noiseless covert channel, where the resources and users in a sub-network are compromised. This sub-network is connected to another network. The communication from the sub-network to all the other networks is built using a Hybrid Covert Channel. This sub-network can be similar to a bot-net as described in [8].

Fig. 6 Noiseless Covert Channel with Hybrid Covert Channel

The scenario can have a multi-trapdoor or protocol hopped hybrid covert channel [16]. The trapdoor can move from one protocol to another protocol during the hop-to-hop communication, or can be a combination of trapdoors at multiple levels in the protocol suite. Hence there can be no particular index.

5. COVERT SCHEMES AND THEIR EMBODIMENT

The covert schemes are crucial for conveying the covert data over the communication channel in an obscured way. A more sophisticated scheme is likely not to be retrieved by the detection entity. A few samples of covert schemes were discussed in section 2 of this paper, and detailed schemes are presented here.

Scheme 1

The IP ID is a field used for identification of the packet and is used for routing purposes. The covert scheme used for this field is based on the following strategy -

• Intentional use of only certain IP IDs while having a conversation with the covert receiver
• The scheme is designed by the covert sender for embedding covert characters into the IP ID field
• The covert receiver applies the scheme used by the sender to retrieve the covert character

For instance, a simple scheme that can be used for this field is extracting the IP ID by performing a modulus operation with the character set size. The general notation for this scheme for encoding a character 'c' is
Where f(R) is the encoding function, R is the IP ID value and n is the size of the character set. For an ASCII character set n = 256.

Example: If IP ID = 26702 and the character to be sent is `M`, then f(R) = (26702 − 1) mod 256 = 77 = `M`.

To convey a covert message the covert sender has to select the IP ID in such a way as to match f(R).
Scheme 2

Another prominent scheme used is on the sequence number, where the maximum range is 4294967296 numbers as it is a 32 bit field. To communicate covertly under this scheme the following strategy is employed -

• The sequence number is multiplied with the value of the character set, and a bound is declared with a maximum limit
• The receiver side retrieves the sequence number and then divides it by the character set size

The encoding function f(S) is given below -

Where S is the initial sequence number and n is the size of the character set. The decoding function f(S′) is given below –

Where c′ is the decoded character and S′ is the received sequence number.

For instance, to send the character I covertly over the channel, the sender would have to choose 1235037038 as the sequence number, and the max value is derived as 65535 × 256 = 16777216. Therefore the decoded character is f(S′) = 1235037038 / 16777216 = 73. The value 73, when mapped back to the ASCII Table, is the character `I`.
Scheme 3

Another scheme which has a tremendous effect on the bandwidth is the modulation of TCP timestamps, or the use of the timing element in the network protocol. The TCP timestamp is in the options field of the TCP header and indicates the round trip time of the packets. The TCP process accurately calculates the next retransmission of a TCP segment which failed to be acknowledged. If a character is to be covertly sent using this scheme, the following strategy is used

• Get the binary representation of the character and extract bits from the least significant bit
• Check if the timestamp least significant bit (LSB) is the same as the covert bit; if so, send the TCP segment
• The covert receiver will extract the LSB of the timestamp and store the same until it is a byte

Let Bc be the binary representation of the character `c` and FLSB(Bc) be the encoding function for encoding the covert bits in the TCP timestamp.
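The receiver-side rules of Schemes 1 to 3, as an added reference model (not the paper's code) that a detection engine can replay over a suspected field sequence; the constants, the packet values and the LSB-flip fallback in Scheme 3 are assumptions of this example.

```python
"""Reference model of the receiver rules for Schemes 1, 2 and 3 (Section 5).

Added example, not the paper's code. A detection engine that suspects one of
these channels needs the same decoding rule the covert receiver applies, so
each scheme gets a decode function; the encode functions only exist to build
constructed test traffic. Every packet value below is made up for the example.
"""
from typing import List

CHARSET_SIZE = 256       # n in Section 5: size of the ASCII character set
SEQ_DIVISOR = 16777216   # divisor used in the paper's Scheme 2 worked example (2**24)
IP_ID_MAX = 0xFFFF       # the IP ID field is 16 bits wide


# Scheme 1: the IP ID carries a character as its residue modulo n.
def scheme1_decode(ip_id: int, n: int = CHARSET_SIZE) -> str:
    """Receiver rule: f(R) = R mod n, mapped back to the ASCII table."""
    return chr(ip_id % n)


def scheme1_select_ip_id(ch: str, nominal_ip_id: int, n: int = CHARSET_SIZE) -> int:
    """Sender rule: pick the smallest IP ID >= the one the stack would have used
    whose residue mod n equals ord(ch) (assumed selection policy, 16-bit bound)."""
    residue = ord(ch) % n
    candidate = nominal_ip_id - (nominal_ip_id % n) + residue
    if candidate < nominal_ip_id:
        candidate += n
    if candidate > IP_ID_MAX:
        raise ValueError("no 16-bit IP ID at or above the nominal value fits")
    return candidate


# Scheme 2: the sequence number carries a character in its high part.
def scheme2_decode(seq: int, divisor: int = SEQ_DIVISOR) -> str:
    """Receiver rule: f(S') = floor(S' / divisor), mapped back to ASCII."""
    return chr(seq // divisor)


def scheme2_sequence_for(ch: str, offset: int, divisor: int = SEQ_DIVISOR) -> int:
    """Sender rule: S = ord(ch) * divisor + offset, with offset < divisor so the
    integer division at the receiver recovers ord(ch) exactly."""
    if not 0 <= offset < divisor:
        raise ValueError("offset must be smaller than the divisor")
    return ord(ch) * divisor + offset


# Scheme 3: one covert bit per segment in the LSB of the TCP timestamp.
def scheme3_timestamps_for(ch: str, timestamps: List[int]) -> List[int]:
    """Sender rule: walk the character's bits from the least significant bit;
    a segment whose timestamp LSB already matches is sent unchanged. The page
    does not say what happens otherwise; this model flips the LSB (assumption)."""
    if len(timestamps) < 8:
        raise ValueError("eight TCP segments are needed per character")
    bits = [(ord(ch) >> i) & 1 for i in range(8)]
    return [ts if (ts & 1) == bit else ts ^ 1 for ts, bit in zip(timestamps, bits)]


def scheme3_decode(timestamps: List[int]) -> str:
    """Receiver rule: collect the LSB of each timestamp until a byte is complete."""
    if len(timestamps) < 8:
        raise ValueError("incomplete byte: fewer than eight segments seen")
    value = 0
    for i, ts in enumerate(timestamps[:8]):
        value |= (ts & 1) << i
    return chr(value)


def replay_scheme2(seq_numbers: List[int], divisor: int = SEQ_DIVISOR) -> str:
    """What a detector would reconstruct if a captured sequence-number series
    were carrying Scheme 2: one character per segment."""
    return "".join(scheme2_decode(s, divisor) for s in seq_numbers)


if __name__ == "__main__":
    # Paper's Scheme 2 worked value: 1235037038 // 16777216 = 73 = 'I'.
    print("scheme 2:", scheme2_decode(1235037038))
    # Constructed traffic: eight segments whose timestamps would have been 1000..1007.
    ts = scheme3_timestamps_for("c", list(range(1000, 1008)))
    print("scheme 3:", ts, "->", scheme3_decode(ts))
    chosen = scheme1_select_ip_id("M", 26600)
    print("scheme 1:", chosen, "->", scheme1_decode(chosen))
```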
6. ENTROPY BASED COVERT CHANNEL ANALYSIS

The entropy [2] in a communication network indicates the number of bits required to encode a character over the channel, as stated by Shannon's Entropy theory. This is based on the frequency of the characters in a given string and the size of the alphabet. The entropy measure also checks for the uncertainty of the random variable.

Let A be a finite set of characters such that |A| ≥ 1, and any character c′ ∈ A is a sequence of symbols, which is a string, each alphabet in the string being ∈ A. For instance, let cbbacabbac be a sequence of symbols that needs to be transmitted over the network; then its sequence of bits represents the coded symbol sequence, which may be 101110011011100010. Then the entropy for such a scenario is defined as –

where i ∈ |A| and |A| > 1, pi is the probability of the occurrence of symbol 'c' in the string and n gives the length of the string. To transmit a message "network" over the communication network, the following are the calculated entropies for each alphabet –

The frequency of all the characters in a string with unique symbols will be the same; since the word "network" has unique symbols, the frequency is 0.143. Let X be the string for which the entropy is to be calculated; here X may be a word like network or a stream of numbers. Then

H(X) = −[(0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143)]

H(X) = 2.803

It requires 3 bits to represent each symbol in the given string, and 21 bits are required to represent the entire string. Further, the appropriate line coding technique has to be chosen to represent them on the transmission line. So in general the entropy of X, where each alphabet is a unique symbol, is

In a covert channel scenario the covert user has to choose the message in such a way that the entropy of the string should always be less than the number of bits available for that field in the protocol header,

i.e. H(X) < |Maximum number of bits in that field (Bf)|
The IP ID presented in scheme 1 of this paper has 16 bits in the IP header, so to send X a minimum of 21 bits is required. Hence the capacity of the covert channel is

The covert channel occupies 25% of the total IP header space. Multiple trapdoors (t) [5] [4] in the IP header or protocol header simply double the covert channel capacity. However, the entropy to channel capacity ratio will be low, thus making it robust, i.e.

This makes the detection of covert bits much more difficult, as the detection systems need to scan more fields for analysis.

In general

for robust covert channel construction, where [7] the covertness index for such a multi-trapdoor covert channel will be greater than 0.5. The multiple trapdoors through a protocol or set of protocols is actually the setting up of multiple covert channels in the communication network. The entropy for such scenarios is dispersed across multiple trapdoors, making it difficult to understand the scheme. Also, in the scenario of multi-trapdoors, the covert channel behaves like a single coherent hybrid covert channel, where the effect of the entropy is doubled. The results shown in figure 7 and figure 8 show the accurate expected behaviour discussed in this paper -

Fig. 7 IP Entropy analysis

Fig. 8 TCP Entropy Analysis
The results indicate that the multiple trapdoors used in a hybrid covert channel yield a higher entropy value and a low channel to entropy ratio (C/E). The constant C/E ratio also indicates the consistent usage of the protocol header for constructing a multi-trapdoor based hybrid covert channel. This implies that the covert schemes used in a Hybrid covert channel are difficult to detect in secured communication.

7. RESULTS AND DISCUSSIONS

The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in that protocol, i.e.

where Tm is the max number of trapdoors possible in that protocol and Ts is the number of trapdoors set.

The analysis of the trapdoor setting is performed on protocols like IPv4, TCP, IPSec and SSL/TLS. The trapdoor setting in the rudimentary network protocols like IPv4 and TCP is merely based on placing the covert data in any of its header fields. Table 1 shows the effect of varying the number of trapdoors in the IPv4 protocol.
Table 1. Multi-Trapdoor Analysis of IPv4

Sl. No | Trapdoor Name                      | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E
1      | Network Covert Channel-IPv4-Single | 4                | 1                     | NIL       | 0.25             | 2.803   | 0.089
2      | Network Covert Channel-IPv4-dual   | 4                | 2                     | NIL       | 0.5              | 5.606   | 0.17
3      | Network Covert Channel-IPv4-triple | 4                | 3                     | NIL       | 0.75             | 11.21   | 0.358
The graph of Trapdoors vs the Covertness Index is shown in figure 9, where an increase in the number of trapdoors in IPv4 increases the difficulty in detecting the covert channel. The trapdoor setting in IPSec using a subliminal channel is slightly complex to understand. However, the ESP format provides two fields to convey the covert bits in the protocol header. The remaining data is sent over the ESP algorithm during the time of the key generation for encryption using the AES algorithm. The residual bits are used in random number generation or in the round box of the AES, and this is depicted on row 2 of table 2. Hence the covertness index is 0.15 (equation 2), which becomes 0.47. This will not change any further, as there is limited scope for subliminal channel development in the IPSec-ESP format.
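An added worked calculation (not the paper's code) covering the Section 6 entropy figures for the message "network" and the covertness index Ts/Tm behind the tables of this section; the field widths, the doubling rule read off the tables and the sample messages are assumptions of this example.

```python
"""Entropy and covertness-index calculations from Sections 6 and 7.

Added example, not the paper's code. shannon_entropy() is the H(X) the paper
evaluates for the message "network"; field_fits() is the H(X) < Bf condition of
Section 6; covertness_index() is Ts/Tm, which reproduces the Covertness Index
column of Tables 1 and 3; trapdoor_entropy() applies the doubling per extra
trapdoor that the Entropy column of those tables shows (read off the tables,
not derived here). Field widths and the sample messages are constructed.
"""
import math
from collections import Counter
from typing import List

IPV4_TRAPDOORS = 4   # Tm for IPv4 in Table 1
TCP_TRAPDOORS = 7    # Tm for TCP in Table 3
IP_ID_BITS = 16      # Bf for the IP ID field used by Scheme 1


def shannon_entropy(message: str) -> float:
    """H(X) = -sum(p_i * log2 p_i) over the distinct symbols of the string.
    For "network" every symbol is unique, so H = log2(7), about 2.807 bits;
    the paper rounds p_i to 0.143 and reports 2.803."""
    if not message:
        return 0.0
    n = len(message)
    return -sum((c / n) * math.log2(c / n) for c in Counter(message).values())


def bits_per_symbol(message: str) -> int:
    """Whole bits needed per symbol (the paper rounds 2.803 up to 3)."""
    return math.ceil(shannon_entropy(message))


def bits_for_string(message: str) -> int:
    """Bits for the whole string: 7 symbols x 3 bits = 21 for "network"."""
    return bits_per_symbol(message) * len(message)


def field_fits(message: str, field_bits: int) -> bool:
    """Section 6 constraint on the covert user: H(X) < Bf for the chosen field."""
    return shannon_entropy(message) < field_bits


def covertness_index(trapdoors_set: int, trapdoors_possible: int) -> float:
    """Ts / Tm. Section 7: the trapdoors set cannot exceed the vulnerable fields."""
    if trapdoors_possible <= 0 or not 0 <= trapdoors_set <= trapdoors_possible:
        raise ValueError("trapdoors set must lie between 0 and the maximum possible")
    return trapdoors_set / trapdoors_possible


def trapdoor_entropy(single_trapdoor_entropy: float, trapdoors_set: int) -> float:
    """Entropy column of Tables 1 and 3: it doubles with each additional trapdoor
    (2.803, 5.606, 11.21 for one, two and three trapdoors)."""
    if trapdoors_set < 1:
        raise ValueError("at least one trapdoor is needed")
    return single_trapdoor_entropy * 2 ** (trapdoors_set - 1)


def analysis_rows(protocol: str, trapdoors_possible: int,
                  single_trapdoor_entropy: float = 2.803) -> List[dict]:
    """One row per number of trapdoors set, in the layout of Tables 1 and 3."""
    rows = []
    for ts in range(1, trapdoors_possible + 1):
        rows.append({
            "protocol": protocol,
            "trapdoors_possible": trapdoors_possible,
            "trapdoors_set": ts,
            "covertness_index": round(covertness_index(ts, trapdoors_possible), 3),
            "entropy": round(trapdoor_entropy(single_trapdoor_entropy, ts), 3),
        })
    return rows


if __name__ == "__main__":
    print('H("network") =', round(shannon_entropy("network"), 3),
          "bits/symbol ->", bits_per_symbol("network"), "bits, string needs",
          bits_for_string("network"), "bits")
    print("fits the 16-bit IP ID field:", field_fits("network", IP_ID_BITS))
    for row in analysis_rows("IPv4", IPV4_TRAPDOORS)[:3]:
        print(row)
    for row in analysis_rows("TCP", TCP_TRAPDOORS)[:3]:
        print(row)
```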
Fig. 9 Entropy vs Covertness Index in IPv4

Table 2. Multi-Trapdoor Analysis of Subliminal Channel in IPSec

Sl. No | Trapdoor Name                  | No. of Trapdoors | No. of Trapdoors used | Algorithm    | Covertness Index | Entropy | C/E
1      | Subliminal Channel-IPSec ESP-1 | 2                | 1                     | AES-XCBC-MAC | 0.15             | 2.803   | 0.14
2      | Subliminal Channel-IPSec ESP-2 | -                | -                     | AES-XCBC-MAC | 0.47             | 4.78    | 0.35
3      | Subliminal Channel-IPSec ESP-3 | -                | -                     | AES-XCBC-MAC | 0.47             | 5.21    | 0.35

The graph of Trapdoors vs the Covertness Index is shown in figure 10, where an increase in the number of trapdoors in IPSec ESP makes the covertness index constant. The trapdoor setting in a TCP based protocol is simple and provides seven fields for placing the covert data. Table 3 depicts the changing trapdoor that has an effect on the covertness index. When a greater number of trapdoors are involved it is difficult to detect the composition of the covert channel. Figure 11 shows the change in the trapdoor count that has an effect on the detection. However, the changes in the covertness index can be minimal. The trapdoor setting in the subliminal channel in SSL/TLS is based on the algorithm used in its cipher suite. This is purely called a random oracle channel. However, to increase the complexity of the subliminal channel to thwart detection, the randomization of bits is feasible in a chosen prime number. This forms the Newton Subliminal Channel. The covertness index for such channels is discussed in table 4.

Fig. 10 Entropy vs Covertness Index in IPSec based subliminal channel
Table 3. Multi-Trapdoor Analysis of Network covert channel in TCP

Sl. No | Trapdoor Name               | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E
1      | Network Covert Channel-TCP- | 7                | 1                     | NIL       | 0.142            | 2.803   | 0.14
2      | Network Covert Channel-TCP- | 7                | 2                     | NIL       | 0.28             | 5.606   | 0.28
3      | Network Covert Channel-TCP- | 7                | 3                     | NIL       | 0.42             | 11.21   | 0.14

The graph of the covertness index vs the trapdoor in the subliminal channel is shown in figure 12. The higher entropy value for some of the formations indicates that the detection engine [10] is able to detect the activity, and this gives a clear indication of the higher detection rates. A Hybrid Covert channel is not feasible for the combinations of the Network covert channel in TCP and IPv4, as this becomes an easily detectable combination.

Fig. 11 Entropy vs Covertness Index in Covert Channel based on TCP

Table 4. Multi-Trapdoor Analysis of Subliminal Channel in SSL/TLS

Sl. No | Trapdoor Name                          | No. of Trapdoors | No. of Trapdoors used | Algorithm        | Covertness Index | Entropy | C/E
1      | Subliminal Channel (Oracle)-SSL/TLS-1  | -                | -                     | SSL Cipher Suite | 0.25             | 2.803   | 0.14
2      | Subliminal Channel (Oracle)-SSL/TLS-2  | -                | -                     | SSL Cipher Suite | 0.58             | 3.67    | 0.35
3      | Subliminal Channel (Oracle)-SSL/TLS-3  | -                | -                     | SSL Cipher Suite | 0.58             | 3.67    | 0.35
Fig. 12 Covertness Index for Subliminal Channel based on SSL/TLS

8. CONCLUSION

Covert schemes are difficult to understand from a third party entity, as they obscure the content taken in the protocol header. This provides an opportunity for embedding any data, which may even be malware code. Entropy based analysis gives the actual number of bits used to represent the covert symbol in a protocol. This gives a clear metric to understand the covert channel schemes in a better way. It is unacceptable to have a malicious conversation on the network even in the presence of an administrator. It is the inference of this experiment that the hybrid covert channel has a high degree of entropy, which makes it difficult to detect. It is required to concentrate on stronger detection principles to detect such events.

ACKNOWLEDGEMENT

Anjan Koundinya thanks Late Dr VK Ananthashayana, Erstwhile Head, Department of Computer Science and Engineering, MSRamaiah Institute of Technology, Bangalore for igniting the passion for research.

REFERENCES

[1] Description of Detection Approaches at the URL http://gray-world.net/projects/papers/html/cctde.html, 2014 [Online, accessed 15-Feb-2015].
[2] Description of the Entropy calculation at the URL http://www.shannonentropy.netmark.pl [Online, accessed 16-Feb-2015].
[3] Koundinya Anjan and Jibi Abraham. Behaviour analysis of transport layer based hybrid covert channel. In Third International Conference on Network Security and Applications, pages 83-92, Chennai, India, 2010. Springer-Verlag LNCS series.
[4] Jibi Abraham, Anjan K, Srinath N K. Attack modelling and behavioral analysis of hybrid covert channel in secured communication. ACEEE International Journal of Network Security, 05(2):67-77, 2014.
[5] Bo Yuan, Chaim Sanders, Jacob Valletta. Employing Entropy in the Detection and Monitoring of Network Covert Channels. 2012.
[6] Rajarathnam Chandramouli and Koduvayur P Subbalakshmi. Covert channel forensics on the internet: Issues, approaches and experiences. 5(1):41-50, July 2007.
[7] Anjan K Koundinya et al. Covertness analysis of subliminal channels in legitimate communication. In ADCONS 2011, pages 582-591. Springer-Verlag LNCS series, 2012.
[8] Jaideep Chandrashekar et al. Exploiting temporal persistence to detect covert botnet channels. In Proceedings of the 12th International Symposium, RAID 2009, pages 326-345, Saint-Malo, France, September 2009.
[9] Loic Helou, Claude Jard and Marc Zeitoun. Covert channels detection in protocols using scenarios. SPV03, Volume 3, April 2003.
[10] Anjan K Koundinya and Jibi Abraham. Design of Transport Layer Based Hybrid Covert Channel Detection Engine. Volume 1 of 4, International Journal of Ad hoc, Sensor and Ubiquitous Computing, 2010.
[11] B W Lampson. A Note on the Confinement Problem. Communication of the ACM, 1973.
[12] Enping Li and Scott Craver. A supraliminal channel in a wireless phone application. In Proceedings of the 11th ACM workshop on Multimedia and security, pages 7-18, Princeton, New Jersey, USA, 2009.
[13] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert timing channels: Design and detection. CCS 4, 2004.
[14] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert channel detection. ACM Transaction on Information and System Security, Volume 12 (Article 22), 2009.
[15] Gustavus J Simmons. The Subliminal Channel and Digital Signatures. Springer-Verlag, 1998.
[16] Steffen Wendzel. Protocol Channels. HAKIN9, 2009.
[17] Andreas Willig. A short introduction to queuing theory. Lecture notes at Technical University Berlin, 1999.
[18] Adam Young and Moti Yung. Malicious Cryptography. First edition, Wiley Publishing, Feb, pages 220-240, 2004.

AUTHORS

Anjan K has received his BE degree from Visveswariah Technological University, Belgaum, India in 2007 and his master degree from the Department of Computer Science and Engineering, MSRamaiah Institute of Technology, Bangalore, India. He has been awarded Best Performer PG 2010 for his academic excellence. His area of research includes Network Security and Cryptography, Agile Software Engineering. He is pursuing a PhD in Computer Science and Engineering from VTU, Belgaum. He is currently working as Assistant Professor in the Dept of Computer Science and Engineering, RV College of Engineering, Bengaluru, India.

Srinath NK has his ME degree in Systems Engineering and Operations Research from Roorkee University in 1986 and PhD degree from Avinash Lingum University, India in 2009. His areas of research interest include Operations Research, Parallel and Distributed Computing, DBMS, Microprocessor. He is working as Professor and Dean, PG Dept of Computer Science and Engineering, RV College of Engineering.

Jibi Abraham has received her MS degree in Software Systems from BITS, Rajasthan, India in 199 and PhD degree from Visveswariah Technological University, Belgaum, India in 2008 in the area of Network Security. Her areas of research interest include Network routing algorithms, Cryptography, Network Security of Wireless Sensor Networks and Algorithms Design. She is working as Professor and Head in the Dept of CEIT, College of Engineering, Pune.
way to detect such activity. Illegitimate information flows can be tracked through Message Sequence Charts (MSC) [9]. This paper employs a statistical, protocol-based entropy detection [1] to detect hybrid covert channels based on analysis of packet headers.

2. COVERT COMMUNICATION TYPES

In network communication, covert communication between a pair of users can take two forms:
(a) covert data exchange and
(b) covert indication.

In covert data exchange, covert data is exchanged between the covert users by hiding it in rudimentary protocols. This form of covert communication is best understood with the pipeline problem: there exist two pipes p1 and p2 of diameters d1 and d2 respectively, one inside the other such that d2 < d1. These pipes are set up between two geographical places for the transportation of crude oil. In Figure 3 the inner pipe p2 of diameter d2 is the covert pipe, not known or undocumented in the design, and used for smuggling oil. The outer pipe p1 is the legitimate pipe. This type of covert communication has no pre-defined encoding scheme; it is a simple placement of covert data (trapdoor creation) directly in an identified clandestine field of the traditional network protocol stack. This channel is called a simple network covert channel.

Fig. 3 Classical Pipeline Problem

The second form of covert communication is covert indication. Covert users communicate in a language not known to others. In Figure 4 the covert sender and receiver share an information encoding scheme to leak information. This encoding scheme, as seen from the figure, is the language that covert users employ to communicate in a secured legitimate network environment. This sophisticated communication is visible to our detection engine; however, decoding the language might be quite difficult in many situations.

The best real-world classical example of such communication is the Examination Problem. Student X leaks the answers to Student Y for an objective type examination paper in an examination hall in the presence of an invigilating officer. For each choice in a question, student X makes a gesture that triggers an event for student Y. For instance, to communicate choice A to student Y, student X coughs. The same schema holds good in network communication, where covert user X triggers continuous clock events that communicate some form of action to be performed by covert user Y. Some of the other forms of covert indication in a network scenario include:
Fig. 4 Classical Examination Problem

• Encoding an ASCII character in the sequence number and decoding it by applying a mathematical operation on the sequence number. This can be done in either the TCP sequence number or the IP ID field.
• Repeated sending of an acknowledgement packet to an unknown server on which the covert receiver is listening. The receiver has to count the number of times the acknowledgement packet was sent to this server; this value can later be mapped to the ASCII table to retrieve the corresponding character.
• Retrieving the packet sorting-order numbering in IPSec frames, which serves as information to the covert receiver.
• Using logical operators like XOR with the sequence number to get the covert data.

3. COVERT CHANNEL VARIANTS

Covert channels are categorized based on different aspects of the entities involved in the communication, such as the shared resources, backdoor/trapdoor placement and the parties involved in the communication. The general classification of covert channels is given below:

• Noisy Covert Channel [14] is a communication channel in which both overt and covert users are present.
• Noiseless Covert Channel [14] is a communication channel used solely by covert parties.
• Storage Covert Channel [14] involves the sender and the receiver either directly or indirectly reading or writing to a storage location. The implementation can be based on a file lock, or on reads/writes to the hard disk.
• Timing Covert Channel [14][13] involves the sender signalling information by modulating resources in such a way that the real response time is observed by the receiver.
• Simple Network Covert Channel [14] (SNCC) exists by creating a trapdoor in the rudimentary protocols used in the network protocol suite.
• Steganographic Channel [3] is a means of communication where sender and receiver collude to prevent an observer from being able to reliably detect whether communication is happening.
• Subliminal Channel [15] is a covert channel in a cryptographic algorithm, typically proved undetectable.
• Supraliminal Channel [12] encodes information in the semantic content of cover data, generating innocent-looking communication in a manner similar to mimic functions.
• Hybrid Covert Channel [4] is the co-existence of two or more different variants of covert channels at the same instance of time. The composition of the hybrid covert channel is difficult to assess for a third party which is trying to detect it. A mixed composition of covert channel variants behaves as a single coherent covert channel and is the greatest threat to the legitimate network environment, for instance a noisy covert channel in the transport layer combined with a subliminal channel in the network layer or application layer.

4. ATTACK MODELLING

The attack modelling [4] can be based on different scenarios and placements of covert users. Each of these scenarios is designed and built to fulfil certain objectives. Covert users can communicate in direct or encoded format; direct communication is merely the placement of covert data over a clandestine medium in the network protocol. Alternatively the covert user can communicate using an encoding scheme that is known only to the covert users.

The intricate choice of clandestine mediums (trapdoors) and encoding scheme paves the way for successful undetectable establishment of a covert channel. Detecting such strong covert mediums may be difficult, and hence a detection metric called the covertness index is used. The metric is given below and will be used for assessment in the attack scenarios.

The important formation scenarios of covert channels where an attack can be devised are given below.

4.1 Scenario 1

The attack scenarios have three entities: Alice, Bob and Eve. Alice and Bob are covert attackers and Eve is a legitimate entity/user. The scenario comprises a combination of covert and legitimate users, hence it is a scenario of a noisy covert channel. The channel established between Bob and Eve is a legitimate channel that also carries the covert channel, and between Alice and Eve is a covert channel. Alice and Bob have a pre-established channel to communicate the attack information, shown as dotted lines in Figure 5.

While Eve is communicating with Bob over the legitimate channel, Alice extracts information over the covert channel. Once the communication between Bob and Eve is over, Alice also stops communicating with Bob. Further, Alice and Eve can share the information snatched from Bob's machine. The covert channel implemented between Alice and Bob can have a strong trapdoor so as to thwart the detection methods. Such trapdoors can be designed using a hybrid covert channel. One possible composition is a subliminal channel in IPSec together with a network covert channel in IP, both at the network layer.
Fig. 5 Noisy Covert Channel

This combination proves effective in hop-to-hop routing and can avoid detection.

The covertness index for a Network Covert Channel in the Network Layer (IPv4) is

where
(T) = probability of a trapdoor,
card(Ut) = universal set of all possible trapdoors.

The covertness index for a subliminal channel in IPSec (ESP format):

IPSec makes use of the AES-XCBC-MAC cipher suite, and the ESP format allows two trapdoor implantations: the Sequence Number field and the padding. The maximum number of rounds in the AES random number generator algorithm is 16, out of which 5 rounds are used for generating the seed.

As per [7], the trapdoors can be detected under the assumption stated in the hybrid covert channel formation. However, this will not be the same if multiple trapdoors are set in each of the protocol headers.
4.2 Scenario 2

This scenario is built on the threat model of a noiseless covert channel where the resources and users in a sub-network are compromised. This sub-network is connected to other networks. The communication from the sub-network to all the other networks is built using a hybrid covert channel. This sub-network can be similar to a botnet as described in [8].

Fig. 6 Noiseless Covert Channel with Hybrid Covert Channel

The scenario can have a multi-trapdoor or protocol-hopped hybrid covert channel [16]. The trapdoor can move from one protocol to another during the hop-to-hop communication, or there can be a combination of trapdoors at multiple levels of the protocol suite. Hence there can be no particular index for it.

5. COVERT SCHEMES AND THEIR EMBODIMENT

The covert schemes are crucial for conveying the covert data over a communication channel in an obscured way. A more sophisticated scheme is less likely to be retrieved by the detection entity. A few samples of covert schemes were discussed in section 2 of this paper; detailed schemes are presented here.

Scheme 1

The IP ID field identifies a datagram so that its fragments can be reassembled by the receiver. The covert scheme used for this field is based on the following strategy:

• Intentional use of only certain IP IDs while having a conversation with the covert receiver.
• The scheme is designed by the covert sender for embedding covert characters into the IP ID field.
• The covert receiver applies the scheme used by the sender to retrieve the covert character.

For instance, a simple scheme that can be used for this field extracts the character from the IP ID by performing a modulus operation with the character set size. The general notation of this scheme for encoding a character 'c' is
$f(R) = (R - 1) \bmod n$

where $f$ is the encoding function, $R$ is the IP ID value and $n$ is the size of the character set. For an ASCII character set, $n = 256$.

Example: if IP ID = 26702 and the character to be sent is 'M', then $f(R) = (26702 - 1) \bmod 256 = 77$, which is 'M' in the ASCII table.

To convey a covert message, the covert sender has to select the IP ID in such a way that $f(R)$ matches the character to be sent.
Scheme 2

Another prominent scheme operates on the sequence number, whose maximum range is 4294967296 values as it is a 32-bit field. To communicate covertly under this scheme the following strategy is employed:

• The character value is multiplied by a fixed bin size derived from the character set size, and a bound is declared with the maximum limit of the field.
• The receiver side retrieves the sequence number and then divides it by the bin size.

The encoding function $f(c)$ is given below:

where $S$ is the initial sequence number and $n$ is the size of the character set. The decoding function $f(S')$ is given below:

where $c'$ is the decoded character and $S'$ is the received sequence number.

For instance, to send the character 'I' covertly over the channel, the sender would choose 1235037038 as the sequence number; the bin size is derived as $65536 \times 256 = 16777216$ (that is, $2^{32}/256 = 2^{24}$). Therefore the decoded character is $f(S') = \lfloor 1235037038 / 16777216 \rfloor = 73$. The value 73, when mapped back to the ASCII table, is the character 'I'.
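The two arithmetic schemes above, implemented end to end as an added example (Python written for this page, not code from the paper). The receiver functions reproduce the page's two worked values (IP ID 26702 decodes to 'M', sequence number 1235037038 decodes to 'I'); the sender side shows the selection step the text only states, choosing an IP ID whose f(R) equals the byte to send. The monotonic IP ID selection policy and the randomised low 24 bits of the sequence number are assumptions made here.

```python
# Added example, not from the paper: sender and receiver sides of Scheme 1
# (IP ID, f(R) = (R - 1) mod n) and Scheme 2 (TCP sequence number,
# c = floor(S / M) with M = 2^32 / n). The monotonic IP ID selection policy
# and the random low bits in the sequence number are assumptions made here.

import random

CHARSET = 256                          # n: one byte per covert character
IPID_MOD = 1 << 16                     # IP ID is a 16-bit field
SEQ_BIN = (1 << 32) // CHARSET         # M = 2^24 = 16777216: 256 bins in 32 bits


def ipid_decode(ipid: int, n: int = CHARSET) -> int:
    """Scheme 1 receiver: f(R) = (R - 1) mod n."""
    return (ipid - 1) % n


def ipid_encode(char: int, next_id: int, n: int = CHARSET) -> int:
    """Scheme 1 sender: smallest IP ID >= next_id with f(R) == char, i.e.
    R = char + 1 (mod n). Keeping IDs increasing (an assumption) preserves the
    look of an ordinary per-datagram counter; 2^16 is a multiple of n, so
    decoding still holds after the 16-bit wrap."""
    r = next_id + ((char + 1 - next_id) % n)
    return r % IPID_MOD


def ipid_send(msg: bytes, start_id: int = 1) -> list:
    """One covert byte per datagram; returns the IP IDs the sender stamps."""
    ids, nxt = [], start_id
    for b in msg:
        r = ipid_encode(b, nxt)
        ids.append(r)
        nxt = (r + 1) % IPID_MOD       # the next datagram gets a later ID
    return ids


def ipid_recv(ids) -> bytes:
    """Scheme 1 receiver over a whole datagram stream."""
    return bytes(ipid_decode(r) for r in ids)


def seq_encode(char: int, low_bits=None) -> int:
    """Scheme 2 sender: S = c * M + r with 0 <= r < M, so floor(S / M) = c.
    The low 24 bits are free; randomising them (an assumption) keeps the ISN
    from being a bare multiple of M."""
    if low_bits is None:
        low_bits = random.randrange(SEQ_BIN)
    if not 0 <= low_bits < SEQ_BIN:
        raise ValueError("low bits must stay inside one bin")
    return char * SEQ_BIN + low_bits


def seq_decode(seq: int) -> int:
    """Scheme 2 receiver: c' = floor(S' / M)."""
    if not 0 <= seq < (1 << 32):
        raise ValueError("sequence number must fit in 32 bits")
    return seq // SEQ_BIN
```

Because the IP ID must also serve its legitimate purpose, the sender can only choose among IDs it has not recently used; the monotonic policy above satisfies that while still matching f(R) within at most n candidates.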
Scheme 3

Another scheme, which has a considerable effect on bandwidth, is the modulation of TCP timestamps, or more generally the use of a timing element in the network protocol. The TCP timestamp option sits in the options field of the TCP header and carries the sender's timestamp value (TSval) together with an echo of the peer's last timestamp; the TCP process uses it to measure the round-trip time and so to calculate the next retransmission of a TCP segment that failed to be acknowledged. If a character is to be sent covertly using this scheme, the following strategy is used:

• Get the binary representation of the character and extract bits starting from the least significant bit.
• Check if the least significant bit (LSB) of the timestamp is the same as the covert bit; if so, send the TCP segment (otherwise the segment is held back until the timestamp clock ticks to a value whose LSB matches).
• The covert receiver will extract the LSB of each timestamp and store it until a full byte has been collected.

Let $B_c$ be the binary representation of the character 'c' and $F_{LSB}(B_c)$ be the encoding function for encoding the covert bits in the TCP timestamp.
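Scheme 3 as an added example (Python written for this page, not the paper's code): F_LSB implemented over a simulated timestamp clock, with the sender holding a segment until the clock's LSB matches the covert bit, and the receiver accumulating LSBs into bytes. The tick granularity, the LSB-first bit order and the assumption that every segment carries a covert bit are choices made here.

```python
# Added example, not from the paper: Scheme 3, covert bits carried in the least
# significant bit of the TCP timestamp value (TSval). The sender releases a
# segment only when the current clock's LSB equals the next covert bit and
# otherwise holds it for the next tick; the receiver rebuilds bytes from the
# LSBs. The simulated tick, the LSB-first bit order and the assumption that
# every segment carries a covert bit are choices made here.

def char_bits(c: int) -> list:
    """B_c: the 8 bits of character c, least significant bit first."""
    return [(c >> i) & 1 for i in range(8)]


def f_lsb(bits, clock_start: int = 0) -> list:
    """F_LSB(B_c): TSval stamped on each successive segment. `tick` stands in
    for the host's timestamp clock; a segment waits while (tick & 1) != bit."""
    tsvals, tick = [], clock_start
    for b in bits:
        while (tick & 1) != b:
            tick += 1                      # delay until the LSB matches
        tsvals.append(tick & 0xFFFFFFFF)   # TSval is a 32-bit field
        tick += 1                          # next segment gets a later tick
    return tsvals


def ts_send(msg: bytes, clock_start: int = 0) -> list:
    """Covert sender: every byte of msg becomes eight stamped segments."""
    return f_lsb([b for c in msg for b in char_bits(c)], clock_start)


def ts_recv(tsvals) -> bytes:
    """Covert receiver: collect each TSval's LSB until eight bits make a byte;
    a trailing partial byte is dropped."""
    out, acc, nbits = bytearray(), 0, 0
    for ts in tsvals:
        acc |= (ts & 1) << nbits
        nbits += 1
        if nbits == 8:
            out.append(acc)
            acc, nbits = 0, 0
    return bytes(out)


def extra_delay(msg: bytes, clock_start: int = 0) -> int:
    """Ticks spent waiting for a matching LSB, which is the bandwidth cost the
    text refers to: on average about half the covert bits need an extra tick."""
    ts = ts_send(msg, clock_start)
    return (ts[-1] - clock_start + 1) - len(ts)
```

On a real host the sender does not control the clock; it can only delay a segment, which is why this scheme costs throughput and why its timing signature, rather than any header value, is what a detector would look for.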
6. ENTROPY BASED COVERT CHANNEL ANALYSIS

The entropy [2] in a communication network indicates the number of bits required to encode a character over the channel, as stated by Shannon's entropy theory. It is based on the frequency of the characters in a given string and the size of the alphabet. The entropy measure also quantifies the uncertainty of the random variable.

Let $A$ be a finite set of characters such that $|A| \ge 1$, and let a message be a string whose symbols are each drawn from $A$. For instance, let cbbacabbac be a sequence of symbols that needs to be transmitted over the network; its sequence of bits is the coded symbol sequence, which may be 101110011011100010. Then the entropy for such a scenario is defined as

$$H(X) = -\sum_{i=1}^{|A|} p_i \log_2 p_i$$

where $i \in \{1, \ldots, |A|\}$, $|A| > 1$, $p_i$ is the probability of occurrence of the $i$-th symbol in the string (its count divided by $n$), and $n$ gives the length of the string. To transmit the message "network" over the communication network, the entropy is calculated from the frequency of each letter.

The frequency of all the characters in a string with unique symbols is the same; since the word "network" has seven unique symbols, each frequency is $1/7 \approx 0.143$. Let $X$ be the string for which the entropy is to be calculated; here $X$ may be a word like "network" or a stream of numbers. Then

$$H(X) = -7 \times (0.143 \log_2 0.143) \approx 2.803$$

bits per symbol (the exact value is $\log_2 7 \approx 2.807$; the tables in Section 7 use the rounded figure 2.803). It therefore requires 3 bits to represent each symbol in the given string, and 21 bits are required to represent the entire string. Further, an appropriate line coding technique has to be chosen to represent them on the transmission line. So in general the entropy of $X$ where each symbol is unique is

$$H(X) = -n \times \frac{1}{n} \log_2 \frac{1}{n} = \log_2 n$$

In a covert channel scenario the covert user has to choose the message in such a way that the entropy of the string is always less than the number of bits available for that field in the protocol header, i.e.

$$H(X) < |B_f|$$

where $B_f$ is the maximum number of bits in that field.
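An added example (Python written for this page, not the paper's code) that computes H(X) as defined above, reproducing the "network" figure, applies the H(X) < |B_f| check to the fields used by the schemes in Section 5, and then runs the same entropy over the low byte of a header field across a window of packets, contrasting a counter-style IP ID with one carrying Scheme 1 data. The sample traffic, the window size and the choice of the low byte are constructed assumptions, and the window measure is a simple indicator, not the detection engine the paper cites.

```python
# Added example, not from the paper: Shannon entropy as defined above, the
# H(X) < B_f capacity check, and entropy of a header field over a window of
# packets. Field widths follow the schemes in Section 5; the sample packets,
# the window size and the use of the low byte are assumptions made here.

import math
from collections import Counter

FIELD_BITS = {"ip_id": 16, "tcp_seq": 32, "tcp_tsval": 32}   # B_f per field


def shannon_entropy(symbols) -> float:
    """H(X) = -sum_i p_i log2 p_i with p_i = count_i / n (bits per symbol)."""
    symbols = list(symbols)
    n = len(symbols)
    if n == 0:
        return 0.0
    return -sum((k / n) * math.log2(k / n) for k in Counter(symbols).values())


def bits_for_message(msg: str) -> int:
    """Fixed-length code: ceil(H(X)) bits per symbol times the message length
    (3 bits x 7 symbols = 21 for "network")."""
    return math.ceil(shannon_entropy(msg)) * len(msg)


def fits_field(msg: str, field: str) -> bool:
    """The paper's constraint H(X) < |B_f| for the chosen header field."""
    return shannon_entropy(msg) < FIELD_BITS[field]


def field_entropy(values, width: int = 8, window: int = 64) -> list:
    """Entropy of the low `width` bits of a header field, per window of packets.
    A covert scheme that maps characters onto the field makes those bits follow
    the covert alphabet instead of the field's normal behaviour."""
    mask = (1 << width) - 1
    low = [v & mask for v in values]
    return [shannon_entropy(low[i:i + window])
            for i in range(0, len(low) - window + 1, window)]


def demo() -> dict:
    """Constructed traffic: a host whose IP ID is a plain counter versus one
    whose IP ID carries "network" repeatedly under Scheme 1, (R - 1) mod 256."""
    msg = "network" * 32                                  # 224 covert bytes
    counter_ids = list(range(1000, 1000 + len(msg)))      # ordinary counter
    covert_ids = [ord(c) + 1 + 256 * i for i, c in enumerate(msg)]
    return {
        "counter": field_entropy(counter_ids, window=len(msg))[0],
        "covert": field_entropy(covert_ids, window=len(msg))[0],
    }
```

In the constructed traffic the counter's low byte takes 224 distinct values in the window (about 7.8 bits), while the covert field collapses to the 2.8 bits of the seven-letter alphabet; a detector that tracks the per-field figure over time sees the shift without having to know the scheme.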
The IP ID field presented in Scheme 1 of this paper has 16 bits in the IP header, so to send X a minimum of 21 bits is required. Hence the capacity of the covert channel is

The covert channel occupies 25% of the total IP header space. Multiple trapdoors (t) [5][4] in the IP header or protocol header simply double the covert channel capacity. However, the entropy-to-channel-capacity ratio will be low, thus making it robust, i.e.

This makes the detection of covert bits much more difficult, as the detection system needs to scan more fields for analysis.

In general

for robust covert channel construction, where [7] the covertness index for such a multi-trapdoor covert channel will be greater than 0.5. Multiple trapdoors through a protocol or set of protocols actually set up multiple covert channels in the communication network. The entropy for such scenarios is dispersed across multiple fields, making it difficult to understand the scheme. Also, in the multi-trapdoor scenario the covert channel behaves like a single coherent hybrid covert channel where the effect of the entropy is doubled. The results shown in Figure 7 and Figure 8 show the expected behaviour discussed in this paper.

Fig. 7 IP Entropy analysis

Fig. 8 TCP Entropy Analysis
The results indicate that the multiple trapdoors used in a hybrid covert channel yield a higher entropy value and a low C/E ratio (covertness index to entropy). A constant C/E ratio also indicates consistent usage of the protocol header for constructing the multi-trapdoor based hybrid covert channel. This implies that the covert schemes used in a hybrid covert channel are difficult to detect in secured communication.

7. RESULTS AND DISCUSSIONS

The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in that protocol, i.e.

where $T_m$ is the maximum number of trapdoors possible in that protocol and $T_s$ is the number of trapdoors set.

The analysis of the trapdoor setting is performed on the protocols IPv4, TCP, IPSec and SSL/TLS. The trapdoor setting in rudimentary network protocols like IPv4 and TCP is merely based on placing the covert data in any of their header fields. Table 1 shows the effect of varying the number of trapdoors in the IPv4 protocol.
Table 1. Multi-Trapdoor Analysis of IPv4

| Sl. No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Network Covert Channel-IPv4-Single | 4 | 1 | NIL | 0.25 | 2.803 | 0.089 |
| 2 | Network Covert Channel-IPv4-dual | 4 | 2 | NIL | 0.5 | 5.606 | 0.17 |
| 3 | Network Covert Channel-IPv4-triple | 4 | 3 | NIL | 0.75 | 11.21 | 0.358 |
The graph of trapdoors vs. the covertness index is shown in Figure 9, where an increase in the number of trapdoors in IPv4 increases the difficulty of detecting the covert channel. The trapdoor setting in IPSec using a subliminal channel is slightly more complex to understand. The ESP format provides two fields to convey covert bits in the protocol header. The remaining data is sent through the ESP algorithm at the time of key generation for encryption using the AES algorithm; the residual bits are used in random number generation or in the round box of AES, and this is depicted in row 2 of Table 2. Hence the covertness index rises from 0.15 (equation 2) to 0.47. This will not change any further, as there is limited scope for subliminal channel development in the IPSec ESP format.
Fig. 9 Entropy vs. Covertness Index in IPv4

Table 2. Multi-Trapdoor Analysis of Subliminal Channel in IPSec

| Sl. No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Subliminal Channel-IPSec ESP-1 | 2 | 1 | AES-XCBC-MAC | 0.15 | 2.803 | 0.14 |
| 2 | Subliminal Channel-IPSec ESP-2 | - | - | AES-XCBC-MAC | 0.47 | 4.78 | 0.35 |
| 3 | Subliminal Channel-IPSec ESP-3 | - | - | AES-XCBC-MAC | 0.47 | 5.21 | 0.35 |

The graph of trapdoors vs. the covertness index is shown in Figure 10, where an increase in the number of trapdoors in IPSec ESP keeps the covertness index constant. The trapdoors in a TCP based protocol are simple, and TCP provides seven fields for placing the covert data. Table 3 depicts the changing trapdoor count and its effect on the covertness index. When a larger number of trapdoors is involved it is difficult to detect the composition of the covert channel. Figure 11 shows the change in trapdoor count that has an effect on detection; however, the changes in the covertness index can be minimal. The trapdoor setting in the subliminal channel in SSL/TLS is based on the algorithm used in its cipher suite. This is called a random oracle channel. However, to increase the complexity of the subliminal channel to thwart detection, randomization of bits is feasible in the chosen prime number. This forms the Newton subliminal channel. The covertness index for such channels is discussed in Table 4.

Fig. 10 Entropy vs. Covertness Index in IPSec based subliminal channel
Table 3. Multi-Trapdoor Analysis of Network Covert Channel in TCP

| Sl. No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Network Covert Channel-TCP-1 | 7 | 1 | NIL | 0.142 | 2.803 | 0.14 |
| 2 | Network Covert Channel-TCP-2 | 7 | 2 | NIL | 0.28 | 5.606 | 0.28 |
| 3 | Network Covert Channel-TCP-3 | 7 | 3 | NIL | 0.42 | 11.21 | 0.14 |

The graph of covertness index vs. the trapdoor in the subliminal channel is shown in Figure 12. The higher entropy value for some of the formations indicates that the detection engine [10] is able to detect the activity, and this gives a clear indication of higher detection rates. A hybrid covert channel is not feasible for the combination of network covert channels in TCP and IPv4, as this becomes an easily detectable combination.

Fig. 11 Entropy vs. Covertness Index in Covert Channel based on TCP

Table 4. Multi-Trapdoor Analysis of Subliminal Channel in SSL/TLS

| Sl. No | Trapdoor Name | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E |
|---|---|---|---|---|---|---|---|
| 1 | Subliminal Channel (Oracle)-SSL/TLS-1 | - | - | SSL Cipher Suite | 0.25 | 2.803 | 0.14 |
| 2 | Subliminal Channel (Oracle)-SSL/TLS-2 | - | - | SSL Cipher Suite | 0.58 | 3.67 | 0.35 |
| 3 | Subliminal Channel (Oracle)-SSL/TLS-3 | - | - | SSL Cipher Suite | 0.58 | 3.67 | 0.35 |
Fig. 12 Covertness Index for Subliminal Channel based on SSL/TLS

8. CONCLUSION

Covert schemes are difficult for a third-party entity to understand, as they obscure the content carried in the protocol header. This provides an opportunity for embedding any data, which may even be malware code. Entropy based analysis gives the actual number of bits used to represent the covert symbol in a protocol. This gives a clear metric for understanding covert channel schemes in a better way. It is unacceptable to have a malicious conversation on the network even in the presence of an administrator. The inference from this experiment is that the hybrid covert channel has a high degree of entropy, which makes it difficult to detect. It is required to concentrate on stronger detection principles to detect such events.

ACKNOWLEDGEMENT

Anjan Koundinya thanks the late Dr. V. K. Ananthashayana, erstwhile Head, Department of Computer Science and Engineering, M S Ramaiah Institute of Technology, Bangalore, for igniting the passion for research.

REFERENCES

[1] Description of Detection Approaches, at the URL http://gray-world.net/projects/papers/html/cctde.html, 2014. [Online; accessed 15-Feb-2015]
[2] Description of the Entropy calculation, at the URL http://www.shannonentropy.netmark.pl. [Online; accessed 16-Feb-201]
[3] Koundinya Anjan and Jibi Abraham. Behaviour analysis of transport layer based hybrid covert channel. In Third International Conference on Network Security and Applications, pages 83-92, Chennai, India, 2010. Springer-Verlag LNCS series.
[4] Jibi Abraham, Anjan K and Srinath N K. Attack modelling and behavioral analysis of hybrid covert channel in secured communication. ACEEE International Journal of Network Security, 05(2):67-77, 2014.
[5] Bo Yuan, Chaim Sanders and Jacob Valletta. Employing Entropy in the Detection and Monitoring of Network Covert Channels, 2012.
[6] Rajarathnam Chandramouli and Koduvayur P. Subbalakshmi. Covert channel forensics on the internet: Issues, approaches and experiences. 5(1):41-50, July 2007.
[7] Anjan K Koundinya et al. Covertness analysis of subliminal channels in legitimate communication. In ADCONS 2011, pages 582-591. Springer-Verlag LNCS series, 2012.
[8] Jaideep Chandrashekar et al. Exploiting temporal persistence to detect covert botnet channels. In Proceedings of the 12th International Symposium, RAID 2009, pages 326-345, Saint-Malo, France, September 2009.
[9] Loic Helou, Claude Jard and Marc Zeitoun. Covert channels detection in protocols using scenarios. SPV'03, Volume 3, April 2003.
[10] Anjan K Koundinya and Jibi Abraham. Design of Transport Layer Based Hybrid Covert Channel Detection Engine. International Journal of Ad hoc, Sensor and Ubiquitous Computing, volume 1 of 4, 2010.
[11] B. W. Lampson. A Note on the Confinement Problem. Communications of the ACM, 1973.
[12] Enping Li and Scott Craver. A supraliminal channel in a wireless phone application. In Proceedings of the 11th ACM workshop on Multimedia and security, pages 7-18, Princeton, New Jersey, USA, 2009.
[13] Clay Shields, Sarder Cabuk and Carla Brodley. IP covert timing channels: Design and detection. CCS '04, 2004.
[14] Clay Shields, Sarder Cabuk and Carla Brodley. IP covert channel detection. ACM Transactions on Information and System Security, Volume 12 (Article 22), 2009.
[15] Gustavus J. Simmons. The Subliminal Channel and Digital Signatures. Springer-Verlag, 1998.
[16] Steffen Wendzel. Protocol Channels. HAKIN9, 2009.
[17] Andreas Willig. A short introduction to queuing theory. Lecture notes at Technical University Berlin, 1999.
[18] Adam Young and Moti Yung. Malicious Cryptography, First edition. Wiley Publishing, Feb, pages 220-240, 2004.

AUTHORS

Anjan K received his B.E. degree from Visveswariah Technological University, Belgaum, India in 2007 and his master's degree from the Department of Computer Science and Engineering, M S Ramaiah Institute of Technology, Bangalore, India. He was awarded Best Performer PG 2010 for his academic excellence. His areas of research include Network Security and Cryptography, and Agile Software Engineering. He is pursuing a PhD in Computer Science and Engineering from VTU, Belgaum. He is currently working as Assistant Professor in the Department of Computer Science and Engineering, R V College of Engineering, Bengaluru, India.

Srinath N K has his M.E. degree in Systems Engineering and Operations Research from Roorkee University in 1986 and a PhD degree from Avinash Lingum University, India in 2009. His areas of research interest include Operations Research, Parallel and Distributed Computing, DBMS and Microprocessors. He is working as Professor and Dean, PG Department of Computer Science and Engineering, R V College of Engineering.

Jibi Abraham received her M.S. degree in Software Systems from BITS, Rajasthan, India in 199 and her PhD degree from Visveswariah Technological University, Belgaum, India in 2008 in the area of Network Security. Her areas of research interest include network routing algorithms, Cryptography, Network Security of Wireless Sensor Networks and Algorithm Design. She is working as Professor and Head in the Department of CEIT, College of Engineering, Pune.
882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip
Fig.4 Classical Examination Problem

• Encoding the ASCII character set in the Sequence number by applying a mathematical operation on the sequence number. This can be either in the TCP sequence number or in the IP ID field.
• Repeated sending of an acknowledge packet to an unknown server where the covert receiver is listening. The receiver has to count the number of times the acknowledge packet was sent to this server. This value can later be mapped to the ASCII table for retrieving the suitable character.
• Retrieving the packet sorting order numbering in IPSec frames, which serves as information to the covert receiver.
• Using logical operators like XOR with the sequence number to get the covert data.

3. COVERT CHANNEL VARIANTS

Covert channels are categorized based on different aspects of the overall entities involved in the communication, like the shared resources, backdoor/trapdoor placement and the parties involved in the communication. The general classification of covert channels is given below:

• Noisy Covert Channel [14] is a communication channel which has the presence of both overt and covert users.
• Noiseless Covert Channel [14] is the communication channel used solely by covert parties.
• Storage Covert Channel [14] involves the sender and the receiver either directly or indirectly reading or writing in to a storage location. The implementation can be on file-lock, R/W in hard disk.
• Timing Covert Channel [14][13] involves the sender signalling the information by modulating the resources in such a way that the real response time is observed by the receiver.
• Simple Network Covert Channel [14] (SNCC) exists by creating a trapdoor in the rudimentary protocols used in the network protocol suite.
• Steganographic Channel [3] is a means of communication where sender and receiver collude to prevent an observer being able to reliably detect whether communication is happening.
• Subliminal Channel [15] is a covert channel in a cryptographic algorithm, typically proved undetectable.
• Supraliminal Channel [12]: A supraliminal channel encodes information in the semantic content of cover data, generating innocent communication in a manner similar to mimic functions.
• Hybrid Covert Channel [4] is the co-existence of two or more different variants of covert channels existing at the same instance of time. The composition of the hybrid covert channel is difficult to assess from a third party which is trying to detect it. A mixed composition of covert channel variants behaves as a single coherent covert channel and is of greatest threat to the legitimate network environment, for instance a noisy covert channel in the transport layer with a subliminal channel in the network layer or application layer.

4. ATTACK MODELLING

The attack modelling [4] can be based on different scenarios and the placement of covert users. Each of these scenarios is designed and built to fulfil certain objectives. Covert users can communicate in direct or encoded format. Direct communication is merely the placement of covert data over a clandestine medium in the network protocol. Alternatively the covert user can communicate using an encoding scheme that is known only to the covert users.

The intricate design choice of clandestine mediums (trapdoors) and encoding scheme paves a way for the successful undetectable establishment of a covert channel. Detecting such strong covert mediums may be difficult, and hence a detection metric called covertness index is used. The metric is given below and will be used for assessment in the attack scenarios.

The important formation scenarios of covert channels where an attack can be devised are given below.

4.1 Scenario - 1

The attack scenarios have three entities: Alice, Bob and Eve. Alice and Bob are covert attackers and Eve is a legitimate entity/user. The scenario comprises the combination of covert and legitimate users, hence it is a scenario of a noisy covert channel. The channel established between Bob and Eve is a legitimate channel comprising a covert channel, and between Alice and Eve is a covert channel. Alice and Bob have a pre-established channel to communicate the attack information, shown as dotted lines in figure 5.

While Eve is communicating with Bob over the legitimate channel, Alice would extract information over the covert channel. Once the communication between Bob and Eve is over, Alice would also stop communication with Bob. Further, Alice and Eve can share the information snatched from Bob's machine. The covert channel implemented between Alice and Bob can have a strong trapdoor so as to thwart the detection methods. Such trapdoors can be designed using a hybrid covert channel. A possible composition can be a subliminal channel in IPSec and a network covert channel in IP, both at the network layer.
Fig.5 Noisy Covert Channel

This combination will prove effective in hop-to-hop routing and can avoid any detections.

The covertness index for Network Covert Channel in Network Layer (IPv4):

where (T) = probability of a trapdoor, card(Ut) = universal set of all possible trapdoors.

The covertness index for subliminal channel in IPSec - ESP format:

IPSec makes use of the AES-XCBC-MAC cipher suite, and the ESP format allows two trapdoor implantations: the Sequence Number field and padding. The maximum number of rounds in the AES random number generator algorithm is 16, out of which 5 rounds are used for generating the seed.

As per [7] the trapdoors can be detected under the assumption stated in the hybrid covert channel formation. However this will not be the same if multiple trapdoors are set in each of the protocol headers.
4.2 Scenario - 2

This scenario is built on the threat model of a noiseless covert channel where the resources and users in a sub-network are compromised. This sub-network is connected to other networks. The communication from the sub-network to all the other networks is built using a Hybrid Covert Channel. This sub-network can be similar to a bot-net as described in [8].

Fig.6 Noiseless Covert Channel with Hybrid Covert Channel

The scenario can have a multi-trapdoor or protocol-hopped hybrid covert channel [16]. The trapdoor can move from one protocol to another protocol during the hop-to-hop communication, or can be a combination of trapdoors at multiple levels in the protocol suite. Hence there can be no particular index.

5. COVERT SCHEMES AND THEIR EMBODIMENT

The covert schemes are crucial for conveying the covert data over the communication channel in an obscured way. A more sophisticated scheme is likely not to be retrieved by the detection entity. A few samples of covert schemes were discussed in section 2 of this paper, and detailed schemes are presented here.

Scheme 1

The IP ID is a field used for identification of the packet and is used for the routing purpose. The covert scheme used for this field is based on the following strategy:

• Intentional use of only certain IP IDs while having a conversation with the covert receiver.
• The scheme is designed by the covert sender for embedding covert characters in to the IP ID field.
• The covert receiver applies the scheme used by the sender to retrieve the covert character.

For instance, a simple scheme that can be used for this field is extracting the IP ID by performing a modulus operation with the character set size. The general notation for this scheme for encoding a character 'c' is
Where F(c) is the encoding function, R is the IP ID value and n is the size of the character set. For an ASCII character set n = 256.

Example: If IP ID = 26702 and the character to be sent is `M`, then F(c) = (26702 − 1) mod 256 = `M`.

To convey a covert message the covert sender has to select the IP ID in such a way as to match with F(c).

Scheme 2

Another prominent scheme used is on the sequence number, where the maximum range is 4294967296 numbers as it is a 32 bit field. To communicate covertly under this scheme the following strategy is employed:

• The sequence number is multiplied with the value of the character set and a bound is declared with the maximum limit.
• The receiver side retrieves the sequence number and then divides it by the character set size.

The encoding function F(c) is given below:

Where S is the initial sequence number and n is the size of the character set. The decoding function F(c′) is given below:

Where c′ is the decoded character and S′ is the received sequence number.

For instance, to send a character `I` covertly over the channel the sender would have to choose 1235037038 as the sequence number, and the max value is derived as 65535 × 256 = 16777216. Therefore the decoded character is F(c′) = 1235037038 / 16777216 = 73. The value 73 when mapped back to the ASCII table is the character `I`.

Scheme 3

Another scheme which has a tremendous effect on the bandwidth is the modulation of TCP timestamps, or the use of the timing element in the network protocol. The TCP timestamp is in the options field of the TCP header and indicates the round trip time of the packets. The TCP process accurately calculates the next retransmission of a TCP segment which failed to be acknowledged. If a character is to be covertly sent using this scheme the following strategy is used:

• Get the binary representation of the character and extract bits from the least significant bit.
• Check if the timestamp least significant bit (LSB) is the same as the covert bit; if so, send the TCP segment.
• The covert receiver will extract the LSB of the timestamp and store the same until it is a byte.

Let Bc be the binary representation of the character `c` and FLSB(Bc) be the encoding function for encoding the covert bits in the TCP timestamp.
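The three schemes above reduce to small decoding rules, and a detection engineer will want to confirm what the paper's worked values actually map to. The following is an added example, not code from the paper or its authors: the "− 1" offset in Scheme 1 is inferred from the 26702 → `M` example (a plain 26702 mod 256 gives `N`), the Scheme 2 bound is taken as the 16777216 the text states, Scheme 3 bits are assumed to be assembled LSB-first, and the TCP timestamp values are constructed for the example.

```python
# Added example (not from the paper): decoders for the three covert schemes above,
# used to check the paper's worked values (26702 -> 'M', 1235037038 -> 'I').

CHARSET_SIZE = 256        # n: size of the ASCII character set
SCHEME2_BOUND = 16777216  # the paper's stated max value; this is 2**24, whereas
                          # the 65535 * 256 written in the text equals 16776960


def scheme1_decode(ip_id: int, n: int = CHARSET_SIZE) -> str:
    """Scheme 1: character = (R - 1) mod n.  The '- 1' is inferred from the paper's
    example (26702 -> 'M'); without it 26702 mod 256 = 78 = 'N'."""
    return chr((ip_id - 1) % n)


def scheme2_decode(seq: int, bound: int = SCHEME2_BOUND) -> str:
    """Scheme 2: the received 32-bit sequence number S' divided (integer division)
    by the bound yields the character code, as in 1235037038 // 16777216 = 73 = 'I'."""
    return chr(seq // bound)


def scheme3_decode(timestamps: list) -> str:
    """Scheme 3: keep the LSB of each TCP timestamp and emit a character once eight
    bits are collected.  Bits are assembled LSB-first (assumption), matching the
    sender's 'extract bits from the least significant bit'.  A trailing partial
    byte is not emitted, just as the receiver 'stores the same until it is a byte'."""
    chars = []
    for start in range(0, len(timestamps) - len(timestamps) % 8, 8):
        byte = 0
        for bit_pos, ts in enumerate(timestamps[start:start + 8]):
            byte |= (ts & 1) << bit_pos
        chars.append(chr(byte))
    return "".join(chars)


# Constructed TCP timestamp values (not captured traffic) whose LSBs spell
# 'c' = 0x63 = 0b01100011 (LSB first: 1,1,0,0,0,1,1,0) and
# 'h' = 0x68 = 0b01101000 (LSB first: 0,0,0,1,0,1,1,0).
SAMPLE_TIMESTAMPS = [1001, 1003, 1004, 1006, 1008, 1011, 1013, 1014,
                     2000, 2002, 2004, 2007, 2008, 2011, 2013, 2014]

if __name__ == "__main__":
    print(scheme1_decode(26702))              # M
    print(scheme2_decode(1235037038))         # I
    print(scheme3_decode(SAMPLE_TIMESTAMPS))  # ch
```

Each decoder is a pure function of header field values, so the same code can be pointed at a captured window of IP IDs, sequence numbers or timestamps to test the hypothesis that a flow carries one of these schemes.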
6. ENTROPY BASED COVERT CHANNEL ANALYSIS

The entropy [2] in a communication network indicates the number of bits required to encode a character over the channel, as stated by Shannon's entropy theory. This is based on the frequency of the characters in a given string and the size of the alphabet. The entropy measure also checks for the uncertainty of the random variable.

Let A be a finite set of characters such that |A| ≥ 1, and any character c′ ∈ A is a sequence of symbols which is a string, each alphabet in the string ∈ A. For instance, let cbbacabbac be the sequence of symbols that needs to be transmitted over the network; then its sequence of bits represents the coded symbol sequence, which may be 101110011011100010. The entropy for such a scenario is defined as:

where i ∈ |A| and |A| > 1, pi is the probability of the occurrence of symbol 'c' in the string, and n gives the length of the string. To transmit a message "network" over the communication network, the calculated entropy for each alphabet is as follows:

The frequency of all the characters in a string with unique symbols will be the same; since the word "network" has unique symbols the frequency is 0.143. Let X be the string for which the entropy is to be calculated; here X may be a word like network or a stream of numbers. Then

H(X) = −[(0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143)]

H(X) = 2.803

It requires 3 bits to represent each symbol in the given string, and 21 bits are required to represent the entire string. Further, the appropriate line coding technique has to be chosen to represent them on the transmission line. So in general the entropy of X where each alphabet is a unique symbol is

In a covert channel scenario the covert user has to choose the message in such a way that the entropy of the string is always less than the number of bits available for that field in the protocol header, i.e.

H(X) < |Maximum number of bits in that field (Bf)|
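The entropy computation of this section, the bit budget the paper derives from it (3 bits per symbol, 21 bits for "network") and the field-width check H(X) < Bf, as an added example that is not code from the paper. The same function applied to a window of observed header values gives the per-field entropy the paper plots later. The covertness index is included as the ratio Ts/Tm; that formula is an assumption of this example which reproduces the values in the paper's Tables 1 and 3 (0.25, 0.5, 0.75 for IPv4; 0.142, 0.28, 0.42 for TCP), since the equation itself did not survive extraction.

```python
# Added example (not from the paper): Shannon entropy as used in Section 6, the
# derived bit budget, the H(X) < Bf field check, and the covertness index Ts/Tm.
import math
from collections import Counter
from typing import Sequence


def shannon_entropy(x: Sequence) -> float:
    """H(X) = -sum_i p_i log2 p_i over the distinct symbols of x, in bits per symbol.
    x may be a string ('network') or a list of observed header values (IP IDs)."""
    n = len(x)
    if n == 0:
        return 0.0
    return -sum((cnt / n) * math.log2(cnt / n) for cnt in Counter(x).values())


def bits_per_symbol(x: Sequence) -> int:
    """Whole bits per symbol; the paper rounds H('network') = 2.803 up to 3."""
    return math.ceil(shannon_entropy(x))


def total_bits(x: Sequence) -> int:
    """Bits for the whole string: 3 bits * 7 symbols = 21 for 'network'."""
    return bits_per_symbol(x) * len(x)


def fits_in_field(x: Sequence, field_bits: int) -> bool:
    """The paper's constraint H(X) < Bf, Bf being the width of the header field used
    (16 for the IP ID field of Scheme 1, 32 for the TCP sequence number)."""
    return shannon_entropy(x) < field_bits


def covertness_index(trapdoors_set: int, trapdoors_max: int) -> float:
    """Ts / Tm (assumption): Ts trapdoors set out of Tm possible in the protocol.
    Gives 1/4, 2/4, 3/4 for IPv4 and 1/7, 2/7, 3/7 for TCP as in Tables 1 and 3."""
    if trapdoors_max <= 0 or not 0 <= trapdoors_set <= trapdoors_max:
        raise ValueError("trapdoors_set must lie in [0, trapdoors_max]")
    return trapdoors_set / trapdoors_max


# Constructed sample: a window of IP ID values from a normally incrementing host
# versus a window restricted to a few repeated values.  Low entropy in a field that
# should vary is one of the per-field signals the detection systems would scan.
NORMAL_IP_IDS = list(range(26702, 26702 + 16))
SKEWED_IP_IDS = [26702, 26702, 26703, 26702, 26702, 26703, 26702, 26702,
                 26703, 26702, 26702, 26703, 26702, 26702, 26703, 26702]

if __name__ == "__main__":
    print(round(shannon_entropy("network"), 3))   # 2.807 (paper: 2.803)
    print(bits_per_symbol("network"), total_bits("network"))  # 3 21
    print(fits_in_field("network", 16))            # True
    print(round(shannon_entropy(NORMAL_IP_IDS), 3), round(shannon_entropy(SKEWED_IP_IDS), 3))
    print(covertness_index(3, 4), round(covertness_index(3, 7), 3))  # 0.75 0.429
```

Note that exact frequencies give log2 7 = 2.807 for "network"; the paper's 2.803 comes from rounding each frequency to 0.143 before taking logarithms. Either value rounds up to the same 3-bit budget.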
The IP ID presented in Scheme 1 of this paper has 16 bits in the IP header, so to send X a minimum of 21 bits are required. Hence the capacity of the covert channel is

The covert channel occupies 25% of the total IP header space. Multiple trapdoors (t) [5] [4] in the IP header or protocol header simply double the covert channel capacity. However the entropy to channel capacity ratio will be low, thus making it robust, i.e.

This makes the detection of covert bits much more difficult, as the detection systems need to scan more fields for analysis.

In general

for robust covert channel construction, where [7] the covertness index for such a multi-trapdoor covert channel will be greater than 0.5. Multiple trapdoors through a protocol or set of protocols is actually the setting up of multiple covert channels in the communication network. The entropy for such scenarios is dispersed across multiple, making it difficult to understand the scheme. Also in the multi-trapdoor scenario the covert channel behaves like a single coherent hybrid covert channel where the effect of the entropy is doubled. The results shown in figure 7 and figure 8 show the accurate expected behaviour discussed in this paper:

Fig.7 IP Entropy analysis

Fig.8 TCP Entropy Analysis
The results indicate that the multiple trapdoors used in the hybrid covert channel yield a higher entropy value and a low channel to entropy ratio (C/E). The constant C/E ratio also indicates the consistent usage of the protocol header for constructing the multi-trapdoor based hybrid covert channel. This implies that the covert schemes used in the hybrid covert channel are difficult to detect in secured communication.

7. RESULTS AND DISCUSSIONS

The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in that protocol, i.e.

where Tm is the max number of trapdoors possible in that protocol and Ts is the number of trapdoors set.

The analysis of the trapdoor setting is performed on protocols like IPv4, TCP, IPSec and SSL/TLS. The trapdoor setting in the rudimentary network protocols like IPv4 and TCP is merely based on placing the covert data in any of their header fields. Table 1 shows the effect of varying the number of trapdoors in the IPv4 protocol.

Table 1. Multi-Trapdoor Analysis of IPv4

Sl.No | Trapdoor Name                      | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E
1     | Network Covert Channel-IPv4-Single | 4                | 1                     | NIL       | 0.25             | 2.803   | 0.089
2     | Network Covert Channel-IPv4-dual   | 4                | 2                     | NIL       | 0.5              | 5.606   | 0.17
3     | Network Covert Channel-IPv4-triple | 4                | 3                     | NIL       | 0.75             | 11.21   | 0.358

The graph of Trapdoors Vs the Covertness Index is shown in figure 9, where an increase in the number of trapdoors in IPv4 increases the difficulty of detecting the covert channel. The trapdoor setting in IPSec using the subliminal channel is slightly complex to understand. However the ESP format provides two fields to convey the covert bits in the protocol header. The remaining data is sent over the ESP algorithm during the time of the key generation for encryption using the AES algorithm. The residual bits are used in random number generation or in the round box of the AES, and this is depicted on row 2 of table 2. Hence the covertness index is 0.15, which by equation 2 is 0.47. This will not change any further as there is limited scope for subliminal channel development in the IPSec-ESP format.
Fig.9 Entropy Vs Covertness Index in IPv4

Table 2. Multi-Trapdoor Analysis of Subliminal Channel in IPSec

Sl.No | Trapdoor Name                  | No. of Trapdoors | No. of Trapdoors used | Algorithm    | Covertness Index | Entropy | C/E
1     | Subliminal Channel-IPSec ESP-1 | 2                | 1                     | AES-XCBC-MAC | 0.15             | 2.803   | 0.14
2     | Subliminal Channel-IPSec ESP-2 | -                | -                     | AES-XCBC-MAC | 0.47             | 4.78    | 0.35
3     | Subliminal Channel-IPSec ESP-3 | -                | -                     | AES-XCBC-MAC | 0.47             | 5.21    | 0.35

The graph of Trapdoors Vs the Covertness Index is shown in figure 10, where an increase in the number of trapdoors in IPSec ESP makes the covertness index constant. The trapdoors in the TCP based protocol are simple, and TCP provides seven fields for placing the covert data. Table 3 depicts the changing trapdoor that has an effect on the covertness index. When more trapdoors are involved it is difficult to detect the composition of the covert channel. Figure 11 shows the change in the trapdoor count that has an effect on the detection. However the changes in the covertness index can be minimal. The trapdoor setting in the subliminal channel in SSL/TLS is based on the algorithm used in its cipher suite. This is purely called a random oracle channel. However, to increase the complexity of the subliminal channel to thwart detection, randomization of bits is feasible in the chosen prime number. This forms the Newton Subliminal Channel. The covertness index for such channels is discussed in table 4.

Fig.10 Entropy Vs Covertness Index in IPSec based subliminal channel
Table 3. Multi-Trapdoor Analysis of Network Covert Channel in TCP

Sl.No | Trapdoor Name                | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E
1     | Network Covert Channel-TCP-1 | 7                | 1                     | NIL       | 0.142            | 2.803   | 0.14
2     | Network Covert Channel-TCP-2 | 7                | 2                     | NIL       | 0.28             | 5.606   | 0.28
3     | Network Covert Channel-TCP-3 | 7                | 3                     | NIL       | 0.42             | 11.21   | 0.14

The graph of the covertness index vs the trapdoor in the subliminal channel is shown in figure 12. The higher entropy value for some of the formations indicates that the detection engine [10] is able to detect the activity, and this gives a clear indication of the higher detection rates. A hybrid covert channel is not feasible for the combination of the network covert channel in TCP and IPv4, as this becomes an easily detectable combination.

Fig.11 Entropy Vs Covertness Index in Covert Channel based on TCP

Table 4. Multi-Trapdoor Analysis of Subliminal Channel in SSL/TLS

Sl.No | Trapdoor Name                         | No. of Trapdoors | No. of Trapdoors used | Algorithm        | Covertness Index | Entropy | C/E
1     | Subliminal Channel (Oracle)-SSL/TLS-1 | -                | -                     | SSL Cipher Suite | 0.25             | 2.803   | 0.14
2     | Subliminal Channel (Oracle)-SSL/TLS-2 | -                | -                     | SSL Cipher Suite | 0.58             | 3.67    | 0.35
3     | Subliminal Channel (Oracle)-SSL/TLS-3 | -                | -                     | SSL Cipher Suite | 0.58             | 3.67    | 0.35
Fig.12 Covertness Index for Subliminal Channel based on SSL/TLS

8. CONCLUSION

Covert schemes are difficult to understand from a third party entity as they obscure the content taken in the protocol header. This provides an opportunity for embedding any data, which may even be malware code. Entropy based analysis gives the actual number of bits used to represent the covert symbol in a protocol. This gives a clear metric to understand the covert channel schemes in a better way. It is unacceptable to have a malicious conversation on the network, even in the presence of an administrator. It is the inference of this experiment that the hybrid covert channel has a high degree of entropy, which makes it difficult to detect. It is required to concentrate on stronger detection principles to detect such events.

ACKNOWLEDGEMENT

Anjan Koundinya thanks Late Dr V K Ananthashayana, erstwhile Head, Department of Computer Science and Engineering, M S Ramaiah Institute of Technology, Bangalore, for igniting the passion for research.

REFERENCES

[1] Description of Detection Approaches at the URL http://gray-world.net/projects/papers/html/cctde.html, 2014. [Online; accessed 15-Feb-2015]
[2] Description of the Entropy calculation at the URL http://www.shannonentropy.netmark.pl. [Online; accessed 16-Feb-201]
[3] Koundinya Anjan and Jibi Abraham. Behaviour analysis of transport layer based hybrid covert channel. In Third International Conference on Network Security and Applications, pages 83-92, Chennai, India, 2010. Springer-Verlag LNCS series.
[4] Jibi Abraham, Anjan K, Srinath N K. Attack modelling and behavioral analysis of hybrid covert channel in secured communication. ACEEE International Journal of Network Security, 05(2):67-77, 2014.
[5] Bo Yuan, Chaim Sanders, Jacob Valletta. Employing Entropy in the Detection and Monitoring of Network Covert Channels. 2012.
[6] Rajarathnam Chandramouli and Koduvayur P Subbalakshmi. Covert channel forensics on the internet: Issues, approaches and experiences. 5(1):41-50, July 2007.
[7] Anjan K Koundinya et al. Covertness analysis of subliminal channels in legitimate communication. In ADCONS 2011, pages 582-591. Springer-Verlag LNCS series, 2012.
[8] Jaideep Chandrashekar et al. Exploiting temporal persistence to detect covert botnet channels. In Proceedings of 12th International Symposium RAID 2009, pages 326-345, Saint-Malo, France, September 2009.
[9] Loic Helou, Claude Jard and Marc Zeitoun. Covert channels detection in protocols using scenarios. SPV'03, Volume 3, April 2003.
[10] Anjan K Koundinya and Jibi Abraham. Design of Transport Layer Based Hybrid Covert Channel Detection Engine. Volume 1 of 4, International Journal of Ad hoc, Sensor and Ubiquitous Computing, 2010.
[11] B W Lampson. A Note on the Confinement Problem. Communication of the ACM, 1973.
[12] Enping Li and Scott Craver. A supraliminal channel in a wireless phone application. In Proceedings of the 11th ACM workshop on Multimedia and security, pages 7-18, Princeton, New Jersey, USA, 2009.
[13] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert timing channels: Design and detection. CCS '04, 2004.
[14] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert channel detection. ACM Transactions on Information and System Security, Volume 12 (Article 22), 2009.
[15] Gustavus J Simmons. The Subliminal Channel and Digital Signatures. Springer-Verlag, 1998.
[16] Steffen Wendzel. Protocol Channels. HAKIN9, 2009.
[17] Andreas Willig. A short introduction to queuing theory. Lecture notes at Technical University Berlin, 1999.
[18] Adam Young and Moti Yung. Malicious Cryptography. First edition, Wiley Publishing, Feb 2004, pages 220-240.

AUTHORS

Anjan K received his BE degree from Visveswariah Technological University, Belgaum, India in 2007 and his master's degree from the Department of Computer Science and Engineering, M S Ramaiah Institute of Technology, Bangalore, India. He has been awarded Best Performer PG 2010 for his academic excellence. His areas of research include Network Security and Cryptography, and Agile Software Engineering. He is pursuing a PhD in Computer Science and Engineering from VTU, Belgaum. He is currently working as Assistant Professor in the Dept. of Computer Science and Engineering, RV College of Engineering, Bengaluru, India.

Srinath N K has his ME degree in Systems Engineering and Operations Research from Roorkee University in 1986 and a PhD degree from Avinash Lingum University, India in 2009. His areas of research interest include Operations Research, Parallel and Distributed Computing, DBMS, and Microprocessors. He is working as Professor and Dean, PG Dept. of Computer Science and Engineering, RV College of Engineering.

Jibi Abraham received her MS degree in Software Systems from BITS, Rajasthan, India in 199 and a PhD degree from Visveswariah Technological University, Belgaum, India in 2008 in the area of Network Security. Her areas of research interest include network routing algorithms, Cryptography, Network Security of Wireless Sensor Networks and Algorithm Design. She is working as Professor and Head in the Dept. of CEIT, College of Engineering, Pune.
882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip
httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 515
International Journal of Net
bull Hybrid Covert Chan
covert channels existi
covert channel is diff
Mixed composition o
channel and is of ainstance noisy covert
network layer or appli
4ATTACK MODELLING
The attack modelling [4] can be
these scenarios are designed and
in direct or encoded format diclandestine medium in the net
using encoding scheme and that
The intricate design choosing oway for successful undetectablemediums may be difficult and h
is given below and will be used
This important formation scenari
41Scenario - 1
The attack scenarios have threeand Eve is legitimate entityuslegitimate users hence it is sce
Bob and Eve is legitimate chan
covert channel Alice and B
information and is mentioned in
While Eve is communicating wiover the covert channel Once
would also stop communicatio
snatched from Bobs machine Tstrong trapdoor so as to thwartHybrid covert channel Such po
Network Covert Channel in the I
ork Security amp Its Applications (IJNSA) Vol7 No3 M
nel [4] is co-existence of two or more differeng at same instance of time The composition o
icult to assess from third party which is tryi
covert channel variants behave as single coh
reatest threat to the legitimate network envirchannel in transport layer with subliminal
ation layer
based on different scenarios and placement covert
built to fulfil certain objectives Covert users can
ect communication is merely placement of covertork protocol Alternatively the covert user can
is known only to the covert users
f clandestine mediums (trapdoors) and encoding scestablishment of covert channel Detecting such
ence detection metric called covertness index is us
or assessment in the attack scenarios
os of covert channels where attack can be devised is
ntities - Alice Bob and Eve Alice and Bob are coer The scenario comprises of the combinationario of noisy covert channel The channel establi
el comprising of covert channel and between Ali
b have pre-established channel to communicat
dotted lines in the figure 5
th Bob over legitimate channel Alice would extracwhen the communication between Bob and Eve i
with Bob Further Alice and eve can share th
he covert channel implemented between Alice andthe detection methods Such trapdoors can be d
ssible composition can be Subliminal channel in t
P both at network layer
ay 2015
43
t variants off the Hybrid
g to detect
erent covert
onment Forchannel in
sers Each of
communicate
data over ancommunicate
heme paves astrong covertdThe metric
given below
vert attackersf covert andhed between
e and Eve is
e the attack
t informations over Alice
information
Bob can havesigned usinghe IPSec and
882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip
httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 615
International Journal of Net
This combination will prove e
The covertness index for Net
where
(Ut) =
The covertness index for sublimi
IPSec make use of AES-XCimplantation - Sequence Numb
random number generator algor
seed
As per [7] the trapdoors can beformation However this will noheaders
ork Security amp Its Applications (IJNSA) Vol7 No3 M
Fig5 Noise Covert Channel
ffective in hop-to-hop routing and can avoid an
ork Covert Channel in Network Layer (IPv4)-
(T) = Probability ofa trapdoor card
niversal set of all possibletrapdoors
nal channel in IPSec - ESP format
C-MAC cipher suite and ESP format allow tr field and padding The maximum number of ro
ithm is 16 Out of which 5 rounds are used for g
etected under the assumption stated in the hybrid ct be the same if multiple trapdoors are set in each o
ay 2015
44
detections
o trapdoorsunds in AES
enerating the
overt channelf the protocol
882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip
httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 715
International Journal of Net
42 Scenario-2
This scenario is built on the thrusers in sub-network are comp
communication from the sub nChannel This sub network can b
Fig6 Noisel
The scenario can have multi-t
trapdoor can move from one pro
or can be combination trapdoor
particular index
5COVERT SCHEMES AND
The covert schemes are crucialobscured way More sophistica
samples of covert schemes wer
presented here
Scheme 1
The IP ID is field used for iden
covert scheme used for this field
bull Intentional use of only c
bull Scheme is designed by tfield
bull
The Covert receiver acharacter
For instance a simple scheme
performing modulus operation
encoding a character lsquocrsquo is
ork Security amp Its Applications (IJNSA) Vol7 No3 M
eat model of noiseless covert channel where theomised This sub-network is connected to other
twork to all the other networks is built using ae similar to bot-net as described in [8]
ess Covert Channel with Hybrid Covert Channel
rapdoor or protocol hopped hybrid covert chan
tocol to another protocol during the hop-to-hop cos in multiple level in the protocol suite Hence th
THEIR EMBODIMENT
for conveying the covert data over communicationed scheme likely not to be retrieved by detectio
discussed in section 2 of this paper and detailed
tification of the packet and is used for the routing
is based on following strategy-
rtain IP IDs while having conversation with Cover
he covert sender for embedding covert characters i
plies the scheme used by the sender to retrie
that can be used for this field is extracting the
of the character set size General notation for thi
ay 2015
45
esources andetwork The
ybrid Covert
el [16] The
municationre can be no
channel in aentity Few
schemes are
purpose The
t receiver
to the IP ID
e the covert
IP ID is by
s scheme for
882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip
httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 815
International Journal of Network Security amp Its Applications (IJNSA) Vol7 No3 May 2015
46
Where 983080983081 is the encoding function R is the IP ID value and n is the size of the character setFor an ASCII character set n = 256
Example If IP ID = 26702 and if the character to be sent is `M Then 983080983081 983101 983090983094983095983088983090 minus
983089 983090983093983094 = `M
To convey a covert message the covert sender has select IP ID in such a way as to match with
983080983081
Scheme 2
Another prominent scheme used is on the sequence number where maximum range is4294967296 numbers as it is 32 bit field To communicate covertly under this scheme following
strategy is employed-
bull
Sequence number is multiplied with value of character set and bound is declared withmaximum limit
bull The receiver side retrieves the sequence number and then divides it by character set size
The encoding function 983080983081 is given below-
Where S is the initial sequence number and n is the size of the character set The decoding
function is 983080991257983081 is given below ndash
Where 991257 is the decoded character and 991257 is the received sequence number
For instance to send a character I covertly over the channel the sender would have to choose
1235037038 as sequence number and the max value is derived as 65535 256 = 16777216
Therefore the decoded character is 983080991257983081 = 1235037038=16777216 = 73 The value 73 when
mapped back to ASCII Table is the character `I
Scheme 3

Another scheme, with a large effect on bandwidth (each segment carries a single covert bit), modulates the TCP timestamp, or more generally a timing element of the network protocol. The TCP timestamp option sits in the options field of the TCP header; the peers use its values to measure the round-trip time of packets, from which the TCP process computes the retransmission timeout for segments that were not acknowledged. To send a character covertly with this scheme the following strategy is used:

• Get the binary representation of the character and extract its bits starting from the least significant bit.
• Check whether the least significant bit (LSB) of the current timestamp equals the covert bit; if so, send the TCP segment (otherwise wait for the next clock value).
• The covert receiver extracts the LSB of each timestamp and accumulates the bits until it has a byte.

Let B_c be the binary representation of the character 'c' and F_LSB(B_c) the encoding function that embeds the covert bits in the TCP timestamp.
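As an added worked example (not code from the paper), the following Python implements sender and receiver sides of the three schemes above and runs them on the paper's own values. The general forms f(c) = (R mod n) − 1 for scheme 1 and ⌊S / (2^32 / n)⌋ for scheme 2 are reconstructed from the worked examples (26702 → 'M', 1235037038 → 'I'); the function names, the filler argument and the simulated timestamp clock are assumptions made for the demonstration.

```python
"""Added example, not code from the paper: sender/receiver pairs for the
three header-field schemes above, exercised on the paper's own values.
The general forms of scheme 1 and scheme 2 are reconstructed from the
worked examples; names and the simulated timestamp clock are assumptions."""

N = 256  # character-set size (ASCII), shared by all three schemes


# ---- Scheme 1: IP ID, modulus of the character-set size --------------------
def ipid_decode(ip_id: int, n: int = N) -> str:
    """Receiver: character = (R mod n) - 1, the form that makes the paper's
    example work (26702 mod 256 = 78, 78 - 1 = 77 = 'M')."""
    return chr((ip_id % n) - 1)


def ipid_encode(ch: str, natural_id: int, n: int = N) -> int:
    """Sender: the smallest IP ID >= the stack's own next ID that decodes to
    ch, so the stream still looks like an increasing counter."""
    target = (ord(ch) + 1) % n
    return (natural_id + (target - natural_id % n) % n) & 0xFFFF


# ---- Scheme 2: sequence number, integer quotient by a per-character bound --
def seq_bound(n: int = N) -> int:
    """One character occupies 2**32 / n of the 32-bit field: 16777216."""
    return 2 ** 32 // n


def seq_encode(ch: str, filler: int, n: int = N) -> int:
    """Sender: ISN = c * bound + filler. Any filler below the bound leaves
    the quotient unchanged and keeps the ISN from being an exact multiple."""
    bound = seq_bound(n)
    if not 0 <= filler < bound:
        raise ValueError("filler must be below the per-character bound")
    return ord(ch) * bound + filler


def seq_decode(seq: int, n: int = N) -> str:
    """Receiver: integer quotient of the received ISN by the bound."""
    return chr(seq // seq_bound(n))


# ---- Scheme 3: TCP timestamp LSB -------------------------------------------
def lsb_encode(msg: bytes, tsvals) -> list:
    """Sender: walk the stack's natural TSval clock and emit a segment only
    when the clock's LSB equals the next covert bit (LSB first within each
    byte). Returns the TSvals that were actually sent."""
    bits = [(b >> i) & 1 for b in msg for i in range(8)]
    clock, sent = iter(tsvals), []
    for bit in bits:
        for ts in clock:          # wait for a clock value whose LSB matches
            if (ts & 1) == bit:
                sent.append(ts)
                break
        else:
            raise ValueError("timestamp clock exhausted before message sent")
    return sent


def lsb_decode(tsvals) -> bytes:
    """Receiver: collect one LSB per segment until a byte is full."""
    out, acc, k = bytearray(), 0, 0
    for ts in tsvals:
        acc |= (ts & 1) << k
        k += 1
        if k == 8:
            out.append(acc)
            acc, k = 0, 0
    return bytes(out)


if __name__ == "__main__":
    print("scheme 1:", ipid_decode(26702), ipid_encode("M", 26700))
    print("scheme 2:", seq_decode(1235037038), seq_bound())
    sent = lsb_encode(b"covert", range(1000, 2000))   # constructed TSval clock
    print("scheme 3:", len(sent), "segments ->", lsb_decode(sent))
```

The scheme-3 sender never alters the clock, it only chooses when to transmit, which is why the channel costs bandwidth: on average every second clock tick is skipped, and a burst of segments whose timestamps advance irregularly is itself a signal a detector can look for.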
6 ENTROPY BASED COVERT CHANNEL ANALYSIS

The entropy [2] of a message, in the sense of Shannon's entropy theory, gives the number of bits required to encode a character over the channel. It depends on the frequency of the characters in the given string and on the size of the alphabet, and it also measures the uncertainty of the underlying random variable.

Let A be a finite set of characters such that |A| ≥ 1; a string is a sequence of symbols, each of which belongs to A. For instance, let cbbacabbac be the sequence of symbols to be transmitted over the network; its sequence of bits represents the coded symbol sequence, which may be 101110011011100010. The entropy of such a string is defined as

H(X) = −Σ_{i=1}^{|A|} p_i log2 p_i

where i ∈ {1, ..., |A|}, |A| > 1, p_i is the probability of occurrence of the i-th symbol in the string, and n gives the length of the string. To transmit the message "network" over the communication network, the entropy is calculated as follows. In a string whose symbols are all distinct every character has the same frequency; since the word "network" has seven distinct symbols, each has frequency 1/7 = 0.143. Let X be the string for which the entropy is to be calculated (X may be a word like "network" or a stream of numbers); then

H(X) = −[(0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143)]

H(X) = 2.803 (the exact value is log2 7 ≈ 2.807)

It therefore requires 3 bits to represent each symbol, and 21 bits to represent the entire string; an appropriate line coding technique then has to be chosen to represent the bits on the transmission line. In general, the entropy of a string X of n distinct symbols is log2 n.

In a covert channel scenario the covert user has to choose the message such that the entropy of the string is always less than the number of bits available in the chosen protocol header field, i.e.

H(X) < B_f, where B_f is the maximum number of bits in that field.
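Added example, not from the paper: a Python implementation of the entropy measure above, the H(X) < B_f check, and the same measure applied to the low byte of the IP ID field over a flow, which is how an entropy-based detector would use it against Scheme 1. The benign and covert flows, the function names and the 6-bit alert threshold are constructed assumptions for the demonstration.

```python
"""Added example, not code from the paper: the Shannon entropy measure
defined above, the H(X) < B_f capacity check, and the same measure turned
on a header field the way an entropy-based detector would use it. The flows,
function names and the alert threshold are constructed for the demo."""
import math
from collections import Counter


def shannon_entropy(symbols) -> float:
    """H(X) = -sum(p_i * log2 p_i) over the symbol frequencies of the input."""
    symbols = list(symbols)
    n = len(symbols)
    return -sum((c / n) * math.log2(c / n) for c in Counter(symbols).values())


def bits_to_encode(message: str) -> int:
    """Bits for the whole string at ceil(H) bits per symbol: 'network' -> 21."""
    return math.ceil(shannon_entropy(message)) * len(message)


def fits_field(message: str, field_bits: int) -> bool:
    """The covert sender's constraint from the text: H(X) < B_f."""
    return shannon_entropy(message) < field_bits


# ---- the same measure as a detector, over the low byte of the IP ID --------
def ipid_low_byte_entropy(ip_ids) -> float:
    """Entropy of the IP ID low byte across a flow. A counter-style ID
    spreads over all 256 values (8 bits); scheme-1 text is confined to
    printable codes and scores far lower."""
    return shannon_entropy(i & 0xFF for i in ip_ids)


def benign_ipids(start: int, count: int) -> list:
    """Constructed benign flow: an incrementing 16-bit IP ID counter."""
    return [(start + i) & 0xFFFF for i in range(count)]


def covert_ipids(text: str, start: int) -> list:
    """Constructed covert flow: scheme 1 with low byte = (ord(c) + 1) mod 256
    and a counter in the high byte so the field still looks plausible."""
    return [((start + i) & 0xFF) << 8 | ((ord(c) + 1) & 0xFF)
            for i, c in enumerate(text)]


def flag_flow(ip_ids, threshold: float = 6.0) -> bool:
    """Alert when the ID low byte looks like text rather than a counter.
    The 6-bit threshold is an assumption for the demo, not a paper value."""
    return ipid_low_byte_entropy(ip_ids) < threshold


SAMPLE_TEXT = ("the quick brown fox jumps over the lazy dog " * 6).strip()

if __name__ == "__main__":
    print(f"H('network') = {shannon_entropy('network'):.3f} bits,"
          f" {bits_to_encode('network')} bits for the string")
    print("fits a 16-bit field:", fits_field("network", 16))
    print("benign flow:", round(ipid_low_byte_entropy(benign_ipids(26000, 256)), 3))
    print("covert flow:", round(ipid_low_byte_entropy(covert_ipids(SAMPLE_TEXT, 26000)), 3))
```

The detector side is the converse of the sender's H(X) < B_f constraint: a field that natively uses its full width (a counter, a random ISN) carries close to B_f bits of entropy per packet, and a covert stream of natural-language characters pulls that figure down. Real stacks that use a constant or zero IP ID (allowed for atomic datagrams) would also score low, so a threshold like the one above needs a per-host baseline rather than a fixed value.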
The IP ID field used in Scheme 1 of this paper has 16 bits in the IP header, so to send X a minimum of 21 bits is required; hence the capacity of the covert channel is correspondingly small, and the covert channel occupies 25% of the total IP header space. Multiple trapdoors (t) [5] [4] in the IP header or another protocol header simply double the covert channel capacity. However, the entropy to channel capacity ratio will be low, thus making it robust. This makes the detection of covert bits much more difficult, as the detection system needs to scan more fields for analysis.

In general, for robust covert channel construction [7], the covertness index for such a multi-trapdoor covert channel will be greater than 0.5. Setting multiple trapdoors through a protocol or a set of protocols is actually setting up multiple covert channels in the communication network. The entropy for such scenarios is dispersed across multiple fields, making it difficult to understand the scheme. Also, in the multi-trapdoor scenario the covert channel behaves like a single coherent hybrid covert channel in which the effect of the entropy is doubled. The results shown in figure 7 and figure 8 show the expected behaviour discussed in this paper.

Fig 7 IP Entropy analysis

Fig 8 TCP Entropy Analysis
The results indicate that the multiple trapdoors used in a hybrid covert channel yield a higher entropy value and a low channel to entropy ratio (C/E). A constant C/E ratio also indicates consistent usage of the protocol header for constructing the multi-trapdoor based hybrid covert channel. This implies that the covert schemes used in a hybrid covert channel are difficult to detect in secured communication.
7 RESULTS AND DISCUSSIONS

The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in that protocol, i.e. Ts < Tm, where Tm is the maximum number of trapdoors possible in that protocol and Ts is the number of trapdoors set. The analysis of the trapdoor setting is performed on the protocols IPv4, TCP, IPSec and SSL/TLS. The trapdoor setting in the rudimentary network protocols IPv4 and TCP is merely a matter of placing the covert data in one of their header fields. Table 1 shows the effect of varying the number of trapdoors in the IPv4 protocol.

Table 1 Multi-Trapdoor Analysis of IPv4

Sl No | Trapdoor Name | No of Trapdoors | No of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E
1 | Network Covert Channel-IPv4-Single | 4 | 1 | NIL | 0.25 | 2.803 | 0.089
2 | Network Covert Channel-IPv4-dual | 4 | 2 | NIL | 0.5 | 5.606 | 0.17
3 | Network Covert Channel-IPv4-triple | 4 | 3 | NIL | 0.75 | 11.21 | 0.358

The graph of Trapdoors Vs the Covertness Index is shown in figure 9, where an increase in the number of trapdoors in IPv4 increases the difficulty of detecting the covert channel. The trapdoor setting in IPSec using a subliminal channel is slightly more complex to understand. However, the ESP format provides two fields to convey the covert bits in the protocol header. The remaining data is sent through the ESP algorithm at the time of key generation for encryption using the AES algorithm: the residual bits are used in random number generation or in the round box of AES, as depicted in row 2 of table 2. Hence the covertness index is 0.15 for the header-field trapdoor (row 1) and, by equation 2, 0.47 once the residual bits are used (rows 2 and 3). This will not change any further, as there is limited scope for subliminal channel development in the IPSec ESP format.
Fig 9 Entropy Vs Covertness Index in IPv4

Table 2 Multi-Trapdoor Analysis of Subliminal Channel in IPSec

Sl No | Trapdoor Name | No of Trapdoors | No of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E
1 | Subliminal Channel-IPSec ESP-1 | 2 | 1 | AES-XCBC-MAC | 0.15 | 2.803 | 0.14
2 | Subliminal Channel-IPSec ESP-2 | - | - | AES-XCBC-MAC | 0.47 | 4.78 | 0.35
3 | Subliminal Channel-IPSec ESP-3 | - | - | AES-XCBC-MAC | 0.47 | 5.21 | 0.35

The graph of Trapdoors Vs the Covertness Index is shown in figure 10, where an increase in the number of trapdoors in IPSec ESP leaves the covertness index constant. The trapdoors in a TCP based protocol are simple: TCP provides seven fields for placing the covert data. Table 3 depicts the changing trapdoor that has an effect on the covertness index. When more trapdoors are involved it is difficult to detect the composition of the covert channel. Figure 11 shows the change in the trapdoor count that has an effect on detection; however, the changes in the covertness index can be minimal. The trapdoor setting in the subliminal channel in SSL/TLS is based on the algorithm used in its cipher suite; this is referred to as a random oracle channel. To increase the complexity of the subliminal channel and thwart detection, the randomization of bits is feasible in a chosen prime number; this forms the Newton Subliminal Channel. The covertness index for such channels is discussed in table 4.

Fig 10 Entropy Vs Covertness Index in IPSec based subliminal channel
Table 3 Multi-Trapdoor Analysis of Network covert channel in TCP

Sl No | Trapdoor Name | No of Trapdoors | No of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E
1 | Network Covert Channel-TCP-1 | 7 | 1 | NIL | 0.142 | 2.803 | 0.14
2 | Network Covert Channel-TCP-2 | 7 | 2 | NIL | 0.28 | 5.606 | 0.28
3 | Network Covert Channel-TCP-3 | 7 | 3 | NIL | 0.42 | 11.21 | 0.14

The graph of covertness index vs the trapdoors in the subliminal channel is shown in figure 12. The higher entropy value for some of the formations indicates that the detection engine [10] is able to detect the activity, and this gives a clear indication of the higher detection rates. A hybrid covert channel is not feasible for the combination of the network covert channels in TCP and IPv4, as this becomes an easily detectable combination.

Fig 11 Entropy Vs Covertness Index in Covert Channel based on TCP

Table 4 Multi-Trapdoor Analysis of Subliminal Channel in SSL/TLS

Sl No | Trapdoor Name | No of Trapdoors | No of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E
1 | Subliminal Channel (Oracle)-SSL/TLS-1 | - | - | SSL Cipher Suite | 0.25 | 2.803 | 0.14
2 | Subliminal Channel (Oracle)-SSL/TLS-2 | - | - | SSL Cipher Suite | 0.58 | 3.67 | 0.35
3 | Subliminal Channel (Oracle)-SSL/TLS-3 | - | - | SSL Cipher Suite | 0.58 | 3.67 | 0.35
Fig 12 Covertness Index for Subliminal Channel based on SSL/TLS

8 CONCLUSION

Covert schemes are difficult for a third-party entity to understand, as they obscure the content carried in the protocol header. This provides an opportunity for embedding any data, which may even be malware code. Entropy based analysis gives the actual number of bits used to represent the covert symbol in a protocol; this gives a clear metric for understanding covert channel schemes in a better way. It is unacceptable to have a malicious conversation on the network even in the presence of an administrator. The inference from this experiment is that the hybrid covert channel has a high degree of entropy, which makes it difficult to detect. It is required to concentrate on stronger detection principles to detect such events.

ACKNOWLEDGEMENT

Anjan Koundinya thanks the late Dr V K Ananthashayana, erstwhile Head, Department of Computer Science and Engineering, M S Ramaiah Institute of Technology, Bangalore, for igniting the passion for research.

REFERENCES

[1] Description of Detection Approaches, at the URL http://gray-world.net/projects/papers/html/cctde.html, 2014. [Online; accessed 15-Feb-2015]
[2] Description of the Entropy calculation, at the URL http://www.shannonentropy.netmark.pl. [Online; accessed 16-Feb-2015]
[3] Koundinya Anjan and Jibi Abraham. Behaviour analysis of transport layer based hybrid covert channel. In Third International Conference on Network Security and Applications, pages 83-92, Chennai, India, 2010. Springer-Verlag LNCS series.
[4] Jibi Abraham, Anjan K, Srinath N K. Attack modelling and behavioral analysis of hybrid covert channel in secured communication. ACEEE International Journal of Network Security, 05(2):67-77, 2014.
[5] Bo Yuan, Chaim Sanders, Jacob Valletta. Employing Entropy in the Detection and Monitoring of Network Covert Channels. 2012.
[6] Rajarathnam Chandramouli and Koduvayur P Subbalakshmi. Covert channel forensics on the internet: Issues, approaches and experiences. 5(1):41-50, July 2007.
[7] Anjan K Koundinya et al. Covertness analysis of subliminal channels in legitimate communication. In ADCONS 2011, pages 582-591. Springer-Verlag LNCS series, 2012.
[8] Jaideep Chandrashekar et al. Exploiting temporal persistence to detect covert botnet channels. In Proceedings of the 12th International Symposium RAID 2009, pages 326-345, Saint-Malo, France, September 2009.
[9] Loic Helou, Claude Jard and Marc Zeitoun. Covert channels detection in protocols using scenarios. SPV03, Volume 3, April 2003.
[10] Anjan K Koundinya and Jibi Abraham. Design of Transport Layer Based Hybrid Covert Channel Detection Engine. International Journal of Ad hoc, Sensor and Ubiquitous Computing, volume 1 of 4, 2010.
[11] B W Lampson. A Note on the Confinement Problem. Communications of the ACM, 1973.
[12] Enping Li and Scott Craver. A supraliminal channel in a wireless phone application. In Proceedings of the 11th ACM workshop on Multimedia and security, pages 7-18, Princeton, New Jersey, USA, 2009.
[13] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert timing channels: Design and detection. CCS '04, 2004.
[14] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert channel detection. ACM Transactions on Information and System Security, Volume 12 (Article 22), 2009.
[15] Gustavus J Simmons. The Subliminal Channel and Digital Signatures. Springer-Verlag, 1998.
[16] Steffen Wendzel. Protocol Channels. HAKIN9, 2009.
[17] Andreas Willig. A short introduction to queuing theory. Lecture notes at Technical University Berlin, 1999.
[18] Adam Young and Moti Yung. Malicious Cryptography. First edition, Wiley Publishing, Feb, pages 220-240, 2004.

AUTHORS

Anjan K received his BE degree from Visveswariah Technological University, Belgaum, India in 2007 and his master's degree from the Department of Computer Science and Engineering, M S Ramaiah Institute of Technology, Bangalore, India. He was awarded Best Performer PG 2010 for his academic excellence. His areas of research include Network Security and Cryptography and Agile Software Engineering. He is pursuing a PhD in Computer Science and Engineering from VTU, Belgaum. He is currently working as Assistant Professor in the Department of Computer Science and Engineering, R V College of Engineering, Bengaluru, India.

Srinath N K has his ME degree in Systems Engineering and Operations Research from Roorkee University in 1986 and a PhD degree from Avinash Lingum University, India in 2009. His areas of research interest include Operations Research, Parallel and Distributed Computing, DBMS and Microprocessors. He is working as Professor and Dean PG, Department of Computer Science and Engineering, R V College of Engineering.

Jibi Abraham received her MS degree in Software Systems from BITS, Rajasthan, India in 199 and her PhD degree from Visveswariah Technological University, Belgaum, India in 2008 in the area of Network Security. Her areas of research interest include Network routing algorithms, Cryptography, Network Security of Wireless Sensor Networks and Algorithm Design. She is working as Professor and Head in the Department of CEIT, College of Engineering, Pune.
This combination will prove effective in hop-to-hop routing and can avoid any detection.

Fig 5 Noise Covert Channel

The covertness index for the Network Covert Channel in the Network Layer (IPv4) is defined in terms of (T), the probability of a trapdoor, and card(Ut), the cardinality of the universal set of all possible trapdoors.

The covertness index for the subliminal channel in the IPSec ESP format: IPSec makes use of the AES-XCBC-MAC cipher suite, and the ESP format allows two trapdoor implantations, the Sequence Number field and the padding. The maximum number of rounds in the AES random number generator algorithm is 16, of which 5 rounds are used for generating the seed.

As per [7], the trapdoors can be detected under the assumption stated in the hybrid covert channel formation. However, this will not be the same if multiple trapdoors are set in each of the protocol headers.
4.2 Scenario-2

This scenario is built on the threat model of a noiseless covert channel, where the resources and users in a sub-network are compromised. This sub-network is connected to other networks, and the communication from the sub-network to all the other networks is built using a Hybrid Covert Channel. Such a sub-network can be similar to a bot-net as described in [8].

Fig 6 Noiseless Covert Channel with Hybrid Covert Channel

The scenario can have a multi-trapdoor or protocol-hopped hybrid covert channel [16]. The trapdoor can move from one protocol to another during hop-to-hop communication, or there can be a combination of trapdoors at multiple levels of the protocol suite. Hence there can be no particular index.

5 COVERT SCHEMES AND THEIR EMBODIMENT

The covert schemes are crucial for conveying the covert data over the communication channel in an obscured way; the more sophisticated the scheme, the less likely it is to be retrieved by a detection entity. A few samples of covert schemes were discussed in section 2 of this paper, and detailed schemes are presented here.

Scheme 1

The IP ID is a field used for identification of the packet, so that its fragments can be matched up and reassembled. The covert scheme used for this field is based on the following strategy:

• Intentional use of only certain IP IDs while having a conversation with the covert receiver.
• The scheme is designed by the covert sender for embedding covert characters into the IP ID field.
• The covert receiver applies the scheme used by the sender to retrieve the covert character.

For instance, a simple scheme that can be used for this field extracts the character from the IP ID by performing a modulus operation with the character set size. The general notation for this scheme for encoding a character 'c' is given in terms of the encoding function f(c), the IP ID value R and the character set size n, as set out under Scheme 1 earlier in this text.
BITSRajasthanIndia in 199 and
University Belgaum India in
fresearch interests include Network
of Wireless Sensor Networks andHead in Dept of CEIT College of
ork Security amp Its Applications (IJNSA) Vol7 No3 M
vertness analysis of subliminal channels in legitimate c
591 Springer- Verlag LNCS series 2012
xploiting temporal persistence to detect covert botnet
ional Symposium RAID 2009 pages 326345 Saint-
Marc ZeitounCovert channels detection in protocols u
Abraham Design of Transport Layer Based Hybrid C
f 4 International Journal of Ad hocSensor and Ubiquito
Con_nement ProblemCommunication of the ACM 19
supraliminal channel in a wireless phone application
n Multimedia and security pages 718 Princeton Ne
rla Brodley IP covert timing channels Design and det
Carla Brodley IP covert channel detectionACM
ity Volume 12(Article 22) 2009
liminal Channel and Digital SignaturesSpringer-Verlag
nnelsHAKIN9 2009uction to queuing theorylecture notes at Technical Uni
Malicious Cryptography First edition Wiley Publish-
E degree from Visveswariah Technological
nd his master degre from Department of Computer
iahInstitute of Technology Bangalore IndiaHe has
10 for his academic excellenceHis area so fresearch
graphyAgile Software EngineeringHe ispursuing
neeing fromVTUBelgaum He is currently working
omputer Science and Engineering RV College of
ystems Engineering and Operations Research from
D degree from Avinash Lingum UniversityIndia
rests include Operations Research Parallel and
roprocessor His isworking as Professor and Dean
EngineeringRVCollege of Engineering
r MS degree in Software Systems from
PhD degree from Visveswariah Technological
008 in the area of Network SecurityHe rarea so
routing algorithms Cryptography Network Security
lgorithms DesignShe is working as Professor andngineering Pune
ay 2015
53
ommunication
channels In
Malo France
sing scenarios
overt Channel
us Computing
3
n Proceedings
Jersey USA
ction CCS 4
ransaction on
1998
versity Berlin
ingFeb pages
4.2 Scenario-2

This scenario is built on the threat model of a noiseless covert channel where the resources and users in a sub-network are compromised. This sub-network is connected to other networks. The communication from the sub-network to all the other networks is built using a Hybrid Covert Channel. This sub-network can be similar to a bot-net as described in [8].

Fig. 6 Noiseless Covert Channel with Hybrid Covert Channel

The scenario can have a multi-trapdoor or protocol-hopped hybrid covert channel [16]. The trapdoor can move from one protocol to another protocol during the hop-to-hop communication, or there can be a combination of trapdoors at multiple levels in the protocol suite. Hence there can be no particular index.

5. COVERT SCHEMES AND THEIR EMBODIMENT

The covert schemes are crucial for conveying the covert data over a communication channel in an obscured way. A more sophisticated scheme is less likely to be retrieved by the detection entity. A few samples of covert schemes were discussed in section 2 of this paper, and detailed schemes are presented here.

Scheme 1

The IP ID is a field used for identification of the packet and is used for routing purposes. The covert scheme used for this field is based on the following strategy:

• Intentional use of only certain IP IDs while having a conversation with the covert receiver
• The scheme is designed by the covert sender for embedding covert characters into the IP ID field
• The covert receiver applies the scheme used by the sender to retrieve the covert character

For instance, a simple scheme that can be used for this field is extracting the covert character from the IP ID by performing a modulus operation with the character set size. The general notation for this scheme for encoding a character 'c' is
where F(R) is the encoding function, R is the IP ID value and n is the size of the character set. For an ASCII character set n = 256.

Example: If IP ID = 26702 and the character to be sent is 'M', then F(R) = (26702 − 1) mod 256 = 'M'.

To convey a covert message the covert sender has to select the IP ID in such a way as to match F(R).

Scheme 2

Another prominent scheme is based on the sequence number, whose maximum range is 4294967296 numbers as it is a 32-bit field. To communicate covertly under this scheme the following strategy is employed:

• The sequence number is multiplied with the value of the character set and a bound is declared with the maximum limit
• The receiver side retrieves the sequence number and then divides it by the character set size

The encoding function F(c) is given below:

where S is the initial sequence number and n is the size of the character set. The decoding function F(S′) is given below:

where c′ is the decoded character and S′ is the received sequence number.

For instance, to send the character 'I' covertly over the channel the sender would have to choose 1235037038 as the sequence number, and the max value is derived as 65535 × 256 = 16777216. Therefore the decoded character is F(S′) = 1235037038 / 16777216 = 73 (integer part). The value 73 when mapped back to the ASCII table is the character 'I'.

Scheme 3

Another scheme which has a tremendous effect on the bandwidth is the modulation of TCP timestamps, or the use of a timing element in the network protocol. The TCP timestamp is in the options field of the TCP header and indicates the round trip time of the packets; from it the TCP process accurately calculates the next retransmission of a TCP segment which failed to be acknowledged. If a character is to be covertly sent using this scheme the following strategy is used:

• Get the binary representation of the character and extract bits from the least significant bit
• Check if the timestamp least significant bit (LSB) is the same as the covert bit; if so, send the TCP segment
• The covert receiver will extract the LSB of the timestamp and store the same until it is a byte

Let Bc be the binary representation of the character 'c' and FLSB(Bc) be the encoding function for encoding the covert bits in the TCP timestamp.
6. ENTROPY BASED COVERT CHANNEL ANALYSIS

The entropy [2] in a communication network indicates the number of bits required to encode a character over the channel, as stated by Shannon's entropy theory. This is based on the frequency of the characters in a given string and the size of the alphabet. The entropy measure also checks for the uncertainty of the random variable.

Let A be a finite set of characters such that |A| ≥ 1, and any character c ∈ A; a sequence of symbols is a string, each alphabet in the string being ∈ A. For instance, let cbbacabbac be the sequence of symbols that needs to be transmitted over the network; then its sequence of bits represents the coded symbol sequence, which may be 101110011011100010. Then the entropy for such a scenario is defined as

where i ∈ |A| and |A| > 1, pi is the probability of the occurrence of symbol 'c' in the string and n gives the length of the string. To transmit a message "network" over the communication network, the following is the calculated entropy for each alphabet:

The frequency of all the characters in a string with unique symbols will be the same; since the word "network" has unique symbols the frequency is 0.143. Let X be the string for which the entropy is to be calculated; here X may be a word like network or a stream of numbers. Then

H(X) = −[(0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143)]

H(X) = 2.803

It requires 3 bits to represent each symbol in the given string, and 21 bits are required to represent the entire string. Further, the appropriate line coding technique has to be chosen to represent them on the transmission line. So in general the entropy of X, where each alphabet is a unique symbol, is

In a covert channel scenario the covert user has to choose the message in such a way that the entropy of the string is always less than the number of bits available for that field in the protocol header, i.e.

H(X) < |Maximum number of bits in that field (Bf)|
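The three schemes of section 5 and the entropy bound H(X) < Bf above, as an added example (not the paper's code): receiver-side decoders written from the formulas and worked figures the paper gives, Shannon entropy per this section, and the covertness index Ts/Tm that the tables in section 7 report. The Scheme 2 block size 2^32/n, the LSB-first bit order for Scheme 3 and the Ts/Tm ratio are this example's assumptions read off the paper's numbers.

```python
import math
from collections import Counter

CHARSET_SIZE = 256   # n: ASCII character set, as in the paper
SEQ_RANGE = 2 ** 32  # TCP sequence number is a 32-bit field


def shannon_entropy(symbols):
    """H(X) = -sum(p_i * log2 p_i) over the symbols of the string (section 6).
    Returns bits per symbol; 'network' (7 unique symbols) gives log2(7)."""
    total = len(symbols)
    if total == 0:
        return 0.0
    counts = Counter(symbols)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def bits_for_message(symbols):
    """Bits needed for the whole string at ceil(H(X)) bits per symbol:
    'network' -> 3 bits/symbol * 7 symbols = 21 bits, as the paper computes."""
    return math.ceil(shannon_entropy(symbols)) * len(symbols)


def fits_field(symbols, field_bits):
    """The paper's constraint on a covert message: H(X) < B_f, where B_f is the
    width in bits of the carrier header field (16 for the IP ID)."""
    return shannon_entropy(symbols) < field_bits


def covertness_index(trapdoors_set, trapdoors_max):
    """Ts / Tm with Ts <= Tm (section 7).  The ratio is an assumption read off
    the tables: 1/4 = 0.25 for IPv4, 1/7 ~ 0.142 for TCP."""
    if not 0 <= trapdoors_set <= trapdoors_max:
        raise ValueError("Ts must lie between 0 and Tm")
    return trapdoors_set / trapdoors_max


def decode_ipid(ipid, n=CHARSET_SIZE):
    """Scheme 1: F(R) = (R - 1) mod n.  IP ID 26702 decodes to 'M' (77)."""
    return chr((ipid - 1) % n)


def decode_seq(seq, n=CHARSET_SIZE):
    """Scheme 2: the receiver divides the sequence number by the per-character
    block size 2^32 / n = 16777216 (assumed); 1235037038 decodes to 'I' (73)."""
    return chr(seq // (SEQ_RANGE // n))


def decode_timestamp_lsbs(timestamps):
    """Scheme 3: collect the LSB of each TCP timestamp until a byte is complete.
    Bits are assembled LSB-first (this example's assumption); leftover
    timestamps that do not fill a byte are ignored."""
    chars = []
    for start in range(0, len(timestamps) - len(timestamps) % 8, 8):
        value = 0
        for bit_pos, ts in enumerate(timestamps[start:start + 8]):
            value |= (ts & 1) << bit_pos
        chars.append(chr(value))
    return "".join(chars)


def entropy_report(decoded, field_bits):
    """What a detection engine can measure on a candidate decoded stream:
    entropy in bits per symbol against the carrier field width."""
    h = shannon_entropy(decoded)
    return {"entropy": h, "field_bits": field_bits, "within_field": h < field_bits}


if __name__ == "__main__":
    # Constructed IP ID stream (not a capture): each ID is chosen so that
    # Scheme 1 recovers one letter of "net" under F(R) = (R - 1) mod 256.
    sample_ipids = [111, 26726, 1909]
    decoded = "".join(decode_ipid(r) for r in sample_ipids)
    print(decoded, entropy_report(decoded, field_bits=16))
    print("Ts/Tm IPv4 single:", covertness_index(1, 4))
    print("Ts/Tm TCP single:", round(covertness_index(1, 7), 3))
```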
The IP ID presented in Scheme 1 of this paper has 16 bits in the IP header, so to send X a minimum of 21 bits is required. Hence the capacity of the covert channel is

The covert channel occupies 25% of the total IP header space. Multiple trapdoors (t) [5] [4] in the IP header or protocol header simply double the covert channel capacity. However, the entropy to channel capacity ratio will be low, thus making it robust, i.e.

This makes the detection of covert bits much more difficult, as the detection systems need to scan more fields for analysis.

In general

for robust covert channel construction, where [7] the covertness index for such a multi-trapdoor covert channel will be greater than 0.5. The multiple trapdoors through a protocol or set of protocols is actually the setting up of multiple covert channels in the communication network. The entropy for such scenarios is dispersed across the multiple trapdoors, making it difficult to understand the scheme. Also, in the multi-trapdoor scenario the covert channel behaves like a single coherent hybrid covert channel where the effect of the entropy is doubled. The results shown below in figure 7 and figure 8 show the accurate expected behaviour discussed in this paper:

Fig. 7 IP Entropy analysis

Fig. 8 TCP Entropy Analysis
The results indicate that the multiple trapdoors used in a hybrid covert channel yield a higher entropy value and a low channel-to-entropy ratio (C/E). The constant C/E ratio also indicates the consistent usage of the protocol header for constructing a multi-trapdoor based hybrid covert channel. This implies that the covert schemes used in a hybrid covert channel are difficult to detect in secured communication.

7. RESULTS AND DISCUSSIONS

The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in that protocol, i.e.

where Tm is the max number of trapdoors possible in that protocol and Ts is the number of trapdoors set.

The analysis of the trapdoor setting is performed on protocols like IPv4, TCP, IPSec and SSL/TLS. The trapdoor setting in the rudimentary network protocols like IPv4 and TCP is merely based on placing the covert data in any of its header fields. Table 1 shows the effect of varying the number of trapdoors in the IPv4 protocol.

Table 1 Multi-Trapdoor Analysis of IPv4

Sl No | Trapdoor Name | No of Trapdoors (Tm) | Trapdoors used (Ts) | Algorithm | Covertness Index | Entropy | C/E
1 | Network Covert Channel-IPv4-Single | 4 | 1 | NIL | 0.25 | 2.803 | 0.089
2 | Network Covert Channel-IPv4-dual | 4 | 2 | NIL | 0.5 | 5.606 | 0.17
3 | Network Covert Channel-IPv4-triple | 4 | 3 | NIL | 0.75 | 11.21 | 0.358

The graph of Trapdoors vs the Covertness Index is shown in figure 9, where an increase in the number of trapdoors in IPv4 increases the difficulty in detecting the covert channel. The trapdoor setting in IPSec using a subliminal channel is slightly complex to understand. However, the ESP format provides two fields to convey the covert bits in the protocol header. The remaining data is sent over the ESP algorithm during the key generation for encryption using the AES algorithm. The residual bits are used in random number generation or in the round box of AES, and this is depicted in row 2 of table 2. Hence the covertness index is 0.15 by equation 2, which becomes 0.47. This will not change any further as there is limited scope for subliminal channel development in the IPSec-ESP format.
Fig. 9 Entropy Vs Covertness Index in IPv4

Table 2 Multi-Trapdoor Analysis of Subliminal Channel in IPSec

Sl No | Trapdoor Name | No of Trapdoors (Tm) | Trapdoors used (Ts) | Algorithm | Covertness Index | Entropy | C/E
1 | Subliminal Channel-IPSec ESP-1 | 2 | 1 | AES-XCBC-MAC | 0.15 | 2.803 | 0.14
2 | Subliminal Channel-IPSec ESP-2 | - | - | AES-XCBC-MAC | 0.47 | 4.78 | 0.35
3 | Subliminal Channel-IPSec ESP-3 | - | - | AES-XCBC-MAC | 0.47 | 5.21 | 0.35

The graph of Trapdoors vs the Covertness Index is shown in figure 10, where an increase in the number of trapdoors in IPSec ESP makes the covertness index constant. The trapdoors in a TCP based protocol are simple, and TCP provides seven fields for placing the covert data. Table 3 depicts the changing trapdoor that has an effect on the covertness index. When a greater number of trapdoors is involved it is difficult to detect the composition of the covert channel. Figure 11 shows the change in the trapdoor count that has an effect on the detection. However, the changes in the covertness index can be minimal. The trapdoor setting in the subliminal channel in SSL/TLS is based on the algorithm used in its cipher suite. This is purely called a random oracle channel. However, to increase the complexity of the subliminal channel to thwart detection, randomization of bits is feasible in a chosen prime number. This forms the Newton Subliminal Channel. The covertness index for such channels is discussed in table 4.

Fig. 10 Entropy Vs Covertness Index in IPSec based subliminal channel
Table 3 Multi-Trapdoor Analysis of Network covert channel in TCP

Sl No | Trapdoor Name | No of Trapdoors (Tm) | Trapdoors used (Ts) | Algorithm | Covertness Index | Entropy | C/E
1 | Network Covert Channel-TCP-1 | 7 | 1 | NIL | 0.142 | 2.803 | 0.14
2 | Network Covert Channel-TCP-2 | 7 | 2 | NIL | 0.28 | 5.606 | 0.28
3 | Network Covert Channel-TCP-3 | 7 | 3 | NIL | 0.42 | 11.21 | 0.14

The graph of covertness index vs the trapdoor in the subliminal channel is shown in figure 12. The higher entropy value for some of the formations indicates that the detection engine [10] is able to detect the activity, and this gives a clear indication of the higher detection rates. A hybrid covert channel is not feasible for the combinations of the network covert channel in TCP and IPv4, as this becomes an easily detectable combination.

Fig. 11 Entropy Vs Covertness Index in Covert Channel based on TCP

Table 4 Multi-Trapdoor Analysis of Subliminal Channel in SSL/TLS

Sl No | Trapdoor Name | No of Trapdoors (Tm) | Trapdoors used (Ts) | Algorithm | Covertness Index | Entropy | C/E
1 | Subliminal Channel (Oracle)-SSL TLS-1 | - | - | SSL Cipher Suite | 0.25 | 2.803 | 0.14
2 | Subliminal Channel (Oracle)-SSL TLS-2 | - | - | SSL Cipher Suite | 0.58 | 3.67 | 0.35
3 | Subliminal Channel (Oracle)-SSL TLS-3 | - | - | SSL Cipher Suite | 0.58 | 3.67 | 0.35
Fig. 12 Covertness Index for Subliminal Channel based on SSL/TLS

8. CONCLUSION

Covert schemes are difficult to understand from a third party entity as they obscure the content taken in the protocol header. This provides an opportunity for embedding any data, which may even be malware code. Entropy based analysis gives the actual number of bits used to represent the covert symbol in a protocol. This gives a clear metric to understand the covert channel schemes in a better way. It is unacceptable to have a malicious conversation on the network even in the presence of an administrator. It is the inference of this experiment that the hybrid covert channel has a high degree of entropy, which makes it difficult to detect. It is required to concentrate on a stronger detection principle to detect such events.

ACKNOWLEDGEMENT

Anjan Koundinya thanks Late Dr. V K Ananthashayana, Erstwhile Head, Department of Computer Science and Engineering, M S Ramaiah Institute of Technology, Bangalore for igniting the passion for research.

REFERENCES

[1] Description of Detection Approaches at the URL http://gray-world.net/projects/papers/html/cctde.html, 2014. [Online; accessed 15-Feb-2015]
[2] Description of the Entropy calculation at the URL http://www.shannonentropy.netmark.pl. [Online; accessed 16-Feb-2015]
[3] Koundinya Anjan and Jibi Abraham. Behaviour analysis of transport layer based hybrid covert channel. In Third International Conference on Network Security and Applications, pages 83-92, Chennai, India, 2010. Springer-Verlag LNCS series.
[4] Jibi Abraham, Anjan K, Srinath N K. Attack modelling and behavioral analysis of hybrid covert channel in secured communication. ACEEE International Journal of Network Security, 05(2):67-77, 2014.
[5] Bo Yuan, Chaim Sanders, Jacob Valletta. Employing Entropy in the Detection and Monitoring of Network Covert Channels, 2012.
[6] Rajarathnam Chandramouli and Koduvayur P Subbalakshmi. Covert channel forensics on the internet: Issues, approaches and experiences. 5(1):41-50, July 2007.
[7] Anjan K Koundinya et al. Covertness analysis of subliminal channels in legitimate communication. In ADCONS 2011, pages 582-591. Springer-Verlag LNCS series, 2012.
[8] Jaideep Chandrashekar et al. Exploiting temporal persistence to detect covert botnet channels. In Proceedings of 12th International Symposium RAID 2009, pages 326-345, Saint-Malo, France, September 2009.
[9] Loic Helou, Claude Jard and Marc Zeitoun. Covert channels detection in protocols using scenarios. SPV03, Volume 3, April 2003.
[10] Anjan K Koundinya and Jibi Abraham. Design of Transport Layer Based Hybrid Covert Channel Detection Engine. International Journal of Ad hoc, Sensor and Ubiquitous Computing, volume 1 of 4, 2010.
[11] B W Lampson. A Note on the Confinement Problem. Communication of the ACM, 1973.
[12] Enping Li and Scott Craver. A supraliminal channel in a wireless phone application. In Proceedings of the 11th ACM workshop on Multimedia and security, pages 7-18, Princeton, New Jersey, USA, 2009.
[13] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert timing channels: Design and detection. CCS 4, 2004.
[14] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert channel detection. ACM Transaction on Information and System Security, Volume 12 (Article 22), 2009.
[15] Gustavus J Simmons. The Subliminal Channel and Digital Signatures. Springer-Verlag, 1998.
[16] Steffen Wendzel. Protocol Channels. HAKIN9, 2009.
[17] Andreas Willig. A short introduction to queuing theory. Lecture notes at Technical University Berlin, 1999.
[18] Adam Young and Moti Yung. Malicious Cryptography, First edition. Wiley Publishing, Feb, pages 220-240, 2004.

AUTHORS

Anjan K has received his BE degree from Visveswariah Technological University, Belgaum, India in 2007 and his master degree from the Department of Computer Science and Engineering, M S Ramaiah Institute of Technology, Bangalore, India. He has been awarded Best Performer PG 2010 for his academic excellence. His areas of research include Network Security and Cryptography, Agile Software Engineering. He is pursuing a PhD in Computer Science and Engineering from VTU, Belgaum. He is currently working as Assistant Professor in the Dept of Computer Science and Engineering, RV College of Engineering, Bengaluru, India.

Srinath N K has his ME degree in Systems Engineering and Operations Research from Roorkee University in 1986 and PhD degree from Avinash Lingum University, India in 2009. His areas of research interest include Operations Research, Parallel and Distributed Computing, DBMS, Microprocessor. He is working as Professor and Dean, PG Dept of Computer Science and Engineering, RV College of Engineering.

Jibi Abraham has received her MS degree in Software Systems from BITS, Rajasthan, India in 199 and PhD degree from Visveswariah Technological University, Belgaum, India in 2008 in the area of Network Security. Her areas of research interest include Network routing algorithms, Cryptography, Network Security of Wireless Sensor Networks and Algorithms Design. She is working as Professor and Head in the Dept of CEIT, College of Engineering, Pune.
882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip
httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 815
International Journal of Network Security amp Its Applications (IJNSA) Vol7 No3 May 2015
46
Where 983080983081 is the encoding function R is the IP ID value and n is the size of the character setFor an ASCII character set n = 256
Example If IP ID = 26702 and if the character to be sent is `M Then 983080983081 983101 983090983094983095983088983090 minus
983089 983090983093983094 = `M
To convey a covert message the covert sender has select IP ID in such a way as to match with
983080983081
Scheme 2
Another prominent scheme used is on the sequence number where maximum range is4294967296 numbers as it is 32 bit field To communicate covertly under this scheme following
strategy is employed-
bull
Sequence number is multiplied with value of character set and bound is declared withmaximum limit
bull The receiver side retrieves the sequence number and then divides it by character set size
The encoding function 983080983081 is given below-
Where S is the initial sequence number and n is the size of the character set The decoding
function is 983080991257983081 is given below ndash
Where 991257 is the decoded character and 991257 is the received sequence number
For instance to send a character I covertly over the channel the sender would have to choose
1235037038 as sequence number and the max value is derived as 65535 256 = 16777216
Therefore the decoded character is 983080991257983081 = 1235037038=16777216 = 73 The value 73 when
mapped back to ASCII Table is the character `I
Scheme 3
Another scheme which has tremendous effect on the bandwidth is the modulation of TCP
timestamps or use of timing element in the network protocol TCP timestamps is in the optionsfield of the TCP header which indicates the round trip time of the packets The TCP processaccurately calculates the next retransmission of TCP segment which was failed to beacknowledged If the character is to be covertly sent using this scheme following strategy is used
bull Get the binary representation of the character and extract bits from the least significant
bit
bull Check if the Timestamp least significant bit (LSB) is same as covert bit if so send the
882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip
httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 915
International Journal of Network Security amp Its Applications (IJNSA) Vol7 No3 May 2015
47
TCP segment
bull Covert receiver will extract the LSB of the timestamp and store the same until it is a byte
Let be the binary representation of the character `c and FLSB(Bc) be the encoding function for
encoding the covert bits in TCP timestamp
6ENTROPY BASED COVERT CHANNEL ANALYSIS
The entropy [2] in communication network indicates the number of bits required to encode a
character over the channel as stated by Shannon Entropy theory This is based on the frequency of
the characters in given string and the size of the alphabet The entropy measure also checks foruncertainty of the random variable
Let A be finite set of characters such that 983164983164 ge 983089 and any character983136991257 isin A is sequence of
symbols which is a string each of alphabet in string isin A For instance let cbbacabbac besequence of symbols that needs to be transmitted over network then its sequence of bits represents
the coded symbol sequence which may be 101110011011100010 Then the entropy for suchscenario is defined as ndash
where isin 983164983164 and 983164983164 983102 983089 pi is the probability of the occurrence of symbol lsquocrsquo in the string and ngives the length of the string To transmit a message ldquonetworkrdquo over the communication
network following are the calculated entropy for each alphabet ndash
The frequency of all the characters in a string with unique symbols will be same since the word
ldquonetworkrdquo has unique symbols the frequency is 0143 Let X be string for which the entropy is to
be calculated here X may word like network or stream of numbers then
H(X)=[(0143log20143) + (0143log20143) + (0143log20143) +(0143log20143) + (01
43log20143) + (0143log20143) + (0143log20143)]
H(X)=2803
It requires 3 bits to represent each symbol in the given string and 21 bits are required to representthe entire string Further the appropriate line coding technique has to be chosen to represent themin the transmission line So in general entropy of X where each alphabet is a unique symbol is
In a covert channel scenario the covert user has to be chosen the message in such a way that theentropy of string should always be less that number of bits available for that field in the protocol
header
ieH(X)lt|Maximumnumberof bitsinthatf ield(Bf )|
882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip
httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1015
International Journal of Net
The IP ID presented in the sc
X the minimum of 21 bits are
The covert channel occupies 25
header or protocol header simplchannel capacity ratio will be lo
This makes the detection of covefields for analysis
In general
for robust covert channel constcovert channel will be greater
protocols is actually setting upentropy for such scenarios isscheme Also in the scenario o
hybrid covert channel where the
figure 7 and figure 8 shows the a
ork Security amp Its Applications (IJNSA) Vol7 No3 M
eme 1 of this paper has 16 bits in the IP heade
required Hence capacity of the covert channel i
of total IP header space Multiple trapdoors (t)
y doubles the covert channel capacity However tthus making it robust ie
rt bits much difficult as the detection systems needs
uction where [7]the covertness index for suchthan 05 The multiple trapdoors through a proto
f multiple covert channels in the communicationispersed across multiple making it difficult to umulti-trapdoors covert channel behaves like a si
effect of the entropy is doubled The below results
ccurate expected behaviour discussed in this paper -
Fig7 IP Entropy analysis
Fig8 TCP Entropy Analysis
ay 2015
48
r so to send
is
[5] [4] in IP
he entropy to
to scan more
ulti-trapdoorcol or set of
network Thederstand thegle coherent
shown in the
882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip
httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1115
International Journal of Network Security amp Its Applications (IJNSA) Vol7 No3 May 2015
49
The results indicate the multiple trapdoors used in hybrid covert channel yields to a higherentropy value and low channel to entropy ratio (CE) The constant CE ratio also indicates the
consistent usage of protocol header for constructing multi-trapdoor based hybrid covert channelThis implies that the covert schemes used in Hybrid covert channel is difficult detect in secured
communication
7RESULTS AND DISCUSSIONS
The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in thatprotocol ie
where Tm is the max number of trapdoors possible in that protocol Ts is the no of Trapdoors set
The analysis of the trapdoor setting is performed on protocols like IPv4 TCP and IPSec
SSLTLS The trapdoor setting in the rudimentary network protocols like the IPv4 and TCP ismerely based on placing the covert data in any of its header fields The table 1 shows effect ofvarying the number of trapdoors in IPv4 protocol
Table1Multi-TrapdoorAnalysisof IPv4
SlNo
TrapdoorName Noof Trap
doors
No
o
f Trapdoor
Algorith
m
CovertnessIndex
Entropy
C E
1 Network Covert
Channel-IPv4-
Single
4 1 NIL 025 2803 0089
2 Network Covert
Channel-IPv4-
dual
4 2 NIL 05 5606 017
3 Network Covert
Channel-IPv4-
triple
4 3 NIL 075 1121 0358
The graph of trapdoors vs the covertness index is shown in figure 9, where an increase in the number of trapdoors in IPv4 increases the difficulty of detecting the covert channel. The trapdoor setting in IPSec using a subliminal channel is slightly complex to understand. However, the ESP format provides two fields to convey the covert bits in the protocol header. The remaining data is sent over the ESP algorithm during the time of key generation for encryption using the AES algorithm. The residual bits are used in random number generation or in the round box of AES, and this is depicted in row 2 of table 2. Hence the covertness index is 0.15, by equation 2, which is 0.47. This will not change any further as there is limited scope for subliminal channel development in the IPSec-ESP format.
Fig 9. Entropy Vs Covertness Index in IPv4

Table 2. Multi-Trapdoor Analysis of Subliminal Channel in IPSec

| Sl No | Trapdoor Name                  | No of Trapdoors | No of Trapdoors used | Algorithm    | Covertness Index | Entropy | C/E  |
|-------|--------------------------------|-----------------|----------------------|--------------|------------------|---------|------|
| 1     | Subliminal Channel-IPSec ESP-1 | 2               | 1                    | AES-XCBC-MAC | 0.15             | 2.803   | 0.14 |
| 2     | Subliminal Channel-IPSec ESP-2 | -               | -                    | AES-XCBC-MAC | 0.47             | 4.78    | 0.35 |
| 3     | Subliminal Channel-IPSec ESP-3 | -               | -                    | AES-XCBC-MAC | 0.47             | 5.21    | 0.35 |

The graph of trapdoors vs the covertness index is shown in figure 10, where an increase in the number of trapdoors in IPSec ESP makes the covertness index constant. The trapdoor setting in the TCP based protocol is simple, and TCP provides seven fields for placing the covert data. Table 3 depicts the changing trapdoor that has an effect on the covertness index. When more trapdoors are involved it is difficult to detect the composition of the covert channel. Figure 11 shows the change in the trapdoor count that has an effect on the detection. However, the changes in the covertness index can be minimal. The trapdoor setting in the subliminal channel in SSL/TLS is based on the algorithm used in its cipher suite. This is purely called a random oracle channel. However, to increase the complexity of the subliminal channel to thwart detection, the randomization of bits is feasible in a chosen prime number. This forms the Newton subliminal channel. The covertness index for such channels is discussed in table 4.

Fig 10. Entropy Vs Covertness Index in IPSec based subliminal channel
Table 3. Multi-Trapdoor Analysis of Network covert channel in TCP

| Sl No | Trapdoor Name               | No of Trapdoors | No of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E  |
|-------|-----------------------------|-----------------|----------------------|-----------|------------------|---------|------|
| 1     | Network Covert Channel-TCP- | 7               | 1                    | NIL       | 0.142            | 2.803   | 0.14 |
| 2     | Network Covert Channel-TCP- | 7               | 2                    | NIL       | 0.28             | 5.606   | 0.28 |
| 3     | Network Covert Channel-TCP- | 7               | 3                    | NIL       | 0.42             | 11.21   | 0.14 |

The graph of the covertness index vs the trapdoor in the subliminal channel is shown in figure 12. The higher entropy value for some of the formations indicates that the detection engine [10] is able to detect the activity, and this gives a clear indication of the higher detection rates. A hybrid covert channel is not feasible for the combinations of the network covert channel in TCP and IPv4, as this becomes an easily detectable combination.

Fig 11. Entropy Vs Covertness Index in Covert Channel based on TCP

Table 4. Multi-Trapdoor Analysis of Subliminal Channel in SSL/TLS

| Sl No | Trapdoor Name                        | No of Trapdoors | No of Trapdoors used | Algorithm        | Covertness Index | Entropy | C/E  |
|-------|--------------------------------------|-----------------|----------------------|------------------|------------------|---------|------|
| 1     | Subliminal Channel (Oracle)-SSL/TLS-1 | -               | -                    | SSL Cipher Suite | 0.25             | 2.803   | 0.14 |
| 2     | Subliminal Channel (Oracle)-SSL/TLS-2 | -               | -                    | SSL Cipher Suite | 0.58             | 3.67    | 0.35 |
| 3     | Subliminal Channel (Oracle)-SSL/TLS-3 | -               | -                    | SSL Cipher Suite | 0.58             | 3.67    | 0.35 |
Fig 12. Covertness Index for Subliminal Channel based on SSL/TLS

8. CONCLUSION

Covert schemes are difficult to understand from a third party entity as they obscure the content taken in the protocol header. This provides an opportunity for embedding any data, which may even be malware code. Entropy based analysis gives the actual number of bits used to represent the covert symbol in a protocol. This gives a clear metric to understand the covert channel schemes in a better way. It is unacceptable to have a malicious conversation on the network even in the presence of an administrator. It is the inference of this experiment that the hybrid covert channel has a high degree of entropy, which makes it difficult to detect. It is required to concentrate on stronger detection principles to detect such events.

ACKNOWLEDGEMENT

Anjan Koundinya thanks Late Dr V K Ananthashayana, Erstwhile Head, Department of Computer Science and Engineering, M S Ramaiah Institute of Technology, Bangalore for igniting the passion for research.

REFERENCES

[1] Description of Detection Approaches at the URL http://gray-world.net/projects/papers/html/cctde.html, 2014. [Online; accessed 15-Feb-2015]
[2] Description of the Entropy calculation at the URL http://www.shannonentropy.netmark.pl [Online; accessed 16-Feb-2015]
[3] Koundinya Anjan and Jibi Abraham. Behaviour analysis of transport layer based hybrid covert channel. In Third International Conference on Network Security and Applications, pages 83-92, Chennai, India, 2010. Springer-Verlag LNCS series.
[4] Jibi Abraham, Anjan K, Srinath N K. Attack modelling and behavioral analysis of hybrid covert channel in secured communication. ACEEE International Journal of Network Security, 05(2):67-77, 2014.
[5] Bo Yuan, Chaim Sanders, Jacob Valletta. Employing Entropy in the Detection and Monitoring of Network Covert Channels, 2012.
[6] Rajarathnam Chandramouli and Koduvayur P Subbalakshmi. Covert channel forensics on the internet: Issues, approaches, and experiences. 5(1):41-50, July 2007.
[7] Anjan K Koundinya et al. Covertness analysis of subliminal channels in legitimate communication. In ADCONS 2011, pages 582-591. Springer-Verlag LNCS series, 2012.
[8] Jaideep Chandrashekar et al. Exploiting temporal persistence to detect covert botnet channels. In Proceedings of 12th International Symposium RAID 2009, pages 326-345, Saint-Malo, France, September 2009.
[9] Loic Helou, Claude Jard and Marc Zeitoun. Covert channels detection in protocols using scenarios. SPV03, Volume 3, April 2003.
[10] Anjan K Koundinya and Jibi Abraham. Design of Transport Layer Based Hybrid Covert Channel Detection Engine. Volume 1 of 4, International Journal of Ad hoc, Sensor and Ubiquitous Computing, 2010.
[11] B W Lampson. A Note on the Confinement Problem. Communication of the ACM, 1973.
[12] Enping Li and Scott Craver. A supraliminal channel in a wireless phone application. In Proceedings of the 11th ACM workshop on Multimedia and security, pages 7-18, Princeton, New Jersey, USA, 2009.
[13] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert timing channels: Design and detection. CCS 4, 2004.
[14] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert channel detection. ACM Transaction on Information and System Security, Volume 12 (Article 22), 2009.
[15] Gustavus J Simmons. The Subliminal Channel and Digital Signatures. Springer-Verlag, 1998.
[16] Steffen Wendzel. Protocol Channels. HAKIN9, 2009.
[17] Andreas Willig. A short introduction to queuing theory. Lecture notes at Technical University Berlin, 1999.
[18] Adam Young and Moti Yung. Malicious Cryptography. First edition, Wiley Publishing, Feb, pages 220-240, 2004.

AUTHORS

Anjan K has received his BE degree from Visveswariah Technological University, Belgaum, India in 2007 and his master degree from the Department of Computer Science and Engineering, M S Ramaiah Institute of Technology, Bangalore, India. He has been awarded Best Performer PG 2010 for his academic excellence. His areas of research include Network Security and Cryptography, Agile Software Engineering. He is pursuing a PhD in Computer Science and Engineering from VTU, Belgaum. He is currently working as Assistant Professor in the Dept of Computer Science and Engineering, RV College of Engineering, Bengaluru, India.

Srinath N K has his ME degree in Systems Engineering and Operations Research from Roorkee University in 1986 and PhD degree from Avinash Lingum University, India in 2009. His areas of research interest include Operations Research, Parallel and Distributed Computing, DBMS, Microprocessor. He is working as Professor and Dean, PG Dept of Computer Science and Engineering, RV College of Engineering.

Jibi Abraham has received her MS degree in Software Systems from BITS, Rajasthan, India in 199 and PhD degree from Visveswariah Technological University, Belgaum, India in 2008 in the area of Network Security. Her areas of research interest include Network routing algorithms, Cryptography, Network Security of Wireless Sensor Networks and Algorithms Design. She is working as Professor and Head in the Dept of CEIT, College of Engineering, Pune.
TCP segment
• Covert receiver will extract the LSB of the timestamp and store the same until it is a byte

Let Bc be the binary representation of the character c and FLSB(Bc) be the encoding function for encoding the covert bits in the TCP timestamp.

6. ENTROPY BASED COVERT CHANNEL ANALYSIS

The entropy [2] in a communication network indicates the number of bits required to encode a character over the channel, as stated by Shannon's entropy theory. This is based on the frequency of the characters in a given string and the size of the alphabet. The entropy measure also checks for the uncertainty of the random variable.

Let A be a finite set of characters such that |A| ≥ 1, and any character c ∈ A is a sequence of symbols, which is a string, each alphabet in the string ∈ A. For instance, let cbbacabbac be a sequence of symbols that needs to be transmitted over the network; then its sequence of bits represents the coded symbol sequence, which may be 101110011011100010. Then the entropy for such a scenario is defined as –

where i ∈ |A| and |A| > 1, pi is the probability of the occurrence of symbol 'c' in the string and n gives the length of the string. To transmit a message "network" over the communication network, the following are the calculated entropies for each alphabet –

The frequency of all the characters in a string with unique symbols will be the same; since the word "network" has unique symbols, the frequency is 0.143. Let X be the string for which the entropy is to be calculated; here X may be a word like network or a stream of numbers. Then

H(X) = −[(0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143) + (0.143 log2 0.143)]
H(X) = 2.803

It requires 3 bits to represent each symbol in the given string and 21 bits are required to represent the entire string. Further, the appropriate line coding technique has to be chosen to represent them on the transmission line. So in general the entropy of X, where each alphabet is a unique symbol, is

In a covert channel scenario the covert user has to choose the message in such a way that the entropy of the string should always be less than the number of bits available for that field in the protocol header,
i.e. H(X) < |Maximum number of bits in that field (Bf)|
The IP ID presented in scheme 1 of this paper has 16 bits in the IP header, so to send X a minimum of 21 bits is required. Hence the capacity of the covert channel is

The covert channel occupies 25% of the total IP header space. Multiple trapdoors (t) [5] [4] in the IP header or protocol header simply double the covert channel capacity. However, the entropy to channel capacity ratio will be low, thus making it robust, i.e.

This makes the detection of covert bits much more difficult as the detection systems need to scan more fields for analysis. In general

for robust covert channel construction, where [7] the covertness index for such a multi-trapdoor covert channel will be greater than 0.5. The multiple trapdoors through a protocol or set of protocols are actually setting up multiple covert channels in the communication network. The entropy for such scenarios is dispersed across multiple, making it difficult to understand the scheme. Also, in the scenario of multi-trapdoors, the covert channel behaves like a single coherent hybrid covert channel where the effect of the entropy is doubled. The results shown in figure 7 and figure 8 show the accurate expected behaviour discussed in this paper –

Fig 7. IP Entropy analysis
Fig 8. TCP Entropy Analysis
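The entropy H(X), the bit budget and the H(X) < Bf check from Section 6, together with the covertness index Ts/Tm tabulated in Section 7, carried through as an added Python example (not code from the paper). The additive Ts × H(X) entropy across trapdoors is an assumption of this example, and exact log2 gives 2.807 for "network" where the paper's rounded probabilities give 2.803.

```python
"""Entropy and trapdoor metrics from the paper's Section 6 and Section 7.

Added worked example, not code from the paper. Implements the frequency-based
Shannon entropy H(X) = -sum_i p_i log2 p_i, the bit budget for a string, the
covert user's constraint H(X) < Bf, and the covertness index Ts/Tm that the
results tables report for each multi-trapdoor setting.
"""
import math
from collections import Counter
from typing import Dict, List, Tuple


def symbol_frequencies(message: str) -> Dict[str, float]:
    """p_i for every distinct symbol: occurrences / n, with n = len(message)."""
    if not message:
        raise ValueError("message must be non-empty (|A| >= 1)")
    counts = Counter(message)
    n = len(message)
    return {symbol: count / n for symbol, count in counts.items()}


def shannon_entropy(message: str) -> float:
    """H(X) in bits per symbol. For 'network' (7 unique symbols, p_i = 1/7)
    this is log2(7) = 2.807; the paper rounds p_i to 0.143 and reports 2.803."""
    return -sum(p * math.log2(p) for p in symbol_frequencies(message).values())


def bits_required(message: str) -> Tuple[int, int]:
    """(bits per symbol, bits for the whole string): entropy rounded up to a
    whole bit, then multiplied by the string length n. 'network' -> (3, 21)."""
    per_symbol = math.ceil(shannon_entropy(message))
    return per_symbol, per_symbol * len(message)


def fits_header_field(message: str, field_bits: int) -> bool:
    """The paper's feasibility condition for a covert user: H(X) < Bf, where Bf
    is the width in bits of the header field chosen as the trapdoor."""
    return shannon_entropy(message) < field_bits


def covertness_index(trapdoors_set: int, trapdoors_max: int) -> float:
    """Ts / Tm. Ts is bounded by Tm: not every vulnerable field can carry covert
    data, so a setting with Ts > Tm is rejected."""
    if trapdoors_max <= 0 or not 0 <= trapdoors_set <= trapdoors_max:
        raise ValueError("require Tm > 0 and 0 <= Ts <= Tm")
    return trapdoors_set / trapdoors_max


def trapdoor_analysis(message: str, trapdoors_max: int) -> List[Tuple[int, float, float]]:
    """Rows (Ts, covertness index, entropy) for Ts = 1..Tm, in the layout of the
    results tables. Assumption (not stated in the paper): each trapdoor carries
    an independent copy of the message, so entropy adds up as Ts * H(X); this
    matches the single (2.803) and dual (5.606) rows of Table 1."""
    h = shannon_entropy(message)
    return [(ts, covertness_index(ts, trapdoors_max), ts * h)
            for ts in range(1, trapdoors_max + 1)]


if __name__ == "__main__":
    # Constructed inputs: the paper's example strings and the IPv4 (Tm = 4) and
    # TCP (Tm = 7) trapdoor counts from Tables 1 and 3.
    for msg in ("network", "cbbacabbac"):
        per_symbol, total = bits_required(msg)
        print(f"{msg!r}: H(X) = {shannon_entropy(msg):.3f} bits/symbol, "
              f"{per_symbol} bits/symbol rounded, {total} bits in total, "
              f"fits 16-bit IP ID field: {fits_header_field(msg, 16)}")
    for proto, tm in (("IPv4", 4), ("TCP", 7)):
        for ts, ci, ent in trapdoor_analysis("network", tm):
            print(f"{proto}: Ts={ts} Tm={tm} covertness index={ci:.3f} entropy={ent:.3f}")
```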
[8] JaideepChandrashekar etal
Proceedings of 12th Internat
September 2009
[9] LoicHelou Claude Jard andSPV03 Volume 3 April 200
[10] Anjan K Koundinya and Jibi
Detection Engine volume 1 o
2010
[11] B W Lampson A Note on th
[12] Enping Li and Scott Craver
of the 11th ACM workshop
2009[13] Clay Shields SarderCabuk C
2004
[14] Clay Shields SarderCabuk
Information and System Secur
[15] Gustavus J Simmons The Sub
[16] Steffen Wendzel Protocol Ch[17] Andreas Willig A short intro
1999
[18] Adam Young and Moti Yung
220-240 2004
AUTHORrsquoS
AnjanK has received his B
UniversityBelgaumIndia in 2007
Science and Engineering MSRam
been awarded Best Performer PG 2
includes NetworkSecurityandCrypt
PhD in Computer Science and Engi
as Assistant Professorin Deptof CEngineering Bengaluru India
SrinathNK has his ME degree in S
Roorkee University in 1986 and P
in 2009His areas of research int
Distributed Computing DBMS Mi
PG Dept of Computer Science and
JibiAbraham has received h
BITSRajasthanIndia in 199 and
University Belgaum India in
fresearch interests include Network
of Wireless Sensor Networks andHead in Dept of CEIT College of
ork Security amp Its Applications (IJNSA) Vol7 No3 M
vertness analysis of subliminal channels in legitimate c
591 Springer- Verlag LNCS series 2012
xploiting temporal persistence to detect covert botnet
ional Symposium RAID 2009 pages 326345 Saint-
Marc ZeitounCovert channels detection in protocols u
Abraham Design of Transport Layer Based Hybrid C
f 4 International Journal of Ad hocSensor and Ubiquito
Con_nement ProblemCommunication of the ACM 19
supraliminal channel in a wireless phone application
n Multimedia and security pages 718 Princeton Ne
rla Brodley IP covert timing channels Design and det
Carla Brodley IP covert channel detectionACM
ity Volume 12(Article 22) 2009
liminal Channel and Digital SignaturesSpringer-Verlag
nnelsHAKIN9 2009uction to queuing theorylecture notes at Technical Uni
Malicious Cryptography First edition Wiley Publish-
E degree from Visveswariah Technological
nd his master degre from Department of Computer
iahInstitute of Technology Bangalore IndiaHe has
10 for his academic excellenceHis area so fresearch
graphyAgile Software EngineeringHe ispursuing
neeing fromVTUBelgaum He is currently working
omputer Science and Engineering RV College of
ystems Engineering and Operations Research from
D degree from Avinash Lingum UniversityIndia
rests include Operations Research Parallel and
roprocessor His isworking as Professor and Dean
EngineeringRVCollege of Engineering
r MS degree in Software Systems from
PhD degree from Visveswariah Technological
008 in the area of Network SecurityHe rarea so
routing algorithms Cryptography Network Security
lgorithms DesignShe is working as Professor andngineering Pune
ay 2015
53
ommunication
channels In
Malo France
sing scenarios
overt Channel
us Computing
3
n Proceedings
Jersey USA
ction CCS 4
ransaction on
1998
versity Berlin
ingFeb pages
International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.3, May 2015

The results indicate that the multiple trapdoors used in a hybrid covert channel yield a higher entropy value and a low channel to entropy ratio (C/E). The constant C/E ratio also indicates the consistent usage of the protocol header for constructing a multi-trapdoor based hybrid covert channel. This implies that the covert schemes used in a hybrid covert channel are difficult to detect in secured communication.

7. RESULTS AND DISCUSSIONS

The number of trapdoors implemented in a protocol cannot be all the fields vulnerable in that protocol, i.e. where Tm is the maximum number of trapdoors possible in that protocol and Ts is the number of trapdoors set.

The analysis of the trapdoor setting is performed on protocols like IPv4, TCP, IPSec and SSL/TLS. The trapdoor setting in the rudimentary network protocols like IPv4 and TCP is merely based on placing the covert data in any of their header fields. Table 1 shows the effect of varying the number of trapdoors in the IPv4 protocol.

Table 1. Multi-Trapdoor Analysis of IPv4

| Sl.No | Trapdoor Name                      | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E   |
| 1     | Network Covert Channel-IPv4-Single | 4                | 1                     | NIL       | 0.25             | 2.803   | 0.089 |
| 2     | Network Covert Channel-IPv4-dual   | 4                | 2                     | NIL       | 0.5              | 5.606   | 0.17  |
| 3     | Network Covert Channel-IPv4-triple | 4                | 3                     | NIL       | 0.75             | 11.21   | 0.358 |

The graph of Trapdoors Vs the Covertness Index is shown in figure 9, where an increase in the number of trapdoors in IPv4 increases the difficulty of detecting the covert channel. The trapdoor setting in IPSec using a subliminal channel is slightly complex to understand. However, the ESP format provides two fields to convey the covert bits in the protocol header. The remaining data is sent over the ESP algorithm during the time of the key generation for encryption using the AES algorithm. The residual bits are used in random number generation or in the round box of the AES, and this is depicted on row 2 of table 2. Hence the covertness index is 0.15 (equation 2), which is 0.47. This will not change any further as there is limited scope for subliminal channel development in the IPSec-ESP format.
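The metrics in section 7 (trapdoors set Ts against trapdoors possible Tm, the entropy of the header fields carrying covert data, and the C/E ratio) can be computed from a window of captured packets. The following Python is an added example written for this page; it is not code from the paper or its authors. It assumes that the covertness index equals Ts/Tm, which is consistent with the tables (1 of 4 IPv4 fields gives 0.25, 1 of 7 TCP fields gives 0.142) but is not stated on the page, and the IPv4 field names, the entropy threshold and the sample packets are constructed here. The detector compares each field's Shannon entropy against a clean baseline so that a field that is naturally random (the sequential identification field) is not counted as a trapdoor.

```python
# Added example (not code from the paper): an entropy-based indicator for
# header-field covert channels in the spirit of the paper's Tables 1-4.
# Assumptions: covertness index = Ts/Tm (consistent with the tables but not
# stated on the page); field names, threshold and sample packets are ours.
import math
from collections import Counter

# Assumed watch-list of four IPv4 header fields (Tm = 4, as in Table 1).
IPV4_FIELDS = ("identification", "tos", "ttl", "fragment_offset")


def shannon_entropy(values):
    """Shannon entropy, in bits, of the empirical distribution of values."""
    n = len(values)
    if n == 0:
        return 0.0
    counts = Counter(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def field_entropies(packets, fields=IPV4_FIELDS):
    """Per-field entropy over a window of packets (dicts field -> value)."""
    return {f: shannon_entropy([p[f] for p in packets]) for f in fields}


def suspect_trapdoors(observed, baseline, threshold_bits):
    """Fields whose entropy rose above the clean baseline by more than
    threshold_bits are reported as set trapdoors (Ts)."""
    return sorted(f for f in observed
                  if observed[f] - baseline[f] > threshold_bits)


def covertness_index(ts, tm):
    """Fraction of available fields carrying covert data (assumed Ts/Tm)."""
    return ts / tm


def analyse(window, clean_window, fields=IPV4_FIELDS, threshold_bits=0.5):
    """Return the three metrics used in the paper's tables for one window."""
    base = field_entropies(clean_window, fields)
    obs = field_entropies(window, fields)
    suspects = suspect_trapdoors(obs, base, threshold_bits)
    ci = covertness_index(len(suspects), len(fields))
    covert_bits = sum(obs[f] for f in suspects)  # entropy carried by trapdoors
    return {
        "suspect_fields": suspects,
        "covertness_index": ci,
        "covert_entropy_bits": covert_bits,
        "c_over_e": ci / covert_bits if covert_bits else 0.0,
    }


# Constructed sample traffic. Clean window: only the identification field
# varies (it is sequential in normal traffic), so it carries entropy in both
# windows and must not be flagged.
CLEAN = [{"identification": 1000 + i, "tos": 0, "ttl": 64, "fragment_offset": 0}
         for i in range(16)]
# Constructed window with two trapdoors: two covert bits per packet in tos
# and one in ttl; identification stays sequential, fragment_offset stays 0.
SUSPECT = [{"identification": 2000 + i, "tos": i % 4,
            "ttl": 64 if i % 2 == 0 else 128, "fragment_offset": 0}
           for i in range(16)]

if __name__ == "__main__":
    for key, value in analyse(SUSPECT, CLEAN).items():
        print(f"{key}: {value}")
```

On the constructed window the two trapdoor fields are reported, giving Ts = 2 of Tm = 4 (covertness index 0.5) and 3.0 bits of covert entropy; dropping the ttl trapdoor halves the index and removes one bit, which is the additive growth of entropy with trapdoor count that the tables show. The baseline subtraction is the design choice that matters for a detector: without it, the identification field's 4 bits of natural variation would dominate every window.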
Fig 9. Entropy Vs Covertness Index in IPv4

Table 2. Multi-Trapdoor Analysis of Subliminal Channel in IPSec

| Sl.No | Trapdoor Name                  | No. of Trapdoors | No. of Trapdoors used | Algorithm    | Covertness Index | Entropy | C/E  |
| 1     | Subliminal Channel-IPSec ESP-1 | 2                | 1                     | AES-XCBC-MAC | 0.15             | 2.803   | 0.14 |
| 2     | Subliminal Channel-IPSec ESP-2 | -                | -                     | AES-XCBC-MAC | 0.47             | 4.78    | 0.35 |
| 3     | Subliminal Channel-IPSec ESP-3 | -                | -                     | AES-XCBC-MAC | 0.47             | 5.21    | 0.35 |

The graph of Trapdoors Vs the Covertness Index is shown in figure 10, where an increase in the number of trapdoors in IPSec ESP makes the covertness index constant. The trapdoors in the TCP based protocol are simple, and the protocol provides seven fields for placing the covert data. Table 3 depicts the changing trapdoor that has an effect on the covertness index. When more trapdoors are involved it is difficult to detect the composition of the covert channel. Figure 11 shows the change in the trapdoor count that has an effect on the detection. However, the changes in the covertness index can be minimal. The trapdoor setting in the subliminal channel in SSL/TLS is based on the algorithm used in its cipher suite. This is purely called a random oracle channel. However, to increase the complexity of the subliminal channel and thwart detection, the randomization of bits is feasible in the chosen prime number. This forms the Newton Subliminal Channel. The covertness index for such channels is discussed in table 4.

Fig 10. Entropy Vs Covertness Index in IPSec based subliminal channel
Table 3. Multi-Trapdoor Analysis of Network covert channel in TCP

| Sl.No | Trapdoor Name                 | No. of Trapdoors | No. of Trapdoors used | Algorithm | Covertness Index | Entropy | C/E  |
| 1     | Network Covert Channel-TCP-1  | 7                | 1                     | NIL       | 0.142            | 2.803   | 0.14 |
| 2     | Network Covert Channel-TCP-2  | 7                | 2                     | NIL       | 0.28             | 5.606   | 0.28 |
| 3     | Network Covert Channel-TCP-3  | 7                | 3                     | NIL       | 0.42             | 11.21   | 0.14 |

The graph of covertness index Vs the trapdoor in the subliminal channel is shown in figure 12. The higher entropy value for some of the formations indicates that the detection engine [10] is able to detect the activity, and this gives a clear indication of the higher detection rates. A hybrid covert channel is not feasible for the combinations of the network covert channel in TCP and IPv4, as this becomes an easily detectable combination.

Fig 11. Entropy Vs Covertness Index in Covert Channel based on TCP

Table 4. Multi-Trapdoor Analysis of Subliminal Channel in SSL/TLS

| Sl.No | Trapdoor Name                         | No. of Trapdoors | No. of Trapdoors used | Algorithm        | Covertness Index | Entropy | C/E  |
| 1     | Subliminal Channel (Oracle)-SSL/TLS-1 | -                | -                     | SSL Cipher Suite | 0.25             | 2.803   | 0.14 |
| 2     | Subliminal Channel (Oracle)-SSL/TLS-2 | -                | -                     | SSL Cipher Suite | 0.58             | 3.67    | 0.35 |
| 3     | Subliminal Channel (Oracle)-SSL/TLS-3 | -                | -                     | SSL Cipher Suite | 0.58             | 3.67    | 0.35 |
Fig 12. Covertness Index for Subliminal Channel based on SSL/TLS

8. CONCLUSION

Covert schemes are difficult to understand from a third party entity as they obscure the content taken in the protocol header. This provides an opportunity for embedding any data, which may even be malware code. Entropy based analysis gives the actual number of bits used to represent the covert symbol in a protocol. This gives a clear metric to understand the covert channel schemes in a better way. It is unacceptable to have a malicious conversation on the network even in the presence of an administrator. It is inferred from this experiment that the hybrid covert channel has a high degree of entropy, which makes it difficult to detect. It is required to concentrate on a stronger detection principle to detect such events.

ACKNOWLEDGEMENT

Anjan Koundinya thanks Late Dr. V K Ananthashayana, Erstwhile Head, Department of Computer Science and Engineering, MS Ramaiah Institute of Technology, Bangalore, for igniting the passion for research.

REFERENCES

[1] Description of Detection Approaches at the URL http://gray-world.net/projects/papers/html/cctde.html, 2014. [Online; accessed 15-Feb-2015].
[2] Description of the Entropy calculation at the URL http://www.shannonentropy.netmark.pl. [Online; accessed 16-Feb-2015].
[3] Koundinya Anjan and Jibi Abraham. Behaviour analysis of transport layer based hybrid covert channel. In Third International Conference on Network Security and Applications, pages 83-92, Chennai, India, 2010. Springer-Verlag LNCS series.
[4] Jibi Abraham, Anjan K, Srinath N K. Attack modelling and behavioral analysis of hybrid covert channel in secured communication. ACEEE International Journal of Network Security, 05(2):67-77, 2014.
[5] Bo Yuan, Chaim Sanders, Jacob Valletta. Employing Entropy in the Detection and Monitoring of Network Covert Channels. 2012.
[6] Rajarathnam Chandramouli and Koduvayur P. Subbalakshmi. Covert channel forensics on the internet: Issues, approaches, and experiences. 5(1):41-50, July 2007.
[7] Anjan K Koundinya et al. Covertness analysis of subliminal channels in legitimate communication. In ADCONS 2011, pages 582-591. Springer-Verlag LNCS series, 2012.
[8] Jaideep Chandrashekar et al. Exploiting temporal persistence to detect covert botnet channels. In Proceedings of 12th International Symposium RAID 2009, pages 326-345, Saint-Malo, France, September 2009.
[9] Loic Helou, Claude Jard and Marc Zeitoun. Covert channels detection in protocols using scenarios. SPV'03, Volume 3, April 2003.
[10] Anjan K Koundinya and Jibi Abraham. Design of Transport Layer Based Hybrid Covert Channel Detection Engine, volume 1 of 4. International Journal of Ad hoc, Sensor and Ubiquitous Computing, 2010.
[11] B. W. Lampson. A Note on the Confinement Problem. Communication of the ACM, 1973.
[12] Enping Li and Scott Craver. A supraliminal channel in a wireless phone application. In Proceedings of the 11th ACM workshop on Multimedia and security, pages 7-18, Princeton, New Jersey, USA, 2009.
[13] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert timing channels: Design and detection. CCS '04, 2004.
[14] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert channel detection. ACM Transaction on Information and System Security, Volume 12 (Article 22), 2009.
[15] Gustavus J. Simmons. The Subliminal Channel and Digital Signatures. Springer-Verlag, 1998.
[16] Steffen Wendzel. Protocol Channels. HAKIN9, 2009.
[17] Andreas Willig. A short introduction to queuing theory. Lecture notes at Technical University Berlin, 1999.
[18] Adam Young and Moti Yung. Malicious Cryptography. First edition, Wiley Publishing, Feb, pages 220-240, 2004.

AUTHORS

Anjan K has received his B.E degree from Visveswariah Technological University, Belgaum, India in 2007 and his master degree from the Department of Computer Science and Engineering, MS Ramaiah Institute of Technology, Bangalore, India. He has been awarded Best Performer PG 2010 for his academic excellence. His areas of research include Network Security and Cryptography, and Agile Software Engineering. He is pursuing a PhD in Computer Science and Engineering from VTU, Belgaum. He is currently working as Assistant Professor in the Dept. of Computer Science and Engineering, RV College of Engineering, Bengaluru, India.

Srinath N K has his ME degree in Systems Engineering and Operations Research from Roorkee University in 1986 and PhD degree from Avinash Lingum University, India in 2009. His areas of research interest include Operations Research, Parallel and Distributed Computing, DBMS, and Microprocessors. He is working as Professor and Dean, PG Dept. of Computer Science and Engineering, RV College of Engineering.

Jibi Abraham has received her MS degree in Software Systems from BITS, Rajasthan, India in 199 and PhD degree from Visveswariah Technological University, Belgaum, India in 2008 in the area of Network Security. Her areas of research interest include Network routing algorithms, Cryptography, Network Security of Wireless Sensor Networks and Algorithms Design. She is working as Professor and Head in the Dept. of CE&IT, College of Engineering, Pune.
882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip
httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1215
International Journal of Net
Fig
Table 2 Multi-
The graph of Trapdoors Vs the
number of the trapdoors in IPSbased protocol is simple and pro
the changing trapdoor that hastrapdoors are involved it is difficshows change in the trapdoor co
covertness index can be minima
based on the algorithm used inHowever to increase the compl
bits is feasible in chosen prime
index for such channels is discus
Fig10 Entropy V
SlNo TrapdoorName
1 SubliminalChan
nel-IPSecESP-1
2 SubliminalChan
nel-IPSecESP-2
3 SubliminalChannel-IPSecESP-3
ork Security amp Its Applications (IJNSA) Vol7 No3 M
9 Entropy Vs Covertness Index in IPv4
Trapdoor Analysis of Subliminal Channel in IPSec
Covertness Index is show in the figure 10 where i
c ESP makes covertness index constant The trapvides seven fields for placing the covert data The t
an effect on the covertness index When more nult to detect the composition of the covert channelnt that has an effect in the detection However the
l The trapdoor setting in the subliminal channel i
its cipher suite This is purely called as random oxity of the subliminal to thwart detection the ran
umber This forms Newton Subliminal Channel T
sed in the table 4
s Covertness Index in IPSec based subliminal channel
Noof Trapdoors
No of
Trapdoorsu
Algorithm CovertnessIndex
Entropy C
2 1 AES-
XCBC-MAC
015 2803 0
- - AES-
XCBC-
MAC
047 478 0
- - AES-XCBC-
MAC
047 521 0
ay 2015
50
crease in the
oors in TCPble 3 depicts
umber of theThe figure 11hanges in the
SSLTLS is
acle channelomization of
he covertness
E
14
35
35
882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip
httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1315
International Journal of Net
Table 3 Multi-
SlNo TrapdoorName
1 Network Coverthannel-TCP-
2 Network Covert
hannel-TCP-
3 Network Covert
hannel-TCP-
The graph of covertness index
12 The higher entropy value f[10] is able to detect the activi
Hybrid Covert channel is not fea
and IPv4 as this become easily d
Fig11 Entro
Table4Multi-
SlNo TrapdoorName
1 SubliminalChannel(Oracl
e)-
SSL TLS-1 2 SubliminalC
hannel(Oracl
e)-
SSL TLS-2 3 SubliminalC
hann
el(Oracl
e)-
SSL TLS-3
ork Security amp Its Applications (IJNSA) Vol7 No3 M
rapdoor Analysis of Network covert channel in TCP
Noof Trapd
oors No
of
Trapdoorsu
Algorithm CovertnessI
ndex Entropy C
1 7 1 NIL 0142 2803 0
2 7 2 NIL 028 5606 0
3 7 3 NIL 042 1121 0
s the trapdoor in the subliminal channel is shown
r the some of the formation indicates that the detty and this give clear indication of the higher de
sible for the combinations of the Network covert ch
tectable combination
y Vs Covertness Index in Covert Channel based on TCP
TrapdoorAnalysisof SubliminalChannelinSSL TLS
Noof Trapdoors
No of
Trapdoorsu
Algorithm CovertnessIndex
Entropy C
- - SSLCi-pherSuite
025 2803 0
- - SSLCi-pherSuite
058 367 0
- - SSLCi-
pherSu
ite
058 367 0
ay 2015
51
E
14
28
14
in the figure
ction enginetection rates
annel in TCP
E
14
35
35
882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip
httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1415
International Journal of Net
Fig12 Covertn
8CONCLUSION
Covert schemes are difficult totaken in protocol header This p
be malware code Entropy basecovert symbol in a protocol Thi
in a better way It is unacceptablof administrator It is inference tentropy which makes it difficu
principle to detect such events
ACKNOWLEDGEMENT
AnjanKoundinya thanks Late
Computer Science and Engine
igniting the passion for research
REFERENCES
[1] Description of Detec
netprojectspapershtmlcctde
[2] Description of the Entropy cal
[Online accessed 16-Feb-201
[3] KoundinyaAnjan and Jibi A
channel In Third Internation
Chennai India 2010 Springe[4] Jibi Abraham Anjan K Srin
channel in secured communic
2014
[5] Bo Yuan Chaim Sanders Ja
Network Covert Channels 201
[6] RajarathnamChandramouli a
internet Issues approaches a
ork Security amp Its Applications (IJNSA) Vol7 No3 M
ss Index for Subliminal Channel based on SSLTLS
understand from third party entity as they obscurrovides an opportunity for embedding any data wh
analysis gives the actual number of bits used tos gives clearly metric to understand the covert cha
e to have malicious conversation of the network evehis experiment that the hybrid covert channel has hlt to detect It is required to concentrate on stron
Dr VK Ananthashayana Erstwhile Head De
ering MSRamaiah Institute of Tech-nology B
tion Approaches at the URL htt
html 2014 [Online accessed 15-Feb-2015]
culation at the URL httpwww shannonentro
]
braham Behaviour analysis of transport layer based
al Conference on Net-work Security and Application
-Verlag LNCS seriesath N K Attack modelling and behavioral analysis of
tion ACEEE In-ternational Journal of Network Securit
ob VallettaEmploying Entropy in the Detection and
12
d Koduvayur P Subbalakshmi Covert chan-nel for
d experiences 5(1)4150 July 2007
ay 2015
52
e the contentich may even
represent thennel schemes
n in presenceigh degree ofger detection
-partment of
angalore for
pgray-world
pynetmarkpl
hybrid covert
pages 83-92
hybrid covert
05(2)6777
Monitoring of
ensics on the
882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip
httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1515
International Journal of Net
[7] Anjan K Koundinya etal C
In ADCONS 2011 pages 582
[8] JaideepChandrashekar etal
Proceedings of 12th Internat
September 2009
[9] LoicHelou Claude Jard andSPV03 Volume 3 April 200
[10] Anjan K Koundinya and Jibi
Detection Engine volume 1 o
2010
[11] B W Lampson A Note on th
[12] Enping Li and Scott Craver
of the 11th ACM workshop
2009[13] Clay Shields SarderCabuk C
2004
[14] Clay Shields SarderCabuk
Information and System Secur
[15] Gustavus J Simmons The Sub
[16] Steffen Wendzel Protocol Ch[17] Andreas Willig A short intro
1999
[18] Adam Young and Moti Yung
220-240 2004
AUTHORrsquoS
AnjanK has received his B
UniversityBelgaumIndia in 2007
Science and Engineering MSRam
been awarded Best Performer PG 2
includes NetworkSecurityandCrypt
PhD in Computer Science and Engi
as Assistant Professorin Deptof CEngineering Bengaluru India
SrinathNK has his ME degree in S
Roorkee University in 1986 and P
in 2009His areas of research int
Distributed Computing DBMS Mi
PG Dept of Computer Science and
JibiAbraham has received h
BITSRajasthanIndia in 199 and
University Belgaum India in
fresearch interests include Network
of Wireless Sensor Networks andHead in Dept of CEIT College of
ork Security amp Its Applications (IJNSA) Vol7 No3 M
vertness analysis of subliminal channels in legitimate c
591 Springer- Verlag LNCS series 2012
xploiting temporal persistence to detect covert botnet
ional Symposium RAID 2009 pages 326345 Saint-
Marc ZeitounCovert channels detection in protocols u
Abraham Design of Transport Layer Based Hybrid C
f 4 International Journal of Ad hocSensor and Ubiquito
Con_nement ProblemCommunication of the ACM 19
supraliminal channel in a wireless phone application
n Multimedia and security pages 718 Princeton Ne
rla Brodley IP covert timing channels Design and det
Carla Brodley IP covert channel detectionACM
ity Volume 12(Article 22) 2009
liminal Channel and Digital SignaturesSpringer-Verlag
nnelsHAKIN9 2009uction to queuing theorylecture notes at Technical Uni
Malicious Cryptography First edition Wiley Publish-
E degree from Visveswariah Technological
nd his master degre from Department of Computer
iahInstitute of Technology Bangalore IndiaHe has
10 for his academic excellenceHis area so fresearch
graphyAgile Software EngineeringHe ispursuing
neeing fromVTUBelgaum He is currently working
omputer Science and Engineering RV College of
ystems Engineering and Operations Research from
D degree from Avinash Lingum UniversityIndia
rests include Operations Research Parallel and
roprocessor His isworking as Professor and Dean
EngineeringRVCollege of Engineering
r MS degree in Software Systems from
PhD degree from Visveswariah Technological
008 in the area of Network SecurityHe rarea so
routing algorithms Cryptography Network Security
lgorithms DesignShe is working as Professor andngineering Pune
ay 2015
53
ommunication
channels In
Malo France
sing scenarios
overt Channel
us Computing
3
n Proceedings
Jersey USA
ction CCS 4
ransaction on
1998
versity Berlin
ingFeb pages
882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip
httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1315
International Journal of Net
Table 3 Multi-
SlNo TrapdoorName
1 Network Coverthannel-TCP-
2 Network Covert
hannel-TCP-
3 Network Covert
hannel-TCP-
The graph of covertness index
12 The higher entropy value f[10] is able to detect the activi
Hybrid Covert channel is not fea
and IPv4 as this become easily d
Fig11 Entro
Table4Multi-
SlNo TrapdoorName
1 SubliminalChannel(Oracl
e)-
SSL TLS-1 2 SubliminalC
hannel(Oracl
e)-
SSL TLS-2 3 SubliminalC
hann
el(Oracl
e)-
SSL TLS-3
ork Security amp Its Applications (IJNSA) Vol7 No3 M
rapdoor Analysis of Network covert channel in TCP
Noof Trapd
oors No
of
Trapdoorsu
Algorithm CovertnessI
ndex Entropy C
1 7 1 NIL 0142 2803 0
2 7 2 NIL 028 5606 0
3 7 3 NIL 042 1121 0
s the trapdoor in the subliminal channel is shown
r the some of the formation indicates that the detty and this give clear indication of the higher de
sible for the combinations of the Network covert ch
tectable combination
y Vs Covertness Index in Covert Channel based on TCP
TrapdoorAnalysisof SubliminalChannelinSSL TLS
Noof Trapdoors
No of
Trapdoorsu
Algorithm CovertnessIndex
Entropy C
- - SSLCi-pherSuite
025 2803 0
- - SSLCi-pherSuite
058 367 0
- - SSLCi-
pherSu
ite
058 367 0
ay 2015
51
E
14
28
14
in the figure
ction enginetection rates
annel in TCP
E
14
35
35
882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip
httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1415
International Journal of Net
Fig12 Covertn
8CONCLUSION
Covert schemes are difficult totaken in protocol header This p
be malware code Entropy basecovert symbol in a protocol Thi
in a better way It is unacceptablof administrator It is inference tentropy which makes it difficu
principle to detect such events
ACKNOWLEDGEMENT
AnjanKoundinya thanks Late
Computer Science and Engine
igniting the passion for research
REFERENCES
[1] Description of Detec
netprojectspapershtmlcctde
[2] Description of the Entropy cal
[Online accessed 16-Feb-201
[3] KoundinyaAnjan and Jibi A
channel In Third Internation
Chennai India 2010 Springe[4] Jibi Abraham Anjan K Srin
channel in secured communic
2014
[5] Bo Yuan Chaim Sanders Ja
Network Covert Channels 201
[6] RajarathnamChandramouli a
internet Issues approaches a
ork Security amp Its Applications (IJNSA) Vol7 No3 M
ss Index for Subliminal Channel based on SSLTLS
understand from third party entity as they obscurrovides an opportunity for embedding any data wh
analysis gives the actual number of bits used tos gives clearly metric to understand the covert cha
e to have malicious conversation of the network evehis experiment that the hybrid covert channel has hlt to detect It is required to concentrate on stron
Dr VK Ananthashayana Erstwhile Head De
ering MSRamaiah Institute of Tech-nology B
tion Approaches at the URL htt
html 2014 [Online accessed 15-Feb-2015]
culation at the URL httpwww shannonentro
]
braham Behaviour analysis of transport layer based
al Conference on Net-work Security and Application
-Verlag LNCS seriesath N K Attack modelling and behavioral analysis of
tion ACEEE In-ternational Journal of Network Securit
ob VallettaEmploying Entropy in the Detection and
12
d Koduvayur P Subbalakshmi Covert chan-nel for
d experiences 5(1)4150 July 2007
ay 2015
52
e the contentich may even
represent thennel schemes
n in presenceigh degree ofger detection
-partment of
angalore for
pgray-world
pynetmarkpl
hybrid covert
pages 83-92
hybrid covert
05(2)6777
Monitoring of
ensics on the
882019 E NTROPY B ASED D ETECTION A ND B EHAVIORAL A NALYSIS OF H YBRID C OVERT C HANNELIN S ECURED C OMMUhellip
httpslidepdfcomreaderfulle-ntropy-b-ased-d-etection-a-nd-b-ehavioral-a-nalysis-of-h-ybrid-c-overt-c 1515
International Journal of Net
[7] Anjan K Koundinya etal C
In ADCONS 2011 pages 582
[8] JaideepChandrashekar etal
Proceedings of 12th Internat
September 2009
[9] LoicHelou Claude Jard andSPV03 Volume 3 April 200
[10] Anjan K Koundinya and Jibi
Detection Engine volume 1 o
2010
[11] B W Lampson A Note on th
[12] Enping Li and Scott Craver
of the 11th ACM workshop
2009[13] Clay Shields SarderCabuk C
2004
[14] Clay Shields SarderCabuk
Information and System Secur
[15] Gustavus J Simmons The Sub
[16] Steffen Wendzel Protocol Ch[17] Andreas Willig A short intro
1999
[18] Adam Young and Moti Yung
220-240 2004
AUTHORrsquoS
AnjanK has received his B
UniversityBelgaumIndia in 2007
Science and Engineering MSRam
been awarded Best Performer PG 2
includes NetworkSecurityandCrypt
PhD in Computer Science and Engi
as Assistant Professorin Deptof CEngineering Bengaluru India
SrinathNK has his ME degree in S
Roorkee University in 1986 and P
in 2009His areas of research int
Distributed Computing DBMS Mi
PG Dept of Computer Science and
JibiAbraham has received h
BITSRajasthanIndia in 199 and
University Belgaum India in
fresearch interests include Network
of Wireless Sensor Networks andHead in Dept of CEIT College of
ork Security amp Its Applications (IJNSA) Vol7 No3 M
vertness analysis of subliminal channels in legitimate c
591 Springer- Verlag LNCS series 2012
xploiting temporal persistence to detect covert botnet
ional Symposium RAID 2009 pages 326345 Saint-
Marc ZeitounCovert channels detection in protocols u
Abraham Design of Transport Layer Based Hybrid C
f 4 International Journal of Ad hocSensor and Ubiquito
Con_nement ProblemCommunication of the ACM 19
supraliminal channel in a wireless phone application
n Multimedia and security pages 718 Princeton Ne
rla Brodley IP covert timing channels Design and det
Carla Brodley IP covert channel detectionACM
ity Volume 12(Article 22) 2009
liminal Channel and Digital SignaturesSpringer-Verlag
nnelsHAKIN9 2009uction to queuing theorylecture notes at Technical Uni
Malicious Cryptography First edition Wiley Publish-
E degree from Visveswariah Technological
nd his master degre from Department of Computer
iahInstitute of Technology Bangalore IndiaHe has
10 for his academic excellenceHis area so fresearch
graphyAgile Software EngineeringHe ispursuing
neeing fromVTUBelgaum He is currently working
omputer Science and Engineering RV College of
ystems Engineering and Operations Research from
D degree from Avinash Lingum UniversityIndia
rests include Operations Research Parallel and
roprocessor His isworking as Professor and Dean
EngineeringRVCollege of Engineering
r MS degree in Software Systems from
PhD degree from Visveswariah Technological
008 in the area of Network SecurityHe rarea so
routing algorithms Cryptography Network Security
lgorithms DesignShe is working as Professor andngineering Pune
ay 2015
53
ommunication
channels In
Malo France
sing scenarios
overt Channel
us Computing
3
n Proceedings
Jersey USA
ction CCS 4
ransaction on
1998
versity Berlin
ingFeb pages
Fig.12 Covertness Index for Subliminal Channel based on SSL/TLS

8. CONCLUSION

Covert schemes are difficult to understand from a third-party entity as they obscure the content carried in the protocol header. This provides an opportunity for embedding any data, which may even be malware code. Entropy based analysis gives the actual number of bits used to represent the covert symbol in a protocol. This gives a clear metric to understand the covert channel schemes in a better way. It is unacceptable to have a malicious conversation on the network even in the presence of an administrator. It is inferred from this experiment that the hybrid covert channel has a high degree of entropy, which makes it difficult to detect. It is required to concentrate on stronger detection principles to detect such events.

ACKNOWLEDGEMENT

Anjan Koundinya thanks Late Dr. V.K. Ananthashayana, Erstwhile Head, Department of Computer Science and Engineering, M.S. Ramaiah Institute of Technology, Bangalore, for igniting the passion for research.

REFERENCES

[1] Description of Detection Approaches at the URL http://gray-world.net/projects/papers/html/cctde.html, 2014. [Online; accessed 15-Feb-2015].
[2] Description of the Entropy calculation at the URL http://www.shannonentropy.netmark.pl. [Online; accessed 16-Feb-2015].
[3] Koundinya Anjan and Jibi Abraham. Behaviour analysis of transport layer based hybrid covert channel. In Third International Conference on Network Security and Applications, pages 83-92, Chennai, India, 2010. Springer-Verlag LNCS series.
[4] Jibi Abraham, Anjan K, Srinath N K. Attack modelling and behavioral analysis of hybrid covert channel in secured communication. ACEEE International Journal of Network Security, 05(2):67-77, 2014.
[5] Bo Yuan, Chaim Sanders, Jacob Valletta. Employing Entropy in the Detection and Monitoring of Network Covert Channels. 2012.
[6] Rajarathnam Chandramouli and Koduvayur P. Subbalakshmi. Covert channel forensics on the internet: Issues, approaches, and experiences. 5(1):41-50, July 2007.
[7] Anjan K Koundinya et al. Covertness analysis of subliminal channels in legitimate communication. In ADCONS 2011, pages 582-591. Springer-Verlag LNCS series, 2012.
[8] Jaideep Chandrashekar et al. Exploiting temporal persistence to detect covert botnet channels. In Proceedings of 12th International Symposium RAID 2009, pages 326-345, Saint-Malo, France, September 2009.
[9] Loic Helou, Claude Jard and Marc Zeitoun. Covert channels detection in protocols using scenarios. SPV03, Volume 3, April 2003.
[10] Anjan K Koundinya and Jibi Abraham. Design of Transport Layer Based Hybrid Covert Channel Detection Engine. Volume 1 of 4, International Journal of Ad hoc, Sensor and Ubiquitous Computing, 2010.
[11] B. W. Lampson. A Note on the Confinement Problem. Communications of the ACM, 1973.
[12] Enping Li and Scott Craver. A supraliminal channel in a wireless phone application. In Proceedings of the 11th ACM workshop on Multimedia and security, pages 7-18, Princeton, New Jersey, USA, 2009.
[13] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert timing channels: Design and detection. CCS '04, 2004.
[14] Clay Shields, Sarder Cabuk, Carla Brodley. IP covert channel detection. ACM Transactions on Information and System Security, Volume 12 (Article 22), 2009.
[15] Gustavus J. Simmons. The Subliminal Channel and Digital Signatures. Springer-Verlag, 1998.
[16] Steffen Wendzel. Protocol Channels. HAKIN9, 2009.
[17] Andreas Willig. A short introduction to queuing theory. Lecture notes at Technical University Berlin, 1999.
[18] Adam Young and Moti Yung. Malicious Cryptography. First edition, Wiley Publishing, Feb 2004, pages 220-240.

AUTHORS

Anjan K has received his B.E. degree from Visveswariah Technological University, Belgaum, India in 2007 and his master degree from the Department of Computer Science and Engineering, M.S. Ramaiah Institute of Technology, Bangalore, India. He has been awarded Best Performer PG 2010 for his academic excellence. His areas of research include Network Security and Cryptography and Agile Software Engineering. He is pursuing a PhD in Computer Science and Engineering from VTU, Belgaum. He is currently working as Assistant Professor in the Dept. of Computer Science and Engineering, RV College of Engineering, Bengaluru, India.

Srinath N K has his M.E. degree in Systems Engineering and Operations Research from Roorkee University in 1986 and PhD degree from Avinash Lingum University, India in 2009. His areas of research interest include Operations Research, Parallel and Distributed Computing, DBMS and Microprocessors. He is working as Professor and Dean, PG Dept. of Computer Science and Engineering, RV College of Engineering.

Jibi Abraham has received her MS degree in Software Systems from BITS, Rajasthan, India in 199 and PhD degree from Visveswariah Technological University, Belgaum, India in 2008 in the area of Network Security. Her areas of research interest include Network routing algorithms, Cryptography, Network Security of Wireless Sensor Networks and Algorithms Design. She is working as Professor and Head in the Dept. of CE&IT, College of Engineering, Pune.
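The entropy metric that Section 8 rests on (the number of bits needed to represent one covert symbol in a header field, and the observation that a hybrid channel drives several fields' entropy up at once) is worked through below as an added example. This is editor-written illustration code, not code from the paper or its detection engine. The field names (ttl, tos, ip_id, tcp_urg), the 1.5-bit flagging margin, the choice to analyse counter-like fields (ip_id) on their successive differences, and the SHA-256 keystream standing in for an encrypted covert payload are all assumptions of the example; the packets are constructed, not captured.

```python
"""Shannon entropy of protocol header fields as a covert-channel indicator.

Added example, not from the paper.  For every header field seen across a
flow it computes H = -sum p(x) log2 p(x), the average number of bits needed
to encode one observed symbol of that field.  A field whose entropy jumps
well above the legitimate baseline is a candidate trapdoor; several such
fields on the same flow is the hybrid scenario.  All sample data below is
constructed for the example.
"""
import hashlib
from collections import Counter
from math import log2
from typing import Dict, Iterable, List, Sequence, Set

Packet = Dict[str, int]

# Fields that legitimately behave as counters inside one flow (sequential
# IP ID, sequence numbers) look high-entropy on raw values, so they are
# analysed on successive differences instead.  Assumed list, not the paper's.
COUNTER_FIELDS: Set[str] = {"ip_id"}


def shannon_entropy(values: Iterable[int]) -> float:
    """Entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    n = sum(counts.values())
    if n == 0:
        return 0.0
    return -sum(c / n * log2(c / n) for c in counts.values())


def field_series(packets: Sequence[Packet], field: str) -> List[int]:
    """Symbol series for one field: raw values, or deltas for counters."""
    vals = [p[field] for p in packets if field in p]
    if field in COUNTER_FIELDS:
        return [(b - a) & 0xFFFF for a, b in zip(vals, vals[1:])]
    return vals


def field_entropies(packets: Sequence[Packet]) -> Dict[str, float]:
    """Per-field entropy (bits per symbol) over a flow."""
    fields: Set[str] = set()
    for p in packets:
        fields.update(p)
    return {f: shannon_entropy(field_series(packets, f)) for f in sorted(fields)}


def flag_covert_fields(baseline: Sequence[Packet], suspect: Sequence[Packet],
                       margin_bits: float = 1.5) -> List[str]:
    """Fields whose entropy exceeds the baseline by `margin_bits` (assumed threshold)."""
    base = field_entropies(baseline)
    susp = field_entropies(suspect)
    return sorted(f for f, h in susp.items() if h - base.get(f, 0.0) >= margin_bits)


def covert_byte(i: int) -> int:
    """Deterministic stand-in for one byte of an encrypted covert payload."""
    return hashlib.sha256(b"example-key" + i.to_bytes(4, "big")).digest()[0]


def legitimate_flow(n: int = 1024) -> List[Packet]:
    """Constructed baseline: fixed TTL, zero ToS, per-flow sequential IP ID."""
    return [{"ttl": 64, "tos": 0, "ip_id": i & 0xFFFF, "tcp_urg": 0} for i in range(n)]


def hybrid_covert_flow(n: int = 1024) -> List[Packet]:
    """Constructed hybrid channel: IP ID carries a whole covert byte and the
    ToS field carries two bits of the next one, in the same flow."""
    return [{"ttl": 64,
             "tos": (covert_byte(2 * i + 1) & 0x3) << 2,
             "ip_id": covert_byte(2 * i),
             "tcp_urg": 0} for i in range(n)]


if __name__ == "__main__":
    base, susp = legitimate_flow(), hybrid_covert_flow()
    for name, flow in (("legitimate", base), ("hybrid covert", susp)):
        print(name, {f: round(h, 2) for f, h in field_entropies(flow).items()})
    print("flagged:", flag_covert_fields(base, susp))
```

On the constructed flows the baseline fields all sit at 0 bits, the covert IP ID is close to 8 bits per symbol and the covert ToS close to 2 bits, so both are flagged while ttl and tcp_urg are not. Two practitioner caveats: first-order entropy on raw values would also flag a perfectly legitimate sequential IP ID, which is why counter fields are differenced here; and an attacker who compresses or encrypts the covert payload raises the field's entropy, so the metric detects the channel's capacity, not its content.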