This research presents a new method for secure communications employing a blending approach across multiple network connections. By leveraging existing traffic and employing covert communication strategies, we aim to facilitate data exfiltration while minimizing detection risk. Key objectives include scalable throughput, dynamic insertion point selection, and ensuring reliability. We analyze traffic patterns, establish parameters for covert insertion, and evaluate the system's performance in terms of throughput and packet loss. Our findings suggest a promising foundation for integrating covert data transmission within high-complexity payloads.
Using a Novel Blending Method Over Multiple Network Connections for Secure Communications
Jaime C. Acosta and John Medrano
U.S. Army Research Laboratory
Motivation
• Network attack steps
  • Locate a network
  • Analyze traffic
  • Identify target
  • Scan nodes for vulnerabilities
  • Execute exploit
• Issue
  • Node addresses and traffic flows

Motivation
• Covert communication
  • Traditionally seen as adversarial
    • Data exfiltration
  • From a defensive perspective
    • Hide data in decoy traffic
    • Hide node endpoints
    • Avoid scanning
    • Avoid suspicion for critical data

Covert Communication
• Timing channels
  • Timing anomalies
  • Generally low throughput
• Data channels
  • Unused fields, invalid messages
  • Once documented, identification is trivial

Objectives
• Scalable throughput
• Reliable
• Dynamic insertion point selection

Research Question
Can we leverage characteristics of network flows for covert, secure communication?
Envisioned Approach
[Figure: six nodes A–F]

Envisioned Approach
[Figure: nodes A–F linked by Conn1–Conn8]
Connections:
1. Unidirectional
2. Fixed-size messages sharing the same
   a. source and destination MAC, IP, and ports
   b. protocol type
3. Have an update rate
4. Have a complexity measure

Envisioned Approach
[Figure: covert communicators placed on the nodes; promiscuous traffic observed across Conn1–Conn8]

Envisioned Approach
Hide data within high-complexity payloads
[Figure: covert communicators and promiscuous traffic across Conn1–Conn8, as above]
Methodology
• Implement a system
  • Parameters for determining insertion points
• Evaluate
  • Vary parameter values
  • Measure throughput and reliability

Network Blending Communication System (NBCS)
[Architecture figure: Configuration; Network Communications Subsystem; Analysis Subsystem; Display Subsystem]
NBCS Analysis Subsystem
[Figure: for each network connection (Connection 1, Connection 2, Connection 3, ...), the packets captured during the window are collected]

NBCS Analysis Subsystem
[Chart: Min/Max = byteComplexities]

NBCS Analysis Subsystem
[Figure: Connection 1 packets during window → byteComplexities → frequency distribution → sum → Connection 1 complexity C; Connections 2 and 3 are processed the same way]
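One way to compute the per-connection byteComplexities and connection complexity C that the analysis subsystem derives from a window of packets, given here as an added example and not as code from the slides or from the NBCS implementation. The slides do not define the complexity measure, so the normalized per-position Shannon entropy, the flow-key tuple and the constructed sample window are all assumptions.

```python
import math
from collections import Counter, defaultdict

def byte_complexities(packets):
    """Per byte position, normalized Shannon entropy (0..1) of the values seen
    across the fixed-size messages of one connection during one window:
    0 = the byte never varies, 1 = every message carried a different value."""
    if not packets:
        return []
    size = len(packets[0])
    if any(len(p) != size for p in packets):
        raise ValueError("a connection consists of fixed-size messages")
    n = len(packets)
    max_h = math.log2(min(n, 256))  # highest entropy reachable with n samples
    result = []
    for pos in range(size):
        counts = Counter(p[pos] for p in packets)
        h = max(0.0, -sum(c / n * math.log2(c / n) for c in counts.values()))
        result.append(h / max_h if max_h > 0 else 0.0)
    return result

def connection_complexity(packets):
    """Connection complexity C: byte complexities summed, then divided by the
    message size so that C is comparable between connections."""
    bc = byte_complexities(packets)
    return sum(bc) / len(bc) if bc else 0.0

def analyze_window(records, byte_complexity_threshold):
    """Group one window of (flow_key, payload) records into connections and
    report C, min/max byte complexity, and the byte positions whose
    complexity meets the threshold."""
    flows = defaultdict(list)
    for key, payload in records:
        flows[key].append(payload)
    report = {}
    for key, packets in flows.items():
        bc = byte_complexities(packets)
        report[key] = {
            "C": connection_complexity(packets),
            "min_max": (min(bc), max(bc)) if bc else (0.0, 0.0),
            "positions": [i for i, c in enumerate(bc) if c >= byte_complexity_threshold],
        }
    return report

# Constructed sample window (assumed flow key: src ip:port, dst ip:port, proto).
SENSOR = ("10.0.0.5:5000", "10.0.0.9:6000", "UDP")   # header, 4 varying bytes, trailer
CONTROL = ("10.0.0.7:7000", "10.0.0.9:6001", "UDP")  # identical heartbeat messages
SAMPLE_WINDOW = [(SENSOR, bytes([1, 2, i, (i * 37) % 256, 255 - i, (i * 91) % 256, 0xEE, 0xFF]))
                 for i in range(8)] + [(CONTROL, bytes([0xAA, 0x55, 0, 1])) for _ in range(8)]
```

For a defender the same report shows which flows carry payload regions in which blended data would be indistinguishable from the carrier, so monitoring effort can be focused on those connections.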
Communications Subsystem
[Figure: the covert data queue is spread across connections with sufficient complexity (e.g. Connection 1, Connection 4), using the latest packets with sufficient byteComplexities]
• check
• rateToUse
• Attach sync and checksum bytes
Requirements – How it can be done
• Hub
  • Promiscuous by default
• Switch
  • Port mirroring
• Wireless
  • Within distance
• Multicast
  • Within group
Evaluation
• Controlled (favoring low detectability)
  • Window Size = 1000 ms
  • Sync Bytes = 2
  • Checksum Bytes = 2
  • Protocol to Use = UDP
  • Rate Threshold = 10
  • Rate to Use = 0.1

Evaluation
• Independent
  • Byte Complexity Threshold [0.1–0.9]
• Dependent
  • Throughput
  • Packet loss
• Procedure
  • Covert sender and receiver start simultaneously
  • Covert data buffer is always full
  • Run for 5 minutes

Future Work
• More beneficial to hide covert data based on byte similarity?
• Wireless and multicast traffic?
• Automatic parameter tuning in real time depending on network characteristics?
NBCS Analysis Subsystem
[Chart: sample byte complexities]

NBCS Analysis Subsystem
[Figure: Connection 1 packets during window → byteComplexities → Min/Max → sum → Connection 1 complexity C; Connections 2 and 3 are processed the same way]