Using a Novel Blending Method Over Multiple Network Connections for Secure Communications

Jaime C. Acosta and John Medrano, U.S. Army Research Laboratory

Presentation Transcript


  1. Using a Novel Blending Method Over Multiple Network Connections for Secure Communications Jaime C. Acosta and John Medrano U.S. Army Research Laboratory

  2. Motivation • Network attack steps • Locate a network • Analyze traffic • Identify target • Scan nodes for vulnerabilities • Execute exploit • Issue • Node addresses and traffic flows

  3. Motivation • Covert Communication • Traditionally seen as adversarial • Data exfiltration • From a defensive perspective • Hide data in decoy traffic • Hide node endpoints • Avoid scanning • Avoid suspicion for critical data

  4. Covert Communication • Timing channels • Timing anomalies • Generally low throughput • Data channels • Unused fields, invalid messages • Once documented identification is trivial

  5. Objectives • Scalable throughput • Reliable • Dynamic insertion point selection

  6. Research Question Can we leverage characteristics of network flows for covert, secure communication?

  7. Envisioned Approach [Diagram: nodes A, B, C, D, E, F]

  8. Envisioned Approach [Diagram: nodes A, B, C, D, E, F with connections Conn1 through Conn8] • Connections: (1) Unidirectional (2) Fixed-size messages sharing the same (a) source and destination MAC, IP, and ports, (b) protocol type (3) Have an update rate (4) Have a complexity measure

  9. Envisioned Approach [Diagram: nodes A, B, C, D, E, F with connections Conn1 through Conn8; labels: Covert Communicators, Promiscuous Traffic]

  10. Envisioned Approach • Hide data within high-complexity payloads [Diagram: nodes A, B, C, D, E, F with connections Conn1 through Conn8; labels: Covert Communicators, Promiscuous Traffic]

  11. Methodology • Implement a system • Parameters for determining insertion points • Evaluate • Vary parameter values • Measure throughput and reliability

  12. Network Blending Communication System (NBCS) Configuration Network Communications Subsystem Analysis Subsystem Display Subsystem

  13. NBCS Analysis Subsystem Network Connection 1 Packets during window Connection 2 Connection 3

  14. NBCS Analysis Subsystem Network Connection 1 Packets during window Connection 2 Connection 3

  15. NBCS Analysis Subsystem Min/Max = byteComplexities

  16. NBCS Analysis Subsystem Network Connection 1 Packets during window Freq. Distribution sum C Connection 1 complexity byteComplexities Connection 2 Connection 3

  17. NBCS system Configuration Network Communications Subsystem Analysis Subsystem Display Subsystem

  18. Communications Subsystem … … Covert data queue Connection 1 with sufficient complexity Latest packets with sufficient byteComplexities Connection 4 with sufficient complexity

  19. Communications Subsystem … … Covert data queue Connection 1 with sufficient complexity Latest packets with sufficient byteComplexities • check • rateToUse Connection 4 with sufficient complexity Attach Sync and Checksum Bytes

  20. Communications Subsystem … … Covert data queue Connection 1 with sufficient complexity Latest packets with sufficient byteComplexities Connection 4 with sufficient complexity

  21. NBCS System Configuration Network Communications Subsystem Analysis Subsystem Display Subsystem

  22. Display Subsystem

  23. Requirements – How it can be done • Hub • Promiscuous by default • Switch • Port mirroring • Wireless • Within distance • Multicast • Within group

  24. Requirements – How it can be done • Hub • Promiscuous by default • Switch • Port mirroring • Wireless • Within distance • Multicast • Within group

  25. Evaluation - Network Setup

  26. Evaluation • Controlled (favoring low detectability) • Window Size = 1000ms • Sync Bytes = 2 • Checksum Bytes = 2 • Protocol to Use = UDP • Rate Threshold = 10 • Rate to Use = 0.1

  27. Evaluation • Independent • Byte Complexity Threshold [0.1-0.9] • Dependent • Throughput • Packet loss • Procedure • Covert sender and receiver start simultaneously • Covert data buffer is always full • Run for 5 minutes

  28. Results - Throughput

  29. Results – Packet Loss

  30. Future Work • More beneficial to hide covert data based on byte similarity? • Wireless and multicast traffic? • Automatic parameter tuning in real time depending on network characteristics?

  31. Questions

  32. Preliminary Wireless Tests

  33. Preliminary Wireless Tests

  34. NBCS Analysis Subsystem Network Connection 1 Packets during window Connection 2 Connection 3

  35. NBCS Analysis Subsystem Sample byte complexities

  36. NBCS Analysis Subsystem Network Connection 1 Packets during window Min Max sum C Connection 1 complexity byteComplexities Connection 2 Connection 3
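
The analysis step sketched on slides 8, 13-16 and 26, as an added example that is not code from the presentation or from NBCS: packets are grouped into connections by the slide 8 tuple, and each byte position is scored from its frequency distribution over one window. The slides do not give the complexity formula, so normalized Shannon entropy is an assumption here, as are the reading of "Rate Threshold" as packets per window and the packet field names; the sample traffic is constructed.

```python
import math
from collections import Counter, defaultdict

WINDOW_MS = 1000     # slide 26: Window Size = 1000ms
RATE_THRESHOLD = 10  # slide 26: Rate Threshold = 10 (assumed: packets per window)

def connection_key(pkt):
    # Slide 8: fixed-size messages sharing MACs, IPs, ports and protocol type.
    return (pkt["smac"], pkt["dmac"], pkt["sip"], pkt["dip"],
            pkt["sport"], pkt["dport"], pkt["proto"], len(pkt["payload"]))

def byte_complexities(payloads):
    # Assumed measure: Shannon entropy of each byte position's frequency
    # distribution, normalized to [0, 1] by the maximum reachable with n samples.
    n = len(payloads)
    if n < 2:
        return [0.0] * (len(payloads[0]) if payloads else 0)
    scale = math.log2(min(n, 256))
    return [sum(c / n * math.log2(n / c) for c in Counter(col).values()) / scale
            for col in zip(*payloads)]

def analyze_window(packets, start_ms, byte_threshold):
    # Returns {connection: (update rate, connection complexity, varying positions)}.
    groups = defaultdict(list)
    for pkt in packets:
        if start_ms <= pkt["ts_ms"] < start_ms + WINDOW_MS:
            groups[connection_key(pkt)].append(pkt["payload"])
    report = {}
    for key, payloads in groups.items():
        if len(payloads) < RATE_THRESHOLD:
            continue  # too few updates in this window to characterize
        bc = byte_complexities(payloads)
        varying = [i for i, c in enumerate(bc) if c >= byte_threshold]
        report[key] = (len(payloads), sum(bc), varying)  # slide 16: sum -> complexity
    return report

def sample_packets():
    # Constructed traffic: three UDP connections inside one window.
    def pkt(ts, dport, payload):
        return {"ts_ms": ts, "smac": "02:00:00:00:00:01", "dmac": "02:00:00:00:00:02",
                "sip": "192.0.2.1", "dip": "192.0.2.2", "sport": 5000,
                "dport": dport, "proto": "udp", "payload": payload}
    telemetry = [pkt(i * 50, 6000, bytes([0xAA, i % 2, i * 37 % 256, (i * 101 + 7) % 256]))
                 for i in range(20)]
    heartbeat = [pkt(i * 80, 6001, b"\x01\x02\x03\x04") for i in range(12)]
    sparse = [pkt(i * 200, 6002, bytes([i, i, i, i])) for i in range(5)]
    return telemetry + heartbeat + sparse

if __name__ == "__main__":
    for conn, (rate, cx, varying) in analyze_window(sample_packets(), 0, 0.5).items():
        print(conn[5], rate, round(cx, 3), varying)
```

The same per-position scores give a monitoring team a baseline of which fields in a flow normally vary, which is the property the blending approach depends on.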