Protocol Proxy: an FTE-Based Covert Channel

Protocol Proxy: an FTE-Based Covert Channel

Computers & Security 92 (2020) 101777 Contents lists available at ScienceDirect Computers & Security journal homepage: www.elsevier.com/locate/cose Protocol Proxy: An FTE-based covert channel ∗ Jonathan Oakley , Lu Yu, Xingsi Zhong, Ganesh Kumar Venayagamoorthy, Richard Brooks Department of Electrical and Computer Engineering, Clemson University, Clemson, SC, USA a r t i c l e i n f o a b s t r a c t Article history: In a hostile network environment, users must communicate without being detected. This involves blend- Received 25 September 2019 ing in with the existing traffic. In some cases, a higher degree of secrecy is required. We present a proof- Revised 24 December 2019 of-concept format transforming encryption (FTE)-based covert channel for tunneling TCP traffic through Accepted 22 February 2020 protected static protocols. Protected static protocols are UDP-based protocols with variable fields that can- Available online 24 February 2020 not be blocked without collateral damage, such as power grid failures. We (1) convert TCP traffic to UDP Keywords: traffic, (2) introduce observation-based FTE, and (3) model interpacket timing with a deterministic Hid- Covert channel den Markov Model (HMM). The resulting Protocol Proxy has a very low probability of detection and is Format Transforming Encryption (FTE) an alternative to current covert channels. We tunnel a TCP session through a UDP protocol and guaran- Steganography tee delivery. Observation-based FTE ensures traffic cannot be detected by traditional rule-based analysis Traffic analysis or DPI. A deterministic HMM ensures the Protocol Proxy accurately models interpacket timing to avoid Deep Packet Inspection (DPI) detection by side-channel analysis. Finally, the choice of a protected static protocol foils stateful protocol Pluggable transport (PT) analysis and causes collateral damage with false positives. Deterministic Hidden Markov Model (HMM) Synchrophasor ©2020 Elsevier Ltd. All rights reserved. 1. Introduction simply wrap encrypted traffic with a new header to allow TLS traf- fic to pass through firewalls ( Wiley, 2011; Yawning, 2019 ). At first, Traffic analysis classifies network traffic using observable infor- this may seem like an elegant solution, but it is simple to add an- mation. Network engineers use traffic analysis to ensure quality of other firewall rule to block this traffic. This is security through ob- service and identify threats. As a result, the development of hard- scurity. ware and software tools that quickly and effectively classify traffic Format Transformation Encryption (FTE) is a form of steganog- has been encouraged. Commercial traffic analysis tools are used by raphy that translates network traffic into a host protocol. 1 Previous governments to block access to websites that counter their current FTE implementations used regular expressions ( Dyer et al., 2013 ) narrative ( Heydari et al., 2017 ). Tools for countering traffic analysis and context free grammars ( Dyer et al., 2015 ). Padding and rerout- have been developed for both criminal use and covert channels. ing has obfuscated traffic and removed side-channels ( Guan et al., Tor is a popular overlay network that routes traffic through 2001 ). In previous work, we used FTE and hidden Markov models three randomly chosen nodes on the Internet. Tor uses nested en- (HMMs) to translate traffic flows into DNS requests and responses cryption to ensure messages cannot be intercepted. The client en- ( Fu et al., 2016; 2017 ) and smart grid sensor traffic ( Zhong et al., crypts packets. Each relay node decrypts the outermost layer, re- 2015b ). Fridrich determined an upper bound on the amount of in- vealing another encrypted layer for the next hop to decrypt. By formation that could be steganographically encoded in JPEG images wrapping encryption (like the layers of an onion), it is possible before distortions were visually detected ( Fridrich, 2006 ). HMMs to encrypt traffic so each node only knows its neighbors. This is have some notable advantages: not a silver bullet. In contested network environments, it is easy to detect and block Tor ( Dingledine, 2011 ). To prevent blocking, plug- 1. data windowing of HMMs ( Schwier et al., 2011 ) makes them gable transports (PTs) were developed to obfuscate Tor’s traffic pat- effective for both protocol detection and mimicry, terns. 2. tools for differentiating HMMs are well defined ( Schwier et al., PT developers must ensure their tools are able to penetrate na- 2011 ), and tion state firewalls while authoritarian governments must deter- 3. a normalized metric space can directly measure the quality of mine the optimal defense ( Garnaev et al., 2016 ). Some popular PTs protocol mimicry ( Lu et al., 2013 ). ∗ Corresponding author. E-mail address: [email protected] (J. Oakley). 1 The host protocol refers to the protocol being mimicked. https://doi.org/10.1016/j.cose.2020.101777 0167-4048/© 2020 Elsevier Ltd. All rights reserved. 2 J. Oakley, L. Yu and X. Zhong et al. / Computers & Security 92 (2020) 101777 Fig. 1. Protocol Proxy architecture with relevant sections indicated. We propose security through collateral damage. Certain proto- channels is encrypted, the goal is to balance probability of detec- cols are more expensive to block than others. Usually, blocking the tion with throughput based on the desired application ( Smith and wrong TLS stream has little collateral damage other than disgrun- Knight, 2010 ). Timing side-channels are used when low probability tled users. of detection is prioritized over throughput ( Kiyavash et al., 2013; We chose Synchrophasor traffic for our FTE implementation, but Yao et al., 2009 ). another example is Network Time Protocol (NTP) traffic. We use Named Data Networking (NDN) posits an alternative internet Synchrophasor traffic because we have access to Clemson’s Real- architecture based on content delivery ( Zhang et al., 2014 ). Con- Time Power and Intelligent System ( RTPIS, 2019 ) Laboratory and sumers express interest in a topic to NDN routers. These NDN real Synchrophasor traffic. 2 To accomplish this transformation, we routers check their Content Stores to see if an interest is cached. made the following novel contributions: If the information is not available, the router adds the interest to a Pending Interest Table and forwards the interest upstream according 1. An architecture to tunnel TCP traffic through UDP traffic. to the Forwarding Information Base and Forwarding Strategy . Tsudik 2. Real-time observation-based format transforming encryption et. al proposed an anonymous communication network using NDN (FTE) (Zhong et al., 2015b). ( Tsudik et al., 2016 ). Cui et al. proposed a model for preventing 3. A theoretical upper bound on the channel capacity of censorship using smart NDN routers ( Cui et al., 2016 ). Neither of observation-based FTE. these solutions addresses the issue of covert communications in a 4. Emulating the packet timing of a host protocol. contested environment. 5. A proxy capable of tunneling SSH (TCP) through power-grid Ambrosin et. al proposed a method for delay-based covert com- Synchrophasor traffic (UDP) in a statistically indistinguishable munication using cache techniques ( Ambrosin et al., 2014 ). Given a manner. sender and receiver share an NDN router at some point in the net- In Section 2 , we introduce related work. In Section 3 , we justify work, the sender and receiver can communicate using the round observation-based FTE as a undetectable communication channel. trip time (RTT) of the receiver’s interest requests. The sender and In Section 4 , we provide the mathematical background behind de- receiver agree on C0 and C1 out-of-band. The sender requests a terministic HMMs. In Section 5 , we provide the system architecture certain interest, Cb , and the receiver receives the message by re- and justify our design decisions. Figure 1 shows our high-level sys- questing both C0 and C1 . By comparing the RTT of both C0 and C1 , tem architecture: Section 5.1 describes observation-based format it is possible to determine which interest the sender requested– transforming encryption using our novel method. Section 5.2 de- Cb will have a shorter RTT since it already exists in the router’s scribes massaging packet timing with a deterministic HMM in- cache. While this covert channel is interesting, it would be easy ferred using the method described in Sections 4.1 , and 5.3 de- to detect in Iran or China since CCNx (the NDN implementation) scribes how everything fits the overall Protocol Proxy architecture. is not widely used. The traffic would be anomalous in that envi- Section 6 provides the experimental setup, and Section 7 details ronment and could be used to identify users before being blocked our results. Finally, we provide our closing thoughts and future (Mosko, 2014). work in Section 8 . Tor (Tor, 2019) anonymity network wraps network traffic in layers of encryption. Each layer can only be decrypted by the next hop in the onion network. While it provides anonymous 2. Related work access to the Internet, the Tor protocol is easy to detect and block ( Dingledine, 2011; Winter and Lindskog, 2012 ). Undetectable Creating covert online communication tools has been the fo- communication was not one of Tor’s goals, but it spawned the cus of many privacy advocacy groups. Since the data in covert Pluggable Transport project to address this challenge and en- courage the development of other covert communication tools 2 Synchrophasor traffic is a UDP-based protocol generated by Phasor Measure- ( Internews, 2017 ). ment Units (PMUs) that contains alternating current phase measurements. This pro- tocol is used to balance the load at different points in the power grid. J. Oakley, L. Yu and X. Zhong et al. / Computers & Security 92 (2020) 101777 3 Pluggable Transports ( Pluggable Transports, 2020 ) address this ernments block access to these tools, which makes the first hop concern. PTs offer a generic way to obfuscate traffic. Shape- important. shifting PTs transform traffic into a different protocol. SkypeMorph Traditional Virtual Private Networks (VPNs) are not usually ef- ( Mohajeri Moghaddam et al., 2012 ) makes network traffic resem- fective in a contested environment because encrypted data can ble a Skype session.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    11 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us