
An approach towards anomaly based detection and profiling covert TCP/IP channels


Gilbert, Patrick A (2009) An approach towards anomaly based detection and profiling covert TCP/IP channels. Masters thesis, Concordia University.

Text (application/pdf): MR63156.pdf - Accepted Version, 1MB

Abstract

Firewalls and detection systems have been used for preventing and detecting attacks by a wide variety of mechanisms. A problem has arisen where users and applications can circumvent security policies because of the particularities in the TCP/IP protocol, the ability to obfuscate the data payload, tunnel protocols, and covertly simulate a permitted communication. It has been shown that unusual traffic patterns may lead to discovery of covert channels that employ packet headers. In addition, covert channels can be detected by observing an anomaly in unused packet header fields. Presently, we are not aware of any schemes that address detecting anomalous traffic patterns that can potentially be created by a covert channel. In this work, we will explore the approach of combining anomaly based detection and covert channel profiling to be used for detecting a very precise subset of covert storage channels in network protocols. We shall also discuss why this method is more practical and industry-ready compared to the present research on how to profile and mitigate these types of attacks. Finally, we shall describe a specialized tool to passively monitor networks for these types of attacks and show how it can be used to build an efficient hybrid covert channel and anomaly based detection system.

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (Masters)
Authors: Gilbert, Patrick A
Pagination: ix, 91 leaves : ill. ; 29 cm.
Institution: Concordia University
Degree Name: M.A. Sc
Program: Institute for Information Systems Engineering
Date: 2009
Thesis Supervisor(s): Bhattacharya, P
Identification Number: LE 3 C66I54M 2009 G55
ID Code: 976643
Deposited By: Concordia University Library
Deposited On: 22 Jan 2013 16:30
Last Modified: 13 Jul 2020 20:10
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.
