IDS mailing list archives
RE: Detecting covert data channels?
From: Omar Herrera <oherrera () prodigy net mx>
Date: Mon, 28 May 2007 19:28:30 -0500
Hi Joff, You'll probably need some algortihtms to test for randmoness; these might be helpful: http://csrc.nist.gov/rng/ But then you must be aware of 2 problems: a) Statistical tests like these tests work on the whole sequence. With mixed sequences (e.g. an encapsulated random payload within a non-random structure) you'll still need some algorithm to try to identify the boundaries of the candidate bit string to test. b) Randomness tests usually need a few bits to be accurate (e.g. ~100 bits for the frequency and runs tests), some need thousands of bits. Therefore with fragmented sequences it might be nearly impossible to detect. c) No test is accurate enough on its own, although Maurer's Universal statistical test claims to be (it needs about 388,000 bits to be reliable under its own terms anyway), so you might need to apply a batch of tests to have enough confidence that a certain bitstring is indeed random. d) Compressed sequences, although not exactly random, might look very similar to an encrypted sequence (from a randomness test point of view). With standard statistical tests it is very difficult to tell; it is hard but it can be done. e) There is no way (that I know of) to distinguish between totally random sequences and sequences encrypted with a good encryption algorithm (such as AES), and that's the point of good encryption anyway ;-). So if you get totally random sequences as decoys you should be aware of the risks of denial of service, because running this kind of detection on real-time traffic flows will certainly consume some CPU cycles. Other than that, it is certainly an interesting project, but I wonder if there aren't more effective ways to detect information leaks than just identifying pseudorandom strings on the network and then assuming that those might be related to confidential information. Cheers, Omar Herrera
-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Joff Thyer It is reasonably trivial to encode data within packet headers, and even encrypt said data as most are probably aware. There are past examples where control information has been sent within ICMP and other packets using header fields. My question surrounds detection; given that IDS tends to be payload focused, if a covert channel exists that has encrypted data in a packet header, how do we go about detecting it? My initial thought leans toward the fact that encrypted data blocks are statistically flat over time. Given say 'snort', how can we use this idea? I am not a snort expert by any means, so please no flames! I would be happy to summarize opinions. -Joff Thyer
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- Detecting covert data channels? Joff Thyer (May 28)
- Re: Detecting covert data channels? vijay upadhyaya (May 29)
- RE: Detecting covert data channels? Omar Herrera (May 29)
- Re: Detecting covert data channels? Kowsik (May 29)
- Re: Detecting covert data channels? Eric Hacker (May 29)
- Re: Detecting covert data channels? Skip Carter (May 29)
- Re: Detecting covert data channels? Ron Gula (May 29)
- Re: Detecting covert data channels? Richard Bejtlich (May 30)
- Re: Detecting covert data channels? Jose Nazario (May 31)