
Summary-Invisible Networking: Techniques and Defenses

Conference paper
Information Security (ISC 2010)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6531)


Abstract

Numerous network anomaly detection techniques utilize traffic summaries (e.g., NetFlow records) to detect and diagnose attacks. In this paper we investigate the limits of such approaches, by introducing a technique by which compromised hosts can communicate without altering the behavior of the network as evidenced in summary records of many common types. Our technique builds on two key observations. First, network anomaly detection based on payload-oblivious traffic summaries admits a new type of covert embedding in which compromised nodes embed content in the space vacated by compressing the payloads of packets already in transit between them. Second, point-to-point covert channels can serve as a “data link layer” over which routing protocols can be run, enabling more functional covert networking than previously explored. We investigate the combination of these ideas, which we term Summary-Invisible Networking (SIN), to determine both the covert networking capacities that an attacker can realize in various tasks and the possibilities for defenders to detect these activities.




Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wei, L., Reiter, M.K., Mayer-Patel, K. (2011). Summary-Invisible Networking: Techniques and Defenses. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds) Information Security. ISC 2010. Lecture Notes in Computer Science, vol 6531. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-18178-8_19


  • DOI: https://doi.org/10.1007/978-3-642-18178-8_19

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-18177-1

  • Online ISBN: 978-3-642-18178-8

  • eBook Packages: Computer Science (R0)
