InCC: Evading Interception and Inspection by Mimicking Traffic in Network Flows

  • Conference paper
E-Business and Telecommunications (ICETE 2013)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 456)

Abstract

This article proposes and implements a network covert channel called InCC, capable of hiding information on the Internet and designed to produce an undetectable communication channel between systems. This network channel is fully transparent to any network analysis, and hence to any interception and inspection on a network. InCC is capable of sending messages on the same production network without compromising the existence of source and destination. By using techniques like encryption, address spoofing, signature poisoning and traffic analysis, the channel is able to hide the flows on the network without implicating the source and destination.

Acknowledgements

This work has been partially funded by the Vulcano project (ref 442808215-8215-4-9), funded by the Spanish Ministry of Science and Innovation.

Author information

Corresponding author

Correspondence to Enrique Cabello.

Copyright information

© 2014 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Giralte, L.C., de Diego, I.M., Conde, C., Cabello, E. (2014). InCC: Evading Interception and Inspection by Mimicking Traffic in Network Flows. In: Obaidat, M., Filipe, J. (eds) E-Business and Telecommunications. ICETE 2013. Communications in Computer and Information Science, vol 456. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-44788-8_13

  • DOI: https://doi.org/10.1007/978-3-662-44788-8_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-44787-1

  • Online ISBN: 978-3-662-44788-8

  • eBook Packages: Computer Science (R0)
